1. PURPOSE OF THE POLICY
The purpose of this policy is to fulfill the obligations regarding the storage and destruction of personal data and other obligations specified in the Regulation on the Deletion, Destruction, or Anonymization of Personal Data (Regulation), which was issued based on the Law on the Protection of Personal Data No. 6698 (Law) and published in the Official Gazette No. 30224 on October 28, 2017, in accordance with Articles 5 and 6 of the Regulation. 5 and 6 of the Regulation, which was issued based on the Law on the Protection of Personal Data No. 6698 and published in the Official Gazette No. 30224 on 28.10.2017, and to fulfill other obligations specified in the Regulation. “Umut İnşaat Turizm San. Ve Tic. A.Ş. (hereinafter referred to as ”Umut İnşaat“ or ”Company").
2. SCOPE OF THE POLICY
The Policy covers personal data and special category personal data defined by the Law, held within the scope of the “”, all “Umut İnşaat” employees, managers, consultants, and in all cases where personal data sharing is involved, its affiliates, external service providers, and all natural and legal persons with whom “Umut İnşaat” has entered into a legal relationship.
The Policy covers personal data contained in systems where data is processed automatically, in whole or in part, or by non-automated means as long as it is part of a data recording system, as specified in the Law.
Unless otherwise specified in this Policy, personal data and special category personal data will generally be referred to as “Personal Data”.
3. DEFINITIONS
Anonymization: The process of rendering personal data unidentifiable, such that it cannot be associated with any specific or identifiable natural person, even when combined with other data,
Personal Data: Any information relating to an identified or identifiable natural person,
Personal Data Processing Inventory: Personal data processing activities carried out by data controllers in accordance with their business processes; which they create by linking the purposes of processing personal data, the data category, the group of recipients to whom the data is transferred, and the group of data subjects, and which details the maximum period necessary for the purposes for which the personal data is processed, the personal data intended to be transferred to foreign countries, and the measures taken regarding data security,
• Deletion of Personal Data: The process of rendering personal data inaccessible and unusable for relevant users,
• Destruction (Disposal) of Personal Data: The process of rendering personal data inaccessible, unrecoverable, and unusable by anyone,
• Deletion of Personal Data: The process of rendering personal data inaccessible and unusable for the relevant users.
• Destruction (Disposal) of Personal Data: The process of rendering personal data inaccessible, unrecoverable, and unusable by anyone.
• Special Category Personal Data: Data related to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, attire, membership in associations, foundations, or unions, health, sex life, criminal convictions, and security measures, as well as biometric and genetic data,
• Periodic destruction: The deletion, destruction, or anonymization of personal data, as specified in the personal data storage and destruction policy, to be carried out automatically at recurring intervals when all conditions for processing personal data specified in the law cease to exist.
• Law: The Personal Data Protection Law No. 6698 published in the Official Gazette dated 07.04.2016 and numbered 29677,
• Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette dated 28.10.2017 and numbered 30224,
Board: The Personal Data Protection Board,
• Recording medium: Any medium containing personal data processed by fully or partially automated means or by non-automated means provided that it is part of a data recording system,
• Personal Data Protection and Processing Policy: The policy determining the procedures and principles regarding the management of personal data, which can be accessed by the Relevant Person (Data Subject) at https://www.umutinsaat.com.tr/.
• ISMS: Information Security Management Systems.
These terms are defined as follows.
4. RECORDING ENVIRONMENTS REGULATED BY THE POLICY
Any environment containing personal data processed fully or partially automatically or by non-automated means, provided that it is part of a data recording system, falls within the scope of the recording environment.
4.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED
Personal data stored at “Umut İnşaat” is kept in a storage medium that is appropriate for the nature of the relevant data and our legal obligations within the scope of the BGYS.
The storage media used for storing personal data are generally listed below. However, some data may be located and stored in a medium other than those listed here due to their special characteristics or our legal obligations. “Umut İnşaat” acts as the data controller and processes and protects data in accordance with the KVK Law, the Personal Data Protection and Processing Policy, and this Personal Data Storage and Destruction Policy, within the scope of the KVK Law and BGYS.
Hardcopy media Media where data is stored by printing it on paper or microfilm.
Local digital media These are other digital media such as servers, fixed or portable disks, and optical disks located within “Umut İnşaat”.
Cloud media These are media that are not located within “Umut İnşaat” but are used by “Umut İnşaat” and utilize internet-based systems encrypted with cryptographic methods.
4.2. ENSURING THE SECURITY OF ENVIRONMENTS
“Umut İnşaat” takes all necessary technical and administrative measures within the scope of the KVK Law and BGYS, in accordance with the nature of the relevant personal data and the environment in which it is stored, to ensure that personal data is stored securely and to prevent its unlawful processing and access.
These measures include, but are not limited to, the following administrative and technical measures within the scope of the KVK Law and BGYS, to the extent appropriate to the nature of the relevant personal data and the environment in which it is stored.
4.2.1. Technical Measures
“Umut İnşaat” takes the following technical measures within the scope of the KVK Law and BGYS, in accordance with the nature of the relevant data and the environment in which the data is stored:
• Only up-to-date and secure systems that are compatible with technological developments are used in environments where personal data is stored.
• Security tests and research are conducted to identify security vulnerabilities in information systems, and any existing or potential risks identified as a result of these tests and research are addressed.
• Access to environments where personal data is stored is restricted, and only authorized persons are permitted to access this data within the scope of the purpose for which the personal data is stored.
• Umut İnşaat employs sufficient technical personnel to ensure the security of environments where personal data is stored.
4.2.2. Administrative Measures
“Umut İnşaat” takes the following administrative measures in accordance with the KVK Law and BGYS, appropriate to the nature of the relevant data and the environment in which it is stored:
• Efforts are made to raise awareness and educate all Umut İnşaat employees with access to personal data on information security, personal data, and privacy.
• Legal and technical consulting services are obtained to follow developments in the areas of information security, privacy, and personal data protection and to take the necessary actions.
• When personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations under these protocols.
4.2.3. Internal Audit
“Umut İnşaat” conducts internal audits within the scope of the BGYS in accordance with Article 12 of the Law regarding the implementation of the provisions of the Law and the provisions of this Personal Data Storage and Destruction Policy and the Personal Data Protection and Processing Policy. If any deficiencies or shortcomings in the implementation of these provisions are identified as a result of internal audits, such deficiencies or shortcomings are immediately remedied.
If, during an audit or otherwise, it is determined that personal data under the responsibility of Umut İnşaat has been obtained by others through unlawful means, Umut İnşaat shall notify the relevant party and the Board of this situation as soon as possible.
5. DUTIES AND AUTHORITIES OF THE PERSONAL DATA PROTECTION COMMITTEE (TEAM LIST)
5.1. The Personal Data Protection Committee (Team List) is responsible for communicating the Policy to the relevant business units and monitoring the fulfillment of its requirements by the units of “Umut İnşaat”.
5.2. The Personal Data Protection Committee (Team List) issues the necessary announcements and notifications for relevant business units to monitor situations such as changes in legislation regarding the protection of personal data, the Board's regulatory actions and decisions, court decisions, or changes in processes, applications, and systems, and to update their business processes if necessary.
5.3. The Personal Data Protection Committee (Team List) determines and announces to the relevant units the processes for examining, evaluating, following up, and finalizing the Law and secondary regulations, the Board's decisions and regulations, court decisions, and the decisions and/or requests of other competent authorities.
6. ACTIONS TO BE TAKEN WHEN THE CONDITIONS FOR PROCESSING PERSONAL DATA CEASE TO EXIST
6.1. If the purpose of processing personal data ceases to exist, explicit consent is withdrawn, or all of the conditions for processing personal data set out in Articles 5 and 6 of the Law cease to exist, or if none of the exceptions mentioned in the aforementioned articles can be applied, the personal data for which the processing conditions no longer exist shall be deleted, destroyed, or anonymized by the relevant business unit, taking into account business needs, in accordance with Articles 7, 8, 9, or 10 of the Regulation, and the reason for the method applied shall also be explained. However, in the event of a final court decision, the destruction method ruled by the court decision must be applied.
6.2. All users and data owners who process or store personal data, as well as the “Umut İnşaat” units, shall review the conditions related to data processing in the data storage environments they use at least every six months to determine whether these conditions still apply. Upon the request of the personal data owner or the notification of the Board or a court, the relevant users and units shall carry out this review in the data recording environments they use, regardless of the periodic review period.
6.3. Upon periodic reviews or at any time when it is determined that the conditions for data processing no longer exist, the relevant user or data owner shall decide to delete, destroy (dispose of), or anonymize the relevant personal data from the storage medium in their possession in accordance with this policy. In cases of doubt, the relevant data owner shall consult with the business unit before proceeding. When a decision needs to be made regarding the destruction of personal data with multi-stakeholder ownership located in Central Information Systems, the opinion of the Personal Data Protection Committee shall be sought, and the relevant data owner unit shall decide on the storage, deletion, destruction (disposal), or anonymization of the personal data in question in accordance with this policy.
6.4. All operations performed regarding the deletion, destruction, or anonymization of personal data shall be recorded, and such records shall be stored for the maximum period specified in the law for other legal obligations.
6.5. Pursuant to Article 7.4 of the Regulation, the methods applied for the deletion, destruction, or anonymization of personal data will be published and explained after the Policy enters into force.
6.6. When deleting, destroying (disposing of), or anonymizing personal data, it is mandatory to act in accordance with the general principles set forth in Article 4 of the Law, the technical and administrative measures required under Article 12, relevant legislation, Board decisions, and court rulings.
6.7. When the owner of personal data, who is a real person, requests the deletion, destruction, or anonymization of their personal data by applying to “Umut İnşaat” in accordance with Article 13 of the Law, the relevant business unit examines whether all the conditions for processing personal data have ceased to exist. If all processing conditions have ceased to exist, the personal data subject to the request shall be deleted, destroyed, or anonymized. In this case (as specified in the Destruction Procedure detailed in the BGYS), the request shall be finalized within thirty days at the latest from the date of application, and the relevant person shall be informed by the contact person appointed by the Data Controller “Umut İnşaat”. If all conditions for processing personal data have ceased to exist and the personal data subject to the request has been transferred to third parties, the relevant data owner unit shall immediately notify the third party to whom the transfer was made and ensure that the necessary actions are taken by the third party within the scope of the Regulation.
6.8. In cases where all conditions for processing personal data have not ceased to exist, requests from data subjects for the deletion or destruction of their data may be rejected by “Umut İnşaat” with justification provided in accordance with Article 13, Paragraph 3 of the Law. The rejection response shall be communicated to the relevant person in writing or electronically within 30 days at the latest.
6.9. Requests for the erasure or destruction of personal data will only be evaluated if the identity of the relevant person has been verified. Requests made through channels other than those specified will be directed to channels where the identity of the relevant persons can be verified or confirmed.
7. IMPLEMENTATION OF THE POLICY, VIOLATIONS, AND SANCTIONS
7.1. This Policy shall be announced on the website of “Umut İnşaat” (https://www. umutinsaat.com.tr/) and shall be binding on all business units, consultants, customers, suppliers, insurance companies, external service providers, and other companies that process personal data.
7.2. Monitoring whether Umut İnşaat employees comply with the requirements of the Policy shall be the responsibility of the employees' supervisors. If any conduct contrary to the Policy is detected, the matter shall be reported immediately by the employee's supervisor to a higher-level supervisor. If the violation is significant, the superior manager will inform the Personal Data Protection Committee (Team List) without delay.
7.3. Following an assessment by Human Resources and/or Personnel Affairs, the necessary administrative action will be taken against employees who violate the Policy.
7.4. In order to fulfill the requirements of the Policy, Umut İnşaat takes all necessary security measures within the scope of the BGYS (Information Security Management System) and Law No. 6698 on the Protection of Personal Data.
8. PERSONS INVOLVED IN THE STORAGE AND DISPOSAL PROCESSES OF PERSONAL DATA AND THEIR RESPONSIBILITIES
All employees, customers, suppliers, insurance companies, consultants, external service providers, and anyone else who stores and processes personal data on behalf of “Umut İnşaat” are responsible for fulfilling the requirements regarding the destruction of data specified in the Law, Regulations, and Policy.
Each business unit is responsible for storing and protecting the data it generates in its business processes; however, if the generated data is only stored in information systems outside the control and authority of the business unit, such data will be stored by the units responsible for those information systems. Periodic disposals that will affect business processes and cause data integrity to be compromised, data loss, and results that violate legal regulations will be carried out by the relevant information systems departments, taking into account the type of personal data concerned, the systems in which it is located, and the business unit that owns the data.
8.1. PERSONAL DATA PROTECTION COMMITTEE
“Umut İnşaat” establishes a Personal Data Protection Committee. The Personal Data Protection Committee is authorized and responsible for performing/having performed the necessary procedures and supervising the processes to ensure that the data of the relevant persons is stored and processed in accordance with the law, the Personal Data Protection and Processing Policy, and the Personal Data Storage and Destruction Policy.
The Personal Data Protection Committee consists of at least three persons, including a manager, an administrative expert, and a technical expert. The titles and job descriptions of the Umut İnşaat employees serving on the Personal Data Committee are listed below:
Title Job Description
Personal Data Protection Committee Manager Responsible for directing all planning, analysis, research, and risk identification activities in projects carried out during the compliance process; managing processes that must be carried out in accordance with the Law, the Personal Data Protection and Processing Policy, and the Personal Data Retention and Destruction Policy; and deciding on requests received from relevant persons.
KVK Specialist (Contact Person)
(Technical and Administrative) Responsible for reviewing and evaluating requests from relevant persons and reporting them to the Personal Data Committee Manager; Ensuring that the actions related to the requests of the relevant persons, which are evaluated and decided upon by the Personal Data Committee Manager, are carried out in accordance with the decision of the Personal Data Committee Manager; supervising the storage and destruction processes and reporting these supervisions to the Personal Data Committee Manager; and being responsible for the execution of the storage and destruction processes.
8.2. STORAGE AND DISPOSAL REASONS
8.2.1. Reasons for Storage
Personal data held by “Umut İnşaat” is stored for the purposes and reasons specified herein, in accordance with the Law and our Personal Data Policy (the relevant policy can be accessed at “https://www.umutinsaat.com.tr/”).
8.2.2. Reasons for Destruction
Personal data held by Umut İnşaat shall be deleted, destroyed (within its structure), or anonymized in accordance with this destruction policy upon the request of the relevant person or upon the cessation of the reasons listed in Articles 5 and 6 of the Law. The reasons listed in Articles 5 and 6 of the KVK Law are as follows:
Explicitly stipulated by law,
It is necessary to protect the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally valid, or of another person,
It is necessary for the establishment or performance of a contract, provided that it is directly related to the contract and the processing of personal data belonging to the parties to the contract is necessary,
It is necessary for the data controller to fulfill its legal obligations,
• It has been made public by the data subject,
• Data processing is necessary for the establishment, exercise, or defense of a legal claim,
• Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject,
8.3. DISPOSAL METHODS
“Umut İnşaat” deletes, destroys, or anonymizes personal data stored in accordance with the Law and other legislation and the Personal Data Protection and Processing Policy upon the request of the relevant person when the reasons for processing the data no longer exist, or automatically within the periods specified in this Personal Data Storage and Destruction Policy.
The deletion, destruction, and anonymization techniques most commonly used by “Umut İnşaat” are listed below:
8.3.1.1 Deletion Methods
Deletion Methods for Personal Data Stored in Printed Media
Blacking Out Personal data stored in printed media is deleted using the blacking out method. The blacking out process involves cutting out the personal data on the relevant document, where possible, or, where this is not possible, rendering it invisible using permanent ink so that it cannot be restored or read using technological solutions.
Methods for Deleting Personal Data Stored in Cloud and Local Digital Environments
Secure deletion from software Personal data stored in cloud or local digital environments is deleted using digital commands in a manner that prevents recovery. Data deleted in this manner cannot be accessed again.
8.3.1.2 Destruction Methods
Destruction Methods for Personal Data Stored in Printed Media
Physical destruction Documents stored in printed media are destroyed using document shredders in a manner that prevents their reassembly.
Destruction Methods for Personal Data Stored in Local Digital Media
Physical destruction This involves the physical destruction of optical and magnetic media containing personal data, such as melting, burning, or pulverizing. Data is rendered inaccessible by melting, burning, pulverizing, physically cutting and/or punching, or passing through a metal shredder.
Degaussing This is the process of exposing magnetic media to a high magnetic field to corrupt the data on it to the point where it is unreadable.
Overwriting Random data consisting of 0s and 1s is written at least seven times onto magnetic media and rewritable optical media to prevent the old data from being read and recovered.
Destruction Methods for Personal Data Stored in the Cloud
Secure deletion from software Personal data stored in the cloud is digitally deleted in a manner that prevents recovery, and all copies of encryption keys required to make the personal data usable are destroyed when the cloud computing service relationship ends. This ensures that the deleted data cannot be accessed again.
8.3.1.3. Anonymization Methods
Anonymization is the process of rendering personal data unidentifiable, such that it cannot be associated with any specific or identifiable natural person, even when combined with other data.
Removing variables Removing one or more direct identifiers contained within the personal data belonging to the relevant person that could be used to identify that person in any way. This method can be used to anonymize personal data, or it can be used to delete information that is not relevant to the purpose of processing the personal data.
Regional masking This is the process of deleting information that could be distinctive in relation to data that is an exception in a database where personal data is collectively anonymous.
Generalization This is the process of combining the personal data of many individuals, removing distinctive information, and converting it into statistical data.
Lower and upper limit coding
Global coding For a given variable, ranges are defined for that variable and categorized. If the variable does not contain a numerical value, data points that are close to each other within the variable are categorized. Values remaining within the same category are combined.
Microaggregation With this method, all records in the dataset are first sorted into a meaningful order and then the entire set is divided into a certain number of subsets. Next, the average value of each subset's variable is calculated, and the value of that variable in the subset is replaced with the average value. This makes it difficult to associate the data with the relevant person, as the indirect identifiers in the data will be corrupted.
Data mixing and corruption Direct or indirect identifiers in personal data are mixed with other values or corrupted, severing their connection to the relevant person and ensuring they lose their identifying qualities.
“Umut İnşaat” uses one or more of these anonymization methods, depending on the nature of the relevant data, to anonymize personal data. “Umut İnşaat” may use K-Anonymity, L-Diversity, and T-Proximity statistical methods when using these anonymization methods.
9. PERSONAL DATA RETENTION AND DISPOSAL PERIODS
The table showing the personal data retention and disposal periods is included in Appendix 1. These retention and disposal periods will be taken into account in periodic disposal or disposal upon request. The Table Showing Personal Data Retention and Destruction Periods will be updated by the business units responsible for the processes included in the “Umut İnşaat” personal data inventory, taking into account the assessments of the Personal Data Protection Committee in case of doubt.
9.1. Retention Periods (Table Appendix:1)
DATA SUBJECT DATA CATEGORY DATA RETENTION PERIOD
Employee Personal data used as the basis for notifications regarding service duration and remuneration made to the Social Security Institution with recruitment documents Retained for 10 (ten) years during the term of the service contract and after its termination.
Employee Personal data other than that used as a basis for notifications regarding service period and salary made to the Social Security Institution with employment documents These are retained for 10 (ten) years during the term of the employment contract and for 10 (ten) years starting from the beginning of the calendar year following the termination of the employment contract.
Employee Data Contained in the Workplace Personal Health File These are retained for 10 (ten) years during the term of the employment contract and for 10 (ten) years following the termination of the employment contract.
Business Partner/Solution Partner/Consultant Identity information, contact information, financial information, voice recordings of telephone calls, and Business Partner/Solution Partner/Consultant employee data related to the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and “Umut İnşaat” The Business Partner/Solution Partner/Consultant's name, surname, e-mail address, browsing activity information for the duration of the business/commercial relationship with “Umut İnşaat” and for 10 years after its termination in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.
Website Visitor The name, surname, email address, and browsing activity information of the Website Visitor is stored for 3 months and automatically deleted at the end of this period.
Job Applicant The information contained in the resume and job application form of the Job Applicant are stored for a maximum of 6 months, or until the resume becomes outdated.
Intern (student) Information contained in the intern's internship file is retained for 5 (five) years following the continuation of the internship relationship and the calendar year following its termination.
Customer Customer's name, surname, T.C.K.N., contact information, payment information and methods, browsing activity information, voice recordings of phone calls, product/service preferences, transaction history, special day information, vehicle license plate information The Customer's name, surname, T.C.K.N., contact information, payment information and methods, browsing activity information, voice recordings of telephone calls, product/service preferences, transaction history, special day information, vehicle license plate information
Potential Customer Identity information, contact information, financial information, and voice recordings of telephone calls obtained during contract negotiations between the Potential Customer and “Umut İnşaat” regarding the establishment of a commercial relationship are stored for 5 years.
Institutions/Companies Collaborating with Umut İnşaat (Suppliers, Contract Manufacturers, Dealers/Franchisees) Identity information, contact information, financial information, voice recordings of telephone calls, and data of employees of the Institutions/Companies that “Umut İnşaat” collaborates with, regarding the execution of the commercial relationship between the Institutions/Companies that “Umut İnşaat” collaborates with and “Umut İnşaat” The data of employees of the Institutions/Companies that “Umut İnşaat” collaborates with is stored for 10 years in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code during the term of the business/commercial relationship with “Umut İnşaat” and for 10 years after its termination.
* If a longer period is stipulated by legislation or if a longer period is envisaged for the statute of limitations, the period of forfeiture of rights, retention periods, etc., the periods specified in the legislation shall be considered the maximum retention period.
9.2. Retention Periods
“Umut İnşaat” deletes, destroys, or anonymizes personal data for which it is responsible in accordance with the Law, relevant legislation, the Personal Data Protection and Processing Policy, and this Personal Data Storage and Destruction Policy during the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymize such data arises. or anonymizes the personal data in the first periodic destruction process following the date on which the obligation to delete, destroy (shred), or anonymize the personal data for which it is responsible arises, in accordance with the Law, relevant legislation, the Personal Data Protection and Processing Policy, and this Personal Data Retention and Destruction Policy.
When the relevant person applies to “Umut İnşaat” requesting the deletion or destruction of their personal data in accordance with Article 13 of the Law;
1. If all conditions for processing personal data have ceased to exist, “Umut İnşaat” shall delete, destroy (destroy), or anonymize the personal data subject to the request within 30 (thirty) days from the date of receiving the request, explaining the reason and using an appropriate destruction method. For “Umut İnşaat” to be deemed to have received the request, the relevant person must have made the request in accordance with the Personal Data Protection and Processing Policy. “Umut İnşaat” shall, in any case, inform the relevant person about the action taken.
2. If all conditions for processing personal data have not ceased to exist, this request may be rejected by “Umut İnşaat” with an explanation of the reasons in accordance with the third paragraph of Article 13 of the Law, and the rejection response shall be notified to the relevant person in writing or electronically within thirty days at the latest.
10. PERIODIC DESTRUCTION PERIODS
10. PERIODIC DISPOSAL PERIODS
In the event that all conditions for the processing of personal data specified in the Personal Data Protection Law No. 6698 cease to exist, “Umut İnşaat” shall delete, destroy (dispose of), or anonymize the personal data for which the processing conditions no longer apply through a process to be carried out automatically at recurring intervals as specified in this Personal Data Retention and Disposal Policy.
Periodic destruction processes will commence for the first time on January 1, 2025, and will be repeated every 6 (six) months.
10.1. MONITORING THE LEGALITY OF THE DESTRUCTION PROCESS
“Umut İnşaat” carries out its destruction procedures, both upon request and periodically, in accordance with the Law, other legislation, the Personal Data Protection and Processing Policy, and this Personal Data Storage and Destruction Policy.
“Umut İnşaat” takes a number of administrative and technical measures to ensure that destruction procedures are carried out in accordance with these regulations.
10.1.1. Technical Measures
• “Umut İnşaat” provides technical tools and equipment suitable for each disposal method outlined in this policy.
• “Umut İnşaat” ensures the security of the location where the destruction operations are carried out,
• “Umut İnşaat” keeps access records of the persons performing the destruction operation,
• “Umut İnşaat” employs competent and experienced personnel to perform the destruction operation or, when necessary, obtains services from competent third parties.
10.1.2. Administrative Measures
• “Umut İnşaat” works to raise awareness and educate its employees who will perform the destruction process on information security, personal data, and privacy issues.
• Umut İnşaat obtains legal and technical consulting services to follow developments in the areas of information security, privacy, personal data protection, and secure destruction techniques, and to take the necessary actions.
• “Umut İnşaat” signs protocols with relevant third parties for the protection of personal data in cases where the destruction process is carried out by third parties due to technical or legal requirements, and takes all necessary care to ensure that the relevant third parties comply with their obligations under these protocols.
• “Umut İnşaat” regularly monitors whether destruction procedures are carried out in accordance with the law and the terms and obligations specified in this Personal Data Retention and Destruction Policy, and takes the necessary actions.
All operations related to the deletion, destruction, and anonymization of personal data are recorded, and such records are retained for at least three years, except for other legal obligations.
11. EFFECTIVE DATE
11.1. The Policy shall become effective as of the date of publication.
11.2. The Personal Data Protection Committee is responsible for announcing the Policy throughout “Umut İnşaat” and making the necessary updates.
12. UPDATE and COMPLIANCE
“Umut İnşaat” reserves the right to make changes to the Personal Data Protection and Processing Policy or this Personal Data Retention and Destruction Policy due to amendments to the Law, in accordance with the decisions of the Authority, or in line with developments in the sector or in the field of information technology.
Changes made to this Personal Data Retention and Destruction Policy are incorporated into the text without delay, and explanations regarding the changes are provided at the end of the policy.