AFORIA THERMAL RESIDENCES
STORAGE AND DESTRUCTION POLICY
1. Purpose of the Policy
The purpose of our personal data retention and destruction policy is to set forth the philosophy, purpose, and action plan we, as the data controller, will follow in determining the maximum time required for the processing of personal data, as well as in deleting, destroying, and anonymizing it. In this context, our goal is to inform our employees, administrative staff, visitors, collaborating companies, and all third parties affiliated with Deva Tekstil Madencilik İnşaat Petrol Ürünleri Sanayi Ve Ticaret Limited Şirketi (hereinafter referred to as Aforia Thermal Residences) about their data processing and their rights. We aim to ensure transparency in this matter and to act with respect for personal data and, consequently, privacy.
2. Basis of the Policy
Our policy has been created as a requirement of the 5th and 6th articles of the "Regulation on the Deletion, Destruction or Anonymization of Personal Data" (Regulation), which was published in the Official Gazette dated 7.4.2016 and numbered 6698 (KVK Law no. 6698) and 28.10.2017 and numbered 30224.
3. Scope of the Policy
Our policy covers our employees, administrative staff, visitors, the institutions we collaborate with, and all natural and legal persons in legal relationships with Aforia Thermal Residences, including all of their personal data, whether of a special nature or not, as defined in KVKK No. 6698. This policy also covers personal data contained in systems where data is processed by fully or partially automated means, or non-automated means, provided that it is part of any data recording system, as specified in KVKK No. 6698. Unless otherwise specified in this policy, personal data and special personal data are collectively referred to as "Personal Data."
4. Definitions
| Contact person | The real person whose personal data is processed, |
|---|---|
| Personal data | Any information relating to an identified or identifiable natural person, |
| Special categories of personal data | Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, |
| Explicit consent | Consent related to a specific subject, based on information and expressed with free will, Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Processing of personal data: | Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means or non-automatic means provided that it is part of any data recording system, |
| Destruction | Deletion, destruction or anonymization of personal data, |
| Personal data storage and destruction table: | The table showing the periods during which personal data will be kept at Aforia Thermal Residences, |
| Personal data processing inventory: | The inventory in which data controllers create a detailed account of their personal data processing activities, which they carry out in connection with their business processes, by relating the purposes of processing personal data, the data category, the recipient group to which the data is transferred, and the data subject group, and by explaining the maximum period required for the purposes for which personal data is processed, the personal data intended to be transferred to foreign countries, and the measures taken regarding data security. |
| Deletion of personal data | The process of making personal data inaccessible and non-reusable for the relevant users, |
| Destruction of personal data | The process of making personal data inaccessible, irretrievable and reusable by anyone, |
| Anonymization: | Personal data should be rendered incapable of being associated with an identified or identifiable natural person in any way, even if matched with other data. |
| Periodic destruction | In case all the processing conditions of personal data specified in the law are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy, which will be carried out ex officio at recurring intervals, |
| Data recording system | The registration system in which personal data is structured and processed according to certain criteria, |
| Board | Refers to the Personal Data Protection Board. |
5. General Principles Based on the Policy
The data controller, Aforia Thermal Residences, acts in accordance with the principles set out below when processing data.
5.1. Personal data can only be processed in accordance with the procedures and principles stipulated in KVKK No. 6698 and other laws.
5.2. The following principles must be adhered to when processing personal data:
a) Compliance with the law and rules of honesty.
b) Being accurate and up-to-date when necessary.
c) Processing for specified, explicit and legitimate purposes.
d) Being connected, limited and proportionate to the purpose for which they are processed.
d) Storage for the period required by the relevant legislation or for the purpose for which they are processed.
6. Recording Environments Regulated by the Policy
Any environment containing personal data processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system is considered a recording medium.
7. Duties and Powers of the Personal Data Protection Committee
7.1. The Personal Data Protection Committee is responsible for announcing this Policy to the relevant business units and monitoring the fulfillment of its requirements by Aforia Thermal Residences units.
7.2. The Personal Data Protection Committee makes the necessary announcements and notifications to ensure that the relevant business units follow the changes in legislation regarding the protection of personal data, regulatory actions and decisions of the Personal Data Protection Board (Board), court decisions or changes in processes, applications and systems, and to update their business processes if necessary.
7.3. The Personal Data Protection Committee determines the processes for reviewing, evaluating, following up and finalizing the KVKK No. 6698 and secondary regulations, the Board's decisions and regulations, court decisions and other competent authorities' decisions and/or requests, and announces them to the relevant units.
8. What to Do in Case of Elimination of the Conditions for Processing Personal Data
8.1. If the purpose for processing personal data is eliminated, explicit consent is revoked, or all of the conditions for processing personal data stipulated in Articles 5 and 6 of the Personal Data Protection Law No. 6698 are eliminated, or if a situation arises where none of the exceptions in the aforementioned articles apply, the personal data for which the processing conditions have been eliminated will be deleted, destroyed, or anonymized by the relevant business unit, taking into account business needs, within the scope of Articles 7 to 10 of the Regulation, and by explaining the justification for the method applied. However, in the case of a final court decision, the destruction method ordered by the court decision must be applied.
8.2. All users and data owners of Aforia Thermal Residences units that process or store personal data must review the data recording media they use, at least every six months, to determine whether the conditions related to processing have been eliminated. Upon the request of the data owner or upon notification by the Board or a court, the relevant users and units will conduct this review of the data recording media they use, regardless of the periodic inspection period.
8.3. As a result of periodic reviews, or if it is determined at any time that the data processing conditions have ceased to exist, the relevant user or data owner will decide whether to delete, destroy, or anonymize the relevant personal data from their storage media in accordance with this policy. In cases of doubt, the relevant data owner's business unit will be consulted. If a decision is needed to destroy personal data held in Central Information Systems with multi-stakeholder data ownership, the opinion of the Personal Data Protection Committee will be sought, and the relevant data owner's business unit will decide whether to store, delete, destroy, or anonymize the personal data in accordance with this policy.
8.4. All operations related to the deletion, destruction or anonymization of personal data are recorded and the records in question are kept for at least one year, excluding other legal obligations.
8.5. In accordance with Articles 4 and 7 of the Regulation, the methods applied for the deletion, destruction and anonymization of personal data will be explained in the Data Destruction Procedure to be published after this Policy comes into force.
8.6. In deleting, destroying or anonymizing personal data, it is mandatory to act in accordance with the general principles in Article 4 of the KVKK No. 6698 and the technical and administrative measures to be taken within the scope of Article 12, the relevant legislation provisions, the Board decisions and the personal data storage and destruction policy.
8.7. When a natural person who is the subject of personal data applies to Aforia Thermal Residences pursuant to Article 13 of the Personal Data Protection Law No. 6698 and requests the deletion, destruction, or anonymization of their personal data, the relevant data owner business unit examines whether all the conditions for processing personal data have been fulfilled. If all the conditions for processing have been fulfilled, the personal data subject to the request will be deleted, destroyed, or anonymized. In this case, the request will be finalized within thirty days from the date of application, as detailed in the Data Destruction Procedure, and the applicant will be informed through the relevant board. If all the conditions for processing personal data have been fulfilled and the personal data subject to the request has been transferred to a third party, the relevant data owner business unit will immediately notify the third party to whom the data was transferred and ensure that the necessary procedures are taken with the third party under the Regulation.
8.8. In cases where all the conditions for processing personal data have not been eliminated, requests from personal data owners to have their data deleted or destroyed may be rejected by Aforia Thermal Residences, with a justification provided in accordance with Article 13, paragraph 3 of the Personal Data Protection Law No. 6698. Any rejection will be notified to the relevant person in writing or electronically within 30 days at the latest.
8.9. Requests for the deletion or destruction of personal data will only be considered if the relevant person's identity has been established. Requests made outside of these channels will be directed to channels where identification or verification can be made.
9. Implementation of the Policy, Violation Cases and Sanctions
9.1. This Policy will come into force after being announced to all employees and will be binding on all business units, consultants, external service providers and anyone else processing personal data at Aforia Thermal Residences, as of its entry into force.
9.2. It will be the responsibility of the relevant employees' supervisors to monitor whether Aforia Thermal Residences employees comply with the requirements of the Policy. If any violation of the Policy is detected, the matter will be immediately reported to the immediate supervisor by the relevant employee's supervisor. If the violation is significant, the supervisor will immediately notify the Personal Data Protection Committee.
9.3. Necessary administrative action will be taken against employees who violate the policy after an evaluation by the Human Resources department.
9.4. In order to fulfill the policy requirements, Aforia Thermal Residences takes all necessary security measures, including the measures prescribed by the ISO standard and all relevant ministries.
10. Persons Involved in the Storage and Destruction of Personal Data and Their Responsibilities
At Aforia Thermal Residences, all employees, consultants, external service providers, and anyone else who stores and processes personal data at Aforia Thermal Residences are responsible for fulfilling the data destruction requirements specified in Regulation No. 6698 on Personal Data Protection Law (KVKK) and this Policy. Each business unit is responsible for storing and protecting the data generated in its own business processes. However, if the generated data resides solely in information systems beyond the control and authority of the business unit, the data in question will be stored by the units responsible for the information systems. Periodic destruction that would impact business processes and result in data integrity disruption, data loss, or consequences contrary to legal regulations will be carried out by the relevant information systems departments, taking into account the type of personal data involved, the systems within which it is located, and the business unit that owns the data.
11. Personal Data Storage and Destruction Periods
Personal Data Retention and Destruction Periods are listed below. These retention and destruction periods will be taken into account for periodic destruction or upon request. The Personal Data Retention and Destruction Periods Table will be updated by the business units that own the processes listed in the table, taking into account the assessment of the Personal Data Protection Committee in case of doubt.
Article 146 of the Turkish Code of Obligations No. 6098: 10 Years
Relevant Legislation: For the prescribed period
12. Periodic Destruction Periods
The Periodic Destruction Period for Personal Data is determined by the relevant business units that own the data. This period cannot exceed 6 (six) months in any case.
13. Entry into Force
13.1. The policy will come into force as of the date of publication.
13.2. It is the responsibility of the Personal Data Protection Committee to announce the policy throughout Aforia Thermal Residences and make the necessary updates.
Best regards.
Deva Textile Mining Construction Petroleum Products Industry and Trade Limited Company (Aforia Thermal Residences) (Data Controller)
Address: Dörtyol Neighborhood, Demirçevre St. No:1/1 Center/Afyonkarahisar
Email: kvkk@aforiathermal.com.tr
Telephone: 90 272 252 57 57
Kep Address: devatekstil@hs01.kep.tr