Personal Data Retention and Destruction Policy
PENEZOĞLU LAW FIRM PERSONAL DATA RETENTION AND DESTRUCTION POLICY
Any personal data processed by Penezoğlu Law Firm (“Penezoğlu Law”) within the scope of the data processing actions conducted under the law will be destroyed in the event that the purpose stated in the data inventory and the maximum period for retention terminates. The data may be destroyed by one or more actions such as erasure, destruction or anonymization in accordance with the provisions of the legislation. By this Personal Data Retention and Destruction Policy (“Policy”) the people whose personal data is processed by Penezoğlu Law will be informed and hence transparency will be ensured, the existence of valid reasons for retention of processed personal data will be checked regularly and the personal data will be destroyed with the termination of the valid reason.
This Policy shall cover all the units and employees of Penezoğlu Law that are involved in the personal data processing activities as well as the third parties. This Policy shall cover all the retention and destruction processes that Penezoğlu Law will implement regarding the personal data. In addition, this Policy shall apply for the destruction and retention of personal data only. In case of any changes, amendments or updates to, or abolishment of, the Law, Regulations or other legislation, whether in part or in full, Penezoğlu Law will make changes to this Policy by updating it in accordance with the new Law, Regulations or legislation.
The terms used in this Policy shall mean the following:
| Term | Definition |
|---|---|
| Explicit Consent | Consent that relates to a specified issue, declared by free will and based on information. |
| Recipient Group | Group of natural and legal persons to which the personal data are transferred by the data controller. |
| Anonymization | Altering personal data irreversibly in a manner that it cannot be identified as personal data. Rendering personal data impossible to link with an identified or identifiable real person through technical means such as masking, generalization, perturbation, etc. |
| Application Form | The form, linked in this Policy, which explains the manner of application and which will include the application of the personal data owners so that they may exercise their rights: “Application Form to Data Controller for Real Persons (Data Subject) under Personal Data Protection Law No. 6698”. |
| Direct Identifiers | Identifiers that directly reveal, disclose or identify on their own the person they are associated with. |
| Relevant User | Person(s) processing personal data within the data controller’s organisation or with the authority and instruction received from the data controller, save for the person or unit responsible for technical retention, protection and back up of the data. |
| Destruction | Erasure, destruction or anonymization of personal data. |
| Employees, Shareholders or Authorised Persons of Collaborated Corporations | Real persons of corporations that Penezoğlu Law collaborates with (including but not limited to business partners, suppliers, outsourcers, client firms, etc.) including the shareholders and authorised persons of such corporations. |
| Law | Personal Data Protection Law No. 6698 |
| Obscuration | Processes such as scratching, colouring and blurring rendering the integrity of the personal data impossible to link with an identified or identifiable real person. |
| Data Recording Medium | Any medium holding personal data that is processed by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system. |
| Anonymization of Personal Data | Process of rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data. |
| Processing of Personal Data | All types of processes performed on personal data, by fully or partially automatic means or by non-automatic means provided that it is part of a data recording system, such as collection, recording, retention, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification or prevention of use. |
| Inventory of Personal Data Processing | Inventory where data controllers create and detail the data processing activities that they are required to perform in accordance with their work processes, the purpose of processing personal data and data category by associating it with the recipients the data is transferred to or the persons owning such data. |
| Personal Data | Any information relating to an identified or identifiable real person. |
| Personal Data Owner | Real person whose personal data is processed. |
| Erasure of Personal Data | Process of rendering personal data inaccessible and unusable for the relevant users in any way. |
| Destruction of Personal Data | Destruction of personal data is the process of rendering personal data inaccessible, unrecoverable and unusable by anyone in any way. |
| Board | Personal Data Protection Board |
| Authority | Personal Data Protection Authority |
| Masking | Erasing, scratching, colouring and using symbols such as asterisks on part of the personal data in a manner rendering it impossible to link with an identified or identifiable real person. |
| Special Categories of Personal Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, fund or union membership, health, sex life, criminal conviction and safety measures as well as biometric and genetic data. |
| Periodical Destruction | In the event that all the conditions for processing personal data stipulated in the Law vanish, the process of erasure, destruction, or anonymization of the personal data that will be carried out at regular intervals specified in this policy. |
| Register | Data Controllers Register to be kept by the Board under the Regulations on Data Controllers Register which is currently not in effect. |
| Service Provider | Parties providing contract-based services to Penezoğlu Law in line with the orders and instructions of Penezoğlu Law when Penezoğlu Law conducts its activities. |
| Data Processor | Real person or legal entity processing personal data with the authority granted by the Data Controller. |
| Data Recording System | Recording system in which personal data will be structured and processed based on specific criteria. |
| Data Controller | Real person or legal entity identifying the purposes and means of processing personal data and responsible for installation and management of the data recording system. |
| Regulations | Regulation on Erasure, Destruction and Anonymization of Personal Data |
D. RECORDING MEDIA
The personal data of data owners are retained safely by Penezoğlu Law in the media listed below, and in any other media that may arise in addition to these, in accordance with the relevant legislation, in particular the Personal Data Protection Law, and international data security principles.
- Penezoğlu Law's computers / servers
- Network devices
- Shared or non-shared disk drives used for storing data on the network
- Cloud systems
- Mobile phones and all internal device storage
- Peripheral devices such as printer, fingerprint sensor
- Magnetic tapes
- Optic discs
- Flash disks
- Unit cupboards
E. REASONS REQUIRING RETENTION AND DESTRUCTION OF PERSONAL DATA
The personal data which is processed by Penezoğlu Law so that Penezoğlu Law may carry out its activities, establish the rights of its employees and fulfil its legal obligations are retained in a secure medium in accordance with the provisions of the relevant legislation. By this Policy, the personal data that was processed unlawfully and the personal data that was processed previously, due to the fact that the relevant data processing conditions vanished, shall be destroyed.
Penezoğlu Law does not retain the personal data of data owners without explicit consent. The exceptions provided under articles 5 and 6 of the Law are reserved. In this context, the reasons requiring retention of personal data are listed below:
- Retention of personal data since they are directly related to entry into or performance of contracts,
- Retention of personal data to establish, exercise or protect a right or so that Penezoğlu Law may fulfil its legal liability,
- Retention of personal data in line with the legal interest of Penezoğlu Law
While Penezoğlu Law shall be responsible for keeping the data processing conditions up to date, no data shall be processed by Penezoğlu Law after the data processing conditions vanish. The cases in which data processing conditions vanish are listed below; in such cases the data shall be erased, destroyed or anonymized by Penezoğlu Law ex officio or upon request:
- The provisions of the relevant legislation forming the basis of processing personal data being changed or abolished,
- The purpose requiring the processing of personal data vanishes,
- The conditions for processing personal data stipulated by articles 5 and 6 of the Law vanish,
- Revocation of the explicit consent in cases requiring explicit consent for processing personal data,
- Acceptance by the data controller of the data subject’s application, which is made in line with the rights stipulated under article 11(e) and (f) requesting erasure, destruction or anonymization of the personal data,
- Rejection by the data controller of the data subject’s application for erasing, destroying and anonymizing personal data, the response being considered insufficient, or in cases where no response was given within the time period stipulated by Law, a complaint being filed with the Board and the Board approving such complaint,
- Although the maximum period for retention of personal data has expired, the fact that no condition exists justifying the retention of personal data for a longer period,
- Processing personal data being unlawful or contrary to integrity principle,
- The fact that no agreement has been entered into between the parties, the agreement is void, the agreement has terminated automatically, the agreement has been terminated or rescinded.
F. TECHNICAL AND ADMINISTRATIVE MEASURES
Penezoğlu Law accepts and undertakes that Penezoğlu Law shall take all technical and administrative measures in order to retain personal data in a secure manner and to prevent unlawful processing of or unlawful access to such data.
G. DESTRUCTION OF PERSONAL DATA, DESTRUCTION METHODS AND PROCESS
Personal data obtained by Penezoğlu Law shall be destroyed in accordance with the provisions of the legislation ex officio or upon application of the data subject in the event that the purposes for processing data vanish or the data owner revokes its explicit consent.
Destruction of personal data can be performed in three different manners such as erasure, destruction or anonymization of data as detailed below.
The relevant business units, the information systems where personal data is retained, application owners, Internal Control and other persons or sections that may be relevant at Penezoğlu Law shall decide on the method of destruction of the personal data based on the reason for destruction and in writing. In accordance with this written decision, any of the destruction methods stipulated in article (g) of this Policy shall be performed in line with the Guidelines on Erasure, Destruction and Anonymization of Personal Data published by the Board.
Penezoğlu Law shall also create technical pools regarding the methods to be used for retention and destruction of personal data. All the methods that can be used for destruction of personal data shall be defined in this Policy and, in the case of new technological developments, these will be added to this Policy.
Monitoring of the destruction process is the responsibility of the relevant business unit that is the data owner at the Penezoğlu Law. Such business unit shall request support from different units of Penezoğlu Law, provided that the destruction process shall be supervised by the business unit.
- Erasure of Personal Data
Erasure of personal data is the process of erasure of data that has been processed through partially or fully automatic means and the process of rendering such data inaccessible and unusable for the relevant users in any way.
During the erasure of the personal data, which has been part of the data recording system and which has been processed by non-automatic means, the personal data to be erased is identified by also taking into consideration the legal period for retention. In terms of access and authorisation for the personal data, Penezoğlu Law will perform the updates and identify the relevant users in accordance with the role and authority matrix that is applied on the current information system and applications of Penezoğlu Law. The Relevant User’s authorities and methods of access, retrieval and reuse are identified within this scope.
In the event that Penezoğlu Law erases personal data, it shall render such data inaccessible or non-reusable. In doing so Penezoğlu Law warrants that the relevant data may not be accessed or reused by any user.
- Destruction of Personal Data
Destruction of personal data is the process of rendering personal data inaccessible, unretrievable and unusable by anyone in any way.
The destruction process shall be carried out in cases where Penezoğlu Law processes data on physical recording media and Penezoğlu Law is responsible for rendering such data unretrievable.
This will be performed for paper and microfiche media and the media shall be destroyed by shredding to small pieces, which are inconceivable and which leave no possibility for data assembly, through paper shredders. Penezoğlu Law will also be able to outsource the destruction service.
- Anonymization of Personal Data
Anonymizing personal data means, in cases where Penezoğlu Law processes personal data through fully or partially automatic means, rendering personal data impossible to link with an identified or identifiable real person even through matching them with other data.
Penezoğlu Law shall ensure that the personal data loses its distinctive nature within a group rendering it impossible to link with a real person by removing or changing all direct and / or indirect identifiers in the data set in order to prevent the identity of the relevant person being revealed.
Method and Process of Destruction of Personal Data
For destruction of the personal data, Penezoğlu Law defines all the methods that can be used during destruction in this Policy and its annexes. The business unit which is the data owner is responsible for identifying and implementing the proper method based on the proper circumstances within this Policy.
During destruction of the personal data, Penezoğlu Law will carry out the destruction by choosing one of the following methods based on the written decision made by Penezoğlu Law.
- Overwriting
Making the previous data illegible by using software to overwrite magnetic media and rewritable optic media 7 times with digital data consisting of 0.
- Magnetising
Physically altering magnetic media by exposing them to a high magnetic field, thus making the data illegible.
- Physical Destruction
Physical destruction of optic or magnetic media through melting, pulverising, grinding, etc. This method can be used in cases where the magnetising and overwriting methods fail.
- Cloud Destruction
Destruction of all copies of the encryption keys of personal data retained on cloud systems after a notice of destruction is given to the contracted service provider.
- Destruction of Personal Data on Peripheral Devices
A method of destruction that should be implemented, if available, on the internal unit or, if not available, on the entire device which includes personal data in systems such as printer, fingerprint sensor and entrance turnstile, by using the overwriting, magnetising or physical destruction method. This type of destruction is required to be implemented before the devices are subject to back up, maintenance and similar processes.
H. RETENTION AND DESTRUCTION PERIODS
- Periodic Destruction and Legal Retention Periods
The personal data shall be retained and destroyed in accordance with the Record Management Procedure by taking the necessary safety measures at Penezoğlu Law during the period required for the purpose of processing the personal data, provided that the retention periods stipulated in the legislation are reserved. Penezoğlu Law shall periodically destroy the personal data, the retention and destruction period of which has expired. The retention and destruction periods shall be determined based on the Data Inventory. In cases where a specific period is stipulated by the legislation for retention of personal data, the personal data shall be destroyed in compliance with such period.
In the event that the period stipulated by law for retention of personal data expires or no period is stipulated by the relevant law for retention of personal data, the personal data which may contradict the principles mentioned in article 4 of the Law shall be erased, destroyed or anonymized.
The personal data shall be erased by Penezoğlu Law during the first periodic destruction process that will take place following the date on which the obligation to erase, destroy or anonymize personal data has emerged.
Periodic destruction shall be performed at 6-month intervals for all the personal data. The destruction shall be performed during the first periodic destruction that will take place following the date on which the obligation to destroy personal data has emerged. All actions relating to the destroyed personal data shall be recorded and the records shall be kept for 3 years.
- Destruction Process Requested by Data Owners
In cases where data owners apply to Penezoğlu Law requesting their personal data be destroyed, Penezoğlu Law shall check the current status in terms of the conditions for processing of personal data. As a result of this check:
- If it is found out that the conditions for processing of personal data have vanished, the personal data shall be destroyed within thirty days at the latest in accordance with the decision and methods set out in this Policy and the relevant person shall be informed.
- If it is found out that the conditions for processing of personal data have vanished and the personal data has been transferred to third parties, Penezoğlu Law shall notify the third parties and ensure that the relevant actions be taken by the third parties in accordance with the Regulations.
- If all the conditions for processing of personal data have vanished, Penezoğlu Law may decline the request by providing the reason to the data owner and shall send the response to the relevant person either in writing or by email within thirty days at the latest.
In order to receive and respond to the requests of data owners, Management Process of Requests and Complaints Received from Data Owners shall be developed within Penezoğlu Law.
I. AUTHORISATION DURING RETENTION AND DESTRUCTION PROCESSES
Penezoğlu Law and the persons who are assigned a duty during retention and destruction processes of personal data and their description of duty are as follows:
- Personal Data Protection Law Study Group: The group takes decisions regarding the policies and methods by working with the relevant business units of Penezoğlu Law for retention and destruction of personal data; keeps the Policy and its annexes up to date; works closely with the relevant units of Penezoğlu Law, as required, in order to ensure proper and accurate application of the Policy in line with the Law and the Regulations.
- Internal Check and Law: They provide consultancy regarding retention and destruction of personal data; notify the relevant business unit in cases of changes to the Law, Regulations or the relevant legislation; and ensure proper application of the Policy in line with the Law and Regulations.
- Information Technologies: They ensure that the relevant retention and destruction processes, which are in line with the decisions and methods set out in the Policy, be performed in accordance with the Law and Regulations.
- Relevant Business Units of Penezoğlu Law: They provide their opinions and reasons to determine the policy and methods for retention and destruction of personal data and follow up the performance of the relevant actions in line with this Policy.
J. CHANGES TO THE POLICY
In the event that the Law, Regulations or other legislation are changed, amended, updated or abolished in part or in full, Penezoğlu Law shall amend this Policy in line with the new Law, Regulations or legislation.
Penezoğlu Law shall share the updated Policy, which will allow for the changes to be reviewed, by email with the employees and also make it available on Penezoğlu Law’s intranet for the access of the employees.