Most Amazing Places

MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.

PERSONAL DATA STORAGE AND DESTRUCTION POLICY

Version 1.0

01.06.2024.

INTRODUCTION

1.1. Purpose

  This Personal Data Retention and Destruction Policy (“Policy”) has been prepared in order to determine the procedures and principles regarding the work and transactions related to personal data storage and destruction activities carried out by MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. (the “Company”) as the data controller.

In line with the basic principles it has adopted, our Company has made it a priority that the personal data of Company employees, former employees, employee candidates, shareholders, customers, potential customers, service providers, suppliers, business partners, their officials and employees, visitors and other relevant third parties is processed, stored and destroyed in accordance with the Constitution, international conventions, the Law on the Protection of Personal Data No. 6698 (“KVKK”) and other relevant legislation, and that the relevant persons can effectively exercise their rights in these matters.

The work and transactions related to the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Company in this direction. Thus, the Company provides the necessary transparency by informing the personal data owners and showing all their rights and application procedures and methods regarding their use. With the full awareness of our responsibility within this scope, your personal data is processed and stored within the scope of this Policy. 

1.2. Scope 

This Policy covers all personal data belonging to Company employees, former employees, employee candidates, shareholders, customers, potential customers, service providers, suppliers, agents, business partners and their officers and employees, visitors and other third parties who establish a relationship with our Company, whether processed by automatic means or by non-automatic means provided that they are part of any data recording system. This Policy applies to all recording media, such as physical, electronic, website and social media environments, owned or managed by the Company where personal data and special personal data are processed, and to personal data processing activities.

With the KVKK, some personal data has been given special importance due to the risk of causing victimization or discrimination of people in case of unlawful processing. These data are special personal data described in the Abbreviations and Definitions Table below. Our company is sensitive to the protection of special personal data, which is determined as “special” by KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the storage of personal data are applied more carefully in terms of special personal data and the necessary audits are provided within the Company. Additional measures taken regarding the storage of special personal data are included in sections 5.1 and 5.2 of this Policy.

The legal regulations in force regarding the processing, storage and destruction of personal data apply first. In the event of an inconsistency between the legislation in force and the Policy, our Company accepts that the applicable legislation prevails. The Policy concretizes the rules set out by the relevant legislation within the scope of Company practices.

Abbreviations and Definitions

Recipient Group

The category of real or legal person to whom personal data is transferred by the data controller. 

Explicit Consent

Consent on a particular subject, based on information and expressed with free will.

Anonymization 

Rendering personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.

Employee / Former Employee

Personnel of MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. / personnel who have left their job.

Employee Candidate

People who have not established a business contract with MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. but are evaluated for establishment.

Electronic Media 

Environments where personal data can be created, read, changed and written with electronic devices. 

Non-Electronic (Physical) Environment 

All written, printed, visual and other media other than electronic media.

Service / Expertise Service Provider 

A real or legal person providing services or specialized services such as accounting, workplace health-safety, informatics or legal consultancy within the framework of a specific contract with MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.

Relevant Person

The real person whose personal data is processed. 

Relevant Employee 

Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller. 

Destruction 

Deletion, destruction or anonymization of personal data. 

Law 

Law No. 6698 on the Protection of Personal Data. 

Recording Medium 

Any medium containing personal data processed by fully or partially automatic means, or by non-automatic means provided that they are part of any data recording system.

Personal Data 

Any information about an identified or identifiable natural person. 

Personal Data Processing Inventory 

The inventory in which data controllers detail the personal data processing activities they carry out in connection with their business processes, by associating them with the purposes of processing and the legal reason, the data category, the recipient group and the group of persons subject to the data, the maximum retention period required for the purposes for which the personal data is processed, the personal data envisaged for transfer to foreign countries and the measures taken regarding data security.

Processing of Personal Data 

All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means, or by non-automatic means provided that they are part of any data recording system.

Board

Personal Data Protection Board

KVKK

Law No. 6698 on the Protection of Personal Data 

Special Personal Data 

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Periodic Destruction 

In the event that all of the conditions for processing personal data contained in the law have disappeared, the process of deletion, destruction or anonymization of personal data will be carried out ex officio at repeated intervals specified in the storage and destruction policy. 

Policy

Personal Data Retention and Destruction Policy.

Company 

MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.

Data Processor 

A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. 

Data Recording System 

Registration system in which personal data is structured and processed according to certain criteria. 

Data Owner

The real person whose personal data is processed. 

Data Controller 

The real or legal person responsible for the establishment and management of the data recording system, which determines the purposes and means of processing personal data. 

Data Controllers Registry Information System (VERBIS)

The information system created and managed by the Personal Data Protection Board, which can be accessed over the internet, which can be used by the data controllers in the application to the Registry and other related transactions related to the Registry. 

VERBIS 

Data Controllers Registry Information System 

Regulation 

Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017. 

DISTRIBUTION OF RESPONSIBILITY AND DUTIES 

All units and employees of the Company actively support the responsible units in properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, in increasing the training and awareness of unit employees, in monitoring, and in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, to ensure that personal data is stored in accordance with the law, and to destroy it when the specified periods expire.

In addition, regarding the personal data processed by our Company and required to be destroyed, the data controller official, the employees acting on behalf of the data controller and the persons who process data on behalf of our Company cannot disclose the personal data they have learned to anyone else contrary to the provisions of this Policy and the KVKK, and cannot use it for purposes other than processing. In accordance with Article 12/4 of the KVKK, this obligation continues indefinitely (for life) after they leave their position.

The distribution of titles, units and job descriptions of those who take part in the storage and destruction processes of personal data is given in Table 1.

Table 1: Storage and destruction processes task distribution

TITLE 

UNIT 

TASK 

Company Personal Data Controller 

MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.

It is responsible for the preparation, development, execution, publication and updating of the Policy in related environments, and for ensuring that employees act in accordance with the Policy.

Company Data Controller Contact Person 

Id. Jobs, Finance and Sales-Marketing Departments

It is responsible for providing and following up the administrative, physical and technical solutions needed in the implementation of the policy. 

Id. Financial Affairs, Finance and Accounting, Sales, Marketing, Information Processing (IT), Departments

Other Units

They are responsible for the execution of this Policy in accordance with their duties.

RECORDING MEDIA 

Personal data is stored securely by the Company in accordance with the law in the environments listed in Table 2.

Table 2: Personal data storage environments

Electronic Media 

– Servers (Domain, backup, e-mail, database, web, file sharing, etc.) 

– Office Programs 

– Software (portal, office software) 

– Information security devices (daily log file, antivirus, etc.) 

– Personal computers (Desktop, laptop) 

– Mobile devices (phone, tablet, etc.) 

– Optical discs (CD, DVD, etc.) 

– Removable memories (USB, Memory Card, etc.) 

– Printer, scanner, copier 

Non-Electronic Environments 

– Paper 

– Manual data recording systems (occupational health and safety exam measurement and other filled form documents) 

– Written, printed, visual media

EXPLANATIONS ABOUT STORAGE AND DESTRUCTION 

Personal data about all real persons shown above under the heading “1.2. Scope” of this Policy is stored and destroyed by the Company in accordance with this Policy and KVKK.

In this context, detailed explanations regarding storage and destruction are given below.

4.1. Explanations Regarding Storage and Protection

Article 3 of the Law No. 6698 defines the concept of processing of personal data, Article 4 states that the processed personal data should be related to the purpose for which they are processed, limited and measured and should be kept for the period stipulated in the relevant legislation or for the purpose for which they are processed, and in Articles 5 and 6, the processing conditions of personal data are listed. 

Accordingly, within the framework of the activities of our company, personal data is stored for the period stipulated in the relevant legislation or for the period suitable for our processing purposes.

In accordance with Article 12 of the Law No. 6698, our Company takes the necessary measures, according to the nature of the data to be protected, in order to prevent the disclosure, access or transfer of personal data or security deficiencies that may occur in other ways. It takes technical and administrative measures to ensure the necessary level of security in accordance with the guidelines published by the Board, and carries out audits or has them carried out.

Our company provides the organization of necessary trainings for business units in order to prevent the unlawful processing of personal data, unlawful access to data and to increase awareness of data preservation.

Special personal data is given special importance within the scope of the Law No. 6698 due to the risk of causing victimization or discrimination of people when processed unlawfully. These “special” personal data are data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

In this context, the technical and administrative measures taken by our Company for the storage of personal data are also carefully applied in terms of special personal data, and while the necessary inspections are provided within our Company, some additional measures are also taken for the storage and protection of special personal data. In this sense, adequate and more detailed measures regarding the storage and protection of special personal data are included separately in Sections 5.1 and 5.2 of this Policy.

Legal Reasons Requiring Storage 

Personal data processed within the framework of our activities in our company are kept for the period stipulated in the relevant legislation. In this context, personal data is stored for the storage periods stipulated within the framework of the following legislation and then destroyed:

  • Law No. 6698 on the Protection of Personal Data,
  • Turkish Code of Obligations No. 6098,
  • Turkish Commercial Code No. 6102,
  • Tax Procedure Law No. 213,
  • Public Procurement Law No. 4734,
  • Labor Law and Labor Courts Law No. 4857,
  • Occupational Health and Safety Law No. 6331,
  • Social Insurance and General Health Insurance Law No. 5510,
  • Pensioner Health Law No. 5434,
  • Social Services Law No. 2828,
  • Law No. 5651 on the Regulation of Broadcasts Made on the Internet and the Combating of Crimes Committed Through These Publications,
  • Law No. 6563 on the Regulation of Electronic Commerce,
  • Electronic Signature Law No. 5070,
  • Electronic Communication Law No. 5809,
  • Information Acquisition Law No. 4982,
  • Law No. 3071 on the Exercise of the Right of Petition,
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
  • Other secondary regulations in force under these laws,
  • Other relevant provisions of the legislation.

Processing Purposes Requiring Storage 

The company stores the personal data it processes within the framework of its activities for the following purposes. 

  • Carrying out human resources processes.
  • To provide corporate communication. 
  • To ensure the commercial, legal, cyber security of the company with physical space and goods, business partners, suppliers and customers. 
  • To be able to do statistical studies. 
  • To be able to perform work and transactions as a result of signed contracts and protocols. 
  • Creating and updating VERBIS records in the necessary process. 
  • To ensure the fulfillment of legal obligations as required or mandated by legal regulations. 
  • To provide contact with real / legal persons who have a business relationship with the company. 
  • Conducting marketing, market research, analysis and reports within legal limits,
  • Managing call center processes,
  • To fulfill the burden of proof by serving as evidence in legal disputes that may arise in the future.

4.2. Explanation Regarding Destruction and Reasons Requiring Destruction 

Our company retains personal data for the period necessary for the purpose for which they are processed and for the minimum period stipulated in the relevant legal legislation. In this context, our Company first determines whether a period is provided for the storage of personal data in the relevant legislation, and if a period has been determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed, taking into account general and commercial procedures. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or upon the data owner's application, using the determined destruction methods (deletion, destruction or anonymization).

Personal data is deleted, destroyed or anonymized by the Company, ex officio or at the request of the relevant person, in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises in accordance with Article 11/1 of the Regulation, in the following cases:

  • Amendment or repeal of the provisions of the relevant legislation that form the basis for processing,
  • In accordance with Article 7/1 of Law No. 6698, the disappearance of the purpose/reasons requiring its processing or storage,
  • In cases where the processing of personal data takes place only on the basis of explicit consent, withdrawal of the explicit consent by the relevant person,
  • Acceptance by the Company, in accordance with Article 11 of the Law, of the application for the deletion and destruction of personal data made within the framework of the rights of the relevant person,
  • In cases where the Company rejects the application made to it by the relevant person with the request to delete, destroy or anonymize his personal data, its answer is found insufficient or it does not respond within the period stipulated in the Law, a complaint being made to the Board and the Board finding this request appropriate,
  • Expiry of the maximum retention periods specified in this Policy for the storage of personal data, with no condition that justifies the retention of personal data for a longer period.

TECHNICAL AND ADMINISTRATIVE MEASURES FOR SECURE STORAGE 

In accordance with Article 12 of the KVKK, the necessary technical and administrative measures stated below are taken by our Company in order to ensure the safe storage of personal data, to prevent its unlawful processing and access, and to store and destroy personal data in accordance with the law. In addition, in accordance with the fourth paragraph of Article 6 of the KVKK and the Decision of the Board dated 31/01/2018 and numbered 2018/10, sufficient additional measures determined and announced by the Board for special personal data are also taken as follows. 

5.1. Technical Measures 

The technical measures taken by the Company regarding the personal data it processes are listed below: 

  • Network security and application security are provided. In this context, security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up to date. Again, security updates are followed and test results are reported. 
  • Access to the company website is encrypted using a secure protocol, and security updates of the environments are constantly monitored.
  • Key management is applied. 
  • Security measures are taken within the scope of information technology systems procurement, development and maintenance. In this context, necessary measures are also taken for the physical security of the company’s information systems equipment, software and data. Software measures (firewalls, attack prevention systems, network access control, systems that block malicious software, etc.) are taken to ensure the security of information systems against environmental threats. 
  • The security of personal data stored in the cloud is ensured.
  • An authority matrix has been created for employees. Thus, access to information systems and authorization of users are made through access and authorization matrix in accordance with institutional policies.
  • The powers of employees who have a change of duty or who leave their jobs are removed in this field.
  • Access logs are kept regularly. Again, access to personal data stored in electronic media is limited according to access principles. 
  • Strong passwords are used in electronic environments where personal data is processed.
  • Data masking measure is applied when necessary.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored. 
  • Personal data is reduced as much as possible.
  • Personal data is backed up and the security of the backed up personal data is also ensured. Secure backup of personal data is carried out in our office, accounting and other programs that we use at home/abroad and secure cloud programs used for our information system. 
  • User account management and authorization control system are applied and their follow-up is also carried out.
  • Log records are kept without user intervention.
  • Existing risks and threats have been identified.
  • Attack detection and prevention systems are used.
  • Encryption is applied. 
  • Special data transferred on portable memory, CD, DVD media is encrypted and transferred.
  • Data loss prevention software is used.
  • Risks to prevent unlawful processing of personal data are determined, technical measures appropriate to these risks are taken and technical controls are carried out for the measures taken. 
  • Necessary measures are taken to ensure that the deleted personal data is inaccessible and unusable for the relevant users. 

5.2. Administrative Measures 

The administrative measures taken by the Company regarding the personal data it processes are listed below: 

  • There are disciplinary regulations including data security provisions for employees. In this context, the disciplinary sanctions to be applied to employees who do not comply with data privacy and security policies and procedures (within the scope of Privacy Commitments and other regulations and general provisions in cases where cites are not found and cited) have been determined. 
  • Training and awareness studies on data and information security for employees are carried out at regular intervals. In this context, regular trainings are given on the Labor Law and other relevant legislation, especially the KVKK No. 6698, in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, to ensure the preservation of personal data and to improve the quality of the employees in this subject, and a corporate culture is created in this subject. 
  • An authority matrix has been created for employees. Thus, access to information systems and authorization of users are made through access and authorization matrix in accordance with institutional policies.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and put into practice. 
  • Confidentiality commitments are made. In this context, confidentiality agreements are signed by all relevant users who process personal and special personal data regarding the activities carried out by the Company. 
  • An authority matrix has been created for employees. Thus, access to personal data and authorization of users is made through the access and authorization matrix in accordance with corporate policies, and access to personal data stored in physical environments is limited according to these access principles.
  • The powers of employees who have a change of duty or who leave their jobs are removed in this field.
  • Signed contracts contain data security provisions.
  • Extra security measures are taken for personal data transferred by paper and the relevant documents are sent in the format of confidential documents.
  • Personal data security policies and procedures are determined. Thus, all policy and procedure documents and texts, especially the Company’s “Personal Data Processing and Protection Policy”, have been created and put into force to cover all persons and data groups related to the protection of personal data processing within the Company. In this context, first of all, the Company’s “Personal Data Processing Inventory” has been prepared. If there is a new category of personal data to be processed in the said inventory, these will be added and updated to the 6-month periodic destruction periods determined in accordance with this “Personal Data Retention and Destruction Policy”. Again, in this context, before starting to process personal data, the obligation to inform the relevant persons is carefully fulfilled by the Company in any case and under any circumstances. 
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Necessary security measures are taken regarding the entrances and exits to physical environments containing personal data.
  • Access to the storage areas where personal data is located is recorded and inappropriate accesses or access attempts are kept under control.
  • Security of physical environments containing personal data against external risks (fire, flood, etc.) is provided. In this way, in order to ensure the security of information systems against environmental threats, hardware (access control system that provides only authorized personnel to enter the system room, 24/7 work and storage places, entrance-exit monitoring system, fire extinguishing system, air conditioning system, etc.) measures are taken. 
  • The security of environments containing personal data is ensured. 
  • Personal data is reduced as much as possible.
  • Personal data is backed up and the security of the backed up personal data is also ensured.
  • In-house periodic and/or random inspections are carried out or commissioned.
  • Existing risks and threats have been identified.
  • Data processing service providers are controlled at regular intervals for data security.
  • Data processing service providers are aware of data security.
  • Pursuant to Article 13 of the Regulation on the Registry of Data Controllers, the necessary arrangements and measures have been taken for registration in the registry within the legal period where required and, in case of a change in the information registered in the registry, for notifying the Institution through the registry within 7 days.
  • Other than this “Personal Data Protection and Destruction Policy”, the “Personal Data Protection and Processing Policy” has been prepared in a more inclusive way, and with the policy mentioned, it has been tried to ensure that both data owners and our employees gain more comprehensive information and sensitivity about our data processing and protection activities.
  • In case of personal data breach, a suitable system and infrastructure has been established by the Company for the application of the relevant person to our Company and to notify the relevant person and the Board of this situation.
  • In this context, in accordance with the Decision of the Board dated 24.01.2019 and numbered 2019/10, the “Data Breach Intervention Plan” regarding Personal Data Violations was prepared and it was decided to review this Plan on the annual periodic destruction of personal data at least twice a year. 
In summary, in accordance with the Data Breach Intervention Plan in question;

Our company has determined the necessary measures to continuously evaluate and follow up the possible data breach situations related to the personal data we process and transfer and to intervene immediately when such a problem occurs.

A process has been established for our company to notify the Board without delay and within 72 hours at the latest from the date of learning about the violation, in accordance with Article 12 of the Law and the Decision of the Board, and, if a notification cannot be made within 72 hours for a justified reason, to explain the reasons for the delay to the Board along with the notification to be made.

It has been decided to use the “Personal Data Breach Notification Form” published by the Board and provided by us in the notification to the Board.

It has been decided by our company to record the information, effects and measures taken regarding data breaches and to keep them ready for the Board’s examination.

Following the determination of the relevant persons affected by the said data breach, it has been decided to notify the relevant persons as soon as reasonably possible, directly if the contact address of the relevant person can be reached, and, if not, by publishing on the website of our Company with appropriate methods.

In the event that the data breach occurs at the data processor, measures have been taken for the data processor to notify our Company without any delay.

In the event that the data breach occurs at a data controller located abroad, if the results of this violation affect the relevant persons residing in Turkey and the relevant persons benefit from the products and services offered in Turkey, this data controller is required to notify the Board within the framework of the same principles.

  • For the security of special personal data, protocols and procedures are determined and implemented in this text as shown below.

5.3. Additional Measures for the Protection of Special Personal Data 

For the security of special personal data processed by the Company, within the scope of a separate policy (protocol and procedures) in this text, the additional technical and administrative measures taken by the Company regarding the special personal data it processes are listed below:

  • If special personal data is to be sent via electronic mail, it must be sent encrypted and using KEP or a corporate mail account. If it needs to be transferred via media such as portable memory, CD or DVD, it is encrypted. If transfer is performed between servers in different physical environments, a firewall is used or data transfer and remote connection are performed via FTP and VPN. If it is necessary to transfer it via paper media, necessary measures are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the documents are sent in a “confidential” format.
  • Secure encryption / cryptographic keys are used for special personal data and managed by different units.
  • Regular trainings and follow-up are carried out on the security of special personal data for employees who are involved in special personal data processing processes and have the authority to access special personal data. Confidentiality agreements have been made with the employees within this scope, and the permissions of users who have the authority to access this data have been defined. In this context, the scopes and periods of authorization for employees who have access to special personal data have been determined precisely and clearly with the “Retention and Access Authorizations” instruction, which is implemented as a regulatory document by the Company Data Manager Official. Thus, authorization control is carried out periodically for these personnel, the authority of those whose duties change or who leave their jobs is immediately removed, and all information, documents and tools under their duties are returned. 
  • Adequate security measures are taken for the physical environments where special personal data are processed, stored and/or accessed, and the physical security of these places is ensured with personnel, continuous closed circuit camera monitoring and technical equipment, and unauthorized entry-exit and access are prevented. In addition, according to the nature of these places, adequate precautions are taken against situations such as fire, flood, electricity leakage and theft.

PERSONAL DATA DESTRUCTION TECHNIQUES 

At the end of the period stipulated in the relevant legislation, or of the storage period required for the purpose for which they are processed, personal data are destroyed by the Company, ex officio or upon the application of the relevant person, in accordance with the provisions of the relevant legislation, using the following techniques.

6.1. Deletion of Personal Data 

Personal data is deleted by the methods given in Table-3.

Table 3: Deletion of Personal Data

| Data Recording Environment | Description |
|---|---|
| Personal Data on Servers | For personal data on servers whose storage period has expired, the system administrator removes the access authority of the relevant users and performs the deletion. |
| Personal Data in Electronic Media | Personal data in electronic media whose storage period has expired is made inaccessible and unusable in any way for other employees (relevant users), except for the database administrator. |
| Personal Data in the Physical Environment | Personal data kept in the physical environment whose storage period has expired is made inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, it is blacked out by drawing over, painting over or erasing it so that it cannot be read. |
| Personal Data in Portable Media | Personal data stored in flash-based storage media whose storage period has expired is encrypted by the system administrator; access authority is given only to the system administrator, and the data is stored in secure environments with encryption keys. |

6.2. Destruction of Personal Data

Personal data is destroyed by the Company by the methods given in Table-4. 

Table 4: Destruction of Personal Data

| Data Recording Environment | Description |
|---|---|
| Personal Data in the Physical Environment | Personal data on paper whose storage period has expired is irreversibly destroyed in a paper shredder. |
| Personal Data in Optical / Magnetic Media | Optical and magnetic media holding personal data whose storage period has expired are physically destroyed, for example by melting, burning or pulverizing. In addition, magnetic media is passed through a special device and exposed to a high-intensity magnetic field, making the data on it unreadable. |

6.3. Anonymization of Personal Data

Anonymization of personal data means rendering personal data impossible to associate with an identified or identifiable real person in any way, even when it is matched with other data.

For personal data to be anonymized, it must be rendered impossible to associate with an identified or identifiable real person, even through the use of techniques appropriate to the recording environment and the relevant field of activity, such as reversal by the personal data controller or third parties and/or matching the data with other data. Our Company carries out these operations in accordance with the procedures and techniques specified in the “Guide to Deletion, Destruction or Anonymization of Personal Data” published by the Board.

STORAGE AND DESTRUCTION PERIODS 

Regarding the personal data processed by the Company within the scope of its activities:

  • Retention periods for each item of personal data, covering all personal data within the scope of the activities carried out under the processes, are in the Personal Data Processing Inventory,
  • Storage periods based on data categories are registered with VERBIS (when registration is required in VERBIS),
  • Process-based retention periods are included in the Personal Data Retention and Destruction Policy.

If necessary, the said retention periods are updated on the proposal of the Contact Person of our Company Data Controller and with the approval of the Data Controller Officer of our Company.

The process of ex officio deletion, destruction or anonymization for personal data whose storage periods have expired is carried out by the Contact Person, the Personal Data Controller, who is the Relevant Employee of Our Company, as shown in Table 5 below.

 

Table 5: Process-based storage and disposal times table

| PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
|---|---|---|
| Security camera image recordings | 6 months from registration (10 years from registration if there is evidence within the scope of Law No. 6331, 10 years from registration, if there is evidence of crime, during the statute of limitations of the case) | Within 180 days following the end of the storage period |
| Call center voice recordings | 6 months from registration (10 years if it is legal evidence; if it is criminal evidence, during the statute of limitations) | Within 180 days following the end of the storage period |
| Biometric image and sound recordings for remote/video conference activities | 6 months from registration | Within 180 days following the end of the storage period |
| Employee candidate and reference information (if no employment contract has been established) | 6 months from the transaction (10 years from leaving the job if hired) | Within 180 days following the end of the storage period |
| Information and documents related to trainer-advisor, service providers regarding in-service training and service supply activities | 1 year from the completion of the training, service activity | Within 180 days following the end of the storage period |
| Shareholder and employee passport information (received within the scope of overseas business travel activity) | 1 year after leaving the partnership or business | Within 180 days following the end of the storage period |
| Mail-cargo document receiving-issuing transactions, incoming-outgoing documents | 1 year from the transaction | Within 180 days following the end of the storage period |
| Information about visitor records | 1 year from the date of visit | Within 180 days following the end of the storage period |
| IP and cookie data for website users | 1 year from the date of access | Within 180 days following the end of the storage period |
| Internet access data provided to personnel in the Company | 1 year from the date of access | Within 180 days following the end of the storage period |
| Shopping slip-z report information made by customers with debit-credit card | 5 years from the end of the legal relationship | Within 180 days following the end of the storage period |
| Data on employees and shareholders stored within the scope of labor law | 10 years after the end of the employment relationship | Within 180 days following the end of the storage period |
| Employee and shareholder data kept within the scope of SSI legislation and other relevant legislation | 10 years after the end of the employment relationship | Within 180 days following the end of the storage period |
| Employment-employment contract and its annexes, a part of the contract process | 10 years after the end of the employment relationship | Within 180 days following the end of the storage period |
| All documents related to employee training activities | 10 years after leaving the job | Within 180 days following the end of the storage period |
| Data collected for employees within the scope of workplace health and safety legislation | 10 years after the end of the employment relationship (Within the scope of occupational health, data consisting of temporary incapacity report, lung radiography, respiratory function test, hemogram, eye and hearing test, reports and information that may be the subject of a work accident or occupational disease case that there is a disease finding: 15 years) | Within 180 days following the end of the storage period |
| Documents regarding the allocation and use of vehicles, computers, telephones, etc. to employees | 10 years | Within 180 days following the end of the storage period |
| Personnel financing processes document (salary and other payments) | 10 years after the termination of the employment relationship | Within 180 days following the end of the storage period |
| Personal data about supplier and business partners | 10 years after the end of the legal relationship | Within 180 days following the end of the storage period |
| Payment transactions | 10 years after the business-commercial relationship ends | Within 180 days following the end of the storage period |
| Contracts concluded with third parties | 10 years | Within 180 days following the end of the storage period |
| Customer data | 10 years after the end of the legal relationship | Within 180 days following the end of the storage period |
| Request-complaint data | 10 years after the end of the legal relationship | Within 180 days following the end of the storage period |
| KVKK disclosure notice, consent declaration and other approval documents | 10 years after the end of the legal relationship (on that date if the main document is shorter) | Within 180 days following the end of the storage period |
| Personal Data Destruction Records and repealed Policy Texts | 10 years from the transaction | Within 180 days following the end of the storage period |
| Filing all kinds of other documents | 10 years from the transaction | Within 180 days following the end of the storage period |
| Data collected in accordance with other relevant legislation | For the period stipulated in the relevant legislation | Within 180 days following the end of the storage period |
| Relevant personal data that is the subject of a crime within the scope of the Turkish Penal Code or other penal provisions | For the duration of the statute of limitations of the case | Within 180 days following the end of the storage period |

PERIODIC DESTRUCTION PERIOD 

In accordance with Article 11 of the Regulation, the Company has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out in the Company in June and December every year. 

PUBLICATION AND STORAGE OF THE POLICY 

The policy is published in two different media, wet signed (printed paper) and electronic, and announced to the public on the website. The printed paper copy is also stored in the file to be kept by the Contact Personal Data Controller, who is the Company’s Relevant Employee. 

UPDATE PERIOD OF THE POLICY 

The policy is reviewed as needed and the necessary sections are updated. 

ENFORCEMENT AND REPEAL OF THE POLICY 

This Policy issued by our Company is dated 01.06.2024. The Policy is considered to have entered into force upon its publication on our Company's website “www.most-amazing-places.com” and is considered accessible to personal data owners. In case of renewal of all or certain articles of the Policy, the effective date will be updated. If it is decided to repeal the Policy, the old wet-signed copies are cancelled by the Company Data Controller Authority Decision (by stamping or writing the cancellation on them) and stored for a period of 10 years in the file kept by the Contact Personal Data Controller, who is the Company’s Relevant Employee.