DATA STORAGE AND DESTRUCTION POLICY UNDER KVKK
1. INTRODUCTION
The Personal Data Storage and Destruction Policy ("Policy") encompasses all processes in which Ak Yatçılık Sanayi ve Ticaret Anonim Şirketi ("Company") processes personal data, including all subsidiaries, branches, departments, and employees operating in Turkey, as well as third parties and all storage and destruction activities the Company will apply to personal data. This Policy will apply solely to the processes of destruction and storage of personal data. In case of partial or complete changes, amendments, updates, or abolition of the legislation, the Company will update and modify the Policy to comply with the new legislation.
2. DEFINITIONS
The terms used in the implementation of this Policy are defined below:
Recipient Group
A group formed by individuals or legal entities to whom the personal data is transferred by the data controller.
Related User
Individuals who process personal data within the data controller's organization, or in accordance with the authorization and instructions received from the data controller, excluding the persons or units responsible for the technical storage, protection, and backup of the data.
Destruction
The deletion, destruction, or anonymization of personal data.
KVKK
Law No. 6698 on the Protection of Personal Data.
Record Medium
Any environment in which personal data is processed, either entirely or partially automated or non-automated, and forms part of any data recording system.
Personal Data Processing Inventory
An inventory created by the Company related to the personal data processing activities carried out in connection with its business processes. It details the activities of processing personal data, including the purposes of processing, data category, recipient group to which the data is transferred, and the data subject group. It also outlines the maximum retention period necessary for the purposes for which personal data is processed, the personal data intended for transfer to foreign countries, and the security measures taken for data security.
Board
The Personal Data Protection Board.
Periodic Destruction
The deletion, destruction, or anonymization process to be carried out by the Company at specific time intervals specified in this Policy when all the processing conditions for personal data in KVKK cease to exist.
Registry
The Data Controllers Registry.
Data Record System
The system in which personal data is processed by being structured according to certain criteria.
Data Controller
An individual or legal entity responsible for determining the purposes and means of processing personal data and managing the data recording system.
Regulation
Regulation on the Deletion, Destruction, or Anonymization of Personal Data.
3. PURPOSE AND SCOPE
This Policy applies to individuals or legal entities responsible for the destruction of personal data under Article 7 of the KVKK and set out in the Regulation. It determines the principles that the Company and third parties authorized by the Company through contracts must comply with.
According to the Regulation, the Company, as a Data Controller with a registration obligation to the Registry, is obliged to prepare this Policy and act accordingly to store the personal data it possesses in the personal data inventory properly and to destroy it when necessary.
The following principles will apply to the storage and destruction of personal data:
a) Compliance with the general principles in Article 4 of the KVKK.
b) The Company acknowledges that the sole preparation of this Policy does not imply that personal data is destroyed in compliance with the Regulation, KVKK, and relevant legislation.
c) The Company commits, declares, and undertakes to comply with the security measures specified in Article 12 of the KVKK, the relevant provisions in the legislation, the decisions of the Board, and this Policy when storing, deleting, destroying, or anonymizing personal data.
d) The Company undertakes to ensure compliance with the tools, programs, and processes to be applied in accordance with this Policy and related to the storage and destruction of personal data during the destruction process, where personal data is entirely or partially automated or non-automated and forms part of any data recording system.
e) The Company takes all necessary technical and administrative measures to securely store and prevent the unlawful processing and access of personal data during the storage and destruction processes. These technical and administrative measures are described in the technical guides created for the methods to be used for the storage and destruction of personal data.
f) If the Company has employees present during the storage and destruction processes of personal data, it specifies their title, department, and job descriptions.
4. ENVIRONMENTS AND SECURITY MEASURES
4.1. Record Environments for Personal Data
Personal data stored by the Company is kept in a record environment appropriate to the nature of the relevant data and our legal obligations. The Company acts as the data controller and processes and protects personal data in compliance with the Law, the Personal Data Processing and Protection Policy, and this Personal Data Storage and Destruction Policy. The record environments in which the Company stores personal data are as follows:
a) Computers/servers used on behalf of the Company,
b) Network devices,
c) Shared/non-shared disk drives used for data storage on the network,
d) Mobile phones and all storage areas within them,
e) Paper,
f) Optical disks,
g) Portable disks and flash memories,
h) Cloud environments.
4.2. Ensuring the Security of Environments
The Company takes all necessary technical and administrative measures to securely store personal data and prevent its unlawful processing and access in accordance with the characteristics of the environment where the relevant personal data is kept.
These measures include, but are not limited to, the following administrative and technical measures in proportion to the nature of the relevant personal data and the environment where it is kept.
4.2.1. Technical Measures
The Company takes the following technical measures for all environments where personal data is stored:
- Only up-to-date and secure systems that are compatible with technological advancements are used in environments where personal data is stored.
- Security systems are used for environments where personal data is stored.
- Security tests and research are conducted to detect security vulnerabilities in information systems, and any identified existing or potential risks are addressed.
- Access to environments where personal data is stored is restricted, allowing only authorized individuals limited access for the purpose of storing personal data, and all accesses are recorded.
- The Company has sufficient technical personnel to ensure the security of environments where personal data is stored.
- Backup programs are used in a lawful manner to ensure the secure storage of personal data.
4.2.2. Administrative Measures
The Company takes the following administrative measures for all environments where personal data is stored:
- Efforts are made to increase awareness and educate all Company employees who have access to personal data about information security, personal data, and the privacy of private life.
- Legal and technical consultancy services are obtained or personnel are employed to follow developments in information security, the privacy of private life, and the protection of personal data and to take necessary actions accordingly.
- Protocols are signed with third parties when personal data is transferred to them due to technical or legal requirements, and all necessary care is taken to ensure that these third parties comply with their obligations in these protocols.
4.2.3. Internal Auditing by the Company
The Company conducts internal audits for the implementation of the provisions of the Law and the provisions of this Personal Data Storage and Destruction Policy and the Personal Data Processing and Protection Policy in accordance with Article 12 of the Law.
In case of deficiencies or defects in the implementation of these provisions during internal audits, these deficiencies or defects are immediately addressed.
If, during the audit or in any other way, it is understood that personal data under the responsibility of the Company has been obtained unlawfully by others, the Company immediately notifies the relevant person and the Board.
5. REASONS FOR THE STORAGE OF PERSONAL DATA
The personal data held by the Company is stored for the purposes and reasons specified hereunder in accordance with the Law and our Personal Data Policy and the Policy on the Processing and Protection of Personal Data of Employees (you can access the relevant policies at akyacht.net or akyacht.com).
6. SITUATIONS REQUIRING THE DESTRUCTION OF PERSONAL DATA
In case of a breach within the scope stated below, the Company will consider it a Potential Security Breach, and the relevant security breach procedures will be initiated by the Company. Reports and notifications related to these procedures will be shared with the Company management, the Board, and the relevant personal data owners when deemed necessary. For this purpose, the breach management processes of the Company will be applied.
6.1. Non-Compliance with KVKK
The Company commits not to process personal data in a manner contrary to what is specified in KVKK.
Unless there are exceptions in the processing conditions of personal data specified in Articles 5 and 6 of the KVKK:
a) The Company will not store the personal data of individuals without their explicit consent, except for the exceptions specified in the KVKK.
b) In case the purpose of processing data covered by exceptions or explicit consent ceases to exist and/or the legal retention periods expire, the Company will not store and will destroy this personal data.
6.2. Cessation of Personal Data Processing Conditions
The Company is responsible for the currency of the data processing conditions and shares this responsibility with all relevant employees processing personal data.
Employees will not continue data processing when the data processing conditions cease to exist. Detection of these situations is carried out through audits conducted by the KVKK Audit Unit and Legal Units established within the Company, accompanied by the proposal of the relevant business unit, and the destruction process is carried out in accordance with this Policy.
The Company acknowledges that data processing conditions have ceased to exist in the following cases, which are also specified in the Regulation:
a) Amendment or repeal of the provisions of the relevant legislation that constitute the basis for processing personal data,
b) The contract between the parties has never been concluded, the contract is invalid, the contract is terminated automatically, the contract is terminated, or the contract is withdrawn,
c) Cessation of the purpose requiring the processing of personal data,
d) Processing of personal data is contrary to law or the principle of honesty,
e) In cases where the processing of personal data is based solely on explicit consent, withdrawal of the consent by the relevant person,
f) Acceptance by the Company of the duly made application of the relevant person regarding the processing of personal data within the framework of the rights specified in Article 11 of the KVKK,
g) If the Company rejects the application for the destruction of personal data made by the relevant person, finds the response inadequate, or does not respond within the period specified in the KVKK; filing a complaint with the Board and approval of this request by the Board,
h) Despite the expiration of the maximum period requiring the storage of personal data, the absence of any condition justifying the Company to keep personal data for a longer period.
7. DESTRUCTION OF PERSONAL DATA
The destruction of personal data can be done in three different ways: deletion, destruction, or anonymization, as detailed below.
The relevant business units within the Company, information systems, and application owners where personal data is located, the Internal Audit Team, the Legal Department, and other individuals or departments that may be relevant to the subject make a written decision on the method to be applied for the destruction of personal data based on the reason for this destruction. In accordance with this written decision, one of the destruction methods specified in this Policy is applied, depending on the Personal Data Protection Authority's Guide on Deletion, Destruction, and Anonymization of Personal Data.
The Company also creates technical guides and ensures their implementation regarding the methods to be used for the storage and destruction of personal data.
The tracking of the destruction of personal data is the responsibility of the relevant data owner unit within the Company. The data owner unit receives support from various units of the Company, provided that the audit for the destruction of data is carried out by itself.
7.1. Deletion of Personal Data
Deletion of personal data processed wholly or partially by automatic means is the process of making such personal data inaccessible and unusable by any means.
In the process of deleting personal data that is part of any non-automatic data recording system, the personal data subject to deletion is determined, taking into account the legal retention periods. The Company updates its role and authorization matrices on information systems and applications that the Company currently operates in terms of access and authorization of personal data and identifies relevant users. The powers and methods of relevant users, such as access, retrieval, and reuse, are determined within this scope.
When the Company deletes personal data, it ensures that the data becomes inaccessible or unusable in any way. The Company guarantees that the data is not accessible or usable by any user while performing this process.
7.2. Destruction of Personal Data
The destruction of personal data is the process of making personal data inaccessible, unrecoverable, and unusable by anyone.
The destruction process will be carried out when the Company processes data in physical record environments, and the Company is obliged to make this data permanently irretrievable. The process of destroying data in the paper environment involves breaking down the environment into small pieces with paper shredders or cutting machines in a way that cannot be reassembled in an understandable size. Additionally, the Company may receive destruction services from third parties in this context.
7.3. Anonymization of Personal Data
Anonymization is the process of making personal data processed wholly or partially by automatic means by the Company such that, even if matched with other data, it cannot be associated with the identity of a specific or identifiable individual.
During the anonymization of data, the Company ensures that all direct and/or indirect identifiers in the relevant data set are removed or modified, preventing the identification of the identity of the relevant individual, and the data loses its distinctiveness within a group or crowd and cannot be associated with a real person.
During the anonymization of data, the Company may use methods such as one-way functions or encryption for data anonymization.
8. METHODS AND PROCESS OF PERSONAL DATA DESTRUCTION
For the destruction of personal data, the Company defines all methods that can be used during destruction in this Policy and its annexes. The data owner unit is responsible for determining and implementing the appropriate method according to the situation specified in this Policy.
The Company, in accordance with the Law and other legislation and its Policy on the Processing and Protection of Personal Data, deletes, destroys, or anonymizes personal data stored in compliance with the reasons requiring the processing of data when the relevant reasons for processing cease or within the periods specified in this Personal Data Storage and Destruction Policy upon the request of the relevant person.
During the destruction process, the Company creates records in accordance with the data destruction instruction. The destruction process in the electronic environment is certified during the deletion process of special category personal data. During the destruction of personal data, the Company selects the appropriate method from the following methods according to the written decision it will give:
Deletion Methods
Deletion Methods for Personal Data Kept in Print Medium
Redaction:
Personal data kept in print medium is deleted using the redaction method. The redaction process involves cutting the personal data on the relevant document, if possible, and making it invisible by using permanent ink in a way that cannot be read with technological solutions if it is not possible to cut.
Deletion Methods for Personal Data Kept in Cloud and Local Digital Medium
Safely Deleting from Software:
Personal data stored in the cloud or local digital environments is digitally deleted in a way that cannot be recovered. Once deleted in this way, the data cannot be accessed again.
Destruction Methods
Physical Destruction Methods for Personal Data Kept in Print Medium
Physical Destruction:
Documents kept in print medium are destroyed in a way that cannot be reassembled using document destruction machines.
Destruction Methods for Personal Data Kept in Local Digital Medium
Physical Destruction:
Physical destruction is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning, or turning it into dust. Processes such as melting, burning, turning into dust, or passing through a metal grinder make the data inaccessible.
Degaussing:
Degaussing is the process of exposing magnetic media to a high magnetic field, causing the data on it to be unreadable.
Overwriting:
Writing random data consisting of 0s and 1s on magnetic media and rewritable optical media at least seven times prevents the old data from being read and recovered.
Destruction Methods for Personal Data Kept in Cloud Medium
Safely Deleting from Software:
Personal data stored in the cloud is digitally deleted in a way that cannot be recovered, and all copies of encryption keys necessary to make personal data usable are destroyed when the cloud computing service relationship ends. In this way, the deleted data cannot be accessed again.
Anonymization Methods
Anonymization is the process of making personal data such that it cannot be associated with the identity of a specific or identifiable individual, even if matched with other data.
Removing Variables:
Removing one or more direct identifiers from personal data belonging to the relevant person that could be used to identify the individual in any way.
This method can be used to anonymize personal data, and it can also be used to delete information that does not fit the purpose of processing in the personal data if there are such pieces of information.
Regional Masking:
Deleting information that may be distinctive about data that is collectively anonymous in a data table.
Generalization:
Turning the personal data of many individuals into statistical data by removing distinctive information.
Lower and Upper Bound Coding / Global Coding:
Defining intervals for a variable and categorizing them. If the variable does not contain numerical values, similar values in the variable are categorized. Values within the same category are combined.
Micro Aggregation:
Arranging all records in the data set in a meaningful order and then dividing the entire set into a certain number of subsets. Then, the average of the value of the variable for each subset is taken, and the value of the variable for the subset is replaced with the average value. In this way, since indirect identifiers in the data are corrupted, it becomes difficult to associate the data with the relevant person.
Data Mixing and Distortion:
Mixing or distorting direct or indirect identifiers in personal data with other values to sever the relationship with the individual and make them lose their identifying characteristics.
The Company uses one or more of these anonymization methods depending on the nature of the relevant data to anonymize personal data.
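The methods listed above are described in prose only. The following is an added example, not the Company's own tooling or code, showing what Removing Variables, Regional Masking, Lower and Upper Bound Coding, Micro Aggregation, Generalization, and Data Mixing each do to a small record set. The records, names, ID numbers, and figures are constructed for the example, the function names are my own, and the closing check (no direct identifier left in the output) is the kind of control a data owner unit would want before releasing an anonymized set. Anonymization by one-way functions or encryption (Section 7.3) is not shown.

```python
"""Added example (not the Company's tooling): the anonymization methods listed
in this section, applied to a small constructed record set."""
import random
import statistics

# Constructed sample records. Names, ID numbers and figures are invented.
RECORDS = [
    {"name": "Person A", "id_no": "00000000001", "city": "Istanbul", "age": 23, "salary": 31000},
    {"name": "Person B", "id_no": "00000000002", "city": "Istanbul", "age": 47, "salary": 52000},
    {"name": "Person C", "id_no": "00000000003", "city": "Ankara", "age": 35, "salary": 44000},
    {"name": "Person D", "id_no": "00000000004", "city": "Bodrum", "age": 61, "salary": 90000},
    {"name": "Person E", "id_no": "00000000005", "city": "Ankara", "age": 29, "salary": 38000},
    {"name": "Person F", "id_no": "00000000006", "city": "Istanbul", "age": 52, "salary": 61000},
]
DIRECT_IDENTIFIERS = ("name", "id_no")


def remove_variables(records, columns=DIRECT_IDENTIFIERS):
    """Removing Variables: drop the direct identifiers from every record."""
    return [{k: v for k, v in r.items() if k not in columns} for r in records]


def regional_masking(records, column, min_count=2, mask="*"):
    """Regional Masking: blank a value that makes one record stand out, i.e. a
    value shared by fewer than min_count records, and leave the rest intact."""
    counts = {}
    for r in records:
        counts[r[column]] = counts.get(r[column], 0) + 1
    return [{**r, column: mask if counts[r[column]] < min_count else r[column]}
            for r in records]


def global_coding(records, column, width):
    """Lower and Upper Bound Coding / Global Coding: replace a numeric value by
    the interval of the given width it falls in, so nearby values merge."""
    out = []
    for r in records:
        lo = (r[column] // width) * width
        out.append({**r, column: f"{lo}-{lo + width - 1}"})
    return out


def micro_aggregation(records, column, k):
    """Micro Aggregation: order records by the variable, cut the ordered set into
    groups of k, and replace each value by its group mean. A short final group
    is merged into the previous one so that no group is smaller than k."""
    ordered = sorted(records, key=lambda r: r[column])
    groups = [ordered[i:i + k] for i in range(0, len(ordered), k)]
    if len(groups) > 1 and len(groups[-1]) < k:
        groups[-2].extend(groups.pop())
    out = []
    for group in groups:
        mean = statistics.mean(r[column] for r in group)
        out.extend({**r, column: mean} for r in group)
    return out


def generalization(records, group_by, value):
    """Generalization: collapse individual rows into per-group statistics."""
    groups = {}
    for r in records:
        groups.setdefault(r[group_by], []).append(r[value])
    return {g: {"count": len(v), "mean_" + value: statistics.mean(v)}
            for g, v in groups.items()}


def data_mixing(records, column, seed=0):
    """Data Mixing: permute one column across records, so every value is still
    a real value but is no longer tied to the row it came from."""
    rng = random.Random(seed)
    values = [r[column] for r in records]
    rng.shuffle(values)
    return [{**r, column: v} for r, v in zip(records, values)]


def anonymize(records):
    """Pipeline combining several methods, as the policy allows."""
    out = remove_variables(records)
    out = regional_masking(out, "city")
    out = global_coding(out, "age", 10)
    return micro_aggregation(out, "salary", 2)


def has_direct_identifier(records, columns=DIRECT_IDENTIFIERS):
    """Release check: True if any direct identifier column survived."""
    return any(c in r for r in records for c in columns)


if __name__ == "__main__":
    for row in anonymize(RECORDS):
        print(row)
    print("direct identifiers present:", has_direct_identifier(anonymize(RECORDS)))
```

Removing direct identifiers alone is rarely enough, which is why the pipeline also treats the indirect identifiers (city, age, salary): a single record from a rare city or with a unique salary can still be matched against another data set, which is exactly the "even if matched with other data" condition in the definition above.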
9. DATA RETENTION AND DESTRUCTION PERIODS
The table below lists, for each data owner, the data category and the maximum data retention period.
Data owner: Employee
Data category: Includes the essential data of notifications made to the Social Security Institution (such as employment declaration, premium and service documents, missing day notifications, accruals, employment termination declaration), records containing basic information about the employee, wage and fringe benefits, and records of employment and termination dates.
Maximum data retention period: Kept for a period of 10 (ten) years from the continuation and termination of the employment contract, upon a possible request for service/wage determination and a debt request from the Social Security Institution.
Data owner: Employee
Data category: Personnel Records
Maximum data retention period: Kept for a period of 10 (ten) years from the beginning of the calendar year following the continuation and termination of the employment contract.
Data owner: Employee
Data category: Personal Health Data in Workplace Files
Maximum data retention period: Kept for a period of 15 (fifteen) years from the continuation and termination of the employment contract.
Data owner: Business Partner/Service Provider/Consultant
Data category: Includes identity information, contact information, financial information, telephone recordings taken during the commercial relationship between the Business Partner/Service Provider/Consultant and the Company, employee data of the Business Partner/Service Provider/Consultant.
Maximum data retention period: Kept for a period of 10 (ten) years in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code from the beginning to the end of the business/commercial relationship between the Business Partner/Service Provider/Consultant and the Company.
Data owner: Visitor
Data category: Camera recordings taken upon entry to the Company's physical space.
Maximum data retention period: Kept for a period of 3 (three) months.
Data owner: Job Applicant
Data category: Resume and information provided in the job application form of the job applicant.
Maximum data retention period: Kept for a maximum of 2 (two) years until the resume becomes outdated.
Data owner: Intern (Student)
Data category: Includes identity, contact, financial, and photo information in the intern's internship file.
Maximum data retention period: Kept for a period of 10 (ten) years from the beginning of the calendar year following the continuation and termination of the internship relationship.
Data owner: Customer
Data category: Information related to the customer, such as name, surname, T.C. ID number, address, contact information, payment information and methods, product/service preferences, transaction history.
Maximum data retention period: Kept for a period of 10 (ten) years from the delivery of each product/service purchased by the customer, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.
Data owner: Customer
Data category: Camera images.
Maximum data retention period: Kept for a period of 3 (three) months.
Data owner: Customer Candidate
Data category: Identity information, contact information, financial information, telephone recordings taken during contract negotiations for establishing a commercial relationship between the Potential Customer and the Company.
Maximum data retention period: Kept for a period of 2 (two) years.
Data owner: Companies/Firms Collaborating with the Company (Supplier, etc.)
Data category: Includes identity information related to the commercial relationship between the Companies/Firms Collaborating with the Company and the Company.
Maximum data retention period: Kept for a period of 10 (ten) years from the beginning to the end of the business/commercial relationship between the Companies/Firms Collaborating with the Company and the Company, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.
*If a longer period is regulated under the legislation, or if a longer period is envisaged for statutes of limitations, statutory periods, retention periods, etc., in accordance with the legislation, that longer period is considered the maximum retention period.
9.1. Periodic Destruction and Legal Retention Periods
Physically and electronically, data that exceeds legal retention and destruction periods is periodically destroyed. The Company destroys personal data in the first periodic destruction process following the date on which the obligation to destroy arises.
Periodic destruction is carried out every 6 months for all personal data. The legal retention periods to be taken into account during periodic destruction are determined in the Company's Personal Data Inventory. The destruction process is applied during the first periodic destruction following the emergence of the obligation to destroy.
All transactions related to the destroyed personal data are recorded, and these records are kept for a period of three years.
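Section 9 and 9.1 together define a small timeline for every record: the retention clock starts at a trigger event, the obligation to destroy arises when the period ends, the data is destroyed in the first periodic run after that, and the destruction record is then kept for three years. The following added example (my own code, not the Company's inventory tooling) computes that timeline for a few rows of the table above. The six-month interval, the three-year record retention and the thirty-day response deadline for data owner requests are taken from the Policy; the assumption that the two runs per year fall on the last day of June and of December, the dictionary keys, and the function names are mine. Calendar-aware month arithmetic is included because a period starting on 31 January must not land on a non-existent date.

```python
"""Added example (not the Company's tooling): when a record's retention period
ends, which periodic destruction run it falls into, and how long the destruction
record itself must be kept, following the rules in Section 9 of the Policy."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

PERIODIC_DESTRUCTION_MONTHS = 6   # Section 9.1: periodic destruction every 6 months
DESTRUCTION_RECORD_YEARS = 3      # Section 9.1: destruction records kept for three years
REQUEST_RESPONSE_DAYS = 30        # Section 9.2: reply to data owner requests within thirty days
# Assumption (the Policy fixes only the interval, not the dates): runs take place
# on the last day of every sixth month, i.e. end of June and end of December.
RUN_MONTHS = tuple(range(PERIODIC_DESTRUCTION_MONTHS, 13, PERIODIC_DESTRUCTION_MONTHS))


def add_months(d, months):
    """Calendar-aware month arithmetic: 31 Jan 2024 + 1 month -> 29 Feb 2024."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class RetentionRule:
    data_owner: str
    category: str
    months: int
    from_next_calendar_year: bool = False  # "from the beginning of the calendar year following"


# Rows transcribed from the Section 9 table; the dictionary keys are my own labels.
RULES = {
    "visitor_camera": RetentionRule("Visitor", "Camera recordings", 3),
    "personnel_records": RetentionRule("Employee", "Personnel Records", 10 * 12, True),
    "health_data": RetentionRule("Employee", "Personal Health Data in Workplace Files", 15 * 12),
    "job_application": RetentionRule("Job Applicant", "Resume and application form", 2 * 12),
    "customer_candidate": RetentionRule("Customer Candidate", "Contract negotiation data", 2 * 12),
}


def retention_end(rule, trigger):
    """Date on which the obligation to destroy arises. `trigger` is the event that
    starts the clock (end of the relationship, date of the recording, and so on)."""
    start = date(trigger.year + 1, 1, 1) if rule.from_next_calendar_year else trigger
    return add_months(start, rule.months)


def next_periodic_run(due):
    """First scheduled periodic destruction run on or after `due`."""
    for year in (due.year, due.year + 1):
        for month in RUN_MONTHS:
            run = date(year, month, calendar.monthrange(year, month)[1])
            if run >= due:
                return run
    raise RuntimeError("no run found")  # unreachable with two runs per year


def schedule(rule_key, trigger):
    """Full timeline for one record: retention end, destruction run, record keeping."""
    due = retention_end(RULES[rule_key], trigger)
    run = next_periodic_run(due)
    # Sanity check: a six-month cycle never leaves data waiting longer than that.
    assert (run - due).days <= 184, "run must fall within six months of the obligation"
    return {
        "retention_ends": due,
        "destroy_on": run,
        "destruction_record_until": add_months(run, 12 * DESTRUCTION_RECORD_YEARS),
    }


def request_response_deadline(received):
    """Section 9.2: latest date to destroy and inform, or to refuse in writing."""
    return received + timedelta(days=REQUEST_RESPONSE_DAYS)


def overdue(items, today):
    """Audit check (Section 9.3): labels of records whose scheduled destruction run
    has already passed. `items` is a list of (label, rule_key, trigger_date)."""
    return [label for label, key, trigger in items
            if schedule(key, trigger)["destroy_on"] < today]


if __name__ == "__main__":
    # Constructed sample: an employee whose contract ended on 10 March 2023.
    print(schedule("personnel_records", date(2023, 3, 10)))
```

The `overdue` check is the part worth automating: run against the personal data inventory before each periodic run, it lists exactly the records the Policy says should already have been destroyed, which is what an internal audit under Section 9.3 needs to see.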
9.2. Destruction Process in Case of Requests from Data Owners
In cases where data owners request the destruction of their personal data by applying to the Company, the Company checks the current conditions of processing the personal data. Following this check:
- If it is understood that all processing conditions of personal data subject to the request have disappeared, the personal data subject to the request is destroyed in accordance with the decisions and methods stated in this Policy within thirty days at the latest, and the relevant person is informed.
- If it is understood that the processing conditions of personal data have disappeared and it is understood that the personal data subject to the request has been transferred to third parties, the Company notifies this situation to the relevant third party and ensures that necessary actions are taken by the relevant third party within the scope of the Regulation.
- If all processing conditions of personal data have not disappeared, the Company may reject the request by explaining the reason and notifies the refusal to the relevant person in writing or electronically within thirty days at the latest.
- A Management Process is created for Requests and Complaints from Data Subjects within the Company in order to meet the requests and responses of the data subjects.
9.3. Inspection of the Legality of the Destruction Process
The Company performs the destruction processes it conducts, both upon request and in periodic destruction processes, in accordance with the Law, other legislation, the Personal Data Processing and Protection Policy, and this Personal Data Retention and Destruction Policy.
The Company takes various administrative and technical measures to ensure that destruction processes are carried out in compliance with these regulations.
9.3.1. Technical Measures
- The Company has technical tools and equipment suitable for each destruction method specified in this Policy.
- The Company ensures the security of the place where the destruction process is performed.
- The Company keeps access records of the individuals performing the destruction process.
- The Company employs competent and experienced personnel to perform the destruction process or obtains services from competent third parties when necessary.
9.3.2. Administrative Measures
- The Company conducts studies to increase the awareness and consciousness of its employees who will perform the destruction process in terms of information security, personal data, and the privacy of private life.
- The Company receives legal and technical consultancy services to follow developments in the field of information security, privacy, personal data protection, and secure destruction techniques and to take necessary actions.
- In cases where the Company has the destruction process performed by third parties due to technical or legal requirements, the Company signs protocols with the relevant third parties regarding the protection of personal data, and the Company takes all necessary care to ensure that the relevant third parties comply with their obligations in these protocols.
- The Company regularly checks whether the destruction processes are carried out in accordance with regulations and obligations specified in this Personal Data Retention and Destruction Policy, and takes necessary actions.
- The Company records all processes related to the deletion, destruction, and anonymization of personal data, and keeps these records for at least three years, except for other legal obligations.
10. AUTHORIZATION IN STORAGE AND DESTRUCTION PROCESSES
The Company establishes a Personal Data Committee within its organization. The Personal Data Committee is authorized and responsible for making or commissioning necessary processes for the storage and processing of relevant individuals' data in accordance with the law, the Personal Data Processing and Protection Policy, and the Personal Data Storage and Destruction Policy. The individuals and job descriptions involved in the storage and destruction processes of personal data by the Company are as follows:
GDPR Team: Decides on policies and methods by working together with the relevant departments of the Company regarding the storage and destruction of personal data, ensures that the Policy and its annexes are kept up to date, and, if necessary, ensures that the processes stipulated by the Policy are carried out correctly in accordance with the GDPR.
Legal Department: Provides legal consultancy on issues related to the storage and destruction of personal data and informs the relevant departments in case of changes in the legislation. Ensures that the Policy is implemented in compliance with the legislation.
Information Technologies: Ensures that relevant storage and destruction processes are carried out in accordance with the decisions and methods specified in the Policy.
Relevant departments of the Company: Express opinions and justifications for determining policies and methods regarding the storage and destruction of personal data and follow up on the actions to be taken within the framework of the Policy.
Title: Personal Data Committee Manager
Job description: Responsible for directing all planning, analysis, research, and risk identification studies carried out in projects during the compliance process with the law; managing processes stipulated by the Law, the Personal Data Processing and Protection Policy, and the Personal Data Storage and Destruction Policy; and making decisions on requests from relevant individuals.
Title: GDPR Specialist (Technical and Administrative)
Job description: Responsible for examining and reporting requests from relevant individuals for evaluation by the Personal Data Committee Manager; implementing processes related to requests evaluated and decided by the Personal Data Committee Manager; and overseeing the audit of storage and destruction processes and reporting these audits to the Personal Data Committee Manager. Responsible for the execution of storage and destruction processes.
11. CHANGES TO THE POLICY
The Company will update and change the Policy to comply with new legislation if there is a partial or complete change, amendment, update, or repeal of the GDPR, the Regulation, or other legislation.
The Company will share the updated Policy via email with its employees in a way that the changes can be examined, and will make it accessible to its employees through the corporate intranet/portal.
THE EFFECTIVE DATE OF THE POLICY
This Policy has been in effect since DECEMBER 2021.