PERSONAL DATA STORAGE AND DESTRUCTION POLICY


Objective

This Policy has been prepared by the data controller Imuneks Farma İlaç San. Tic. A.Ş. (“Company”) in accordance with Law No. 6698 on the Protection of Personal Data, to set out the procedures and principles governing the processing and protection of personal data under the legislation on which this Policy is based, as well as the deletion, destruction and anonymisation of the personal data processed.

 

Scope 

This Policy covers the cases in which the Company processes, wholly or partly by automated means, or by non-automated means provided the data form part of a data recording system, the personal data of the employees and interns, employee family members, employee candidates, natural-person potential and actual buyers of products and services, supplier employees and officials, and visitors with whom the Company deals in the course of its activities.

All of this Policy, or only some of its provisions, may be applied to the above-mentioned personal data owners.

 

Basis

This Policy has been prepared based on the Personal Data Protection Law No. 6698, the Regulation on the Data Controllers Registry No. 30286 and the Regulation on the Deletion, Destruction or Anonymisation of Personal Data No. 30224.

If there is a difference between this Policy and the legislation in force regarding the processing, protection and destruction of personal data, the provisions of the Legislation will be applied primarily.

 

Definitions

In the application of this Policy;

  1. Data Recipient: refers to the category of natural or legal persons to whom personal data is transferred by the data controller.
  2. Inventory: refers to the Personal Data Inventory prepared by the Company in accordance with the relevant legislation.
  3. Relevant User: refers to individuals who technically store, protect, and process personal data within the organization or process personal data on behalf of the data controller in accordance with the authority and instructions received.
  4. Destruction: refers to the deletion, destruction, or anonymization of personal data.
  5. Law: refers to Law No. 6698 on the Protection of Personal Data dated 24/3/2016.
  6. Record Environment: refers to any medium containing personal data processed by automated or non-automated means or forming part of any data recording system.
  7. Personal Data: refers to any kind of information relating to an identified or identifiable natural person.
  8. Data Subject/Relevant Person: refers to the natural person whose personal data is processed.
  9. Personal Data Processing Inventory: refers to the inventory prepared by the Company, associating the personal data processing activities carried out by the Company with the purposes of processing personal data, data category, recipient group to whom the data is transferred, and the group of data subjects, and detailing the inventory by explaining the maximum period necessary for the purposes for which personal data are processed, personal data intended to be transferred to foreign countries, and measures taken for data security.
  10. Anonymization of Personal Data: refers to rendering personal data incapable of being associated with any identified or identifiable natural person in any way, even if matched with other data.
  11. Processing of Personal Data: refers to any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, making available, classifying, or preventing the use of data.
  12. Deletion of Personal Data: refers to rendering personal data inaccessible and unusable for relevant users.
  13. Destruction of Personal Data: refers to rendering personal data inaccessible, irretrievable, and unusable by any means by anyone.
  14. Board: refers to the Personal Data Protection Board.
  15. Institution: refers to the Personal Data Protection Institution.
  16. Logging: refers to the form of record monitoring that consists of the analysis of event logs (also known as logs) generated by all critical networks and devices; it comprises steps such as comprehensive collection, preservation in their original form, analysis and presentation, and aims at obtaining indicators and evidence of potential attacks, including when and through which channels an attack occurred, which protocols were used and where the attack originated.
  17. Special Categories of Personal Data: refers to data related to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation, or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
  18. Periodic Destruction: refers to the deletion, destruction or anonymisation of personal data, carried out ex officio at regular intervals once all of the conditions for processing personal data specified in the Law have ceased to exist.
  19. Policy: refers to this Personal Data Storage and Destruction Policy, which the Company, as data controller under the Law, relies on as the basis for deleting, destroying and anonymising personal data and for determining the maximum period necessary for the purposes for which personal data are processed.
  20. Registry: refers to the registry of data controllers maintained by the Presidency of the Personal Data Protection Authority.
  21. Company: refers to the company with the commercial name İmuneks Farma İlaç San. Tic. A.Ş.
  22. Data Processor: refers to natural or legal persons who process personal data on behalf of the data controller based on the authorization given by the data controller.
  23. Data Recording System: refers to the system where personal data is processed in a structured manner according to specific criteria.
  24. Data Controller: refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

For the definitions not covered by this Policy, the ones in the Law shall apply.

 

Personal Data Recording Environments

Personal data belonging to data subjects are stored securely by the Company in the environments listed below, in compliance with relevant legislation, primarily the provisions of KVKK (Personal Data Protection Law), and international data security principles:

Technical Data Recording Environments:

  • Computers
  • Central servers
  • Shared/unshared disk drives used for storing data over the network
  • Cloud services
  • Mobile phones and all storage areas within them
  • Flash drives

Non-Technical Data Recording Environments:

  • Papers
  • Unit cabinets

 

General Principles on Storage and Destruction of Personal Data

The Company acknowledges, declares, and undertakes that it is a Data Controller obligated to register with the Registry and is responsible for storing the personal data it holds in accordance with the Inventory and for acting in compliance with this Policy when deleting, destroying, or anonymizing personal data as necessary.

The following principles will be applicable for the storage and destruction of personal data:

  1. The Company will comply with the general principles stated in Article 4 of the Law.
  2. The mere preparation of this Policy by the Company does not imply that personal data has been deleted, destroyed, or anonymized in compliance with the legislation.
  3. The Company will adhere to the security measures specified in Article 12 of the Law, relevant provisions in legislation, decisions of the Board, and this Policy when storing, deleting, destroying, or anonymizing personal data.
  4. The Company will ensure compliance with this Policy and the tools, programs, and processes to be implemented in line with the Policy when deleting, destroying, or anonymizing personal data processed by automated or non-automated means, whether in whole or in part, or forming part of any data recording system.
  5. The Company will keep records of all operations related to the deletion, destruction, and anonymization of personal data and will retain such records for a minimum of 3 (three) years, except for other legal obligations.


 

Processing Purposes Requiring Storage

Personal data are processed by the data controller Company for the following purposes in accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law (KVKK):

  • Execution of information security processes
  • Carrying out employee candidate / intern / student selection and placement processes
  • Carrying out the application processes of employee candidates
  • Carrying out employee satisfaction and loyalty processes
  • Fulfilling labour contractual and legislative obligations for employees
  • Carrying out fringe benefits and benefits processes for employees
  • Carrying out audit/ethical activities
  • Carrying out training activities
  • Carrying out access authorisations
  • Carrying out activities in accordance with the legislation
  • Carrying out financial and accounting affairs
  • Carrying out company/product/service loyalty processes
  • Ensuring physical space security
  • Carrying out assignment processes
  • Carrying out and tracking legal affairs
  • Carrying out internal audit/investigation/intelligence activities
  • Carrying out communication activities
  • Planning of human resources processes
  • Carrying out business activities/supervision
  • Carrying out occupational health/safety activities
  • Receiving and evaluating suggestions for the improvement of business processes
  • Carrying out activities to ensure business continuity
  • Carrying out logistics activities
  • Carrying out goods/service procurement processes
  • Carrying out after-sales support services for goods/services
  • Carrying out sales services of goods/services
  • Carrying out goods/service production and operation processes
  • Carrying out customer relationship management processes
  • Carrying out activities for customer satisfaction
  • Organisation and event management
  • Carrying out marketing and analysis studies
  • Carrying out performance evaluation processes
  • Carrying out advertising campaign promotion processes
  • Carrying out risk management processes
  • Carrying out storage and archive activities
  • Carrying out social responsibility and civil society activities
  • Carrying out contract processes
  • Carrying out sponsorship activities
  • Carrying out strategic planning activities
  • Tracking requests/complaints
  • Ensuring the security of movable property and resources
  • Carrying out supply chain management processes
  • Carrying out the remuneration policy
  • Carrying out marketing processes of products/services
  • Ensuring the security of data controller operations
  • Carrying out investment processes
  • Carrying out talent/career development activities
  • Informing authorised persons, institutions and organisations
  • Carrying out management activities
  • Creating and tracking visitor records

Legal, Technical, and Other Reasons Requiring the Destruction of Personal Data

Personal data of the relevant individuals are destroyed by the Company for legal, technical and other reasons, including but not limited to the following:

  1. General principles stated in Article 4 of the Law.
  2. Requests from the data subject.
  3. Termination of legal obligations.

The reasons for destruction are not limited to those listed above; similar purposes and reasons may also apply.

 

Technical and Administrative Measures Taken for Secure Storage of Personal Data and Prevention of Unlawful Processing and Access

The technical measures taken by the Company for the secure storage of personal data belonging to data subjects and for the prevention of unlawful processing and access are listed below:

  1. Network security and application security are ensured.
  2. A closed-system network is used for personal data transfers over the network.
  3. Key management is implemented.
  4. Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  5. The security of personal data stored in the cloud is ensured.
  6. Access logs are kept regularly.
  7. Data masking measures are applied when necessary.
  8. Up-to-date anti-virus systems are used.
  9. Firewalls are used.
  10. A user account management and authorisation control system is implemented, and it is also monitored.
  11. Log records are kept without user intervention.
  12. Attack detection and prevention systems are used.
  13. Cyber security measures have been taken and their implementation is constantly monitored.
  14. Data loss prevention software is used.

 

The administrative measures taken by the Company for the secure storage of personal data belonging to data subjects and for the prevention of unlawful processing and access are listed below:

  1. There are disciplinary regulations containing data security provisions for employees.
  2. Training and awareness raising activities on data security for employees are carried out at regular intervals.
  3. Corporate policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
  4. Confidentiality undertakings are made.
  5. The authorisations of employees who change their duties or leave their jobs in this area are removed.
  6. The signed contracts contain data security provisions.
  7. Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidentiality-grade document format.
  8. Personal data security policies and procedures have been determined.
  9. Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  10. Security of environments containing personal data is ensured.
  11. Personal data is minimised as much as possible.
  12. Personal data are backed up and the security of backed up personal data is also ensured.
  13. Internal periodic and/or random audits are carried out.
  14. Existing risks and threats have been identified.

 

Technical and Administrative Measures Taken for the Destruction of Personal Data in Accordance with the Law

The technical measures taken by the Company for the destruction of personal data of data subjects in accordance with the law are as follows:

  1. Using the most up-to-date systems technologically necessary for the destruction of personal data, and taking confidentiality and information security measures.
  2. Closing and eliminating the access, retrieval and reuse authorisations and methods of the Relevant Users with respect to the personal data, and removing the authorisation to restore deleted data.
  3. For cloud systems, irreversibly deleting the personal data held on the central server by issuing a deletion command.
  4. Choosing the appropriate method of destruction (physical destruction, de-magnetisation, overwriting) or anonymisation for the technical recording medium concerned, depending on the nature of the personal data.
  5. Applying erasure (blackout, etc.) or destruction (physical destruction) methods for the destruction of personal data held in non-technical recording media.

The administrative measures taken by the Company for the destruction of personal data of data subjects in accordance with the law are as follows:

  1. Carrying out the necessary implementation work on the destruction of personal data on a regular basis.
  2. Providing the necessary equipment for the physical destruction of non-technical data recording media within the Company’s workplace.

 

Units in Charge of Personal Data Storage and Destruction Processes and Information

The list showing the titles and job descriptions of the personnel working in the units in charge of the Company’s personal data storage and destruction processes is given in Annex-1.

 

Storage and Destruction Periods

The table showing the retention and destruction periods according to the categories of personal data belonging to data subjects is given in Annex-2.

 

Periodic Destruction Periods

Periodic destruction periods are 6 (six) months, except for the periods specified in the table showing the storage and destruction periods attached to this Policy according to the categories of personal data processed by the Company.

 

Periods for Deletion and Destruction of Personal Data upon Request of the Data Subject

When the relevant person applies to the Company pursuant to Article 13 of the Law and requests the deletion or destruction of his/her personal data;

  1. If all the conditions for processing personal data have disappeared; the Company deletes, destroys or anonymises the personal data subject to the request. The Company finalises the request of the data subject within 30 (thirty) days at the latest and informs the data subject.
  2. If all the conditions for processing personal data have disappeared and the personal data subject to the request have been transferred to third parties, the Company shall notify the third party within 10 (ten) days at the latest and ensure that the necessary actions are taken by the third party.
  3. If all the conditions for processing personal data have not disappeared, this request may be rejected by the Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection response shall be notified to the relevant person in writing or electronically within 30 (thirty) days at the latest.

 

Enforcement

This Policy prepared by the Company has entered into force as of the date of its publication on the Company’s Website.

In case of any incompatibility between the provisions of the LPPD and other relevant legislation and this Policy, the provisions of the LPPD and other relevant legislation shall be applied first.

 

ANNEX-1: TABLE OF RESPONSIBLE DEPARTMENTS AND INFORMATION

The titles, units and job descriptions of the Company employees involved in personal data storage and destruction processes in the field of personal data protection are given in the table below.

Only the job descriptions of all employees listed below regarding the protection of personal data are included, and all of them have the duty to ensure compliance with the retention periods of personal data related to the processes included in their job descriptions.

TITLE | DEPARTMENT | JOB DESCRIPTION
Management | Management | Responsible for taking and implementing the administrative decisions required for the Company to act in accordance with the legislation.
Management | Management | Responsible for ensuring that the Company’s employees act in accordance with the KVKK and the relevant legislation, for carrying out training and awareness activities on the legislation, and for processing the personal data of employees in accordance with the legislation. Responsible for conducting periodic and/or random audits within the Company to determine whether the Company and its employees act in accordance with the KVKK legislation. Responsible for the destruction of personal data stored by the Company in non-technical data recording media (paper, unit cabinets, archive) and for reporting after destruction.
Management | Management | Responsible for ensuring the security of personal data processed by the Company in electronic media in accordance with the legislation and for implementing the technical measures to be taken by the Company in this regard.

 

ANNEX-2: STORAGE AND DESTRUCTION PERIODS TABLES

The storage and destruction periods of the data processed by the Company are determined in the Personal Data Processing Inventory based on the category of personal data and are given in the table below.

 

TABLE A – TABLE ON PERSONAL DATA OF EMPLOYEES AND INTERNS

PERSONAL DATA CATEGORY | PERSONAL DATA IN CATEGORY CONTENT | STORAGE PERIOD | DESTRUCTION PERIOD
Identity | Name, surname, parents’ names, date of birth, place of birth, marital status, identity card serial number, Turkish ID number, passport details | 10 years from the termination of the labour relationship | Within 6 months after the expiry of the storage period
Contact | E-mail address, contact address, telephone no. | |
Personnel | Payroll information, disciplinary investigations, employment records, CV information, performance evaluation reports, etc. | |
Legal Action | Salary garnishment notification, etc. | |
Professional Experience | Diploma information, courses attended, vocational training information, certificates, transcript information, etc. | 10 years from the termination of the labour relationship |

 

TABLE B – TABLE ON PERSONAL DATA OF EMPLOYEE CANDIDATES

PERSONAL DATA CATEGORY | PERSONAL DATA IN CATEGORY CONTENT | STORAGE PERIOD | DESTRUCTION PERIOD
Identity | Name, surname, date of birth, marital status | 1 year from the obtaining of the data through application to a job advertisement or direct CV transmission by the candidate | Within 6 months after the expiry of the storage period
Contact | E-mail address, contact address, telephone no., etc. | |
Personnel | CV information, candidate assessment notes, etc. | |
Professional Experience | Diploma information, courses attended, vocational training information, certificates, transcript information, etc. | |

 

TABLE C – TABLE ON PERSONAL DATA OF POTENTIAL PRODUCT BUYERS

PERSONAL DATA CATEGORY | PERSONAL DATA IN CATEGORY CONTENT | STORAGE PERIOD | DESTRUCTION PERIOD
Identity | Name-surname | 10 years from the acquisition of the data | Within 6 months after the expiry of the storage period
Contact | E-mail address, contact address, telephone no. | |
| …except recordings), sound recordings | |
Marketing | Information obtained through campaign work, etc. | |

 

TABLE D – TABLE ON PERSONAL DATA OF PRODUCT & SERVICE RECIPIENTS

PERSONAL DATA CATEGORY | PERSONAL DATA IN CATEGORY CONTENT | STORAGE PERIOD | DESTRUCTION PERIOD
Identity | Name-surname, Turkish ID no., passport details | 10 years from the termination of the labour relationship | Within 6 months after the expiry of the storage period
Contact | E-mail address, contact address, registered electronic mail address (REM), telephone no. | |
Customer Processing | Invoice information, order and request information | |

 

TABLE F – TABLE ON PERSONAL DATA OF SUPPLIER EMPLOYEES

PERSONAL DATA CATEGORY | PERSONAL DATA IN CATEGORY CONTENT | STORAGE PERIOD | DESTRUCTION PERIOD
Identity | Name-surname, Turkish ID no., passport details | 10 years from the termination of the business relationship with the supplier | Within 6 months after the expiry of the storage period
Contact | E-mail address, contact address, telephone no. | |

 

TABLE G – TABLE ON PERSONAL DATA OF SUPPLIER AUTHORISED PERSONS

PERSONAL DATA CATEGORY | PERSONAL DATA IN CATEGORY CONTENT | STORAGE PERIOD | DESTRUCTION PERIOD
Identity | Name-surname, Turkish ID no., passport details | 10 years from the termination of the business relationship with the supplier | Within 6 months after the expiry of the storage period
Contact | E-mail address, contact address, registered electronic mail address (REM), telephone no. | |
Customer Processing | Invoice information, order and request information | |

 

TABLE G – TABLE ON PERSONAL DATA OF SHAREHOLDERS/PARTNERS

PERSONAL DATA CATEGORY | PERSONAL DATA IN CATEGORY CONTENT | STORAGE PERIOD | DESTRUCTION PERIOD
Identity | Name-surname, Turkish ID no., passport details | 10 years from the termination of the business relationship with the supplier | Within 6 months after the expiry of the storage period
Contact | E-mail address, contact address, registered electronic mail address (REM), telephone no. | |
Finance | Balance sheet, financial performance information, credit-risk information, asset information and similar | |


ANNEX-3: UPDATE TABLE

The changes made in this Policy are given in the table below.

UPDATE DATE/VERSION | SCOPE OF UPDATES
[•] 17.09.2020 | Date of policy publication
[•] | [•]