Benova Consulting Yönetim Danışmanlığı
Benova Consulting Yönetim Danışmanlığı

Personal Data Retention and Destruction Policy

Benova Consulting Yönetim Danışmanlığı

1. Purpose

This Personal Data Retention and Destruction Policy (“Policy”) is prepared to determine the procedures and principles for our activities related to the retention and destruction of personal data, which we are performing as Benova Consulting Services Limited Company (“Benova Consulting”) in the capacity of data controller.

As a part of its legal and social responsibility, Benova Consulting is committed to comply with national regulations on personal data protection, processing, retention, and destruction under the Law on the Protection of Personal Data No. 6698 (“Law”).

Within this context, personal data of our employees, employee candidates, customers, service providers, visitors, and those whose personal data are held by Benova Consulting for any reason, are retained and destroyed in accordance with the Constitution of Turkey, international agreements, the Law, and other relevant legislation, within the scope of Benova Consulting Personal Data Processing and Protection Policy and this policy.

2. Scope of Data Protection Retention and Destruction Policy

This Policy is implemented at Benova Consulting.

Personal data of Benova Consulting employees, employee candidates, customers, service providers, visitors and other third parties are within the scope of this Policy, and this Policy is applied in all records environments where our Company’s personal data is processed or managed by our Company and in activities related to personal data processing.

The Policy can be updated from time to time. Therefore, we kindly ask you to regularly visit www.benovaconsulting.com to access the most up-to-date version of the Policy.

3. Responsibility and Personal Data Protection Unit

Benova Consulting has appointed a “Personal Data Protection Officer” to manage this Policy and other policies associated with it.

Duties of the Personal Data Protection Officer

  • To prepare the main policies related to the Protection and Processing of Personal Data and submit them for the approval of the Board of Directors.
  • To decide how the implementation and supervision of policies related to the Protection and Processing of Personal Data will be performed, to ensure coordination among departments, and to propose to the Board of Directors for internal appointments within this framework.
  • To identify what needs to be done to ensure compliance with the Law and related legislation and to submit it to the approval of the Board of Directors; to monitor its implementation and ensure its coordination.
  • To increase awareness about the Protection and Processing of Personal Data within the Company and among the institutions cooperating with the Company.
  • To identify the risks that may arise in the Company’s personal data processing activities and ensure the necessary precautions are taken.
  • To design training on the protection of Personal Data and the implementation of policies and ensure its execution.
  • To make decisions on the applications of Personal Data owners.
  • To coordinate the execution of informative and educational activities to ensure that Personal Data owners are informed about personal data processing activities and their legal rights.
  • To prepare changes in the basic policies related to the Protection and Processing of Personal Data and submit them for the approval of the Board of Directors.
  • To monitor developments and regulations related to the Protection of Personal Data; to propose to the Board of Directors about what needs to be done within the Company in accordance with these developments and regulations.
  • To coordinate relations with the Personal Data Protection Board and the Authority.
  • To carry out periodic destruction processes in June and December of each year.
  • To fulfill other duties imposed by the personal data protection legislation on the data controller.
  • To execute other tasks that the Board of Directors will give on the protection of Personal Data.

4. Environments where Personal Data is Stored

Your personal data held within Benova Consulting is securely stored in accordance with the nature of the data and our legal obligations in the environments listed below.

5. Ensuring the Security of the Record Environments

Benova Consulting takes all necessary technical and administrative measures to securely store your personal data, to prevent it from being processed and accessed unlawfully, and to destroy your personal data in accordance with the law.

5.1.Technical and Administrative Measures

In the environments where your personal data is stored, Benova Consulting takes the following technical and administrative measures as appropriate to the nature of the data and the environment where it is stored:

  • Network and application security is provided.
  • Access logs are regularly kept.
  • An authority matrix has been created for employees.
  • Authorities in this field of employees who have changed jobs or left the job are removed.
  • Monitoring of personal data security is being done.
  • Necessary security measures are taken regarding the entrances and exits to physical environments containing personal data.
  • The security of physical environments containing personal data is provided against external risks (fire, flood, etc.).
  • The security of environments containing personal data is provided.
  • Encryption is performed.

6. Statements Regarding Reasons Requiring Storage and Destruction

Personal data of our employees, job candidates, customers, visitors and suppliers/service providers who have relations with our company; are stored and destroyed in accordance with the Law, Regulation, Benova Consulting Personal Data Processing and Protection Policy and this Policy.

Benova Consulting only retains your personal data for the period required by the relevant legislation or for the purpose for which they were processed. In this context, first, it is determined whether a period is stipulated in the relevant legislation for the storage of personal data, if a period is specified, this period is complied with, if no period is specified, personal data are stored for the period necessary for the purposes for which they are processed.

At the end of the period or when the reasons requiring processing are eliminated, if there is no legal reason allowing them to be processed for a longer period, your personal data is deleted, destroyed or anonymized according to this Policy.

All transactions made by our Company regarding the deletion, destruction, and anonymization of personal data are recorded, and these records are stored for at least 3 (three) years, excluding other legal obligations.

6.1. Reasons Requiring Retention

  • Due to its direct relation to the establishment and performance of contracts,
  • For the purpose of establishing, using or protecting a right,
  • Provided that it does not harm the fundamental rights and freedoms of individuals, due to the necessity of being stored for Benova Consulting’s legitimate interests,
  • For the purpose of fulfilling Benova Consulting’s legal obligations,
  • Due to the explicit provision of the storage of personal data in the legislation;
    • Law on the Protection of Personal Data No. 6698
    • Turkish Code of Obligations No. 6098
    • Social Insurance and General Health Insurance Law No. 5510
  • Information Law No. 4982
    • Labor Law No. 4857
    • Turkish Commercial Code No. 6102 and other secondary regulations in force in accordance with these laws
  • It is stored because the consent of the data owners is required for storage activities requiring the consent of the data owners.

6.2. Reasons Requiring Destruction

In accordance with the Regulation, in the following cases, personal data of data owners are deleted, destroyed, or anonymized by Benova Consulting either ex officio or upon request:

  • Changes or abolition of the relevant legislative provisions that form the basis for the processing or storage of personal data,
  • Disappearance of the purpose that necessitates the processing or storage of personal data,
  • Disappearance of the conditions that necessitate the processing of personal data under the 5th and 6th articles of the Law,
  • In cases where the processing of personal data is based solely on the condition of explicit consent, the withdrawal of consent by the relevant person,
  • The acceptance by the data controller of the application made by the related person within the framework of their rights under paragraphs (e) and (f) of the 11th article of the Law regarding the deletion, destruction or anonymization of their personal data,
  • In cases where the data controller rejects the application made by the related person for the deletion, destruction or anonymization of their personal data, finds the answer given inadequate, or does not respond within the period stipulated in the Law; the filing of a complaint to the Board and the approval of this request by the Board,
  • Absence of any condition justifying the storage of personal data for a longer period despite the expiry of the maximum period required for the storage of personal data.

7. Methods for the Destruction of Personal Data

For the destruction of personal data, all copies of the data will be individually destroyed using one or several of the following methods, according to the systems where the data is stored.

7.1. Degaussing

Degaussing is the process of passing a magnetic medium through a special device and exposing it to a high-value magnetic field, thereby distorting the data on it in an unreadable way.

7.2. Physical Destruction

Physical destruction is the process of physically destroying optical media and magnetic media by melting, burning, reducing to dust, or passing through a metal grinder. Physical destruction processes will be applied for solid-state drives that cannot be overwritten or degaussed.

7.3. Overwriting

Overwriting is the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media.

7.4. Paper and Microfilm Environments

Personal data written on a permanent and physical medium will be destroyed by dividing the main medium into small pieces that cannot be reassembled, preferably horizontally and vertically, to an incomprehensible size, using paper destruction or clipping machines since the data is permanently and physically written on the medium.

7.5. Cloud Environment

During the storage and use of personal data in these systems, all copies of the necessary encryption keys for the destruction of personal data will be destroyed as the data should be encrypted with cryptographic methods, and if possible, separate encryption keys should be used for each cloud solution where personal data is stored.

In addition to the above-mentioned environments, the destruction of personal data on devices that are malfunctioning or sent for maintenance will be carried out as follows:

Before transferring the related devices for maintenance and repair operations to third parties like the manufacturer, seller, service, the personal data contained in them will be destroyed using the appropriate methods mentioned in (8.1.).

In situations where destruction is not possible, the data storage medium will be dismantled and stored, and other defective parts will be sent to the manufacturer, seller, service or other third parties.

Necessary precautions will be taken to prevent personnel who come for maintenance and repair purposes from copying personal data and taking it outside the institution.

7.6. Anonymization of Personal Data

Anonymization of personal data is making the personal data

 unable to be associated with an identifiable or identifiable real person in any way, even if it is matched with other data.

For personal data to be anonymized; it must be made unidentifiable with an identifiable or identifiable real person even by using appropriate techniques in terms of the recording medium and the related field of activity, such as the reversal of personal data by the data controller or recipient groups and/or matching data with other data.

None of the anonymization methods for personal data are used within Benova Consulting.

8. Retention and Destruction Periods

8.1 Retention Periods

Personal Data CategoryGroup of Data SubjectsRetention Period
ID (Name Surname – mother’s – father’s name, Date of birth, Place of birth, Marital status, serial number of the identity card, Republic of Turkey identification number etc)Job Applicant-2 years from the date of application for those whose job applications are not accepted -10 years from the termination of the employment contract
Employees10 years from the termination of the employment contract
Employee’s Close Relatives10 years from the termination of the employment contract
Shareholder/Partner10 years from the liquidation of the company
Customer Representative Customer Employee10 years from the end of the contract 3 years if no contract is made
Communication (Address number, E-mail address, Contact address, Registered Electronic Mail Address (REMA), Phone Number)Job Applicant-2 years from the date of application for those whose job applications are not accepted -10 years from the termination of the employment contract
Employees10 years from the termination of the employment contract
Employee’s Relative10 years from the termination of the employment contract
Shareholder/Partner10 years from the liquidation of the company
Customer Representative Customer Employee10 years from the end of the contract 3 years if no contract is made
Personnel Rights (Payroll information, Disciplinary investigation, Employment entry document records, Asset declaration information, Curriculum vitae details, Performance evaluation reports, etc.)Employees10 years from the termination of the employment contract
Finance (Balance sheet information, Financial performance data, Credit and risk information, Asset liability information)Employees10 years from the termination of the employment contract
Customer Representative Customer Employee10 years from the end of the contract
Shareholder/Partner10 years from the liquidation of the company
Customer Processes (Invoice, promissory note, check information, Information on counter receipts, Order details, Request information, etc.)Customer Representative Customer Employee10 years from the end of the contract 3 years if no contract is made

8.2 Destruction Periods

Benova Consulting fulfills its obligation to delete, destroy, or anonymize the personal data it is responsible for according to the Law, relevant legislation, Benova Consulting Personal Data Processing and Protection Policy, and this Personal Data Retention and Destruction Policy in the first periodic destruction process following the date it emerged (within 180 days at the latest following the retention period).

When the relevant person applies to Benova Consulting pursuant to Article 13 of the Law and requests the deletion or destruction of their personal data;

If all the conditions for processing personal data have disappeared; Benova Consulting deletes or destroys the personal data subject to the request within 30 (thirty) days from the date it received the request, explaining the reason with the appropriate destruction method. Benova Consulting informs the relevant person about the transactions made.

If all the conditions for processing personal data have not disappeared, this request can be rejected by Benova Consulting in accordance with the third paragraph of Article 13 of the Law, and the rejection answer is notified to the relevant person in writing or electronically within thirty days at the latest.

9. Periodic Destruction

The 2nd paragraph of Article 11 of the Regulation is imperative: “The time interval at which periodic destruction will be carried out is determined in the personal data storage and destruction policy by the data controller. This period cannot exceed six months in any case.”

In accordance with the Regulation, Benova Consulting has determined the periodic destruction period as 6 months. Accordingly, the periodic destruction process is carried out by Benova Consulting every year in June and December.

10. Enforcement, Publication, and Update of the Policy

This Policy will come into effect on 01/02/2022.

This Policy is published on the Company’s website at www.benovaconsulting.com. In case of discrepancy between the provisions of the Law and other relevant legislation and this Policy, the Law and other relevant legislation provisions will primarily be applied.

This Policy is updated as necessary and when needed. In case of changes in the Policy, the effective date of the Policy and the relevant articles are updated accordingly.

İletişim Formu_EN
magnifiercross
×