Disposal Policy

PERSONAL DATA DISPOSAL POLICY

Within our company, January and July have been determined as the disposal periods. Personal data obtained from data subjects will be deleted, destroyed, or anonymized by the personnel responsible for data protection within the company during the first disposal period following the expiry of the retention period. The records of disposal procedures will be kept by the personnel responsible for data protection in an independent location for 3 (three) years; after three years, these records will themselves be disposed of. The disposal procedures will be conducted in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data numbered 30224 dated October 28, 2017, and the provisions of the Personal Data Protection Law numbered 6698.

The reasons for disposal are as follows:

  • Amendment or abolition of the relevant legislation provisions that form the basis for processing,
  • The disappearance of the purpose requiring processing or storage,
  • Withdrawal of explicit consent by the data subject in cases where processing is based solely on explicit consent,
  • Application by the data subject for the deletion or destruction of personal data within the scope of their rights under Article 11 of the Law,
  • Rejection of the application made by the data subject for the deletion, destruction, or anonymization of their personal data by the Institution, finding the response insufficient, or not responding within the period stipulated by the Law; filing a complaint with the Board and the Board finding this request appropriate,
  • The maximum retention period for personal data has passed, and there is no justified reason to retain the personal data for a longer period.


In accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, technical and administrative measures are taken in compliance with the law to ensure the secure storage of personal data, to prevent unlawful processing and access, and for their disposal in line with the adequate measures determined and announced by the Board.

The technical measures taken by the Company regarding the processed personal data are listed below:

  • Penetration tests are conducted to identify risks, threats, vulnerabilities, and security gaps in our Institution's information systems, and necessary measures are taken.
  • Information security incident management ensures continuous monitoring, through real-time analysis, of risks and threats that may affect the continuity of information systems.
  • Access to information systems and user authorization are managed through access and authorization matrices and corporate Active Directory security policies.
  • Necessary measures are taken to ensure the physical security of the Company's information system equipment, software, and data.
  • Measures are taken to protect information systems against environmental threats, including hardware measures (access control systems allowing only authorized personnel to enter server rooms, 24/7 monitoring systems, physical security of the edge switches forming the local area network, fire suppression systems, air conditioning systems, etc.) and software measures (firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.).
  • Risks that may lead to unlawful processing of personal data are identified, appropriate technical measures are taken against these risks, and technical controls are performed on the implemented measures.
  • Access procedures have been established within the Company, and reporting and analysis studies on access to personal data are conducted.
  • Access to storage areas where personal data are kept is recorded, and unauthorized access or access attempts are kept under control.
  • The Company takes necessary measures to ensure that deleted personal data are inaccessible and unusable for the relevant users.
  • Systems and infrastructure have been established to notify the relevant person and the Board if personal data are obtained unlawfully by others.
  • Security vulnerabilities are tracked, appropriate security patches are installed, and information systems are kept up to date.
  • Strong passwords are used in electronic environments where personal data are processed.
  • Secure log recording systems are used in electronic environments where personal data are processed.
  • Data backup programs are used to ensure the security of personal data.
  • Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
  • Access to the Institution's website is encrypted using the secure protocol (HTTPS) with a certificate using the SHA-256 RSA algorithm.
  • A separate policy has been established for the security of special categories of personal data.
  • Employees processing special categories of personal data have received training on the security of such data.
  • Confidentiality agreements have been signed, and the authorities of users with access to data have been defined.
  • Electronic environments where special categories of personal data are processed, stored, and/or accessed are protected by cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are continuously monitored, and necessary security tests are regularly conducted. Test results are recorded.
  • Adequate security measures are taken for physical environments where special categories of personal data are processed, stored, and/or accessed, and physical security is ensured to prevent unauthorized entry and exit.
  • If special categories of personal data need to be transferred via email, they are encrypted and sent using the corporate email address or a Registered Electronic Mail (KEP) account. If transfer is required via portable media such as USB drives, CDs, or DVDs, the data is encrypted using cryptographic methods, and the cryptographic key is stored in a separate medium. If transfer is required between servers in different physical environments, data transfer is performed by establishing a VPN between the servers or using the sFTP method. If transfer is required on paper, necessary measures are taken against risks such as theft, loss, or viewing by unauthorized persons, and the document is sent marked "confidential".
  • The Company will determine which of these items it can implement.


The administrative measures taken by the Company regarding the processed personal data are listed below:

  • Trainings are provided to improve employee quality on preventing unlawful processing of personal data, preventing unlawful access to personal data, protecting personal data, communication techniques, technical knowledge and skills, Labor Law, and other relevant legislation.
  • Employees sign confidentiality agreements regarding the activities carried out by the Company.
  • A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
  • The Institution fulfills its obligation to inform the relevant persons before starting to process personal data.
  • A personal data processing inventory has been created.
  • Periodic and random audits are conducted within the Company.
  • Employees receive information security training.


Personal data are disposed of by the Company upon the request of the relevant person after the legal period expires or ex officio in the following ways:

DATA RECORDING MEDIUM: EXPLANATION
Personal Data on Servers: The system administrator revokes the access rights of the relevant users.
Personal Data in Electronic Media: Personal data in electronic media whose retention period has expired are made inaccessible and unusable.
Personal Data in Physical Media: Personal data kept in physical media whose retention period has expired are made unusable. Additionally, they are rendered unreadable.
Personal Data in Portable Media: Personal data stored in flash-based storage media are encrypted, and the encryption keys are kept by the system administrator.
Personal Data in Physical Media: Personal data on paper media are destroyed irreversibly.
Personal Data in Optical/Magnetic Media: Personal data in optical and magnetic media are destroyed. Additionally, magnetic media are passed through a special device.


PERSONAL DATA STORAGE
Documents for employment to be submitted to the Social Security Institution: Employee data based on seniority and wage declarations.
Documents for employment to be submitted to the Social Security Institution: Employee data other than those based on seniority and wage declarations.


Personal data obtained from employees are stored and disposed of for different periods according to their nature. The retention periods for these data are as follows. Data whose retention period has expired are disposed of during the nearest disposal period, and disposal records are kept for 3 years.

Customer Information: According to Article 82 of the Turkish Commercial Code, commercial books and records based on investments are kept for 10 years as per the mentioned law, and Customer Information related to these is kept for the period necessary for the purpose for which they are processed.
Contracts based on commercial relations and their data: 10 years according to the provisions of Law No. 6098 on Obligations and other legislation.
Employees' Personal Health Files: According to Occupational Health and Safety legislation, personal health files must be kept for 1 day.
Candidate Employee Information: Stored for up to 2 years until exhausted.
Visitor Information: Stored for 2 years.
Partner and Consultant Information: Stored during the relationship with the Company and for 10 years after the termination of the relationship according to Article 146 of the Turkish Code of Obligations.
Information Shared by Companies with the Company: Stored during the relationship with the Company and for 10 years after the termination of the relationship according to Article 146 of the Turkish Code of Obligations.
Customer: For each product/service purchased by the Customer, stored for 10 years according to Article 146 of the Turkish Code of Obligations and the Turkish Commercial Code.
Customer/Potential Customer Requests and Complaints: Stored for 10 years from the date of the complaint request.
Personal data that constitute a crime under the Turkish Penal Code or other penal provisions: For the duration of the statute of limitations.
Daily Tracking Systems: 10 years.
Hardware and Software Access Processes: 2 years.
Records of Visitors and Meeting Participants: 2 years from the event if there is no contractual relationship.
Information of non-employee trainees and course participants: During the training and other activities with the Company and for 1 year after the termination of the relationship.
Personal data obtained from candidate employees: Until the nearest disposal period if the candidate application is rejected.


In light of the above explanations, the disposal periods for the data categories included in the VERBIS Inventory record are as follows:

Data Category: Data Retention Period
1. Identity: Disposal period 10 years after the termination of other legal relationships
2. Communication: Disposal period 10 years after the termination of other legal relationships
3. Location: 2 years for data not based on another contractual relationship / first disposal period 10 years after the termination of the reciprocal relationship
4. Personality: Disposal period 15 years after the termination of other legal relationships
5. Legal Transaction: Disposal period 10 years after the termination of other legal relationships
6. Customer Transaction: Disposal period 10 years after the termination of other legal relationships
7. Physical Space Security: For the periods stipulated in other legislation, but in any case
8. Transaction Security: 2 years for other web and log records / 10 years for corporate applications, until the nearest disposal period
9. Risk Management: 2 years for data not based on another contractual relationship / first disposal period 10 years after the termination of the reciprocal relationship
10. Finance: Disposal period 10 years after the termination of other legal relationships
11. Professional Experience: Disposal period 10 years after the termination of other relationships
12. Marketing: 5 years for data not based on another contractual relationship / first disposal period 10 years after the termination of the contractual relationship
13. Visual and Audio Recordings: 2 years for data not based on another contractual relationship / first disposal period 10 years after the termination of the contractual relationship
17. Appearance and Disguise: Disposal period 10 years after the termination of other relationships
21. Health Information: Disposal period 15 years after the termination of other relationships
23. Criminal Conviction and Security Measures: Disposal period 10 years after the termination of other relationships
26. Other Information - Employee Family Information: Disposal period 10 years after the termination of other relationships
26. Other Information - Signature and Other Written Information: Disposal period 10 years after the termination of other relationships


Our Company has selected July and January as disposal periods, and data whose retention period has expired will be disposed of during the nearest disposal month and recorded. In this record, some letters or numbers from the TR ID or Name fields will be removed, so that the information included does not allow clear identification of the person or their information. These records will be kept for 3 years.

When the relevant person requests the deletion or destruction of their personal data by applying to SÜMER ULUSLARARASI SANAYİ VE TİCARET A.Ş. in accordance with Article 13 of the Law;

  • If all conditions for processing personal data have disappeared, the Company deletes, destroys, or anonymizes the personal data subject to the request using the appropriate disposal method within 30 (thirty) days from the date the request is received, explaining the reason. For the Company to consider the request as received, the relevant person must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, the Company informs the relevant person about the process.
  • If not all conditions for processing personal data have disappeared, this request may be rejected by the Company with justification in accordance with the third paragraph of Article 13 of the Law, and this situation is notified to the relevant person in writing or electronically within thirty days at the latest. The relevant person's right to complain to the Institution is reserved. In this context, the relevant persons may apply to the Board within 60 (sixty) days from the date they learn that their request has been rejected.
  • In this context, applications to our Company "in writing" can be made:
    • in person by the Applicant;
    • through a notary;
    • by sending the application to the Company's registered email address after the Applicant has signed it with a "secure electronic signature" as defined in the Electronic Signature Law No. 5070.

Our contact information to exercise this right is as follows:

Title: SÜMER ULUSLARARASI SANAYİ VE TİCARET A.Ş.

MERSIS No / Tax No: 7860018595

Email Address: info@sumeras.com

Mailing Address: BAŞKENT OSB MAHALLESİ BAŞKENT BULVARI NO:81 SİNCAN/ANKARA

Tel: 03124184129