elvan@elvan.com.tr

0 212 592 32 00


Data Retention Policy

ELVAN FOOD PERSONAL DATA STORAGE and DESTRUCTION POLICY

14/12/2019

1. INTRODUCTION. 4

1.1. Purpose. 4

1.2 Abbreviations and Definitions. 4

1.3. Scope of the Policy and Personal Data Owners 6

2. RESPONSIBILITY AND DISTRIBUTIONS OF DUTIES. 6

3. RECORDING MEDIA 7

4. EXPLANATIONS ON STORAGE AND DISPOSAL .. 7

4.1 Explanations Regarding Storage. 7

4.1.1 Legal Reasons Requiring Storage. 7

4.1.2 Processing Purposes Requiring Protection 8

4.2 Causes Requiring Disposal. 8

5. TECHNICAL AND ADMINISTRATIVE MEASURES .. 9

5.1. Technical Measures: 9

5.2 Administrative Measures. 10

6. PERSONAL DATA DISPOSAL TECHNIQUES. 10

6.1 Deletion of Personal Data 10

6.2 Destruction of Personal Data 12

6.3 Anonymizing Personal Data 12

7. STORAGE AND DESTRUCTION PERIODS. 12

8. PERIODIC DESTRUCTION TIME. 14

9. PUBLISHING AND KEEPING THE POLICY. 14

10. UPDATING PERIOD OF THE POLICY

11. ENFORCEMENT AND TERMINATION OF THE POLICY. 14

 

1. INTRODUCTION.
1.1 Purpose

The Personal Data Storage and Destruction Policy (“Policy”) has been prepared in order to determine the processes, procedures and principles regarding the storage and disposal activities carried out by Elvan Food Industry and Commerce Limited Company (“Elvan Food”).

Elvan Food aims to provide the processing of the personal data of Elvan Food employees, employee candidates, suppliers and other third parties in accordance with the Turkish Constitution, international agreements, Personal Data Protection Law No.6698 (“PDPL”) and other relevant legislation and the effective use of their rights..

The processes regarding the storage and destruction of personal data are carried out in accordance with the Personal Data Storage and Destruction Policy (“Policy”) prepared by Elvan Food in this direction.

1.2 Abbreviations and Definitions.

Buyer Group

Real or legal persons to whom personal data is transferred by the data controller by the personal data controller.
Explicit Consent

Consent about a specific subject based on information and expressed in free will.

Anonymization:

Making personal data not to be associated with any identified or identifiable real person in any way, even when paired with other data.
Employee

Real persons that Elvan Food employs based on a service contract.
Employee Candidate

Real persons who have applied to Elvan Food for employment.
Electronic Environment

Media environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Environment

Other environments such as all written, printed, visual, etc. except electronic media

Supplier

Real persons or ordinary companies that provide goods and / or services to Elvan Food under a certain contract.
Relevant Person

Real person whose personal data is processed.

Disposal

Deletion, destruction or anonymization of personal data.

PDPL

Law on Protection of Personal Data No. 6698

Recording Medium

Any environment in which personal data are processed, which are fully or partially in automated ways or non-automated ways provided that being part of any data recording system.

Personal Data

Any information related to identified or identifiable real persons.

Personal Data Processing

Inventory

It means the inventory created and elaborated by data controllers by associating personal data processing activities carried out by data controllers depending on the business processes and personal data processing purposes and the legal reason with the data category, the transferred recipient group and the data subject group, and where they explain the maximum retention period required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

Processing of Personal Data

 

Any sorts of processes on personal data, such as acquiring, saving, storing, protecting, changing, reorganizing, making public, transferring, making available to obtain, classifying or preventing from being used the personal data automatically in whole or in part, or manually, provided that they are part of any data recording system.

Board

Personal Data Protection Board

Sensitive Personal Data:

It means personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade-unions, information relating to health, sexual life, convictions and security measures, and the biometric and genetic data.

Periodic Destruction

In the event that all the processing conditions of personal data in the Law disappear, the process of deletion, destruction, or anonymization of the personal data that will be carried out at regular intervals specified in the storage and destruction policy.

Policy

Personal Data Protection and Destruction Policy

Data Processor

A natural or legal person who processes personal data on his behalf on the basis of the authority conferred by the data officer.

Data Recording System

A recording system in which personal data are structured and processed according to certain criteria.

Data Controller

Real or legal person responsible for identifying the purposes and means of personal data processing, and installing and managing data recording system.

Data Controllers Registry Information System

The information system that data controllers will use in the application to the Registry and in other relevant transactions related to the Registry, accessible on the internet, created and managed by the Presidency.

VERBIS

Data Controllers Registry Information System

Regulations

The Regulations published in the Official Gazette dated 28 October 2017,

on the Deletion, Destruction or Anonymization of Personal Data.

1.3. Scope of the Policy and Personal Data Owners

This Policy has been prepared for Elvan Food Employees, Elvan Food Board Members, Employee Candidates, Suppliers, Visitors and Third Parties, especially those whose personal data are processed by our Company, automatically or by non-automatic means provided that they are part of any data recording system and it will be implemented limited to these persons. This Policy will in no way apply to legal entities and legal entity data.

Our company informs the mentioned Personal Data Owners about the Law by publishing this Policy on the website. For the employees of our company, the Personal Data Processing Policy for Employees will be applied. This Policy will not apply if the data is not included in the scope of “Personal Data” within the scope specified below or if the Personal Data processing activity carried out by our Company is not in the above-mentioned ways. In this context, personal data owners within the scope of this Policy are as follows:

Elvan Food Staff

:

They are real persons that Elvan Food employs within the framework of a Service Contract.

Elvan Food Board Members

:

They are real persons appointed as members of the company’s board of directors or as a legal entity representative.

Employee Candidates

:

They are real persons who have applied for a job to Elvan Food in any way or who have shared their curriculum vitae and related information with Elvan Food.

Suppliers

:

They are real persons who provide goods and services to Elvan Food.

Third Person

:

They are other real persons who do not fall under the scope of the Personal Data Protection and Processing Policy prepared for Elvan Food Employees and in any category of personal data owner in this Policy.

2. RESPONSIBILITY AND DISTRIBUTION OF TASKS

Elvan Food and all units and employees authorized to access the personal data of the Related Persons in Elvan Food, aim to prevent the unlawful processing of personal data through the implementation of the technical and administrative measures taken within the scope of the Policy and the relevant legislation, the training and awareness of the unit employees, their monitoring and continuous supervision.

Those involved in the storage and destruction of personal data are as follows.

Position
Unit
Position
Human Resources Director
Human Resources
Ensuring that the personal data of Employee and Employee Candidates are stored and processed in accordance with the Policy
Finance Manager
Finance
Ensuring that the financial data of Employee and Employee Candidates are stored and processed in accordance with the Policy
Occupational physician
—–
Ensuring that the health data of Elvan Food Employees are stored and processed in accordance with the Policy
IT Department
IT Department
Ensuring that the data in the Elvan Food Soft environment are stored and processed in accordance with the Policy

3. RECORDING MEDIA
Personal data is securely stored by Elvan Food in the environments listed in the table below in accordance with the law.

Electronic Media

Non-electronic Media

Servers (Domain, backup, e-mail, database, web, file sharing, etc.)

Software (office software, portal software.)

Information security devices (firewall, intrusion detection and blocking, log file, antivirus, etc. )

Personal Computers (Desktop, laptop)

Mobile devices (Notebook.)

Removable devices (USB, Memory Card etc.)

Paper

Manual data recording systems (Data Information Forms)

Printed Paper Filing Systems

4. EXPLANATIONS ON STORAGE AND DISPOSAL

Elvan Food stores personal data regarding Employees, Employee Candidates and Suppliers in accordance with the provisions of PDPL and secondary legislation and destroys them at the end of their storage period. In this context, detailed explanations regarding storage and disposal are given below.

4.1 Explanations Regarding Storage.

Elvan Food stores the personal data of its Employees, Employee Candidates and Suppliers for periods suitable for the purposes of processing and limited to the periods stipulated by the relevant legislation to which the personal data is subject.

4.1.1 Legal Reasons Requiring Storage

Elvan Food stores the personal data it processes within the framework of its activities for a limited period of time stipulated in the relevant legislation below. In this context, personal data are kept limited to the prescription periods stipulated within the framework of the following laws and other secondary regulations in force in accordance with these laws.;
Law on Protection of Personal Data No. 6698,
Turkish Code of Obligations No. 6098,
Public Procurement Law No. 4734,
Labour Law No. 4857,
Occupational Health and Safety Law No. 6331,
Turkish Commercial Code No. 6102
Income Tax Law No. 193
Tax Procedure Law No. 213
Social Security and General Health Insurance Law No. 5510,
Regulation on Health and Safety Precautions to be taken in buildings and additions of the company
,
4.1.2 Processing Purposes Requiring Protection

Elvan Food stores the personal data of the relevant persons regarding photographs and health information based on explicit consent for the following purposes.
Your photo is for the use of identification cards in the workplace, personal file presentation, promotion to security forces,
Evaluating health data in terms of the requirements of the work to be done, making business processes safer / more efficient.
Elvan Food stores the personal data it processes without the need for explicit consent within the framework of its activities for the following purposes.
To carry out human resources processes.
To maintain communication.
To be able to carry out works and transactions as a result of contracts and protocols signed.
Within the scope of VERBİS, to determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, to organize the services provided accordingly and to update them if necessary.
To ensure that our legal obligations are fulfilled as required or required by legal regulations.
To fulfill the obligation of proof as evidence in legal disputes that may arise in the future.
4.2. Causes Requiring Destruction
Personal data;

The termination of the reason that forms the basis for its processing
Changing or abolishing of the relevant legislation provisions that form the basis of its processing,
The termination of the purpose that requires the processing or storage of personal data,
In cases where the processing of personal data takes place only in accordance with the explicit consent condition, the relevant person’s withdrawal of his/her consent,
In accordance with Article 11 of the PDPL , the application for the deletion and destruction of personal data within the framework of the rights of the person concerned is accepted,
As a result of the complaint made to the Board; In accordance with the decision of the board
In cases where the maximum period that requires the storage of personal data has expired and there are no conditions to justify the storage of personal data for a longer period, it is ex officio deleted, destroyed or anonymized in the first destruction period following the emergence of the cause that requires destruction.
5. TECHNICAL AND ADMINISTRATIVE MEASURES

 

Elvan Food , for the safe storage of Personal Data, to prevent unlawful processing and access and to destroy personal data in accordance with the law; takes the following technical and administrative measures in accordance with Article 12 and paragraph 6/4 of the PDPL, adequate measures determined and announced by the Board for special quality personal data.

5.1 Technical Precautions
The technical measures taken by Elvan Food in relation to the personal data it processes are listed below:

With Penetration tests on the data in the information processing environment, the risks, threats, vulnerabilities and gaps, if any, of the Elvan Food information systems network are revealed and necessary measures are taken.
Risks and threats that will affect the continuity of information systems are continuously monitored as a result of real-time analysis and investigation studies with information security event management.
Access to information systems and user authorization is carried out partially through the access and authorization matrix and security policies for the corporate active directory.
Elvan Food’s information systems equipment takes necessary measures for the physical security of data and sofware.
User Account Management
Network Security
Application Security
Encryption
Penetration Test
Attack Detection and Prevention Systems are implemented and used.
Log records
Data Masking
and Data loss prevention software are used per the Law 5651.
Back Up
Current Anti-Virus software are used.
To ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 7/24 monitoring system, physical security of edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software measures (firewalls, attack prevention systems, network access control, systems that prevent malicious software, etc.) are taken .
The company takes the necessary measures to ensure that the deleted personal data cannot be accessed and reused for the relevant users.
In case personal data is illegally obtained by others, a suitable system and infrastructure has been established by the Company to inform the relevant person and the Board.
Secure record keeping (logging) systems are used in electronic environments where personal data are processed.
Access to personal data stored in electronic or non-electronic media is restricted according to access principles. Key Management is implemented.
5.2 Administrative Measures:

Administrative measures taken by Elvan Food regarding the personal data it processes are listed below:

Communication techniques and training in technical knowledge skills are provided to improve the quality of employees, prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure protection of personal data.
Confidentiality agreements are made with the employees regarding the activities carried out by Elvan Food.
A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
Before starting to process personal data, the Company fulfills the obligation to inform the relevant persons.
Personal data inventory has been prepared.
Periodic and random audits are carried out within the company.
Information security training is provided for employees.
6. DISPOSAL TECHNIQUES OF PERSONAL DATA

Upon the occurrence of the reasons for destruction specified in paragraph 4.2, the personal data are destroyed by Elvan Food either ex officio or upon the application of the relevant person, again in accordance with the provisions of the relevant legislation, using the following techniques.

6.1 Deletion of Personal Data
Personal data are deleted in the following ways.

Data Recording Media

Description

Personal Data on Servers

For those whose contract termination date has expired for the keeping of personal data on the servers, the system administrator removes the access authority of the relevant users and deletes them.

Personal Data in Electronic Environment

Those whose duration for keeping the personal data in electronic environment have expired, are made inaccessible and unavailable in any way for other employees (relevant users) except the database manager.

Personal Data in the Physical Environment

Except for the department manager responsible for the document archive, for those who have expired from the personal data kept in a physical environment, they are made inaccessible and unusable in any way. In addition, the blackening process is also applied by scratching / painting / wiping it in an illegible way.

6.2 Destruction of Personal Data

Personal data is destroyed by Elvan Food through the methods stated below.

 

Data Recording Media

Description

Personal Data in the Physical Environment

Those whose duration for keeping the personal data in the paper environment that require their storage are irreversibly destroyed in paper trimming machines or by burning method.

 

6.3 Anonymization of Personal Data

Anonymization of personal data means making personal data unlikely to be associated with any identifiable real person in any way even when personal data is paired with other data.

In order for personal data to be anonymized; Personal data must be rendered unrelated to an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording medium and the relevant field of activity, such as the return of personal data by the data controller or third parties and / or matching the data with other data.

Elvan Food does not anonymize personal data.

7. STORAGE AND DISPOSAL PERIODS

Regarding the personal data being processed within the scope of its activities, Elvan Food;

Data based retention periods in Personal Data Processing Inventory;
Storage periods based on data categories are registered to VERBIS;
Retention periods based on processes are explained in the Personal Data Retention and Destruction Policy.
Updates are made on the said storage periods, if necessary, by Elvan Food .

For personal data whose retention periods have expired, the process of ex officio deletion and / or destruction is carried out by the Personal Data Protection Board and its members established within Elvan Food.

 

PROCESS

STORAGE PERIOD

DESTRUCTION TIME

Human Resources Job Applications

In the first destruction period after the job application date, if there is no employment

In the first periodic disposal process following the expiry of the storage period

Performing of Human Resources

Processes

10 years

In the first periodic disposal process following the expiry of the storage period

Preparation of Supply Contracts

5 years

In the first periodic disposal process following the expiry of the storage period

Contact

During the working period

In the first periodic disposal process following the expiry of the storage period

Health file creation

Unless the relevant legislation stipulates otherwise, 15 years in addition to the employment period

In the first periodic disposal process following the expiry of the storage period

Inspection processes (driver’s license and documents)

2 years in addition to the duration of employment

In the first periodic disposal process following the expiry of the storage period

Camera Recordings

Following the registration period within 90 days

It is destroyed after 90 days as of the registration date.

8. PERIODIC DESTRUCTION TIME
Periodic destruction period of Elvan Food is determined as 6 months. Accordingly, Elvan Food destroyes data periodically in March and October every year.

9. PUBLISHING AND STORAGE OF THE POLICY.

The policy is published in two different media: wet signed (printed paper) and electronic media.

10. UPDATING PERIOD OF THE POLICY

The policy is reviewed as needed and the required sections are updated.

11. ENFORCEMENT AND TERMINATION OF THE POLICY.

The policy is deemed to have entered into force after its publication in Elvan Food.
In case of a decision to annul it, old copies of the Policy with wet signature are canceled and signed (by stamping the cancellation stamp or writing cancellation) and kept for at least 5 years.