TSA Savunma A.S. Personal Data Storage and Annihilation Policy
This Personal Data Storage and Annihilation Policy (Policy), Personal Data Protection Law No. 6698 (KVKK or Law) and Deletion of Personal Data constituting the secondary regulation of the Law, in order to fulfill our obligations pursuant to the Regulation (Regulation) on the Destruction or Anonymization of your personal data, and to inform the data owners about the principles of determining the maximum storage period required for the purpose for which your personal data is processed, and the processes of deletion, destruction and anonymization, TSA Defence A.Ş. has been prepared.
A. Definitions
The definitions of terms and abbreviations used within the scope of this Policy are as follows:
| Abridgment | Definition |
| Express Consent: | It is the consent given by the free will of the person concerned, based on information, related to a specific subject. |
| Anonymization: | It is to render the processed personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching them with other data. |
| Related person: | The real person whose personal data is processed. |
| Annihilation | Deletion, annihilation or anonymization of personal data. |
| Personal Data: | It is all kinds of information relating to an identified or identifiable natural person. |
| Processing of personal data: | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system it is any operation performed on the data, such as blocking. |
| Storage of personal data | It is the storage of personal data in physical or electronic media, in a way that is accessible only to authorized persons, by taking the necessary technical and administrative measures for as long as required by the purpose of processing. |
| Deletion of personal data: | It is the process of making personal data inaccessible and unusable for the relevant users in any way. |
| Disposal of Personal Data | It is the process of making personal data inaccessible, unrecoverable and nonreusable by anyone. |
| Data Processor: | It is the real or legal person who processes personal data on behalf of the data controller based on the authority given by him/her. |
| Data supervisor: | It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Visitor | They are real people who have visited our company’s physical places or website, regardless of their purpose. |
B.Our Personal Data Processing Principles
Our company acts within the framework of the general principles set forth in the Law and other relevant legislation and the procedures and principles stipulated in the processing of personal data collected in accordance with the Law. In this context, our Company declares and undertakes that it will act in accordance with the following principles in accordance with Article 4 of the Law during the protection and processing of this data:
a) Compliance with the law and the rules of honesty,
b) Being accurate and up-to-date when necessary,
c) Processing for specific, explicit and legitimate purposes,
ç) Being connected, limited and restrained with the purpose for which they are processed,
d) To be kept for the period required by the relevant legislation or for the purpose for which they are processed.
C. Scope and Modification of the Policy
This Policy has been prepared in accordance with the Law on Protection of Personal Data No. 6698 and other relevant legislation. The policy covers all kinds of data obtained automatically or non-automatically, provided that it is a part of any data recording system, , belonging to employees, employee candidates, visitors, etc. other third parties.
The articles in this Policy published by our company will be renewed and/or updated in whole or in part, in accordance with the laws, within the scope of the necessary situations. Accordingly, the Company always reserves the right to edit and/or change it.
D. Conditions for Processing Personal Data:
Your personal data is only processed in accordance with Article 5 of the KVKK, with the express consent of the persons concerned or in the presence of one of the following conditions of compliance with the law. These;
- It is clearly foreseed in the laws,
- The person who is unable to express his or her consent due to actual impossibility or whose consent is not given legal validity is compulsory for the protection of himself or someone else’s life or physical integrity,
- Provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract,
- It is mandatory for the data controller to fulfill its legal obligation,
- The person concerned has been made public by himself,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- Provided that it does not harm the fundamental rights and freedoms of the person concerned, cases where data processing is mandatory for the legitimate interests of the data controller.
E. Conditions for Processing Special Quality Personal Data:
The company, person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data it only works if people give explicit consent.
The company may process personal data related to health and sexual life without seeking the explicit consent of the person concerned, within the framework of confidentiality obligation, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
F. Purposes of Personal Data Processing
Personal data collected within the company; Carrying out necessary studies to ensure all kinds of legal security of persons who benefit from the services offered by our company and who are in business and / or commercial relations, Determining and implementing our company’s commercial and business strategies, Ensuring the execution of our company’s human resources policies, ty ensure the security of physical environments, to carry out customer relations, to update customer contact information, to fulfill financial obligations, to carry out advertising and promotion activities, to analyze customer complaints and needs and based on the fulfillment of the legal obligation of the data controller specified in Article 5 of the KVKK Personal Data Protection Law. although the service provided may vary depending on the business and/or commercial activities; website, e-mail, social media channels, mobile applications, marketing studies, security cameras, customer complaint forms, Providing information on personal data by real and/or legal persons who have a business and/or commercial relationship with our company and persons working with and/or on behalf of these persons, It can be collected verbally, in writing or electronically through the data subject’s informing about her/his personal data due to a job application and / or starting to work in the units of our company.
G. Explanations Regarding the Reasons Requiring Storage and Disposal of Data
Personal data of data owners, particularly by the company (i) the ability to continue business activities (ii) fulfillment of legal obligations, (iii) the Law for the planning and execution of employee rights and fringe benefits; and are kept within the limits specified in other relevant legislation.
The reasons for keeping it are as follows:
- Storing personal data as it is directly related to the establishment and performance of contracts,
- Storing personal data for the purpose of establishing, exercising or protecting a right,
- It is obligatory to keep personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of individuals,
- Storing personal data in order for the Company to fulfill any of its legal obligations,
- Clearly stipulating the storage of personal data in the legislation,
- Explicit consent of data subjects for storage activities that require explicit consent of data subjects.
In accordance with the Regulation, personal data belonging to data owners in the cases listed below, It is deleted, destroyed or anonymized by the company ex officio or upon request:
- In case it is necessary due to the amendment or repeal of the provisions of the relevant legislation, which is the basis for the processing or storage of personal data,
- The disappearance of the purpose that requires the processing or storage of personal data,
- Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
- In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his consent,
- Relevant person, deletion of personal data within the framework of the rights in Article 11 of the Law, the application made for the destruction or anonymization of the data controller is accepted by the data controller,
- Deletion of personal data of the data controller by the person concerned, rejecting the application made to him with a request to be destroyed or anonymized, in cases where the answer given is insufficient or he does not respond within the time stipulated in the Law; complaining to the Board and approval of this request by the Board,
- There are no conditions to justify keeping personal data for a longer period of time, even though the maximum period for keeping personal data has passed.
H. Protection of Personal Data (CAUTIONS)
Our company, it fulfills all its obligations for the purpose of legally processing personal data within the scope of the provisions of the Law. For the purpose of preventing unlawful access to data processed in accordance with the law and in the data recording system technical measures are taken by taking into consideration the technological possibilities and implementation costs. Personal data is processed fully or partially automatically or by non-automatic means as part of the data recording system, all kinds of administrative measures are taken to ensure that these data are not obtained or learned by unauthorized persons. Necessary administrative and technical measures are taken to ensure that personal data processed by the Company is not disclosed to others and used for purposes other than processing. In case it is determined that the personal data processed by the company has been obtained by others unlawfully, this situation will be reported to the person concerned and the KVK Board as soon as possible.
I. Persons and Their Responsibilities in the Processes of Storing and Destroying Personal Data
Law within the company, all employees in fulfilling the requirements regarding the destruction of data specified in the Regulation and Policy, external service providers and otherwise, which otherwise stores and processes personal data before the company everyone is responsible for meeting these requirements.
Each business unit is obliged to store and protect the data it produces in its own business processes; however, if the data produced is only available in information systems outside the control and authority of the business unit, the data in question will be stored by the units responsible for information systems.
It will affect business processes and disrupt data integrity, periodic destructions that will cause data loss and results contrary to legal regulations, the type of personal data concerned, it will be done by the relevant information systems departments, taking into account the systems in which it is located and the data owner business unit.
J. Storage and Disposal Periods of Personal Data
Obligations brought by legal regulations are taken into account when determining the retention period of personal data. Except for legal regulations, the storage period is determined by taking into account the purposes of processing personal data. In the event that the purpose of data processing disappears, the data is deleted, destroyed or anonymized unless there is another legal reason or basis that allows the data to be kept.
Purpose of processing personal data has ended; if the relevant legislation and the retention periods determined by the company have come to an end, or if the company has decided that the processing of personal data is no longer necessary; personal data can only be stored to provide evidence in possible legal disputes or to assert the right related to personal data or to establish a defense. The statute of limitations for asserting the right mentioned in the establishment of the periods herein despite the expiry of the statute of limitations, storage periods are determined based on the examples in the requests made by the Company on the same issues before. These times are shown in the table below. After these periods expire, personal data is deleted, destroyed or anonymized.
Regarding the storage of the said personal data, in the event that the period stipulated in the legislation expires or no period is stipulated in the relevant legislation regarding the storage of the said data the data is deleted, destroyed or anonymized by the data controller in 6 month periods.
Unless a contrary decision is taken by the institution, the appropriate method of deleting, destroying or anonymizing personal data is selected by the company, taking into account this request, if the relevant person requests it.
When the person concerned applies to the company and requests the deletion or destruction of his personal data, the relevant request is evaluated according to whether the conditions for processing personal data have been lifted. If the processing conditions of personal data are completely eliminated, the company deletes, destroys or anonymizes the personal data subject to the request. In any case, requests are finalized within 30 days and notified to the relevant person.
K. Periodic Destruction
In the event that all the conditions for the processing of personal data in the law are eliminated; the company deletes, destroys or anonymizes the personal data whose processing conditions have been eliminated, through a process that will be carried out ex officio at repetitive intervals and specified in this Personal Data Retention and Disposal Policy
Periodic destruction processes start on 30.06.2018 for the first time and repeat every 6 (six) months.
L. Surveillance and Control
The Company will oversee and control the destruction processes, which it performs ex officio, both upon request and in periodic destruction processes, by acting in accordance with the Law, other legislation and this Personal Data Retention and Destruction Policy.