This Personal Data Retention and Destruction Policy (“Policy”) is prepared to determine the procedures and principles for our activities related to the retention and destruction of personal data, which we are performing as Benova Consulting Services Limited Company (“Benova Consulting”) in the capacity of data controller.
As a part of its legal and social responsibility, Benova Consulting is committed to comply with national regulations on personal data protection, processing, retention, and destruction under the Law on the Protection of Personal Data No. 6698 (“Law”).
Within this context, personal data of our employees, employee candidates, customers, service providers, visitors, and those whose personal data are held by Benova Consulting for any reason, are retained and destroyed in accordance with the Constitution of Turkey, international agreements, the Law, and other relevant legislation, within the scope of Benova Consulting Personal Data Processing and Protection Policy and this policy.
This Policy is implemented at Benova Consulting.
Personal data of Benova Consulting employees, employee candidates, customers, service providers, visitors and other third parties are within the scope of this Policy, and this Policy is applied in all records environments where our Company’s personal data is processed or managed by our Company and in activities related to personal data processing.
The Policy can be updated from time to time. Therefore, we kindly ask you to regularly visit www.benovaconsulting.com to access the most up-to-date version of the Policy.
Benova Consulting has appointed a “Personal Data Protection Officer” to manage this Policy and other policies associated with it.
Duties of the Personal Data Protection Officer
Your personal data held within Benova Consulting is securely stored in accordance with the nature of the data and our legal obligations in the environments listed below.
Benova Consulting takes all necessary technical and administrative measures to securely store your personal data, to prevent it from being processed and accessed unlawfully, and to destroy your personal data in accordance with the law.
In the environments where your personal data is stored, Benova Consulting takes the following technical and administrative measures as appropriate to the nature of the data and the environment where it is stored:
Personal data of our employees, job candidates, customers, visitors and suppliers/service providers who have relations with our company; are stored and destroyed in accordance with the Law, Regulation, Benova Consulting Personal Data Processing and Protection Policy and this Policy.
Benova Consulting only retains your personal data for the period required by the relevant legislation or for the purpose for which they were processed. In this context, first, it is determined whether a period is stipulated in the relevant legislation for the storage of personal data, if a period is specified, this period is complied with, if no period is specified, personal data are stored for the period necessary for the purposes for which they are processed.
At the end of the period or when the reasons requiring processing are eliminated, if there is no legal reason allowing them to be processed for a longer period, your personal data is deleted, destroyed or anonymized according to this Policy.
All transactions made by our Company regarding the deletion, destruction, and anonymization of personal data are recorded, and these records are stored for at least 3 (three) years, excluding other legal obligations.
In accordance with the Regulation, in the following cases, personal data of data owners are deleted, destroyed, or anonymized by Benova Consulting either ex officio or upon request:
For the destruction of personal data, all copies of the data will be individually destroyed using one or several of the following methods, according to the systems where the data is stored.
Degaussing is the process of passing a magnetic medium through a special device and exposing it to a high-value magnetic field, thereby distorting the data on it in an unreadable way.
Physical destruction is the process of physically destroying optical media and magnetic media by melting, burning, reducing to dust, or passing through a metal grinder. Physical destruction processes will be applied for solid-state drives that cannot be overwritten or degaussed.
Overwriting is the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media.
Personal data written on a permanent and physical medium will be destroyed by dividing the main medium into small pieces that cannot be reassembled, preferably horizontally and vertically, to an incomprehensible size, using paper destruction or clipping machines since the data is permanently and physically written on the medium.
During the storage and use of personal data in these systems, all copies of the necessary encryption keys for the destruction of personal data will be destroyed as the data should be encrypted with cryptographic methods, and if possible, separate encryption keys should be used for each cloud solution where personal data is stored.
In addition to the above-mentioned environments, the destruction of personal data on devices that are malfunctioning or sent for maintenance will be carried out as follows:
Before transferring the related devices for maintenance and repair operations to third parties like the manufacturer, seller, service, the personal data contained in them will be destroyed using the appropriate methods mentioned in (8.1.).
In situations where destruction is not possible, the data storage medium will be dismantled and stored, and other defective parts will be sent to the manufacturer, seller, service or other third parties.
Necessary precautions will be taken to prevent personnel who come for maintenance and repair purposes from copying personal data and taking it outside the institution.
Anonymization of personal data is making the personal data
unable to be associated with an identifiable or identifiable real person in any way, even if it is matched with other data.
For personal data to be anonymized; it must be made unidentifiable with an identifiable or identifiable real person even by using appropriate techniques in terms of the recording medium and the related field of activity, such as the reversal of personal data by the data controller or recipient groups and/or matching data with other data.
None of the anonymization methods for personal data are used within Benova Consulting.
| Personal Data Category | Group of Data Subjects | Retention Period |
| ID (Name Surname – mother’s – father’s name, Date of birth, Place of birth, Marital status, serial number of the identity card, Republic of Turkey identification number etc) | Job Applicant | -2 years from the date of application for those whose job applications are not accepted -10 years from the termination of the employment contract |
| Employees | 10 years from the termination of the employment contract | |
| Employee’s Close Relatives | 10 years from the termination of the employment contract | |
| Shareholder/Partner | 10 years from the liquidation of the company | |
| Customer Representative Customer Employee | 10 years from the end of the contract 3 years if no contract is made | |
| Communication (Address number, E-mail address, Contact address, Registered Electronic Mail Address (REMA), Phone Number) | Job Applicant | -2 years from the date of application for those whose job applications are not accepted -10 years from the termination of the employment contract |
| Employees | 10 years from the termination of the employment contract | |
| Employee’s Relative | 10 years from the termination of the employment contract | |
| Shareholder/Partner | 10 years from the liquidation of the company | |
| Customer Representative Customer Employee | 10 years from the end of the contract 3 years if no contract is made | |
| Personnel Rights (Payroll information, Disciplinary investigation, Employment entry document records, Asset declaration information, Curriculum vitae details, Performance evaluation reports, etc.) | Employees | 10 years from the termination of the employment contract |
| Finance (Balance sheet information, Financial performance data, Credit and risk information, Asset liability information) | Employees | 10 years from the termination of the employment contract |
| Customer Representative Customer Employee | 10 years from the end of the contract | |
| Shareholder/Partner | 10 years from the liquidation of the company | |
| Customer Processes (Invoice, promissory note, check information, Information on counter receipts, Order details, Request information, etc.) | Customer Representative Customer Employee | 10 years from the end of the contract 3 years if no contract is made |
Benova Consulting fulfills its obligation to delete, destroy, or anonymize the personal data it is responsible for according to the Law, relevant legislation, Benova Consulting Personal Data Processing and Protection Policy, and this Personal Data Retention and Destruction Policy in the first periodic destruction process following the date it emerged (within 180 days at the latest following the retention period).
When the relevant person applies to Benova Consulting pursuant to Article 13 of the Law and requests the deletion or destruction of their personal data;
If all the conditions for processing personal data have disappeared; Benova Consulting deletes or destroys the personal data subject to the request within 30 (thirty) days from the date it received the request, explaining the reason with the appropriate destruction method. Benova Consulting informs the relevant person about the transactions made.
If all the conditions for processing personal data have not disappeared, this request can be rejected by Benova Consulting in accordance with the third paragraph of Article 13 of the Law, and the rejection answer is notified to the relevant person in writing or electronically within thirty days at the latest.
The 2nd paragraph of Article 11 of the Regulation is imperative: “The time interval at which periodic destruction will be carried out is determined in the personal data storage and destruction policy by the data controller. This period cannot exceed six months in any case.”
In accordance with the Regulation, Benova Consulting has determined the periodic destruction period as 6 months. Accordingly, the periodic destruction process is carried out by Benova Consulting every year in June and December.
This Policy will come into effect on 01/02/2022.
This Policy is published on the Company’s website at www.benovaconsulting.com. In case of discrepancy between the provisions of the Law and other relevant legislation and this Policy, the Law and other relevant legislation provisions will primarily be applied.
This Policy is updated as necessary and when needed. In case of changes in the Policy, the effective date of the Policy and the relevant articles are updated accordingly.
