Disposal Policy
PERSONAL DATA DISPOSAL POLICY
For the destruction of data within our company, January and July of the year have been determined as destruction periods. Personal data obtained from the data subjects will be deleted, destroyed or anonymized by the personnel/personnel responsible for data protection within the company within the following destruction period from the end of the storage period. The minutes of the destruction process will be kept for 3 (three) years by the personnel/personnel responsible for data protection within the company in an independent place. After three years, the said minutes will be destroyed. Regarding the disposal process, the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data dated 28 October 2017 and numbered 30224 and the Law on Protection of Personal Data No. 6698 will be taken as basis.
The reasons for destruction are:
- • Amendment or repeal of the provisions of the relevant legislation, which are the basis for processing,
- • The disappearance of the purpose requiring its processing or storage,
- • In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his explicit consent,
- • In accordance with Article 11 of the Law, the application made by the Authority regarding the deletion and destruction of personal data within the framework of the rights of the person concerned,
- • In the event that the Institution rejects the application made by the person concerned with the request for the deletion, destruction or anonymization of his personal data, finds the answer insufficient or does not respond within the time stipulated in the Law; Making a complaint to the Board and this request being approved by the Board,
- • The maximum period for keeping personal data has passed and there is no condition that justifies keeping personal data for a longer period of time.
In accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, in accordance with the adequate measures determined and announced by the Board for the personal data to be stored securely, illegally processed and accessed, and for the destruction of personal data in accordance with the law, the technical and administrative measures are taken.
The technical measures taken by the company regarding the personal data it processes are listed below:
- • With the penetration tests, the risks, threats, vulnerabilities and vulnerabilities, if any, regarding the information systems of our Institution are revealed and necessary precautions are taken.
- • As a result of real-time analyzes with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
- • Access to information systems and authorization of users are made through security policies through the access and authorization matrix and the corporate active directory.
- • Necessary measures are taken for the physical security of the company's information systems equipment, software and data.
- • In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software. Measures are taken (firewalls, attack prevention systems, network access control, systems preventing malware, etc.).
- • Risks to prevent unlawful processing of personal data are determined, appropriate technical measures are taken against these risks, and technical controls are carried out for the measures taken.
- • Access procedures are established within the company, and reporting and analysis studies are carried out regarding access to personal data.
- • Inappropriate access or access attempts are kept under control by recording the accesses to the storage areas where personal data is stored.
- • The Company takes the necessary measures to make the deleted personal data inaccessible and reusable for the relevant users.
- • In the event that personal data is obtained unlawfully by others, a system and infrastructure has been established by the Authority to notify the relevant person and the Board.
- • Security vulnerabilities are followed and appropriate security patches are installed and information systems are kept up-to-date.
- • Strong passwords are used in electronic environments where personal data is processed.
- • Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
- • Data backup programs are used to keep personal data safe.
- • Access to personal data stored in electronic or non-electronic media is limited according to access principles.
- • It is encrypted with SHA 256 Bit RSA algorithm using secure protocol (HTTPS) for accessing the institution's web page.
- • A separate policy has been determined for the security of sensitive personal data.
- • Special quality personal data security trainings have been provided for employees involved in special quality personal data processing,
- • Confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.
- • Electronic environments in which sensitive personal data are processed, stored and/or accessed are preserved using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of environments are constantly monitored, necessary security tests are regularly performed/have the test results recorded, to be taken under,
- • Adequate security measures are taken for physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit is prevented by ensuring physical security.
- • If sensitive personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment. If transferring is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between servers or using the sFTP method. If it is required to be transferred via paper media, necessary precautions are taken against the risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a "confidential" format.
- • Of these items, the company will specify which of them it can do.
The administrative measures taken by the Company regarding the personal data it processes are listed below:
- • Trainings are provided on prevention of illegal processing of personal data, prevention of illegal access to personal data, protection of personal data, communication techniques, technical knowledge and skills, Labor Law and other relevant legislation in order to improve the quality of employees.
- • Confidentiality agreements are signed by the employees regarding the activities carried out by the company.
- • A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
- • Before starting to process personal data, the Authority fulfills the obligation to inform the relevant persons.
- • Personal data processing inventory has been prepared.
- • Periodic and random audits are carried out within the company.
- • Information security trainings are provided for employees.
Personal data is destroyed by the request of the person concerned or ex officio by the company, upon the expiry of the legal period, in the following ways.
| DATA RECORDING ENVIRONMENT |
EXPLANATION |
| Personal Data on Servers |
The system administrator removes the access authorization of the relevant users and deletes data on the servers for those whose period has expired. |
| Personal Data in Electronic Media |
Among the personal data in the electronic environment, the ones whose period has expired a inaccessible and non-reusable for other employees (related users) except the database admin |
| Personal Data in Physical Environment |
Personal data kept in the physical environment is made inaccessible and non-reusable in any employees, except for the unit manager responsible for the document archive, for those who time has expired. In addition, the process of blackening is applied by drawing/painting/erasi that cannot be read. |
| Personal Data in Portable Media |
Of the personal data kept in flash-based storage media, the expired ones are encrypted by th administrator and the access authorization is given only to the system administrator, and the secure environments with encryption keys. |
| Personal Data in Physical Environment |
Of the personal data in the paper medium, the ones that need to be kept, which have expired irreversibly destroyed in the paper clipping machines. |
| Personal Data in Optical / Magnetic Media |
The physical destruction of the personal data in optical media and magnetic media, such as burning or pulverizing, is applied. In addition, magnetic media is passed through a special d data on it is rendered unreadable by exposing it to a high magnetic field. |
| PERSONAL DATA |
STORAGE |
| With the recruitment documents to the Social Security Institution; Personnel data that is the basis for notifications regarding length of service and wages |
It is retained for a period of 15 (fifteen) years as of t continuation of the service contract and from its e |
| With the recruitment documents to the Social Security Institution; Personnel data other than the personnel data that are the basis for |
It is retained for a period of 10 (ten) years from the beginning of the calendar year following the conti the service contract and the end of it. |
Personal data to be obtained from workers are stored and destroyed in different time periods depending on their qualifications. The storage periods of the said data are as follows. These data, whose storage period has expired, are destroyed in the nearest destruction period and the minutes of destruction are kept for 3 years.
| notifications regarding the length of service and wages. |
|
| Customer Information |
Pursuant to Article 82 of the Turkish Commercial C information that is the basis for the issuance of inv which constitute the basis for commercial books a records, is kept for 10 years in accordance with th aforementioned law, and Customer Information ot this is kept for the period required for the purpose they are processed. |
| Contracts on the basis of the commercial relationship and their data |
10 years in accordance with the provisions of the C Obligations No. 6098 and other legislation |
| Personal Health Files of Employees |
According to the Occupational Health and Safety legislation, personal health files must be kept for 1 |
| Employee Candidate Information |
It is stored for a maximum of 2 years until it is out |
| Visitor Information |
Stored for 2 years |
| Partner and Advisor Information |
It is kept for a period of 10 years in accordance wit 146 of the Turkish Code of Obligations, during and relationship with the company. |
| Information Shared with the Company by the Companies |
It is kept for a period of 10 years in accordance wit 146 of the Turkish Code of Obligations, during and relationship with the company. |
| Customer |
Each product/service purchased by the Custome for 10 years in accordance with the Turkish Code o Obligations art.146 and Turkish Commercial Code |
| Customer/Potential Customer Requests and Complaints |
It is stored for 10 years from the date of request an complaint. |
| The relevant personal data is subject to a crime within the scope of the Turkish Penal Code or other penal provisions. |
During the statute of limitations |
| Log Tracking Systems |
10 years |
| Execution of Hardware and Software Access Processes |
2 years |
| Records of Visitors and Meeting Participants |
If there is no contractual relationship, 2 years from of the event |
| Non-employee trainee, trainee information |
For the duration of training and other activities wit company and 1 year from the end of the relations |
| Personal data received from employee candidates |
In case the candidacy application is negative, until nearest destruction period. |
In the light of the explanations above, the destruction times for the data categories in the VERBIS Inventory record are as follows;
| Data Category |
Data Retention Period |
| 1-Identity |
Destruction Period After 10 Years Following the End of Other Legal Relation |
| 2-Contact |
Destruction Period After 10 Years Following the End of Other Legal Relation |
| 3-Location |
2 Years for Data Not Based on Other Contractual Relationship In case of Con Relationship, First Disposal Period After 10 Years |
| 4-Personality |
Destruction Period After 15 Years Following the End of Other Legal Relations |
| 5-Legal Action |
Destruction Period After 10 Years Following the End of Other Legal Relation |
| 6-Customer Transaction |
Destruction Period After 10 Years Following the End of Other Legal Relation |
| 7-Physical Space Security |
Although it is as long as the periods stipulated in other legislation, in any cas |
| 8-Transaction Security |
2 Years for Other Web and Log Records / 10 Years Later for Corporate Appl the Nearest Disposal Period |
| 9-Risk Management |
2 Years for Data Not Based on Other Contractual Relationship In case of Con Relationship, First Disposal Period After 10 Years |
| 10-Finance |
Destruction Period After 10 Years Following the End of Other Legal Relation |
| Data Category |
Data Retention Period |
| 11-Professional Experience |
Destruction Period After 10 Years Following the End of Oth Relationship |
| 12-Marketing |
5 Years for Data Not Based on Other Contractual Relationsh of Contractual Relationship, First Disposal Period After 10 Y |
| 13-Visual and Audio Recordings |
2 Years for Data Not Based on Other Contractual Relationsh of Contractual Relationship, First Disposal Period After 10 Y |
| 17-Disguise and Attire |
Destruction Period After 10 Years Following the End of Oth Relationship |
| 21-Health Information |
Destruction Period After 15 Years Following the End of Othe Relationship |
| 23-Criminal Conviction and Security Measures |
Destruction Period After 10 Years Following the End of Oth Relationship |
| 26-Other Information-Employee Family Information |
Destruction Period After 10 Years Following the End of Oth Relationship |
| 26-Other Information-Signature and Other Handwriting Information |
Destruction Period After 10 Years Following the End of Oth Relationship |
By our company, the months of July and January have been selected as the destruction periods, and the data whose storage period has expired will be destroyed and recorded in the month, which is the closest destruction period. In the said report, some letters or numbers will be removed from the TR or Name
information of the person and information will be included in a way that will not allow a clear determination. The said minutes will be kept for 3 years.
The person concerned, pursuant to the 13th article of the Law, SUMER ULUSLARARASI SANAYİ VE TİCARET A.Ş. when he requests the deletion or destruction of his personal data by applying to the company;
- If all the conditions for processing personal data have disappeared; The company deletes, destroys or anonymizes the personal data subject to the request with the appropriate destruction method, explaining the reason within 30 (thirty) days from the day it receives the request. In order for the Company to be deemed to have received the request, the person concerned must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, the company informs the person concerned about the transaction.
- If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law and the refusal is notified to the relevant person in writing or electronically within thirty days at the latest. The right of the person concerned to complain to the institution is reserved. In this context, the persons concerned may apply to the Board within 60 (sixty days) after they learn that their requests have been rejected.
- In this context, applications to be made to our Company in “written” form,
- With the personal application of the Applicant,
- through a notary,
- By signing by the Applicant with the “secure electronic signature” defined in the Electronic Signature Law No. 5070
It can be forwarded to us by sending it to the registered e-mail address of the company. To exercise this right, our contact information is as follows:
Title : SUMER INTERNATIONAL INDUSTRY AND TRADE INC.
Mersis No / Tax No: 7860018595
E-mail Address:info@sumeras.com
Postal Address: BAŞKENT OSB MAHALLESİ BAŞKENT BULVARI NO:81 SİNCAN/ANKARA
Tel: 03124184129