Personal Data Retention, Destruction Policy

BAHAT ELECTRIC HOME APPLIANCES INDUSTRY AND FOREIGN TRADE LIMITED COMPANY

PERSONAL DATA STORAGE AND DESTRUCTION POLICY IN ACCORDANCE WITH THE LAW ON THE PROTECTION OF PERSONAL DATA NO. 6698 

  1. NATURE AND PURPOSE OF THE DESTRUCTION POLICY

The purpose of the Personal Data Retention and Destruction Policy ("Policy")  in accordance with the Law on the Protection of Personal Data No. 6698 is to explain the methods of deletion, destruction or anonymization of personal data by BAHAT ELECTRIC HOME APPLIANCES INDUSTRY AND FOREIGN TRADE LIMITED COMPANY ("Bahat") in accordance with the Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation”); in the event that the conditions for the processing of personal data processed within the scope of the Law on the Protection of Personal Data No. 6698 ("Law") cease to exist.

This Policy covers personal data and special quality personal data kept in care of Bahat and defined by the Law, all customers who receive services in care of Bahat, website visitors, guests, business associates, potential customers, Bahat employees, employee candidates, Bahat interns, intern candidates, directors, counsellors, suppliers and, in all cases, their affiliates where personal data sharing is involved, external service providers and Real and legal persons with whom Bahat has entered into other legal and commercial relations.

  1. DEFINITIONS 

Explicit consent: Consent to a specific subject, based on being informed and explained with free will

Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller

Employee/intern and candidates: Bahat employee/intern and candidates

Electronic Media: Environments where personal data can be created, read, changed and written with electronic devices

Non-Electronic Media: All media other than electronic media

Service Provider: Natural or legal person providing services to Bahat

Person of interest: Natural person whose personal data is processed

User of interest:  The person responsible for the technical storage, protection and backup of the data or the persons who process the personal data in accordance with the authorization and instruction received from the data controller.

Destruction: Deletion, destruction or anonymization of personal data

Law: Law on the Protection of Personal Data No. 6698 

Recording Medium: Any environment where personal data is processed fully or partially, automatically or non-automatically, provided that it is a part of any data recording system.

Personal data: Any information relating to an identified or identifiable natural person

Anonymization of personal data: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data

Processing of personal data: Any operation performed on the data such as; obtaining completely or partially automatically or non-automatically provided that it is a part of any data registering system, registering, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making available, classifying or prevent using of personal data.

Deletion of personal data: The process of making personal data inaccessible and nonreusable for the user of interest in any way

Destruction of personal data: Making personal data inaccessible, irretrievable and nonreusable by anyone in any way

Board: Personal Data Protection Board 

Special Quality Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data

Periodic destruction: In the event that the conditions for the processing of personal data contained in the Law disappear, the deletion, destruction or anonymization process to be carried out at repeated intervals specified in the personal data retention and destruction policy

Policy: Personal Data Storage and Destruction Policy 

Data Processor: Real or legal person who processes personal data on behalf of the data controller based on the authorization given by the data controller

Data Registering System: Registration system in which personal data is structured and processed according to certain criteria 

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data registering system 

Data Controllers Registry Information System (DCRIS-VERBİS) : The information system to be used by the data controllers in the application to the registry and other related transactions related to the registry, accessible over the internet, created and managed by the Personal Data Protection Board

Regulation: The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

  1. PERSONAL DATA  

Identity data such as name, surname, T.R. identity number, passport number or temporary T.R. identity number of non-Turkish citizens, place of birth, date of birth, marital status, gender, parents' name, identity card serial number, sequence number, family serial number; contact data such as the submitted identity card, driver's license or copy of such documents, address, telephone number, electronic mail address; financial data such as bank account number, tax office, invoice information, credit card or IBAN number, private health insurance or Social Security Institution data, photocopy of identity card, passport photo, information and documents related to health status and data related to the service to be provided to the customer can be obtained by Bahat. 

For the purpose of evaluating the services and activities provided by Bahat; the answers and comments made on social media, online platforms or other platforms, opinions, requests and complaints, security camera footage, photographs and video footage processed when you attend the events organized by Bahat, and other data, audio recordings obtained and stored by informing Bahat during the phone call, audio and video recording obtained in case of video call service over remote access platforms, navigation information obtained during the use of the website and social media accounts, IP address, browser and location information can be obtained.

The above-mentioned personal data can be kept in both digital and physical environment by transferring them to Bahat's physical archives and information systems.

  1. METHODS OF COLLECTING PERSONAL DATA

Personal data is collected by natural or legal persons who are authorized by the data controller, within the conditions and purposes specified in the Law and secondary regulations under the Law.

Application of data owners to Bahat, the first notifying and creating a customer file can be obtained verbally, in writing or electronically, by automatic and non-automatic methods from forms and minutes kept in paper and electronic media, online through the SGK system, from the records shared in case of benefiting from a private insurance company, by submitting a CV or job applications, when Bahat is contacted for any purpose and service is received, the service is provided.

  1.  ENVIRONMENTS WHERE PERSONAL DATA IS STORED

The personal data stored by Bahat are kept in a recording medium in accordance with the nature of the relevant data and our legal obligations.

Personal data generally preserved in three basic environments; physical environment (environments where data is kept on paper), digital environment (media such as computer recordings, servers, hard or portable disks, optical disks) and cloud (environments in which Bahat uses encrypted internet-based systems).

Some data kept by Bahat may be found and kept in a different environment than the ones shown here, due to their special qualities or legal obligations.

  1. ENSURING THE SECURITY OF THE ENVIROMENTS 

Bahat takes all the necessary technical and administrative measures within the scope of the law, in accordance with the characteristics of the relevant personal data and the environment in which it is kept, in order to keep personal data safe and to prevent unlawful processing and access. These measures include but are not limited to, the following administrative and technical measures to the extent that they comply with the nature of the personal data and the environment in which it is kept.

  1. TECHNİCAL MEASURES

Up-to-date and secure systems are used in environments where personal data is kept.

Security tests and research are carried out to detect security vulnerabilities in information systems and the identified existing or potential issues posing a risk are eliminated.

Access to the environments where personal data kept is restricted, and only authorized persons are allowed to access this data, limited to the purpose of storing said data.

  1. ADMINISTRATIVE MEASURES

Studies are carried out to ensure that all Bahat employees who have access to personal data are aware of information security, personal data and privacy of private life.

Legal consultancy services are provided to follow the developments in the field of information security, privacy of private life and protection of personal data and to take the necessary actions.

  1. IN-HOUSE AUDIT 

Bahat conducts in-house audits regarding the implementation of the provisions of the Law and this Policy pursuant to Article 12 of the Law. If, as a result of these audits, deficiencies or defects related to the implementation of these provisions are detected, such deficiencies or defects shall be immediately rectified.

In the event that it is understood that the personal data under the responsibility of Bahat have been obtained by others through illegal means, Bahat shall notify this situation to the person of interest and the Personal Data Protection Board as soon as possible.

  1. REASONS FOR THE DESTRUCTION OF PERSONAL DATA

Personal data preserved by Bahat is destructed at the request of the person of interest in the events of;

The maximum period requiring the retention of personal data has passed and there are no conditions justifying the retention of personal data for a longer period of time,

Amendment or abolition of the provisions of the legislation that constitute the basis for the collection and processing of personal data,

The disappearance of the purpose requiring the collection, processing or storage of personal data,

In cases where the processing of personal data takes place only on the basis of the explicit consent requirement, the person of interest withdraws his/her explicit consent,

Bahat's approval of the application made for the deletion and destruction of personal data within the framework of the rights of the person of interest, pursuant to Article 11 of the Law,

When the data owner has forwarded the request for the deletion, destruction or anonymization of his/her personal data to Bahat and did not get any results from this application, filed a complaint upon and the said complaint was approved.

The procedure for the destruction of personal data of personal data owners is explained in Article 14 of this Policy.

  1. DESTRUCTION OF PERSONAL DATA

In accordance with Article 7 of the Law, in the event that the reasons that require or justify their processing disappear, personal data are destroyed by Bahat ex officio or upon the request of the personal data owner in accordance with the provisions of the legislation even if they are collected in accordance with the provisions of the relevant law. 

In cases where Bahat has the right and/or obligation to preserve personal data in accordance with the provisions of the relevant legislation, the right not to fulfill the request of the data owner is reserved.

  1.  DELETION OF PERSONAL DATA

In the event that the reasons that require or justify their processing disappear, personal data are deleted by Bahat ex officio or upon the request of the personal data owner in accordance with the provisions of the legislation even if they are collected in accordance with the provisions of the relevant law.  

Deletion process can be; deletion of data on servers, deletion of personal data on portable electronic devices, deletion of personal data in databases, deletion of personal data in cloud systems, deletion of personal data in physical environment.

  1. DESTRUCTION PERSONAL DATA

In the event that the reasons that require or justify their processing disappear, personal data are destroyed by Bahat ex officio or upon the request of the personal data owner in accordance with the provisions of the legislation even if they are collected in accordance with the provisions of the relevant law. 

Destruction of personal data is the process of making personal data inaccessible, irretrievable and nonreusable by anyone in any way.. 

Personal data is destroyed by methods such as destruction from electronic media, physical destruction, overwriting, destruction of all copies of it, including cloud storage. 

  1. ANONYMIZATION OF PERSONAL DATA

Anonymization of personal data makes it impossible to associate personal data with an identified or identifiable natural person under any circumstances, even through the use of appropriate techniques such as irreversibility and/or matching with other data.

Bahat can anonymize personal data with one of the following methods, provided that the reasons requiring the processing of personal data processed in accordance with the law are eliminated and if necessary, on the condition of taking all necessary technical and administrative measures.

Personal data is anonymized by methods such as data derivation, data hashing, generalization, masking, and sampling.

  1. STORAGE AND DESTRUCTION PERIODS

Personal data is preserved for the period necessary to fulfil the purpose for which they were collected. These periods are determined separately for each business process. 

The retention periods determined for the personal data being processed by Bahat are shown in detail in the VERBIS system (according to the data, category and process) and in this Personal Data Retention and Destruction Policy. Bahat has set the periodic destruction period as 6 months.

In the event that the retention periods expire, personal data is destroyed in accordance with the Law if there is no other reason for keeping personal data. In this context, the data is subject to deletion or destruction or anonymization. If a longer period has been issued in accordance with the legislation or if a longer period has been set for the statute of limitations, foreclosure or retention periods in accordance with the legislation, these periods shall be considered as the maximum retention period.

 

DATA TYPE

DATA RETENTION PERIOD

Fulfilment of Employer Obligations with Human Resources Processes

10 years from the termination of the service contract, if a legal process is in progress, it is kept until the end of the process. (In accordance with Article 86/1 of Law No. 5510)

Website visitor

Name, surname, e-mail address and navigation information of the website visitor are preserved for 1 year.

Fulfilment of Obligations Regarding Occupational Health and Safety

15 years from the termination of the service contract, if a legal process is in progress, it is kept until the end of the process. (In accordance with Article 7 of the Regulation on Occupational Health and Safety Services) 

Delivery of Healthcare

It is kept for 20 years in accordance with the relevant legal regulations and the requirements of the health service. If a legal process is in progress, it is stored until the process is over. (In accordance with Articles 146, 147, 478 of Turkish Code Of Obligations no. 6098 and Articles 66-72 of Turkish Penal Code no. 5237)

Receiving Services from Third Parties

10 years from the end of the contract, if a legal process is in progress, it is stored until the end of the process. (In accordance with Article 146 of Turkish Code Of Obligations no. 6098)

 

 

  1. RIGHTS OF DATA OWNERS TO PROTECT PERSONAL DATA

Data owners can apply to Bahat at any time with regard to their data held with Bahat, and make the following requests:

Can learn whether personal data is processed, the purpose of processing and whether it is used in accordance with this purpose and if it is processed, they can request all kinds of information on this subject.

Can learn about the third parties to whom their data is shared up country and abroad, and request information on this matter.

If it is thought that the data has been processed incompletely or incorrectly, it can be requested to correct these errors, and/or destroy, delete said personal data and notify these transactions, if any, to the third parties to whom the personal data has been transferred, and request them to take the same actions.

Object to the emergence of an unfavourable result due to the analysis of the information by automated systems.

If it is thought that the personal data has been registered, used or processed unlawfully and impairment has occurred due to this, it may be requested to eliminate this impairment.

 

The procedure for transmitting the specified rights of personal data owners to Bahat is explained in Article 14 of this Policy.

  1. PROCEDURE FOR EXERCISING THE RIGHTS REGARDING PROTECT PERSONAL DATA OF DATA OWNERS

Personal data held by Bahat are meticulously protected by the technical and administrative procedures stated above, and necessary security measures are taken.

In order to benefit from the above-mentioned rights within the scope of the Law, written applications can be made to the personal data owners Bahat.

In this context applications can be made with;

  1. After filling the document named "Application Form in Accordance with the Law on Protection of Personal Data", a copy with a wet signature will be delivered by hand in person or by notary public or sent to the address Çakıl Mah., Elbasan Cad., No: 130/1 Çatalca, İstanbul.

  2. If there is a natural person e-mail address registered in the Bahat database, an e-mail can be send to info@orca.com.tr

In this application, which can be made by the personal data owner to exercise the above-mentioned rights; the requested issue must be clear and understandable, the requested issue must be related to the person of the data owner or if acting on behalf of someone else, a special power of attorney certified by a notary public must be submitted in this regard.

The requests included in the applications will be concluded as soon as possible according to the nature of the request and within 30 (thirty) days at the latest. If the application process requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged.

In the applications, name-surname, signature, T.R. identity number, residence or workplace address, e-mail address, telephone number, the elements subject to the request must be included in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller. Information and documents related to the subject also must be attached to the application. Applications that do not contain these elements will be rejected by Bahat.

Bahat may request information and documents from the applicant and ask questions in order to determine whether the applicant is the owner of personal data or to fully understand the application. 

After evaluating the application, Bahat can reject the application by explaining the reason. In accordance with Article 14 of the Law, the personal data owner; In the event that the application is rejected, the response given is found to be insufficient or the application is not responded to in time, may file a complaint to the Personal Data Protection Board within thirty days from the date of learning of Bahat's response, and in any case within sixty days from the date of application.

  1. PUBLICATION AND STORAGE OF THE POLICY

This policy is published in two different media: wet signed (printed paper) and electronically. 

The printed paper copy is stored in The Law On The Protection Of Personal Data file created by Bahat.

  1. UPDATING THE POLICY

This policy is reviewed as needed and the necessary sections are updated. In the same way, updates can be made in this notification due to the changes in the legislation provisions and other laws that may change. 

The most current version of the policy will be published on the website.

 

  1. ENFORCEMENT AND ABOLISHMENT OF THE POLICY

This policy shall be deemed to have entered into force upon publication on Bahat's website. 

If it is decided to repeal, the old copies shall be canceled (written cancelled) signed by the board of directors and kept for at least 5 years.

  1. OTHER ISSUES

In case of incompatibility between the provisions of The Law On The Protection Of Personal Data and other relevant legislation and this policy, the provisions of The Law On The Protection Of Personal Data and other relevant legislation will be applied first..

The User/Users agree that they have read this Personal Data Protection Policy before entering the website, that they have been informed and enlightened about the subject, and that they will comply with all the issues stated herein.

 

DATA CONTROLLER

Bahat Electric Home Appliances Industry And Foreign Trade Limited Company

Çakıl Mah.,Elbasan Cad., No:130/1 Çatalca, İstanbul 

info@orca.com.tr