1. Purpose of Drafting Personal Data Keeping, Deletion, Destruction and Transfer Policy
The purpose of this Policy is to make regulations on updating, transferring, anonymising, deletion and destruction of personal data at EN GÜMRÜK MÜŞAVİRLİĞİ LOJİSTİK DEPOLAMA İTHALAT VE İHRACAT TİCARET A.Ş. (hereinafter to be referred to as the “Company”). The Policy comes into force with the resolution of the Board of Directors. The implementation of the Policy is pursued by Personal Data Protection Committee assigned with the resolution of the Board of Directors or a Responsible Person being elected by the Committee.
  1. Drafting Personal Data Keeping and Destruction Policy and Amendments
The Policy comes into force with the resolution of the Board of Directors. The implementation of the Policy is pursued by Personal Data Protection Committee/Responsible assigned with the resolution of the Board of Directors. The Board of Directors may ex officio or with the recommendation of Committee/Responsible renew and make amendments in the Policy.
  1. Media Where Personal Data Are Saved
The Company keeps the personal data, which it has obtained within the scope of data processing activities which it performs in compliance with the Law, provided that it shall be limited with the measure the purpose of processing requires. In this context, the personal data being obtained are kept at physical and electronic media by the Company.
  1. Legal, Technical and Other Reasons Requiring Personal Data Keeping and Destruction
The personal data being obtained directly or indirectly in compliance with the conditions of data processing provided under the Law are kept by the Company in compliance with the Law and rules of honesty during the period stipulated by relevant legislation or the purpose of processing so requires. The Company keeps the information and documents containing personal data regarding commercial activities within the scope of performing legal liabilities arisen from 6102 No Turkish Commercial Code and 4857 No Labour Code and other relevant legislation and establishing, using or protecting rights, which is one of the conditions of data processing provided under the Law, during the period of lapse time. The Company keeps job applications made in company systems until the deletion request of the applicants. From time to time, the personnel need is covered amongst applications recorded in the system. The Company may also keep the personal data it has obtained for the purpose of meeting the conditions of processing provide under the Article 5 and 6 of the Law. Personal data should be deleted when reasons requiring them to be kept in compliance with the general principles provided under the Article 4 of the Law are revoked. Also, data keeping activities being performed based on express consent of the data owner are immediately terminated if the consent is withdrawn by the data owner and relevant personal data should be deleted. In cases when the data owner submits request on deletion of its data within the scope of its rights provided under the Article 11 of the Law, the request is evaluated by persons authorised at the Company and personal data are deleted if all conditions of data processing provided under the Law are revoked.
  1. Technical and Administrative Measures Taken To Keep Personal Data In A Safe Manner and To Prevent Illegal Processing and Access
The Company takes any technical and administrative measures to ensure legal processing and ensuring safety; gives training to its personnel and conducts periodical inspections for the purpose complying with such measures. The Company analyses personal data processing performed by each department at the Company and takes necessary actions to ensure legality in existing and added processes All phases on data collection at the Company are reviewed one by one and deeds are performed to obtain data legally. Consent statements are taken while accepting job applications and job applications made to [email protected] are responded via e-mail and relevant consent process is completed. The company employees are informed regarding not to disclose the personal data they have learned during performance of their work to any third party and/or legal person. Confidentiality clauses are included in labour contracts between the Employee and Company; and a warranty that their secret keeping liabilities continue even after their employment ceases. Also, clauses regarding that the receiver shall take any measure to ensure the safety of personal data are included in agreements between the Company and third parties and/or legal persons to whom personal data transfer is made in compliance with the Articles 8 and 9 of the Company. The Company takes any technical measure within the framework of technological facilities and costs for the purpose of ensuring the safety of personal data kept at information systems. For instance, firewalls, real time penetration tests, installation of security software to all devices, strong passwords, access procedures on the basis of unit and business processes. Encoding systems are used in company software for the purpose of preventing illegal access to and disclosure of personal data; the access of employees to data are restricted with their job definition. Besides, the Company has put various policies to ensure legality. This Policy and other Policies are updated in compliance with the changing legislation and arising needs. Also;
  • Cleaning Personal Data Contained In Common Files On The Computer: useless files and pictures have been deleted; the files and pictures deemed useful have been added to folders, which may be accessed by only the IT Department.
  • Access Powers Update: Access powers on common files have been restricted and employees may now access to only files related with their works. New access power has been regulated in a manner to grant it with the approval of the director and after written request.
  • Updating All HR Forms: All forms we have taken during work have been evaluated and unnecessary personal data have been removed.
  • Updating Common HR Folder: Our HR folders on computers have been scanned and all unnecessary and outdated personal data have been deleted.
  • Updating Reports: All reports have been scanned and reports containing personal data have been evaluated and personal data deemed as unnecessary have been deleted.
  • LPPD Coordinator/Committee: One inferior and one superior board/committee have been established.
  • Training: All personnel have been trained on LPPD and their responsibilities have been explained. Also, it is decided to include training in mandatory trainings and repeat it once a year.
  • Consent Statement: Consent signatures have been taken from all personnsl and a clarification letter has been published. It has been added amongst forms to be signed at the moment of recruitment.
  • LPPD Procedure & Information Security Procedure: LPPD Procedure is drafted. We are working on Information Security Procedure.
  • e-mail Warning and Web Site Update: e-mail warning to be attached to mails is drafted and a text related with LPPD has been added to our web site.
  1. Technical and Administrative Measures Taken For Legal Deletion of Personal Data
The Company is authorised to select the appropriate method amongst deletion, destruction or anonymisation of personal data ex officio under the Regulation unless a resolution otherwise is resolved by the Board. In case of request by the data owner, it selects the appropriate method be explaining the reason. The Company is taking any technical and administrative measure to delete, destruct or anonymise personal data legally. Most appropriate methods are being used by considering Company’s technological facilities and implementation costs. The destruction processes are audited by the Committee/Responsible being established to ensure legality of personal data processing at the Company. Periodical destruction processes are performed by at least two persons from this department and warranty in writing is obtained from such persons that destructed personal data have not been copied. If the devices located at the Company and holding personal data have become unusable and they shall be sold or abandoned outside the Company then, the data inside are destructed and if this is not possible then, the device is destructed.
  1. Titles, Departments and Job Definitions Taking Part In Keeping and Destruction of Personal Data
The processes regarding keeping and destruction of personal data are performed by the Committee/Responsible established at the Company and in charge to ensure legal processing of personal data. A “Personal Data Protection Committee” in which more than one official shall take part or if found necessary one “Responsible” shall be assigned by considering mainly private personal data processing status and criteria such as density in work processes and the size of processing activities, organisation structure. A Deputy Data Protection Responsible may be assigned depending on the need. The duties of Personal Data protection Responsible are as follows:
  • To ensure compliancy of personal data processing procedures with the Law, Regulation, ancillary legislation and confidentiality policies of the Company,
  • To evaluate and conclude request from data owners,
  • To actually participate at destruction of personal data,
  • To determine and ensure measures needed by the Company on personal data safety to be taken,
  • To perform / have had performed periodical inspection regarding the compliancy status of the Company,
  • To draft training program and make recommendations on increasing the awareness of the employees in legal field and on developments and changes in the practice.
  1. Periodical Destruction Terms
The Company deletes, destructs or anonymises personal data at the first periodical destruction procedure following the date the liability of deleting, destructing or anonymising personal data arises. The time interval when periodical destruction shall take place is 1 year. However, if the period of keeping personal data, which should be destructed is less than 1 year then, such period shall apply regarding the destruction of relevant personal data.
  1. Keeping and Destruction Terms
The terms for keeping and destruction personal data being processed by the Company are given in the table below. Provisions of legislation on legal grounds of keeping terms are given in the appendix of this Policy.
DATA CATEGORY KEEPING AND DESTRUCTION TERM LEGAL GROUNDS
Visitor Data Kept for 1 year in general. Deleted at the end of this period. 6102 No Turkish Commercial Code, Highways Traffic Law, 5237 No Turkish Criminal Code, 6098 No Turkish Obligations Code and other relevant legislation where lapse of time is stipulated.
Personal data of company employees Kept during the term service relation continues. 6098 No Turkish Obligations Code, 4857 No Labour Code and other relevant legislation where lapse of time is stipulated.
Personal data of the suppliers and supplier representatives from whom the Company purchases goods and/or services Kept during the term commercial relation continues. Kept for lapse of time term + 1 year in cases where it is thought that there shall be no commercial relation; commercial relation is not established. Deleted at the end of this period. 6102 No Turkish Commercial Code , 6098 No Turkish Obligations Code and other relevant legislation where lapse of time is stipulated.
Camera recording obtained through Closed Circuit Camera Systems Deleted at the end of six months in case no judicial event has occurred and governmental authorities have not requested. Kept for a reasonable period of time of 15 days within the scope of legit interests of the data responsible company in compliance with the 6698 No Law on Protection of Personal Data.
Goods being forgotten at the Company and containing personal data Kept for 6 months if the owner could not be reached. Destroyed at the end of the period with a minutes drafted. Kept for a reasonable period of time of 6 months within the scope of legit interests of the data responsible company in compliance with the 6698 No Law on Protection of Personal Data.
Job Applications – Résumés Applications are kept in the system until request of deletion by its owner and destroyed immediately upon request of consent holder. Kept based on legit interest and application of the applicant.
Data pertaining to former employees who quit job Kept for 15 years due to possible labour cases and particularly cases based on occupational diseases. Kept due to Labour Code.
LAPSE OF TIME TERMS The lapse of time terms, which should be considered within the framework of 6102 No Turkish Commercial Code, 5237 No Turkish Criminal Code, 6098 No Turkish Obligations Code should be evaluated as follows Visitor Data Since there is no special regulation in respect of any judicial case or investigation, they are destroyed at the first destruction procedure after the company visitor book is full. Visitor data being kept digitally are kept for 30 days. Company Employee Data They should be kept in personal labour files as long as the labour relation continues. Such terms are subject to terms related with former employee when labour relation terminates. Former Employee Data Former employee data are kept for 15 years by considering occupational disease cases and destroyed at the end of such term. If there is a pending case then, files are kept until case is concluded. Camera Recordings Deleted semi-annually automatically. If any event subject to a case occurs then, these are separated and kept, and remaining is deleted. Supplier Data Real person supplier data are destroyed after 10 years if contractual affairs terminated and shall not continue. Pending Files If judicial proceeding continues in relation with the lapse of time and destruction procedures above then, data are kept until the proceeding expires and court order becomes final. The destruction of data is performed 1 year after the date the order becomes final or the procedure continues with transactions like execution.