Data Controller : Fab Dış Ticaret Anonim Şirketi
Address : Masko Mobilyacılar Sitesi 6A Blok Sok. No: 15 Başakşehir/ İstanbul
Phone : (0212) 675 03 33
1. INTRODUCTION
1.1 Purpose
This Personal Data Retention and Destruction Policy (Policy) has been prepared to determine the procedures and principles regarding the retention and destruction activities carried out by Fab Dış Ticaret Anonim Şirketi (FABCO).
FABCO prioritizes the processing of personal data belonging to its employees, employee candidates, service providers, visitors, contracting parties and other third parties in accordance with the Constitution of the Republic of Türkiye, international conventions, the Law No. 6698 on the Protection of Personal Data (Law) and other relevant legislation, and ensuring that data subjects can effectively exercise their rights.
The procedures and transactions regarding the retention and destruction of personal data are carried out by FABCO in accordance with this Policy prepared for this purpose.
1.2 Scope
Personal data belonging to FABCO’s employees, employee candidates, service providers, visitors, contracting parties and other third parties are within the scope of this Policy, and this Policy applies to all recording environments where personal data owned or managed by FABCO is processed and to all activities involving the processing of personal data.
1.3 Abbreviations and Definitions
|
Recipient Group |
: |
The category of real or legal persons to whom personal data is transferred by the data controller. |
|
Explicit Consent |
: |
Consent relating to a specific matter, based on information and expressed with free will. |
|
Anonymization |
: |
Rendering personal data unable to be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data. |
|
Employee |
: |
Personnel of Fab Dış Ticaret Anonim Şirketi. |
|
EDMS |
: |
Electronic Document Management System |
|
Electronic Environment |
: |
Environments where personal data can be created, read, modified and written by electronic devices. |
|
Non-Electronic Environment |
: |
All written, printed, visual and other environments outside electronic environments. |
|
Service Provider |
: |
A real or legal person providing services to Fab Dış Ticaret Anonim Şirketi within the framework of a specific agreement. |
|
Data Subject |
: |
The natural person whose personal data is processed. |
|
Relevant User |
: |
Persons who process personal data within the organization of the data controller or in accordance with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data. |
|
Destruction |
: |
Deletion, destruction or anonymization of personal data. |
|
Law |
: |
Law No. 6698 on the Protection of Personal Data.
|
|
Recording Environment |
: |
Any environment where personal data is processed wholly or partially by automated means or by non-automated means provided that it is part of a data recording system. |
|
Personal Data |
: |
Any information relating to an identified or identifiable natural person. |
|
Personal Data Processing Inventory |
: |
An inventory created by data controllers by associating personal data processing activities carried out depending on their business processes with the purposes and legal basis of processing, data category, transferred recipient group and data subject group, and detailing the maximum retention period required for the purposes for which personal data is processed, personal data intended to be transferred abroad and measures taken regarding data security. |
|
Processing of Personal Data |
: |
Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, wholly or partially by automated means or by non-automated means provided that it is part of a data recording system. |
|
Board |
: |
Personal Data Protection Board |
|
Special Categories of Personal Data |
: |
Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
|
Periodic Destruction |
: |
The deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy when all personal data processing conditions set forth in the Law cease to exist. |
|
Policy |
: |
Personal Data Retention and Destruction Policy |
|
Data Processor |
: |
A real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
|
Data Recording System |
: |
A recording system in which personal data is structured and processed according to specific criteria. |
|
Data Controller |
: |
A real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
|
Data Controllers Registry Information System |
: |
An information system created and managed by the Presidency, accessible via the internet, used by data controllers for applications to the Registry and other related Registry procedures. |
|
VERBIS |
: |
Data Controllers Registry Information System |
|
Regulation |
: |
The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017, and its amendments. |
2. RESPONSIBILITY AND DUTY DISTRIBUTION
All units and employees of FABCO actively support the responsible units in ensuring the proper implementation of technical and administrative measures taken within the scope of the Policy, training and raising awareness among unit employees, monitoring and continuous auditing, preventing unlawful processing of personal data, preventing unlawful access to personal data, and taking technical and administrative measures to ensure data security in all environments where personal data is processed.
The distribution of titles, units and duty descriptions of those involved in the retention and destruction processes of personal data is provided below:
|
TITLE |
UNIT |
DUTY |
|
Chairman of the Board |
Board of Directors |
Responsible for ensuring that employees act in accordance with the Policy. |
|
IT Specialist |
Information Systems |
Responsible for providing the technical solutions required for the implementation of the Policy. |
|
Archive Officer |
Archive Officer |
Destruction of personal data. |
|
Lawyer |
Legal |
Receiving requests from data subjects, checking their procedural compliance and responding to the request. |
|
Accounting/Human Resources Personnel |
Accounting/Human Resources |
Ensuring that processes within their duties comply with retention periods, managing the periodic destruction process, and carrying out the necessary inspections and controls to respond to requests from data subjects. |
|
Customer Representative Personnel |
Customer Representative |
Ensuring that processes within their duties comply with retention periods and managing the personal data destruction process in accordance with the periodic destruction period. |
3. RECORDING ENVIRONMENTS
Personal data is securely stored by FABCO in the environments listed below in accordance with the law.
Electronic Environments: Servers, Software, Information Security Devices, Computers, Mobile Devices, Optical Discs, External Memories, Printer, Scanner, Fax and Photocopy Machine, NAS, survey forms, CRM
Non-Electronic Environments: Paper, manual data recording systems, written, printed and visual environments, unit cabinets
4. EXPLANATIONS REGARDING RETENTION AND DESTRUCTION
Personal data belonging to employees, employee candidates, visitors, contracting parties and third parties, institutions or organizations’ employees with whom FABCO has a relationship as a service provider are retained and destroyed in accordance with the Law.
Detailed explanations regarding retention and destruction within this scope are provided below respectively.
4.1. Explanations Regarding Retention
Article 3 of the Law defines the concept of processing of personal data, Article 4 states that the processed personal data must be related to, limited and proportionate to the purposes for which they are processed and retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and Articles 5 and 6 list the conditions for processing personal data.
Accordingly, within the framework of our company’s activities, personal data is retained for the period stipulated in the relevant legislation or for the period appropriate to our processing purposes.
4.1.1. Legal Grounds Requiring Retention
Personal data processed within the scope of the company’s activities are retained for the periods stipulated in the relevant legislation. In this context, personal data are retained for the retention periods stipulated under Law No. 6698 on the Protection of Personal Data, Turkish Code of Obligations No. 6098, Turkish Commercial Code No. 6102, Public Procurement Law No. 4734, Social Insurance and General Health Insurance Law No. 5510, Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications, Occupational Health and Safety Law No. 6331, Right to Information Law No. 4982, Labor Law No. 4857, Social Services Law No. 2828 and other relevant/related legislation.
4.1.2. Processing Purposes Requiring Retention
FABCO retains personal data processed within the scope of its activities for the purposes of carrying out commercial activities, fulfilling commercial and legal obligations, performing debts and following up receivables, carrying out human resources processes, ensuring corporate communication, ensuring the security of the workplace, employees, third parties and the company, conducting statistical studies, communicating with related or third parties and public institutions and organizations, reporting, managing call center processes, and using them as legal evidence in disputes that may arise in the future.
4.2. Reasons Requiring Destruction
Personal data shall be deleted, destroyed or anonymized by FABCO upon the request of the data subject or ex officio in cases where the provisions of the relevant legislation forming the basis for processing are amended or repealed, the purpose requiring processing or retention ceases to exist, where processing is carried out solely based on explicit consent and the data subject withdraws such explicit consent, where the data subject’s application for the deletion or destruction of personal data within the scope of their rights under Article 11 of the Law is accepted, where FABCO rejects the application made by the data subject requesting the deletion, destruction or anonymization of their personal data, the data subject finds the response insufficient or FABCO fails to respond within the period stipulated in the Law, the data subject files a complaint with the Board and the Board finds the request appropriate, the maximum retention period requiring the retention of personal data has expired, and there is no condition justifying the longer retention of personal data.
5. TECHNICAL AND ADMINISTRATIVE MEASURES
Technical and administrative measures are taken by FABCO within the framework of the sufficient measures determined and announced by the Board for special categories of personal data pursuant to Article 12 and the fourth paragraph of Article 6 of the Law, in order to securely retain personal data, prevent unlawful processing and access, and ensure lawful destruction of personal data.
5.1. Technical Measures
The technical measures taken by FABCO regarding the personal data it processes are listed below:
5.2. Administrative Measures
The administrative measures taken by FABCO regarding the personal data it processes are listed below:
6. PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the retention period stipulated in the relevant legislation or required for the purpose for which they are processed, personal data are destroyed by FABCO ex officio or upon the application of the data subject, in accordance with the relevant legislation, using the techniques specified below.
6.1. Deletion of Personal Data
Personal data are deleted using the methods specified in the table below.
|
Data Recording Environment |
Description |
|
Personal Data on Servers |
For personal data on servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and performs the deletion process.
|
|
Personal Data in Electronic Environment |
Personal data in electronic environments whose retention period has expired are made inaccessible and unusable for employees other than the database administrator.
|
|
Personal Data in Physical Environment |
Personal data kept in physical environments whose retention period has expired are made inaccessible and unusable for employees other than the unit manager responsible for the document archive. In addition, blackening is applied by crossing out/painting over/erasing the data so that it cannot be read.
|
|
Personal Data on Portable Media |
Personal data stored on flash-based storage media whose retention period has expired are encrypted by the system administrator, access authorization is granted only to the system administrator, and encryption keys are stored in secure environments.
|
6.2. Destruction of Personal Data
Personal data are destroyed using the methods specified in the table below.
|
Data Recording Environment |
Description |
|
Personal Data in Physical Environment |
Personal data in paper format whose retention period has expired are destroyed irreversibly using paper shredders.
|
|
Personal Data on Optical / Magnetic Media |
Personal data on optical and magnetic media whose retention period has expired are physically destroyed by methods such as melting, burning or pulverizing. In addition, magnetic media are passed through a special device and exposed to a high magnetic field to render the data unreadable.
|
6.3. Anonymization of Personal Data
Anonymization of personal data means rendering personal data unable to be associated with an identified or identifiable natural person under any circumstances, even if matched with other data.
For personal data to be anonymized, it must be rendered unable to be associated with an identified or identifiable natural person, even through techniques appropriate to the recording environment and relevant field of activity, such as the reversal of data by the data controller or third parties and/or matching the data with other data.
7. RETENTION AND DESTRUCTION PERIODS
Regarding personal data processed by FABCO within the scope of its activities;
The said retention periods are updated when necessary.
|
Personal Data |
Retention Period |
Destruction Period |
|
All records related to accounting and financial transactions (identity, contact, location, personnel data) |
Retained for 15 years from the date of termination of the contractual relationship. |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Documents related to general company decisions such as powers of attorney, signature circulars, general assembly resolutions and revocations |
15 years from the date of first registration |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Agreements signed with third parties, including lease agreements, service agreements and supply agreements |
15 years from the date of termination of the relevant agreement |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Tender / workplace opening / ministries and undersecretariats document preparation processes |
15 years from the date of completion of the process |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Personal data obtained within the scope of occupational health and safety practices |
15 years from the date of termination of the employment relationship |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Supplier contact and introduction forms |
10 years from the date of termination of the business relationship |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Personal health data of employees |
10 years from the date of termination of the employment relationship |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Employee recruitment files and personnel data |
10 years from the date of termination of the employment relationship |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Customer request/complaint information |
5 years from the date of registration |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Responding to court/enforcement information requests regarding personnel |
10 years from the date of termination of the employment relationship |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Personnel financing processes |
10 years from the date of termination of the employment relationship |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Contact information obtained by all units |
Retained for 10 years from the date the contact information is obtained. |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Internet usage logs kept pursuant to Law No. 5651 |
Retained for 2 years. |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Keeping camera recordings for physical security purposes |
Retained for 3 months. |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Candidate employee evaluation |
Negative evaluations are retained for 1 month. |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Training activities |
Upon termination of the employment agreement, personal data within the scope of occupational health and safety legislation are retained for 15 years, while other data are retained for 10 years. |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Leaves |
Retained for 10 years from the termination of the employee’s employment relationship. |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Workplace opening procedures |
The processed personal data are retained for 10 years. |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Invoice accrual |
Retained for 10 years in cases arising from the Turkish Commercial Code and for 5 years in cases arising from the Tax Procedure Law. |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Preparation of tax returns |
Retained for 5 years pursuant to the Tax Procedure Law. |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Part of the contract process and retention of the contract |
10 years from the date of termination of the business relationship |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Personal data protection processes, including disclosure notices, explicit consent, applications and complaints |
15 years from the date the relevant record is created |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Postal and cargo transaction records |
1 year from the transaction date |
Destroyed during the first periodic destruction process following the end of the retention period. |
|
Personal data relating to customers |
10 years from the end of the legal/contractual relationship |
Destroyed during the first periodic destruction process following the end of the retention period. |
8. PERIODIC DESTRUCTION PERIOD
Pursuant to Article 11 of the Regulation, FABCO has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out at FABCO every year in June and December.
9. PUBLICATION AND RETENTION OF THE POLICY
The Policy is published electronically and made publicly available on the website.
10. UPDATE PERIOD OF THE POLICY
The Policy is reviewed as needed and the necessary sections are updated.
11. ENTRY INTO FORCE AND REVOCATION OF THE POLICY
The Policy is deemed to have entered into force upon its publication on FABCO’s website. If it is decided to revoke the Policy, the old wet-signed copies of the Policy shall be cancelled and signed by the company official and retained for at least 5 years.
For questions about orders, production or materials used, please visit our FAQ section.
View FAQ