Version 1.0
01.06.2024.
This Personal Data Retention and Destruction Policy (“Policy”) has been prepared in order to determine the procedures and principles regarding the work and transactions related to personal data storage and destruction activities carried out by MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. (the “Company”) as the data controller.
In line with the basic principles it has adopted, our Company has made it a priority that the personal data of Company employees, former employees, employee candidates, shareholders, customers, potential customers, service providers, suppliers, business partners, their officials and employees, visitors and other relevant third parties is processed, stored and destroyed in accordance with the Constitution, international conventions, the Law on the Protection of Personal Data No. 6698 (“KVKK”) and other relevant legislation, and that the relevant persons can effectively exercise their rights in these matters.
The work and transactions related to the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Company in this direction. Thus, the Company provides the necessary transparency by informing the personal data owners and showing all their rights and application procedures and methods regarding their use. With the full awareness of our responsibility within this scope, your personal data is processed and stored within the scope of this Policy.
This Policy covers all personal data belonging to Company employees, former employees, employee candidates, shareholders, customers, potential customers, service providers, suppliers, agents, business partners and their officers and employees, visitors and other third parties who establish a relationship with our Company, processed by automatic means or, provided that they are part of any data recording system, by non-automatic means. This Policy applies to all recording media, such as physical, electronic, website and social media, owned or managed by the Company where personal data and special personal data are processed, and to activities for personal data processing.
With the KVKK, some personal data has been given special importance due to the risk of causing victimization or discrimination of people in case of unlawful processing. These data are special personal data described in the Abbreviations and Definitions Table below. Our company is sensitive to the protection of special personal data, which is determined as “special” by KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the storage of personal data are applied more carefully in terms of special personal data and the necessary audits are provided within the Company. Additional measures taken regarding the storage of special personal data are included in sections 5.1 and 5.2 of this Policy.
The relevant legal regulations in force regarding the processing, storage and destruction of personal data apply first. In the event of an inconsistency between the legislation in force and the Policy, our Company accepts that the applicable legislation prevails. The Policy regulates the rules set out by the relevant legislation by making them concrete within the scope of Company practices.
Recipient Group | The category of real or legal person to whom personal data is transferred by the data controller. |
Explicit Consent | Consent relating to a particular subject, based on information and expressed with free will. |
Anonymization | Rendering personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data. |
Employee / Former Employee | MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. staff/staff who left the job. |
Employee Candidate | People who have not established a business contract with MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. but are evaluated for establishment. |
Electronic Media | Environments where personal data can be created, read, changed and written with electronic devices. |
Non-Electronic (Physical) Environment | All written, printed, visual, etc. other media other than electronic media. |
Service / Expertise Service Provider | A real or legal person providing a service or specialized services such as accounting, workplace health-safety, informatics or legal consultancy within the framework of a specific contract with MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. |
Contact Person | The real person whose personal data is processed. |
Relevant Employee | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller. |
Destruction | Deletion, destruction or anonymization of personal data. |
Law | Law No. 6698 on the Protection of Personal Data. |
Recording Medium | Any medium containing personal data processed by fully or partially automatic means or, provided that it is part of any data recording system, by non-automatic means. |
Personal Data | Any information about an identified or identifiable natural person. |
Personal Data Processing Inventory | The inventory in which data controllers set out the personal data processing activities they carry out in connection with their business processes, together with the purposes and legal grounds of processing, the data category, the recipient group to which data is transferred and the group of persons subject to the data, the maximum retention period required for the purposes for which the personal data were processed, the personal data envisaged for transfer to foreign countries and the measures taken regarding data security. |
Processing of Personal Data | All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means or, provided that they are part of any data recording system, by non-automatic means. |
Board | Personal Data Protection Board |
KVKK | Law No. 6698 on the Protection of Personal Data |
Special Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. |
Periodic Destruction | In the event that all of the conditions for processing personal data contained in the law have disappeared, the process of deletion, destruction or anonymization of personal data will be carried out ex officio at repeated intervals specified in the storage and destruction policy. |
Policy | Personal Data Retention and Destruction Policy. |
Company | MOST AMAZING PLACES PROMOTION AND TRADE INC. |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
Data Recording System | Registration system in which personal data is structured and processed according to certain criteria. |
Data Owner | The real person whose personal data is processed. |
Data Controller | The real or legal person responsible for the establishment and management of the data recording system, which determines the purposes and means of processing personal data. |
Data Controllers Registry Information System (VERBIS) | The information system created and managed by the Personal Data Protection Board, which can be accessed over the internet, which can be used by the data controllers in the application to the Registry and other related transactions related to the Registry. |
VERBIS | Data Controllers Registry Information System |
Regulation | Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017. |
DISTRIBUTION OF RESPONSIBILITY AND DUTIES
All units and employees of the Company actively support the responsible units in properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, in increasing the training and awareness of unit employees, in monitoring, in preventing the unlawful processing of personal data and unlawful access to personal data, in ensuring that personal data is stored in accordance with the law, in taking technical and administrative measures to ensure data security in all environments where personal data is processed, and in destroying the data when the specified periods expire.
On the other hand, regarding the personal data processed and needing to be destroyed by our Company, the data controller official, the employees acting on behalf of the data controller and the persons who process the data on behalf of our Company cannot disclose the personal data they have learned to anyone else contrary to the provisions of this Policy and the KVKK, and cannot use it for purposes other than processing. In accordance with Article 12/4 of the KVKK, this obligation continues indefinitely (for life) after they leave their positions.
The distribution of titles, units and job descriptions of those who take part in the storage and destruction processes of personal data is given in Table 1.
Table 1: Storage and destruction processes task distribution
TITLE | UNIT | TASK |
Company Personal Data Controller | MOST AMAZING PLACES PROMOTION AND TRADE INC. | Responsible for the preparation, development, execution, publication in the relevant environments and updating of the Policy, and for ensuring that employees act in accordance with the Policy. |
Company Data Controller Contact Person | Id. Jobs, Finance and Sales-Marketing Departments | It is responsible for providing and following up the administrative, physical and technical solutions needed in the implementation of the policy. |
Id. Financial Affairs, Finance and Accounting, Sales, Marketing, Information Processing (IT), Departments | Other Units | Responsible for the execution of this Policy in accordance with their duties. |
Personal data is stored securely by the Company in accordance with the law in the environments listed in Table 2.
Table 2: Personal data storage environments
Electronic Media | Non-Electronic Environments |
– Servers (domain, backup, e-mail, database, web, file sharing, etc.) – Office programs – Software (portal, office software) – Information security devices (daily log file, antivirus, etc.) – Personal computers (desktop, laptop) – Mobile devices (phone, tablet, etc.) – Optical discs (CD, DVD, etc.) – Removable memories (USB, memory card, etc.) – Printer, scanner, copier | – Paper – Manual data recording systems (occupational health and safety exam measurement and other filled form documents) – Written, printed, visual media |
Personal data about all real persons shown above under the heading “1.2. Scope” of this Policy is stored and destroyed by the Company in accordance with this Policy and the KVKK.
In this context, detailed explanations regarding storage and destruction are given below.
Article 3 of the Law No. 6698 defines the concept of processing of personal data, Article 4 states that the processed personal data should be related to the purpose for which they are processed, limited and measured and should be kept for the period stipulated in the relevant legislation or for the purpose for which they are processed, and in Articles 5 and 6, the processing conditions of personal data are listed.
Accordingly, within the framework of the activities of our company, personal data is stored for the period stipulated in the relevant legislation or for the period suitable for our processing purposes.
In accordance with Article 12 of the Law No. 6698, our Company takes the necessary measures according to the nature of the data to be protected in order to prevent the disclosure, access or transfer of personal data, or security deficiencies that may occur in other ways. It takes technical and administrative measures to ensure the necessary level of security in accordance with the guidelines published by the Board, and carries out audits or has them carried out.
Our company provides the organization of necessary trainings for business units in order to prevent the unlawful processing of personal data, unlawful access to data and to increase awareness of data preservation.
Special personal data is given special importance within the scope of the Law No. 6698 due to the risk of causing victimization or discrimination of people when processed unlawfully. These “special” personal data are data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
In this context, the technical and administrative measures taken by our Company for the storage of personal data are also carefully applied in terms of special personal data, and while the necessary inspections are provided within our Company, some additional measures are also taken for the storage and protection of special personal data. In this sense, adequate and more detailed measures regarding the storage and protection of special personal data are included separately in Sections 5.1 and 5.2 of this Policy.
Personal data processed within the framework of our activities in our company are kept for the period stipulated in the relevant legislation. In this context, personal data;
It is stored for the storage periods stipulated within the framework and then destroyed.
The company stores the personal data it processes within the framework of its activities for the following purposes.
Our Company retains personal data for the period necessary for the purpose for which they are processed and for the minimum period stipulated in the relevant legislation. In this context, our Company first determines whether a period is provided for the storage of personal data in the relevant legislation, and if a period has been determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed, taking into account general and commercial practices. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or upon the data owner's application, using the determined destruction methods (deletion, destruction or anonymization).
Personal data;
Personal data is deleted, destroyed or anonymized by the Company, ex officio or at the request of the relevant person, in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises in accordance with Article 11/1 of the Regulation.
In accordance with Article 12 of the KVKK, the necessary technical and administrative measures stated below are taken by our Company in order to store personal data safely, to prevent unlawful processing and access, and to store and destroy personal data in accordance with the law. In addition, in accordance with the fourth paragraph of Article 6 of the KVKK and the Decision of the Board dated 31/01/2018 and numbered 2018/10, the sufficient additional measures determined and announced by the Board for special personal data are also taken as follows.
The technical measures taken by the Company regarding the personal data it processes are listed below:
The administrative measures taken by the Company regarding the personal data it processes are listed below:
– Our company has determined the necessary measures to continuously evaluate and follow up the possible data breach situations related to the personal data we process and transfer and to intervene immediately when such a problem occurs.
– A process has been established under which our Company notifies the Board without delay, and within 72 hours at the latest from the date of learning about the violation, in accordance with Article 12 of the Law and the Decision of the Board; if a notification cannot be made within 72 hours for a justified reason, the reasons for the delay are explained to the Board along with the notification to be made.
– It has been decided to use the “Personal Data Breach Notification Form” published by the Board and provided by us in the notification to the Board.
– It has been decided by our company to record the information, effects and measures taken regarding data breaches and to keep them ready for the Board’s examination.
– Following the determination of the relevant persons affected by the said data breach, it has been decided to notify the relevant persons as soon as reasonably possible: directly, if the contact address of the relevant person can be reached, and otherwise by publication on the website of our Company using appropriate methods.
– In the event that the data breach occurs at the data processor, measures have been taken for the data processor to notify our Company without any delay.
– In the event that the data breach occurs at a data controller located abroad, if the results of this violation affect relevant persons residing in Turkey and the relevant persons benefit from the products and services offered in Turkey, this data controller is required to notify the Board within the framework of the same principles.
For the security of special personal data processed by the Company, within the scope of a separate policy (protocol and procedures) in this text, the additional technical and administrative measures taken by the Company regarding the special personal data it processes are listed below:
At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data are destroyed by the Company ex officio or upon the application of the relevant person, in accordance with the provisions of the relevant legislation with the following techniques.
Personal data is deleted by the methods given in Table-3.
Table 3: Deletion of Personal Data
Data Recording Environment | Description |
Personal Data on Servers | For personal data on servers whose storage period has expired, the system administrator removes the access authority of the relevant users and performs the deletion process. |
Personal Data in Electronic Media | Personal data in the electronic environment whose required storage period has expired is made inaccessible and unusable in any way for other employees (related users) except for the database administrator. |
Personal Data in the Physical Environment | Personal data in the physical environment whose required storage period has expired is made inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, the blackening process is applied by drawing/painting/erasing over it so that it cannot be read. |
Personal Data in Portable Media | Personal data stored in flash-based storage media whose storage period has expired is encrypted by the system administrator; access authority is given only to the system administrator, and the data is stored in secure environments with encryption keys. |
Personal data is destroyed by the Company by the methods given in Table-4.
Table 4: Destruction of Personal Data
Data Recording Environment | Description |
Personal Data in the Physical Environment | Personal data on paper whose required storage period has expired is irreversibly destroyed in a paper shredding machine. |
Personal Data in Optical / Magnetic Media | Personal data on optical and magnetic media whose storage period has expired is physically destroyed by methods such as melting, burning or pulverizing. In addition, magnetic media is passed through a special device and exposed to a high-value magnetic field, making the data on it unreadable. |
Anonymization of personal data means rendering personal data impossible to associate with an identified or identifiable real person in any way, even if it is matched with other data.
In order for personal data to be anonymized, it must be rendered impossible to associate with an identified or identifiable real person, even through the use of techniques appropriate to the recording environment and the relevant field of activity, such as the reversal of the data by the personal data controller or third parties and/or matching the data with other data. These operations are carried out by our Company in accordance with the procedures and techniques specified in the “Guide to Deletion, Destruction or Anonymization of Personal Data” published by the Board.
Regarding the personal data processed by the Company within the scope of its activities;
If necessary, the said retention periods are updated upon the proposal of the Contact Person of our Company Data Controller and with the approval of the Data Controller Officer of our Company.
The process of ex officio deletion, destruction or anonymization for personal data whose storage periods have expired is carried out by the Contact Person, the Personal Data Controller, who is the Relevant Employee of Our Company, as shown in Table 5 below.
Table 5: Process-based storage and disposal times table
PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
Security camera image recordings | 6 months from registration (10 years from registration if there is evidence within the scope of Law No. 6331, 10 years from registration, if there is evidence of crime, during the statute of limitations of the case) | Within 180 days following the end of the storage period |
Call center voice recordings | 6 months from registration (10 years if it is legal evidence, if it is criminal evidence, it is z. during the excess) | Within 180 days following the end of the storage period |
Biometric Image and Sound Recordings for Remote/Video Conference Activities | 6 months from registration | Within 180 days following the end of the storage period |
Employee candidate and reference information (If no employment contract has been established) | 6 months from the transaction (10 years from leaving the job if hired) | Within 180 days following the end of the storage period |
Information and documents related to trainer-advisor, service providers regarding in-service training and service supply activities | 1 year from the completion of the training, service activity | Within 180 days following the end of the storage period |
Shareholder and Employee passport information (Those Received Within the Scope of Overseas Business Travel Activity) | 1 year after leaving the partnership or business | Within 180 days following the end of the storage period |
Mail-Cargo Document Receiving-Issuing Transactions, Incoming-Outgoing Documents | 1 Year From The Transaction | Within 180 days following the end of the storage period |
Information about visitor records | 1 year from the Date of Visit | Within 180 days following the end of the storage period |
IP and Cookie data for Website users | 1 year from the date of access | Within 180 days following the end of the storage period |
Internet Access Data Provided to Personnel in the Company | 1 year from the date of access | Within 180 days following the end of the storage period |
Shopping slip-z report information made by customers with debit-credit card | 5 years from the end of the legal relationship | Within 180 days following the end of the storage period |
Data on employees and shareholders stored within the scope of labor law | 10 years after the end of the employment relationship | Within 180 days following the end of the storage period |
Employee and shareholder data kept within the scope of SSI legislation and other relevant legislation | 10 years after the end of the employment relationship | Within 180 days following the end of the storage period |
Employment-employment contract and its annexes, a part of the contract process | 10 years after the end of the employment relationship | Within 180 days following the end of the storage period |
All documents related to employee training activities | 10 years after leaving the job | Within 180 days following the end of the storage period |
Data collected for employees within the scope of workplace health and safety legislation | 10 years after the end of the employment relationship (Within the scope of occupational health, data consisting of temporary incapacity report, lung radiography, respiratory function test, hemogram, eye and hearing test, reports and information that may be the subject of a work accident or occupational disease case that there is a disease finding 15 years) | Within 180 days following the end of the storage period |
Documents regarding the allocation and use of vehicles, computers, telephones, etc. to employees | 10 years | Within 180 days following the end of the storage period |
Personnel financing processes document (Salary and other payments) | 10 years after the termination of the employment relationship | Within 180 days following the end of the storage period |
Personal data about supplier and business partners | 10 years after the end of the legal relationship | Within 180 days following the end of the storage period |
Payment transactions | 10 years after the business-commercial relationship ends | Within 180 days following the end of the storage period |
Contracts concluded with third parties | 10 years | Within 180 days following the end of the storage period |
Customer data | 10 years after the end of the legal relationship | Within 180 days following the end of the storage period |
Request-complaint data | 10 years after the end of the legal relationship | Within 180 days following the end of the storage period |
KVKK disclosure notice, consent declaration and other approval documents | 10 years after the end of the legal relationship (on that date if the main document is shorter) | Within 180 days following the end of the storage period |
Personal Data Destruction Records and repealed Policy Texts | 10 years from the transaction | Within 180 days following the end of the storage period |
Filing all kinds of other documents | 10 years from the transaction | Within 180 days following the end of the storage period |
Data collected in accordance with other relevant legislation | As much as the period stipulated in the relevant legislation | Within 180 days following the end of the storage period |
Cases where the relevant personal data is the subject of a crime within the scope of the Turkish Penal Code or other penal provisions | For the duration of the statute of limitations of the case | Within 180 days following the end of the storage period |
In accordance with Article 11 of the Regulation, the Company has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out in the Company in June and December every year.
The policy is published in two different media, wet signed (printed paper) and electronic, and announced to the public on the website. The printed paper copy is also stored in the file to be kept by the Contact Personal Data Controller, who is the Company’s Relevant Employee.
The policy is reviewed as needed and the necessary sections are updated.
This Policy issued by our Company is dated 01.06.2024. The Policy is considered to have entered into force upon its publication on our Company's website “www.most-amazing-places.com” and is considered accessible to personal data owners from that point. In case of renewal of all or certain articles of the Policy, the effective date will be updated. If it is decided to repeal the Policy, the old wet-signed copies are canceled by the Company Data Controller Authority Decision (by stamping the cancellation or writing the cancellation) and stored in the file to be kept by the Contact Personal Data Controller who is the Company’s Relevant Employee for a period of 10 years.