This Personal Data Retention and Destruction Policy ("Policy") has been prepared by ERKAL Uluslararası Nakliyat ve Ticaret A.Ş. ("TK TUZLA SHIPYARD") ("Company"), registered as data controller with the Istanbul Trade Registry Directorate under registration number 444352-0 and located at Evliya Çelebi Mah. Tersaneler Cad. No.50 Tuzla/Istanbul, to govern the storage, anonymization and deletion of personal data in accordance with the Personal Data Protection Law No. 6698 ("KVKK") and the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation") issued under that law; to fulfil the obligations stipulated for the storage, anonymization and deletion of personal data, in particular by determining the maximum periods required for the purposes for which personal data are processed and by regulating the processes of anonymization, deletion and destruction of data; and to inform the relevant persons on these matters.
2. DEFINITIONS
Active Directory: The service that allows users to connect to the domain environment and allows it to be managed from a single center,
Explicit Consent: Consent on a specific subject, based on information and expressed with free will,
Anonymization: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data,
Archive Cabinets: Cabinets where the physical folders kept by each unit in the company for their completed and archived activities are kept,
Unit Cabinets: Cabinets where the physical folders kept by each unit in the company for their active activities are kept,
Exchange Server: Provides management of mail accounts of users connected to Active Directory.
File Server: Allows users to manage their frequently used files such as Desktop, Documents, Favorites from a central location.
Firewall: It is a hardware device that provides security in both mail and internet to prevent attacks from outside the company and to prevent users from being exposed to such attacks. Internet access restrictions are also set through this device.
Physical Destruction: The physical destruction of optical media and magnetic media, such as melting, incineration or pulverization.
Destruction: Deletion, destruction or anonymization of personal data,
Relevant Person: The natural person whose personal data is processed,
Relevant User: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data,
Law: Law No. 6698 on the Protection of Personal Data,
Recording Medium: Any medium containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system,
Personal Data: Any information relating to an identified or identifiable natural person,
Personal Data Retention Table: The table showing the periods for which personal data will be stored within the Company,
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes of processing personal data, data category, transferred recipient group and data subject group, and detailing the maximum time required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security,
Deletion of Personal Data: The process of making personal data inaccessible and non-reusable in any way for the relevant users,
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and non-reusable by anyone in any way,
Logo Software: The software through which the accounting department controls the accounting work and enters their data,
Model ERP: Automation software used for the execution of material requisition, attendance, OHS, PBS, etc. within the company,
OpenScape Business X8 (Switchboard Device): The recording medium where the information of the numbers calling the switchboard line is kept,
Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,
Periodic Destruction: The process of deletion, destruction or anonymization to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the Law disappear,
Company: ERKAL Uluslararası Nakliyat ve Ticaret A.Ş. ("TK TUZLA SHIPYARD"),
Overwriting: The process of writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media to prevent the recovery of old data.
Data Recording System: The recording system where personal data is structured and processed according to certain criteria,
Printer Interface: The printer unit where printer usage information is recorded,
Regulation: The Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.
3. RECORDING MEDIA
In the implementation of this Policy, recording media means any environment where personal data is available. The Company stores the personal data it processes in the following recording media in accordance with the relevant legislation, especially the Personal Data Protection Law No. 6698, and by taking the most up-to-date measures regarding data security.
In this context, the recording media in the Company:
- Unit Cabinets,
- Archive Cabinets,
- Active Directory,
- File Server,
- Printer Interface,
- Email Server,
- Firewall,
- ERP,
- Accounting Software,
- Switchboard Device,
- Barbaros Invitation Module and Face Recognition System.
a) Personal data of the Data Subjects may be processed by the Company for the following purposes:
Staff: Your personal data collected by the Company may be used for evaluating suitability for the job, creating a personnel file, making SSI entries, conducting communication activities, directing legal requests, issuing a work document when leaving the job, checking the family status notification, making salary and other payments, following up leave rights, enabling the employer to use it as evidence in possible lawsuits, obtaining signatures from the personnel as required by legal obligation, following up lawsuits, enforcing enforcement decisions, providing appropriate clothing for work, making LVP payments, determining the wage policy, performance evaluation, notifying the SSI, notifying İŞKUR, monitoring the health and occupational diseases of employees, obtaining port entry permits for employees, obtaining entry permits to shipyards in the hazardous works class, tracking overtime, carrying out accounting affairs, accounting for the release agreement of departing personnel, tracking the use of computers, tracking the use of printers, retrospective follow-up of work carried out via e-mail, ensuring internet security, ensuring general security, determining suitability for work within the scope of OHS legislation, determining participation in OHS trainings, applying OHS penalties, determining participation in employee representative elections, creating accident reports and querying the operator certificate for operators.
Employee Candidates: Your personal data collected by the Company is processed for the purposes of evaluating job suitability and ensuring communication.
Service Providers: Your personal data collected by the Company is processed for the purposes of conducting communication activities, carrying out the procurement processes of goods and services and issuing withholding tax returns.
Customers: Your personal data collected by the Company is processed in order to establish communication, to carry out visa procedures and to obtain entry permits to shipyards and ports.
Subcontractor employees: Your personal data collected by the Company may be processed for the evaluation of suitability for work, control of SSI registration, control of salary payments of subcontractor company employees, conducting communication activities, performance evaluation, monitoring employee health and occupational diseases, intervening in emergencies, obtaining port entry permits, obtaining entry permits to shipyards in the hazardous works class, tracking overtime, ensuring general safety, determining suitability for work within the scope of OHS legislation, determining participation in OHS trainings, applying OHS penalties, determining participation in employee representative elections, creating accident reports and querying the operator certificate for operators.
Company owners and employees on site; foreign ship employees and visitors: Your personal data collected by the Company is processed to ensure entry and exit control and general security.
Tenants: Your personal data collected by the Company is processed for the purpose of establishing the lease agreement and carrying out accounting affairs.
Switchboard: Your personal data collected by the Company is processed for the purpose of establishing communication.
b) Pursuant to the Regulation, in the cases listed below, the personal data of the data subjects shall be deleted or destroyed by the Company ex officio or upon request:
a. Amendment or abolition of the provisions of the relevant legislation that constitute the basis for the processing or storage of personal data,
b. The purpose requiring the processing or storage of personal data disappears,
c. The conditions requiring the processing of personal data under Articles 5 and 6 of the Law have ceased to exist,
d. In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject's withdrawal of consent,
e. The application of the data subject for the deletion, anonymization or destruction of his/her personal data is accepted by the data controller,
f. In cases where the data controller rejects the application made by the data subject with the request for the deletion, anonymization or destruction of personal data, the response is found insufficient or does not respond within the period stipulated in the Law, a complaint is filed to the Personal Data Protection Board and this request is approved by the Board,
g. Although the maximum period of time required for the retention of personal data has elapsed, there are no circumstances justifying the retention of personal data for a longer period of time.
5. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SECURE STORAGE AND LAWFUL PROCESSING OF PERSONAL DATA
a) Technical Measures:
- Technically knowledgeable personnel are employed.
- Access authorizations are limited, and authorizations are regularly reviewed.
- Access to data storage areas containing personal data is logged and inappropriate access or access attempts are instantly communicated to the relevant persons.
- With the Fortigate firewall, attacks coming from outside such as DDoS and intrusion attempts (blocked by IPS) are prevented, and attacks such as mail phishing are prevented with SpamTitan.
- Possible threats that get past the firewall are prevented by the Sophos antivirus installed locally.
- In order to protect users' work files and prevent data loss, profiles on users' computers are redirected to the FILE server. In this way, physical or software-related damage to local copies is also prevented.
- In order to avoid problems with mail and to recover mails that users delete intentionally or inadvertently, copies of incoming and outgoing mails are backed up in two mailboxes.
- These two mailboxes are backed up to another location with MailStore.
- In addition to the above backup operations, the same operations are also performed for user files on the FILE, MUHSRV- TKTUZLA-MUH server. For deleted or destroyed files, Microsoft's Shadow Copy feature is used in the first place; if that fails, both daily and 3-hourly backups can be restored with VEEAM software from the TKVEEAM and DSRVEEAM servers, which are backed up to different locations. Thanks to VEEAM, it is also possible to retrieve e-mails.
b) Administrative Measures
- Employees are informed and trained on the law on the protection of personal data and the processing and storage of personal data in accordance with the law.
- Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the Law and cannot use them for purposes other than processing, and that this obligation will continue even after their resignation; the contracts between the Company and the employees include records that impose the obligation not to process, disclose and use personal data, except for the Company's instructions and exceptions imposed by law, and the awareness of the employees is raised in this regard.
- Employees are informed and trained on the law on the protection of personal data and the destruction of personal data in accordance with the law.
- The personnel who will destroy the personal data registered in the Personal Data Inventory have been identified.
- Personal data storage and destruction activities carried out within the Company are audited.
- Technical measures taken are reported to the relevant person.
a. Methods of Deletion of Personal Data
i. Personal Data on Paper Media: It is erased using the blackout method. The blackout process is performed by making the personal data on the relevant document invisible to the relevant users by using fixed ink in a way that cannot be reversed and cannot be read by technological solutions.
ii. Office Files Located on the Central Server: Irreversibly deleted with the delete command in the operating system.
b. Methods of Destruction of Personal Data
i. Personal Data on Local Systems: Destroyed by using the appropriate method among physical destruction and overwriting.
ii. Personal Data in Peripheral Systems: Data in peripherals whose recording medium is fixed, such as printers and security cameras, is destroyed by using the appropriate method among physical destruction and overwriting.
8. OFFICERS INVOLVED IN THE STORAGE AND DISPOSAL PROCESSES

| PROCESS RESPONSIBLE | TASK | RESPONSIBILITY |
|---|---|---|
| Administrative Affairs Manager | Security, Power Plant, Production, Planning - Personal Data Retention and Destruction Policy Implementation Officer | Ensuring that the data processed by the department in charge complies with the retention period in this Data Retention and Destruction Policy and managing the personal data destruction process during periodic destruction periods. |
| Human Resources Chief | Human Resources Department - Personal Data Retention and Destruction Policy Implementation Officer | Same as above. |
| Accounting Manager | Financial Affairs Department - Personal Data Retention and Destruction Policy Implementation Officer | Same as above. |
| Chief Information Officer | IT Department - Personal Data Retention and Destruction Policy Implementation Officer | Same as above. |
| Occupational Health and Safety Manager | OHS Department - Personal Data Retention and Destruction Policy Implementation Officer | Same as above. |
| Finance Manager | Finance Department - Personal Data Retention and Destruction Policy Implementation Officer | Same as above. |
| Human Resources Supervisor / Attendance Employees | Attendance Department - Personal Data Retention and Destruction Policy Implementation Officer | Same as above. |
| Workplace Physician | Infirmary - Personal Data Retention and Destruction Policy Implementation Officer | Same as above. |

| DATA CATEGORY | STORAGE TIME | DISPOSAL PERIOD |
|---|---|---|
| Other data that is necessary for the establishment or performance of a contract or processed within this scope | 10 years from the date of termination of the Contract in accordance with the Turkish Code of Obligations | During the first periodic destruction following the end of the storage period |
| Employee health data | 15 years from the date of termination of employment in accordance with Occupational Health and Safety legislation | During the first periodic destruction following the end of the storage period |
| Personnel File Data | 10 years from the employee's termination date | During the first periodic destruction following the end of the storage period |
| Visitor entry and exit information to ensure building security within the scope of legitimate interest | 5 years | During the first periodic destruction following the end of the storage period |
| Data on the tenant arising from the lease agreement | 5 years from the date of termination of the contract in accordance with the Turkish Code of Obligations | During the first periodic destruction following the end of the storage period |
| Camera recordings taken to ensure general security | 30 days | During the first periodic destruction following the end of the storage period |
| Other data for which a special retention period is stipulated in the relevant legislation | During the retention period stipulated in the relevant legislation | During the first periodic destruction following the end of the storage period |
| Personal data processed based on consent | Until the request of the data subject to delete his/her personal data | Within 30 days of the relevant person's request |
Physical and digital data that have expired their legal retention and destruction periods are periodically destroyed. The Company deletes or destroys personal data in the first periodic destruction process following the date on which the obligation to delete or destroy personal data arises.
Periodic destruction is carried out at 6-month intervals for all personal data.
Transaction records regarding deletion and destruction are kept for 3 years.
11. UPDATE INFORMATION
The first version of the Policy is already in force.