1.1 Purpose
This Personal Data Retention and Destruction Policy (“Policy”) applies in full to Arteng Yapı İnşaat Taahhüt Ve Mühendislik Sanayi Ticaret Limited Şirketi (hereinafter referred to as the “Company”) within the framework of the applicable legislation and is based on nationally recognized fundamental principles regarding the destruction of personal data. It contains the framework and principles for carrying out necessary destruction activities within the scope of relevant legislation.
Article 7, paragraph 3 of the Law on the Protection of Personal Data (“Law”) states that “Procedures and principles regarding the deletion, destruction, or anonymization of personal data are regulated by regulation.” Based on this provision and Article 22, paragraph 1, subparagraph (e) of the Law, the Personal Data Protection Board (“Board”) has prepared the Regulation on the Deletion, Destruction, or Anonymization of Personal Data (“Regulation”), published in the Official Gazette numbered 30224 on October 28, 2017.
Based on the above regulation, the purpose of this Policy is to determine the procedures and principles regarding the deletion, destruction, or anonymization of personal data processed in the conduct of the Company's activities in accordance with the Regulation.
1.2 Scope
This Policy covers personal data of employees, job applicants, visitors, third parties we cooperate with, and employees of third parties at the Company. It applies to all recording environments where personal data owned by or managed by the Company is processed and to all activities related to personal data processing.
| Term | Definition |
|---|---|
| Recipient group | Category of real or legal persons to whom personal data is transferred by the data controller |
| Explicit Consent | Consent expressed freely based on information regarding a specific subject |
| Anonymization | Making personal data in such a way that it cannot be associated with an identified or identifiable real person, even when combined with other data |
| Electronic Environment | Environments where personal data can be created, read, modified, and written using electronic devices |
| Non-Electronic Environment | All other written, printed, visual, or similar environments outside electronic environments |
| Data Subject | Real person whose personal data is processed |
| Relevant User | Individuals processing personal data within the organization of the data controller or based on the authority and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of data |
| Destruction | Deletion, destruction, or anonymization of personal data |
| Law | Law No. 6698 on the Protection of Personal Data |
| Recording environment | Any environment where personal data is processed, whether fully or partially automated or as part of any data recording system, including non-automated methods |
| Personal data | Any information relating to an identified or identifiable real person |
| Personal data owner | The real person whose personal data is processed |
| Processing of personal data | Any operation performed on personal data, whether fully or partially automated or part of a data recording system, including obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, acquiring, making accessible, classifying, or preventing use |
| Personal data processing inventory | Inventory created by data controllers detailing personal data processing activities according to business processes, linking processing purposes, data categories, recipient groups, and subject groups, maximum retention periods, cross-border transfers, and security measures |
| Board | Personal Data Protection Board |
| Authority | Personal Data Protection Authority |
| Special category personal data | Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association/membership, health, sexual life, criminal record and security measures, and biometric and genetic data |
| Periodic destruction | Deletion, destruction, or anonymization carried out periodically when all conditions for processing personal data under the Law no longer exist, as stated in the data retention and destruction policy |
| Policy | Policy used by data controllers to determine the maximum retention period for personal data and the basis for deletion, destruction, and anonymization |
| Registry | Data controller registry maintained by the Personal Data Protection Authority |
| Data processor | Real or legal person processing personal data on behalf of the data controller based on the authority given |
| Data recording system | System in which personal data is structured and processed according to certain criteria |
| Data controller | Real or legal person determining the purposes and means of processing personal data, responsible for establishing and managing the data recording system |
| Regulation | Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette dated 28.10.2017 and numbered 30224 |