Personal Data Storage, Deletion, Destruction and Transfer Policy
SOWIND ENERJİ SİSTEMLERİ DIŞ TİCARET LİMİTED ŞİRKETİ
- Purpose of Preparation of Personal Data Storage, Deletion, Destruction and Transfer Policy
The purpose of this Policy is to set out the rules for the updating, transfer, anonymization, deletion, and destruction of personal data in SOWIND ENERJİ SİSTEMLERİ DIŞ TİCARET LİMİTED ŞİRKETİ (hereinafter referred to as the Company). The Policy enters into force with the decision of the Board of Directors. The implementation of the Policy is monitored by the Personal Data Protection Committee appointed by the decision of the Board of Directors or by the Responsible Officer appointed by the Board of Directors.
- Preparation of Personal Data Storage and Destruction Policy and Amendments
The Policy enters into force with the decision of the Board of Directors of the Company. The implementation of the Policy is monitored by the Personal Data Protection Committee / Responsible Officer appointed by the decision of the Board of Directors. The Board of Directors may renew the Policy ex officio or upon the proposal of the Committee/responsible person and may make changes in the Policy.
- Definitions
| Abbreviation | Definition |
| --- | --- |
| Law | Law No. 6698 on the Protection of Personal Data |
| Personal Data Protection Committee / Officer | The Personal Data Protection Committee established by the decision of the Board of Directors within SOWIND ENERJİ SİSTEMLERİ DIŞ TİCARET LİMİTED ŞİRKETİ and responsible for the internal operation of the Company regarding the protection and processing of personal data, or the member selected by him/her. |
| Explicit Consent | Consent on a specific subject, based on information and expressed with free will |
| Receiver Group | The category of natural or legal person to whom personal data is transferred by the data controller |
| Data Subject (Contact Person) | The natural person whose personal data is processed. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Anonymization of Personal Data | Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. |
| Destruction of Personal Data | Deletion, destruction, or anonymization of personal data. |
| Deletion of Personal Data | The process of making personal data inaccessible and non-reusable in any way for the relevant users. |
| Destruction of Personal Data | The process of making personal data inaccessible, irretrievable, and non-reusable by anyone in any way. |
| Policy | SOWIND ENERJİ SİSTEMLERİ DIŞ TİCARET LİMİTED ŞİRKETİ Personal Data Storage, Deletion and Destruction Policy. |
| Company | SOWIND ENERJİ SİSTEMLERİ DIŞ TİCARET LİMİTED ŞİRKETİ |
| Board of Directors | Board of Directors of SOWIND ENERJİ SİSTEMLERİ DIŞ TİCARET LİMİTED ŞİRKETİ. |
| Regulation | The Regulation on Deletion, Destruction or Anonymization of Personal Data, which entered into force upon publication in the Official Gazette dated October 28, 2017. |
- Environments where Personal Data is Recorded
The Company retains the personal data obtained within the scope of data processing activities carried out in accordance with the Law, provided that retention is limited to the extent required by the purpose of processing. In this context, the personal data obtained are stored by the Company in physical and electronic media.
- Legal, Technical and Other Reasons Requiring Storage and Destruction of Personal Data
Personal data obtained directly or indirectly in accordance with the data processing conditions in the Law are kept by the Company in accordance with the law and good faith for the period stipulated by the relevant legislation or required by the purpose of processing.
The Company keeps the information and documents containing personal data related to its commercial activities for the period of limitation within the scope of the fulfillment of its legal obligations arising from the Turkish Commercial Code No. 6102 and Labor Law No. 4857 and other relevant legislation and the establishment, use or protection of its rights, which is one of the data processing conditions in the Law. The Company keeps the job applications made to it in the company systems until the applicants’ request for deletion. From time to time, personnel needs are met from among the applications registered in the system.
In addition, the Company may store the personal data obtained by the Company limited to the realization of the processing conditions specified in Articles 5 and 6 of the Law.
Personal data should be deleted if the reasons requiring its storage disappear in accordance with the general principles set out in Article 4 of the Law. In addition, storage activities carried out based on the explicit consent of the data subject are immediately terminated and the relevant personal data must be deleted if the consent is revoked by the data subject. In cases where the data subject has submitted his/her request for deletion of his/her data to the Company within the scope of his/her rights under Article 11 of the Law, the request is evaluated by authorized persons within the Company and personal data are destroyed if all the data processing conditions specified in the Law are eliminated.
- Technical and Administrative Measures Taken for Secure Storage of Personal Data and Prevention of Unlawful Processing and Access
The Company takes all kinds of technical and administrative measures to ensure the lawful processing and security of personal data; provides training to the Company personnel and periodically conducts audits to comply with these measures.
The Company analyzes the personal data processing processes carried out by each department within its organization and takes necessary actions to ensure compliance with the law in existing and added processes.
All stages of data collection in the Company are reviewed one by one, and efforts are made to ensure that data is obtained in accordance with the law. While receiving job applications, approval texts related to them are also received, and the approval process regarding their applications is completed by e-mailing those who send an e-mail to the Company’s secilcavuslu@panzercrom.com e-mail address.
Company employees are informed not to disclose the personal data they learn within the scope of their work to any third person and/or organization. Accordingly, confidentiality clauses are added to the service contracts between the employee and the Company, and a commitment is obtained from the employees that these confidentiality obligations will continue after they leave their duties.
In addition, provisions stating that the recipient group will take all kinds of measures to ensure the security of personal data are added to the contracts with third parties and/or organizations to which the Company transfers personal data in accordance with Articles 8 and 9 of the Law.
The Company takes all kinds of technical measures within the framework of technological possibilities and costs to ensure the security of personal data in information systems. Examples include the use of firewalls, real-time (penetration) tests, installation of security software on all devices, strong password application, and access procedures based on units and business processes. To prevent unlawful access to personal data and disclosure of personal data, encryption systems are used in the Company’s software; employees’ access to data is limited to their job scope.
In addition, the Company has put into effect various policies to ensure compliance with the law. This Policy and other policies are updated in accordance with changing legislation and emerging needs.
- Cleaning Personal Data in Common Files on the Computer Environment: Files and images that were not useful were deleted, files and images that were thought to be useful or specified were added to folders that only IT has access to.
- Updating Access Authorizations: Access authorizations in common files were restricted and employees were given access only to files related to their work. The new access authorization was arranged to be given after manager approval and written request.
- Updating All HR Forms: All the forms we receive on the job or while working were evaluated and unnecessary personal data was removed.
- Updating the HR Common Folder: Our HR folders in the computer environment were scanned and all unnecessary or outdated personal data were cleaned.
- Updating Our Reports: All our reports were scanned and reports containing personal data were evaluated and unnecessary personal data was cleaned.
- PDP Coordinatorship/Committee: A lower and upper board/committee was established.
- Training: All staff were trained on the PDP Law and their responsibilities were explained. It was also decided to include the training in mandatory trainings and to repeat it once a year.
- Consent: Consent signatures were obtained from all personnel and a clarification text was published. It was added to the forms to be signed upon employment.
- PDP Procedure & Information Security Procedure: PDP Law Procedure was prepared. We are working on the Information Security Procedure.
- E-mail Alert and Site Update: E-mail alerts to be automatically added to e-mails were prepared and a text about PDP was added to our website.
- Technical and Administrative Measures Taken for the Lawful Destruction of Personal Data
Unless otherwise decided by the Board, the Company is authorized to choose the appropriate method of ex officio deletion, destruction, or anonymization of personal data in accordance with the Regulation. At the request of the data subject, the Company chooses the appropriate method by explaining its reasoning.
The Company takes all kinds of technical and administrative measures to delete, destroy or anonymize personal data in accordance with the law. The most appropriate methods are used, considering the technological possibilities and implementation costs of the Company.
Destruction processes are supervised by the Committee / Responsible Officer established within the Company to ensure the legal compliance of personal data processing processes. Periodic destruction processes are carried out jointly by at least two persons within this unit, and a written commitment is obtained from these persons that no copies of the destroyed personal data are taken. The officers will also be determined by the Committee / Responsible Officer.
If the devices in the company that carry personal data are no longer usable and will be sold or left outside, the data in the device is destroyed, and if this is not possible, the device is destroyed.
- Titles, Units and Job Descriptions of Those Involved in Personal Data Storage and Destruction Processes
The processes regarding the storage and destruction of personal data are carried out by the Committee / Responsible, which is established within the Company and is responsible for ensuring that personal data is processed in accordance with the law.
A “Personal Data Protection Committee” or, if deemed sufficient, a “Responsible” is appointed within the Company, which will include more than one officer, considering criteria such as the size and organizational structure of the processing activities, especially the status and intensity of processing of special quality data in business processes. Again, an Assistant Data Protection Officer may be appointed based on the need.
The duties of the Personal Data Protection Officer are as follows:
- To ensure that personal data processing processes comply with the Law, the Regulation, other secondary legislation, and the privacy policies of the Company,
- To evaluate and finalize requests from data subjects,
- To participate in the destruction of personal data,
- To determine the measures required by the Company regarding personal data security and to ensure that they are taken,
- To conduct periodic audits regarding the compliance status of the Company,
- To prepare and propose a training plan to increase the awareness of employees on developments and changes in the legal field and practice.
- Periodic Destruction Periods
The Company deletes, destroys, or anonymizes personal data at the first periodic destruction following the date on which the obligation to delete, destroy or anonymize personal data arises.
The time interval for periodic destruction is 1 year. However, if the retention period of the personal data to be destroyed is less than 1 year, this period shall apply for the destruction of the relevant personal data.
- Storage and Destruction Periods
The retention and destruction periods for the personal data processed by the Company are shown in the table below. The provisions of the legislation regarding the legal basis of the retention periods are included in the annex of this Policy.
| Category of Data | Storage and Destruction Period | Legal Basis |
| --- | --- | --- |
| Visitor Data | Generally, it is kept for 1 year. After this period, it is deleted. | Turkish Commercial Code No. 6102, Highway Traffic Law, Turkish Criminal Code No. 5237, Turkish Code of Obligations No. 6098, and other relevant legislation regulating the statute of limitations. |
| Personal data relating to company employees | Retained for the duration of the service relationship. | Turkish Code of Obligations No. 6098, Labor Law No. 4857 and other relevant legislation regulating the statute of limitations. |
| Personal data relating to suppliers and supplier representatives from whom the Company receives goods and/or services | It is kept as long as the commercial relationship continues. In cases where it is thought that there will be no commercial relationship and no commercial relationship has been established for many years, it is kept for the legal statute of limitations + 1 year. It is deleted at the end of this period. | Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098 and other relevant legislation regulating the statute of limitations. |
| Camera recordings obtained through Closed Circuit Imaging Systems | It will be deleted after one month if there has been no judicial incident and if it has not been requested by official institutions. | In accordance with the Law No. 6698 on the Protection of Personal Data, it is kept for a reasonable period of 15 days within the scope of the legitimate interests of the data controller Company. |
| Items left within the company and containing personal data | If the owner cannot be reached, it is kept for 6 months. At the end of the period, it is destroyed with a report. | In accordance with the Law No. 6698 on the Protection of Personal Data, it is stored for a reasonable period of 6 months within the scope of the legitimate interests of the data controller Company. |
| Job Applications-Resumes | Applications are stored in the system until the applicant’s request for deletion and are immediately destroyed at the request of the approval holder. | It is stored in the legitimate interest of the applicant and in the context of his/her application. |
| Data on former employees who left their jobs | It is kept for 15 years because of possible labor lawsuits, especially lawsuits based on occupational diseases. | Stored due to the Labor Law. |
DURATION OF LIMITATIONS
Under the Turkish Commercial Code No. 6102, Turkish Criminal Code No. 5237, and Turkish Code of Obligations No. 6098, the statute of limitations to be taken into consideration should be evaluated as follows:
- Visitor Information
Since there is no special regulation in terms of any judicial case or investigation, it is destroyed in the first destruction process after the end of the company visitor book. Visitor data kept in digital form is kept for 30 days.
- Data of Company Employees
Personal files must be kept for the duration of the employment relationship. When the employment relationship ends, the periods in question are subject to the periods in the former employee status.
- Data on Former Employees
Data on former employees are kept for 15 years, considering occupational disease lawsuits, and are destroyed at the end of this period. If there is a lawsuit, the files are kept until the case is finalized.
- Camera Records
They are automatically deleted once a month. In the event of a situation that may be subject to litigation, these are separated and stored, and the rest are deleted.
- Supplier Information
Real person supplier information is destroyed after 10 years if the contractual relationship has ended and will not continue.
- Ongoing Litigation Files
If a litigation process related to one of the above-mentioned statute of limitations and destruction processes is ongoing, then the data is kept until the end of the litigation process and the finalization of the court decision, even if the time for destruction has arrived. Destruction is carried out 1 year after the date of finalization or if the process continues with execution, etc.