Step Into The Space

PERSONAL DATA RETENTION AND DESTRUCTION POLICY

Data Controller : Fab Dış Ticaret Anonim Şirketi

Address : Masko Mobilyacılar Sitesi 6A Blok Sok. No: 15 Başakşehir/ İstanbul

Phone : (0212) 675 03 33

1. INTRODUCTION

1.1 Purpose

This Personal Data Retention and Destruction Policy (Policy) has been prepared to determine the procedures and principles regarding the retention and destruction activities carried out by Fab Dış Ticaret Anonim Şirketi (FABCO).

FABCO prioritizes the processing of personal data belonging to its employees, employee candidates, service providers, visitors, contracting parties and other third parties in accordance with the Constitution of the Republic of Türkiye, international conventions, the Law No. 6698 on the Protection of Personal Data (Law) and other relevant legislation, and ensuring that data subjects can effectively exercise their rights.

The procedures and transactions regarding the retention and destruction of personal data are carried out by FABCO in accordance with this Policy prepared for this purpose.

1.2 Scope

Personal data belonging to FABCO’s employees, employee candidates, service providers, visitors, contracting parties and other third parties are within the scope of this Policy, and this Policy applies to all recording environments where personal data owned or managed by FABCO is processed and to all activities involving the processing of personal data.

1.3 Abbreviations and Definitions

Recipient Group

:

The category of real or legal persons to whom personal data is transferred by the data controller.

Explicit Consent

:

Consent relating to a specific matter, based on information and expressed with free will.

Anonymization

:

Rendering personal data unable to be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.

Employee

:

Personnel of Fab Dış Ticaret Anonim Şirketi.

EDMS

:

Electronic Document Management System

Electronic Environment

:

Environments where personal data can be created, read, modified and written by electronic devices.

Non-Electronic Environment

:

All written, printed, visual and other environments outside electronic environments.

Service Provider

:

A real or legal person providing services to Fab Dış Ticaret Anonim Şirketi within the framework of a specific agreement.

Data Subject

:

The natural person whose personal data is processed.

Relevant User

:

Persons who process personal data within the organization of the data controller or in accordance with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Destruction

:

Deletion, destruction or anonymization of personal data.

Law

:

Law No. 6698 on the Protection of Personal Data.

 

Recording Environment

:

Any environment where personal data is processed wholly or partially by automated means or by non-automated means provided that it is part of a data recording system.

Personal Data

:

Any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory

:

An inventory created by data controllers by associating personal data processing activities carried out depending on their business processes with the purposes and legal basis of processing, data category, transferred recipient group and data subject group, and detailing the maximum retention period required for the purposes for which personal data is processed, personal data intended to be transferred abroad and measures taken regarding data security.

Processing of Personal Data

:

Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, wholly or partially by automated means or by non-automated means provided that it is part of a data recording system.

Board

:

Personal Data Protection Board

Special Categories of Personal Data

:

Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Periodic Destruction

:

The deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy when all personal data processing conditions set forth in the Law cease to exist.

Policy

:

Personal Data Retention and Destruction Policy

Data Processor

:

A real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Recording System

:

A recording system in which personal data is structured and processed according to specific criteria.

Data Controller

:

A real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System

:

An information system created and managed by the Presidency, accessible via the internet, used by data controllers for applications to the Registry and other related Registry procedures.

VERBIS

:

Data Controllers Registry Information System

Regulation

:

The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017, and its amendments.

2. RESPONSIBILITY AND DUTY DISTRIBUTION

All units and employees of FABCO actively support the responsible units in ensuring the proper implementation of technical and administrative measures taken within the scope of the Policy, training and raising awareness among unit employees, monitoring and continuous auditing, preventing unlawful processing of personal data, preventing unlawful access to personal data, and taking technical and administrative measures to ensure data security in all environments where personal data is processed.

The distribution of titles, units and duty descriptions of those involved in the retention and destruction processes of personal data is provided below:

TITLE

UNIT

DUTY

Chairman of the Board

Board of Directors

Responsible for ensuring that employees act in accordance with the Policy.

IT Specialist

Information Systems

Responsible for providing the technical solutions required for the implementation of the Policy.

Archive Officer

Archive Officer

Destruction of personal data.

Lawyer

Legal

Receiving requests from data subjects, checking their procedural compliance and responding to the request.

Accounting/Human Resources Personnel

Accounting/Human Resources

Ensuring that processes within their duties comply with retention periods, managing the periodic destruction process, and carrying out the necessary inspections and controls to respond to requests from data subjects.

Customer Representative Personnel

Customer Representative

Ensuring that processes within their duties comply with retention periods and managing the personal data destruction process in accordance with the periodic destruction period.

3. RECORDING ENVIRONMENTS

Personal data is securely stored by FABCO in the environments listed below in accordance with the law.

Electronic Environments: Servers, Software, Information Security Devices, Computers, Mobile Devices, Optical Discs, External Memories, Printer, Scanner, Fax and Photocopy Machine, NAS, survey forms, CRM

Non-Electronic Environments: Paper, manual data recording systems, written, printed and visual environments, unit cabinets

4. EXPLANATIONS REGARDING RETENTION AND DESTRUCTION

Personal data belonging to employees, employee candidates, visitors, contracting parties and third parties, institutions or organizations’ employees with whom FABCO has a relationship as a service provider are retained and destroyed in accordance with the Law.

Detailed explanations regarding retention and destruction within this scope are provided below respectively.

4.1. Explanations Regarding Retention

Article 3 of the Law defines the concept of processing of personal data, Article 4 states that the processed personal data must be related to, limited and proportionate to the purposes for which they are processed and retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and Articles 5 and 6 list the conditions for processing personal data.

Accordingly, within the framework of our company’s activities, personal data is retained for the period stipulated in the relevant legislation or for the period appropriate to our processing purposes.

4.1.1. Legal Grounds Requiring Retention

Personal data processed within the scope of the company’s activities are retained for the periods stipulated in the relevant legislation. In this context, personal data are retained for the retention periods stipulated under Law No. 6698 on the Protection of Personal Data, Turkish Code of Obligations No. 6098, Turkish Commercial Code No. 6102, Public Procurement Law No. 4734, Social Insurance and General Health Insurance Law No. 5510, Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications, Occupational Health and Safety Law No. 6331, Right to Information Law No. 4982, Labor Law No. 4857, Social Services Law No. 2828 and other relevant/related legislation.

4.1.2. Processing Purposes Requiring Retention

FABCO retains personal data processed within the scope of its activities for the purposes of carrying out commercial activities, fulfilling commercial and legal obligations, performing debts and following up receivables, carrying out human resources processes, ensuring corporate communication, ensuring the security of the workplace, employees, third parties and the company, conducting statistical studies, communicating with related or third parties and public institutions and organizations, reporting, managing call center processes, and using them as legal evidence in disputes that may arise in the future.  

4.2. Reasons Requiring Destruction

Personal data shall be deleted, destroyed or anonymized by FABCO upon the request of the data subject or ex officio in cases where the provisions of the relevant legislation forming the basis for processing are amended or repealed, the purpose requiring processing or retention ceases to exist, where processing is carried out solely based on explicit consent and the data subject withdraws such explicit consent, where the data subject’s application for the deletion or destruction of personal data within the scope of their rights under Article 11 of the Law is accepted, where FABCO rejects the application made by the data subject requesting the deletion, destruction or anonymization of their personal data, the data subject finds the response insufficient or FABCO fails to respond within the period stipulated in the Law, the data subject files a complaint with the Board and the Board finds the request appropriate, the maximum retention period requiring the retention of personal data has expired, and there is no condition justifying the longer retention of personal data.

5. TECHNICAL AND ADMINISTRATIVE MEASURES

Technical and administrative measures are taken by FABCO within the framework of the sufficient measures determined and announced by the Board for special categories of personal data pursuant to Article 12 and the fourth paragraph of Article 6 of the Law, in order to securely retain personal data, prevent unlawful processing and access, and ensure lawful destruction of personal data.

5.1. Technical Measures

The technical measures taken by FABCO regarding the personal data it processes are listed below:

  • Risks, threats, vulnerabilities and possible security gaps regarding FABCO information systems are identified through penetration tests and necessary measures are taken.
  • Through information security incident management, risks and threats that may affect the continuity of information systems are continuously monitored as a result of real-time analyses.
  • Access to information systems and authorization of users are carried out through an access and authorization matrix and corporate active directory security policies.
  • Necessary measures are taken for the physical security of FABCO information systems equipment, software and data.
  • Hardware-based and software-based measures are taken to ensure the security of information systems against environmental threats.
  • Risks related to preventing unlawful processing of personal data are identified, technical measures appropriate to these risks are taken, and technical controls are carried out regarding the measures taken.
  • Access procedures are established within FABCO and reporting and analysis studies are carried out regarding access to personal data.
  • Access to storage areas containing personal data is recorded, and improper access or access attempts are kept under control.
  • FABCO takes the necessary measures to ensure that deleted personal data is inaccessible and cannot be reused by relevant users.
  • In the event that personal data is unlawfully obtained by others, FABCO has established a suitable system and infrastructure to notify the data subject and the Board.
  • Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up to date.
  • Strong passwords are used in electronic environments where personal data is processed.
  • Secure logging systems are used in electronic environments where personal data is processed.
  • Data backup programs are used to ensure the secure storage of personal data.
  • Access to personal data stored in electronic or non-electronic environments is restricted according to access principles.
  • Access to FABCO’s website is provided through a secure protocol (HTTPS) and encrypted with the …….. algorithm.
  • A separate policy has been established for the security of special categories of personal data.
  • Employees involved in special category personal data processing processes have been provided with training on the security of special categories of personal data, confidentiality agreements have been signed, and the authorizations of users with access to the data have been defined.
  • Electronic environments where special categories of personal data are processed, retained and/or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are continuously monitored, and necessary security tests are regularly conducted or commissioned and the test results are recorded.
  • Physical environments where special categories of personal data are processed, retained and/or accessed are provided with adequate security measures, and unauthorized entries and exits are prevented by ensuring physical security.
  • If special categories of personal data need to be transferred by e-mail, they are transferred in encrypted form through a corporate e-mail address or by using a registered electronic mail account. If they need to be transferred via portable memory, CD, DVD or similar media, they are encrypted using cryptographic methods and the cryptographic key is kept in a different environment. If transfer is carried out between servers in different physical environments, data transfer is performed by establishing a VPN between servers or by using the sFTP method. If transfer is required through paper media, necessary measures are taken against risks such as the document being stolen, lost or seen by unauthorized persons, and the document is sent in “confidential” format.

5.2. Administrative Measures

The administrative measures taken by FABCO regarding the personal data it processes are listed below:

  • Training is provided to improve the qualifications of employees on preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring the retention of personal data, communication techniques, technical knowledge and skills, Law No. 657 and other relevant legislation.
  • Confidentiality agreements are signed with employees regarding the activities carried out by FABCO.
  • A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
  • Before starting to process personal data, FABCO fulfills its obligation to inform data subjects.
  • A personal data processing inventory has been prepared.
  • Periodic and random internal audits are carried out within the company.
  • Information security training is provided to employees.

6. PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the retention period stipulated in the relevant legislation or required for the purpose for which they are processed, personal data are destroyed by FABCO ex officio or upon the application of the data subject, in accordance with the relevant legislation, using the techniques specified below.

6.1. Deletion of Personal Data

Personal data are deleted using the methods specified in the table below.

Data Recording Environment

Description

 

Personal Data on Servers

 

For personal data on servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and performs the deletion process.

 

 

Personal Data in Electronic Environment

 

Personal data in electronic environments whose retention period has expired are made inaccessible and unusable for employees other than the database administrator.

 

 

Personal Data in Physical Environment

 

Personal data kept in physical environments whose retention period has expired are made inaccessible and unusable for employees other than the unit manager responsible for the document archive. In addition, blackening is applied by crossing out/painting over/erasing the data so that it cannot be read.

 

 

Personal Data on Portable Media

 

Personal data stored on flash-based storage media whose retention period has expired are encrypted by the system administrator, access authorization is granted only to the system administrator, and encryption keys are stored in secure environments.

 

6.2. Destruction of Personal Data

Personal data are destroyed using the methods specified in the table below.

Data Recording Environment

Description

 

Personal Data in Physical Environment

 

Personal data in paper format whose retention period has expired are destroyed irreversibly using paper shredders.

 

 

Personal Data on Optical / Magnetic Media

 

Personal data on optical and magnetic media whose retention period has expired are physically destroyed by methods such as melting, burning or pulverizing. In addition, magnetic media are passed through a special device and exposed to a high magnetic field to render the data unreadable.

 

6.3. Anonymization of Personal Data

Anonymization of personal data means rendering personal data unable to be associated with an identified or identifiable natural person under any circumstances, even if matched with other data.

For personal data to be anonymized, it must be rendered unable to be associated with an identified or identifiable natural person, even through techniques appropriate to the recording environment and relevant field of activity, such as the reversal of data by the data controller or third parties and/or matching the data with other data.

7. RETENTION AND DESTRUCTION PERIODS

Regarding personal data processed by FABCO within the scope of its activities;

  • Retention periods on the basis of personal data for all personal data within the scope of activities carried out depending on processes are included in the Personal Data Processing Inventory;
  • Retention periods on the basis of processes are included in the Personal Data Retention and Destruction Policy.

The said retention periods are updated when necessary.

Personal Data

Retention Period

Destruction Period

All records related to accounting and financial transactions (identity, contact, location, personnel data)

Retained for 15 years from the date of termination of the contractual relationship.

Destroyed during the first periodic destruction process following the end of the retention period.

Documents related to general company decisions such as powers of attorney, signature circulars, general assembly resolutions and revocations

15 years from the date of first registration

Destroyed during the first periodic destruction process following the end of the retention period.

Agreements signed with third parties, including lease agreements, service agreements and supply agreements

15 years from the date of termination of the relevant agreement

Destroyed during the first periodic destruction process following the end of the retention period.

Tender / workplace opening / ministries and undersecretariats document preparation processes

15 years from the date of completion of the process

Destroyed during the first periodic destruction process following the end of the retention period.

Personal data obtained within the scope of occupational health and safety practices

15 years from the date of termination of the employment relationship

Destroyed during the first periodic destruction process following the end of the retention period.

Supplier contact and introduction forms

10 years from the date of termination of the business relationship

Destroyed during the first periodic destruction process following the end of the retention period.

Personal health data of employees

10 years from the date of termination of the employment relationship

Destroyed during the first periodic destruction process following the end of the retention period.

Employee recruitment files and personnel data

10 years from the date of termination of the employment relationship

Destroyed during the first periodic destruction process following the end of the retention period.

Customer request/complaint information

5 years from the date of registration

Destroyed during the first periodic destruction process following the end of the retention period.

Responding to court/enforcement information requests regarding personnel

10 years from the date of termination of the employment relationship

Destroyed during the first periodic destruction process following the end of the retention period.

Personnel financing processes

10 years from the date of termination of the employment relationship

Destroyed during the first periodic destruction process following the end of the retention period.

Contact information obtained by all units

Retained for 10 years from the date the contact information is obtained.

Destroyed during the first periodic destruction process following the end of the retention period.

Internet usage logs kept pursuant to Law No. 5651

Retained for 2 years.

Destroyed during the first periodic destruction process following the end of the retention period.

Keeping camera recordings for physical security purposes

Retained for 3 months.

Destroyed during the first periodic destruction process following the end of the retention period.

Candidate employee evaluation

Negative evaluations are retained for 1 month.

Destroyed during the first periodic destruction process following the end of the retention period.

Training activities

Upon termination of the employment agreement, personal data within the scope of occupational health and safety legislation are retained for 15 years, while other data are retained for 10 years.

Destroyed during the first periodic destruction process following the end of the retention period.

Leaves

Retained for 10 years from the termination of the employee’s employment relationship.

Destroyed during the first periodic destruction process following the end of the retention period.

Workplace opening procedures

The processed personal data are retained for 10 years.

Destroyed during the first periodic destruction process following the end of the retention period.

Invoice accrual

Retained for 10 years in cases arising from the Turkish Commercial Code and for 5 years in cases arising from the Tax Procedure Law.

Destroyed during the first periodic destruction process following the end of the retention period.

Preparation of tax returns

Retained for 5 years pursuant to the Tax Procedure Law.

Destroyed during the first periodic destruction process following the end of the retention period.

Part of the contract process and retention of the contract

10 years from the date of termination of the business relationship

Destroyed during the first periodic destruction process following the end of the retention period.

Personal data protection processes, including disclosure notices, explicit consent, applications and complaints

15 years from the date the relevant record is created

Destroyed during the first periodic destruction process following the end of the retention period.

Postal and cargo transaction records

1 year from the transaction date

Destroyed during the first periodic destruction process following the end of the retention period.

Personal data relating to customers

10 years from the end of the legal/contractual relationship

Destroyed during the first periodic destruction process following the end of the retention period.

8. PERIODIC DESTRUCTION PERIOD

Pursuant to Article 11 of the Regulation, FABCO has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out at FABCO every year in June and December.

9. PUBLICATION AND RETENTION OF THE POLICY

The Policy is published electronically and made publicly available on the website.

10. UPDATE PERIOD OF THE POLICY

The Policy is reviewed as needed and the necessary sections are updated.

11. ENTRY INTO FORCE AND REVOCATION OF THE POLICY

The Policy is deemed to have entered into force upon its publication on FABCO’s website. If it is decided to revoke the Policy, the old wet-signed copies of the Policy shall be cancelled and signed by the company official and retained for at least 5 years.

Step Into The Space

More Information

For questions about orders, production or materials used, please visit our FAQ section.

View FAQ