Data Retention, Anonymization and Destruction Policy
The purpose of this procedure is to ensure that all printed and written content, information technology assets and peripherals used in obtaining, processing and storing information are safely destroyed when necessary and in accordance with the Law No. 6698 on the Protection of Personal Data.
The procedure covers all personal and commercial data records and business processes.
Law: 6698 refers to the law of "Protection of personal data".
Personal Data: Personal data refers to all kinds of information regarding an identified or identifiable natural person. The fact that a person is specific or identifiable means making that person identifiable by associating existing data with a natural person in any way.
Blackout: Transactions such as scratching, painting and icing all personal data in a way that cannot be associated with an identified or identifiable natural person,
Recording medium: Any medium containing personal data that is fully or partially automated or processed non-automatically provided that it is a part of any data recording system,
Personal data storage and destruction policy: The policy on which data controllers are the basis for the process of determining the maximum time required for the purpose for which personal data are processed and for deletion, destruction and anonymization
Masking: Transactions such as deleting, striking, painting and starring certain areas of personal data in a way that cannot be associated with an identified or identifiable natural person,
Special Quality Personal Data: The race, ethnic origin, political opinion, philosophical belief, religion, sect of the persons.
or other beliefs, dress and dress, association, foundation or union membership, health, sexual life, punishment
Biometric and genetic data with data on conviction and security measures.
Periodic destruction: It is the process of deletion, destruction or anonymization to be carried out ex officio at repetitive intervals specified in the personal data storage and destruction policy in the event that all the conditions for processing personal data in the law are eliminated.
Regulation on the Deletion, Destruction or Anonymization of Personal Data dated 28.10.2018, numbered 30224 of the Law on the Protection of Personal Data No.6698
5.1. Destruction of Assets
In the event that the purpose of the processing of personal data is eliminated, express consent is withdrawn, or all the conditions for processing personal data specified in Articles 5 and 6 of the Law are eliminated, or there is a situation where none of the exceptions in the aforementioned articles can be applied, the processing conditions are eliminated. Personal data are deleted by the relevant business unit, taking into account the business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation (Deletion, Destruction or Anonymization of Personal Data), by explaining the justification of the method applied, destroyed or anonymized. However, if there is a final court decision, the method of destruction prescribed by the court decision must be applied.
The information on any device with data recording feature is deleted against unauthorized access and the disk and recording mechanism on the device is physically destroyed. Media / Device Destruction Report is filled and signed by the information systems operator. Date, device information, reason for destruction, etc. The destruction process is recorded by entering the information.
Data Deletion Methods
a. Personal Data on Paper Media: It is deleted by destroying with a shredder or by using the blackout method when necessary.
b. Office Files on the Central Server: They are deleted with the delete command in the operating system.
c. Data on Removable Media: It is deleted by the delete command in the operating system.
D. Databases: Relevant rows containing data are deleted with database commands.
Assets and Data Destruction Methods
a. In Local Systems: It is destroyed using the appropriate method of de-magnetizing, physical destruction, overwriting.
b. Environmental Systems:
• Network devices (switches, routers, etc.): They are destroyed by the appropriate methods specified in item a.
• Flash-based media: It is destroyed by the methods recommended by the relevant manufacturer or the methods specified in item a.
• Magnetic tape: It is destroyed by de-magnetizing or physical methods such as burning or melting.
• Sim Card and fixed memory cards: They are destroyed by the appropriate methods specified in item a.
• Optical discs: destroyed by physical methods such as burning, breaking into small pieces, melting.
• Peripherals with fixed Data Recording Environment: They are destroyed by the appropriate methods specified in item a.
c. Printed Media: Destroyed using paper shredders. Electr by scanning from the original paper format