Tuğcan Hotel

Personal Data Storage and Destruction Policy

1. INTRODUCTION

1.1 Purpose

The Personal Data Storage and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding the work and transactions related to the storage and destruction activities carried out by TUĞCAN OTELCİLİK TURİZM ANONİM ŞİRKETİ (hereinafter referred to as the COMPANY).

In line with the mission, vision and basic principles determined in the strategic plan, our company has determined that the personal data of company employees, job candidates, service providers, visitors and other third parties are processed in accordance with the Constitution of the Republic of Turkey, international agreements, the Law on the Protection of Personal Data No. 6698 (“Law”) and other relevant legislation, and that the relevant persons are able to exercise their rights effectively.

The work and transactions related to the storage and destruction of personal data are carried out in accordance with the Policy prepared by our company in this direction.

1.2 Scope

Personal data belonging to company employees, job candidates, service providers, visitors and other third parties are within the scope of this Policy and this Policy is applied to all recording environments where personal data is processed and activities related to personal data processing owned or managed by our company.

1.3 Abbreviations and Definitions

Recipient Group: The category of real or legal persons to whom personal data is transferred by the data controller.

Explicit Consent: Consent based on information and expressed with free will regarding a specific subject.

Anonymization: Making personal data in no way associated with an identified or identifiable real person, even by matching it with other data.

Employee: Our company personnel.

EBYS: Electronic Document Management System

Electronic Environment: Environments where personal data can be created, read, changed and written with electronic devices.

Non-Electronic Environment: All written, printed, visual and other environments other than electronic environments.

Service Provider: A natural or legal person who provides services within the framework of a specific contract with our Company.

Relevant Person: A natural person whose personal data is processed.

Relevant User: Persons who process personal data within the data controller organization or in accordance with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.

Destruction: Deletion, destruction or anonymization of personal data.

Law: Law No. 6698 on the Protection of Personal Data.

Recording Medium: Any medium containing personal data processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system.

Personal Data: Any information related to an identified or identifiable natural person.

Personal Data Processing Inventory: Personal data processing activities carried out by data controllers in connection with their business processes; the inventory they create by associating the purposes and legal reason for processing personal data, data category, the recipient group to which the data is transferred and the data subject group, and which they detail by explaining the maximum retention period required for the purposes for which personal data is processed, the personal data planned to be transferred to foreign countries and the measures taken for data security.

Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.

Special Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures of individuals, and biometric and genetic data.

Periodic Destruction: The process of deleting, destroying or anonymizing personal data specified in the personal data storage and destruction policy and carried out ex officio at recurring intervals in the event that all the processing conditions of personal data specified in the law are eliminated.

Policy: Personal Data Storage and Destruction Policy

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Recording System: A recording system in which personal data is structured and processed according to certain criteria.

Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System: The information system, accessible via the internet and created and managed by the Presidency, which data controllers will use for their application to the Registry and other relevant transactions related to the Registry.

VERBIS: Data Controllers Registry Information System

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

2. RESPONSIBILITY AND DUTY DISTRIBUTION

All units and employees of our company actively support the responsible units in the implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy, the training and awareness raising, monitoring and continuous auditing of the unit employees, and the prevention of unlawful processing of personal data, prevention of unlawful access to personal data and ensuring that personal data is stored in accordance with the law, and the adoption of technical and administrative measures to ensure data security in all environments where personal data is processed.

3. RECORDING ENVIRONMENTS

Personal data is stored securely in accordance with the law by our company in the environments specified below.

Personal data storage media:

Electronic Media:
Servers (Domain, backup, e-mail, database, web, file sharing, etc.)
Software (office software,
Information security devices (firewall, attack detection and prevention, log file, antivirus, etc.)
Personal computers (Desktop, laptop)
Mobile devices (phone, tablet, etc.)
Optical disks (CD, DVD, etc.)
Removable memories (USB, Memory Card, etc.)
Printer, scanner, photocopier

Non-Electronic Media:
Paper
Manual data recording systems (survey forms, visitor log)
Written, printed, visual media

4. EXPLANATIONS ON STORAGE AND DESTRUCTION

Our company stores and destroys, in accordance with the Law, the personal data of employees, job candidates, visitors and employees of third parties, institutions or organizations that we have relations with as service providers.

In this context, detailed explanations regarding storage and destruction are provided below, respectively.

4.1 Explanations Regarding Storage

The concept of processing personal data is defined in Article 3 of the Law, Article 4 states that the personal data processed must be related to the purpose for which they are processed, limited and proportionate, and must be stored for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and Articles 5 and 6 list the conditions for processing personal data.

Accordingly, within the scope of our Company's activities, personal data is stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.

4.1.1 Legal Reasons Requiring Storage

Our Company stores personal data processed within the scope of its activities for the period stipulated in the relevant legislation. Within this scope, personal data is stored for the storage periods stipulated within the framework of:

Law No. 6698 on the Protection of Personal Data,
Turkish Code of Obligations No. 6098,
Public Procurement Law No. 4734,
Civil Servants Law No. 657,
Social Insurance and General Health Insurance Law No. 5510,
Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through Such Publications,
Public Financial Management Law No. 5018,
Occupational Health and Safety Law No. 6331,
Law No. 4982 on Information Acquisition,
Law No. 3071 on the Exercise of the Right to Petition,
Labor Law No. 4857,
Higher Education Law No. 2547,
Retirement Health Law No. 5434,
Social Services Law No. 2828,
Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
Regulation on Archive Services,
Other secondary regulations in force in accordance with these laws.

4.1.2 Processing Purposes Requiring Storage

Our company stores the personal data it processes within the scope of its activities for the following purposes.

To conduct human resources processes.
To ensure corporate communication.
To ensure company security,
To be able to conduct statistical studies.
To be able to perform work and transactions as a result of signed contracts and protocols.
To ensure that legal obligations are fulfilled as required or made mandatory by legal regulations.
To contact real/legal persons who have a business relationship with our company.
To make legal reports.
To fulfill the burden of proof as evidence in legal disputes that may arise in the future.

4.2 Reasons Requiring Destruction

Personal data is deleted or destroyed by our company upon the request of the relevant person, or is deleted, destroyed or anonymized ex officio, in the following cases:

Change or repeal of the relevant legislative provisions that form the basis of processing,
The purpose requiring processing or storage is eliminated,
In cases where personal data is processed only based on the condition of explicit consent, the relevant person withdraws his/her explicit consent,
Our Company accepts the application made by the relevant person for the deletion and destruction of his/her personal data within the framework of his/her rights in accordance with Article 11 of the Law,
In cases where our Company rejects the application made to it by the relevant person with a request for deletion, destruction or anonymization, the relevant person finds the response insufficient, or our Company does not respond within the period stipulated in the Law; the relevant person files a complaint with the Board and this request is approved by the Board,
The maximum period requiring the storage of personal data has passed and there are no conditions that would justify storing personal data for a longer period.

5. TECHNICAL AND ADMINISTRATIVE MEASURES

In order to securely store personal data, prevent unlawful processing and access, and to destroy personal data in accordance with the law, technical and administrative measures are taken by our company within the framework of sufficient measures determined and announced by our company for special personal data in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law.

5.1 Technical Measures

The technical measures taken by our company regarding the personal data it processes are listed below:

With penetration tests, risks, threats, vulnerabilities and gaps, if any, regarding our company's information systems are revealed and necessary measures are taken.
As a result of real-time analyses with information security incident management, risks and threats that will affect the continuity of information systems are continuously monitored.
Access to information systems and authorization of users are carried out through security policies via the access and authorization matrix and the corporate active directory.
Necessary measures are taken for the physical security of our company's information systems equipment, software and data.
In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, ensuring the physical security of the side switches that form the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, attack prevention systems, network access control, systems that block malware, etc.) measures are taken.
Risks to prevent unlawful processing of personal data are determined, appropriate technical measures are taken against these risks, and technical controls are carried out for the measures taken.

Access procedures are established within our company and reporting and analysis studies are carried out regarding access to personal data.
Accesses to storage areas where personal data is located are recorded and improper access or access attempts are kept under control.
Our company takes the necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
Security gaps are monitored, appropriate security patches are installed, and information systems are kept up-to-date.
Strong passwords are used in electronic environments where personal data is processed.
Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
Data backup programs are used to ensure that personal data is stored securely.
Access to personal data stored in electronic or non-electronic environments is restricted according to access principles.
A separate policy has been determined for the security of special personal data.
Training on special personal data security has been provided for employees involved in special personal data processing processes, confidentiality agreements have been made, and the authorities of users authorized to access data have been defined.
Electronic environments where special personal data is processed, stored and/or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, necessary security tests are regularly performed or commissioned, and test results are recorded.

Adequate security measures are taken for physical environments where special personal data is processed, stored and/or accessed, physical security is ensured and unauthorized entry and exit are prevented.

If special personal data needs to be transferred via e-mail, it is transferred encrypted with a corporate e-mail address or using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment. If transfer is made between servers in different physical environments, data transfer is carried out by establishing a VPN between the servers or by using the FTP method. If transfer is required via paper media, necessary precautions are taken against risks such as theft, loss of the document or the document being seen by unauthorized persons, and documents are sent in “confidential” format.

5.2 Administrative Measures

The administrative measures taken by our company regarding the personal data it processes are listed below:

Training is provided on preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring the preservation of personal data, communication techniques, technical knowledge and skills, Law No. 657 and other relevant legislation to improve the qualifications of employees.
Confidentiality agreements are signed by employees regarding the activities carried out by our company.
The disciplinary procedure to be applied to employees who do not comply with the security policies and procedures has been prepared.
Our company fulfills the obligation to inform the relevant persons before starting to process personal data.
A personal data processing inventory has been prepared.
Periodic and random audits are carried out within the company.
Information security training is provided for employees.

6. PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data shall be destroyed by our company ex officio or upon the application of the relevant person, again in accordance with the provisions of the relevant legislation, using the techniques specified below.

6.1 Deletion of Personal Data

Personal data shall be deleted using the methods explained below.

Personal Data on Servers:
For personal data on servers whose storage period has expired, the access authorization of the relevant users shall be removed by the system administrator and the deletion shall be carried out.

Personal Data on Electronic Media:
Personal data on electronic media whose storage period has expired shall be rendered inaccessible and non-reusable in any way for other employees (relevant users) except for the database administrator.

Personal Data on Physical Media:
Personal data kept in physical media whose storage period has expired shall be rendered inaccessible and non-reusable in any way for other employees except for the unit manager responsible for the document archive. In addition, a blackening process is also applied by drawing/painting/erasing it so that it cannot be read.

Personal Data on Portable Media:
Personal data kept on flash-based storage media whose storage period has expired are encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization granted only to the system administrator.

6.2 Destruction of Personal Data

Personal data is destroyed by the methods explained below.

Personal Data on Physical Media:
Personal data on paper whose storage period has expired are destroyed in paper shredders in a way that cannot be reversed.

Personal Data on Optical / Magnetic Media:
Personal data on optical and magnetic media whose storage period has expired are physically destroyed by melting, burning or pulverizing. In addition, magnetic media is passed through a special device and exposed to a high-value magnetic field, thus rendering the data on it unreadable.

6.3 Anonymization of Personal Data

Anonymization of personal data is the process of rendering personal data incapable of being associated with an identified or identifiable natural person, even if it is matched with other data.

In order for personal data to be anonymized, personal data must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and relevant field of activity, such as reversal of the data by the data controller or third parties and/or matching the data with other data.

7. STORAGE AND DESTRUCTION PERIODS

Regarding personal data processed by our company within the scope of its activities;

Storage periods based on personal data for all personal data within the scope of activities carried out depending on the processes are included in the Personal Data Processing Inventory;
Storage periods based on data categories are included in the VERBIS registration;
Storage periods based on process are included in the Personal Data Storage and Destruction Policy.

For personal data whose storage periods have expired, our company will perform the deletion, destruction or anonymization process ex officio.

8. PERIODIC DESTRUCTION PERIOD

Our company has determined the periodic destruction period as 2 YEARS.

9. PUBLICATION AND STORAGE OF THE POLICY

The policy is published on our website and disclosed to the public on the internet page. The printed paper copy is also stored in the relevant unit within our company.

10. POLICY UPDATE PERIOD

The policy is reviewed as needed and the necessary sections are updated.

11. ENFORCEMENT AND REPEAL OF THE POLICY

The policy is deemed to have entered into force after it is published on our company's website.
