Data Storage, Anonymization and Disposal Policy

1. Aim

The purpose of this procedure is to ensure that all printed and written content, information technology assets and peripherals used in the acquisition, processing and storage of information are safely destroyed when necessary and in accordance with the Law on the Protection of Personal Data No. 6698.

2. Extent

The procedure covers all personal and commercial data records and business processes.

3. Definitions

Law: Refers to Law No. 6698 on the Protection of Personal Data.
Personal Data: Any information relating to an identified or identifiable natural person. A person being identified or identifiable means that the person can be identified by associating existing data with a natural person in any way.
Sanitization: Processes such as crossing out, painting over and blurring all of the personal data so that it cannot be associated with an identified or identifiable natural person.
Data Recording Medium: Any medium in which personal data is processed wholly or partially by automatic means, or by non-automatic means provided that it is part of a data recording system.
Personal Data Storage and Disposal Policy: The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, disposal and anonymization.
Masking: Processes such as deleting, crossing out, painting over and starring out certain areas of personal data so that it cannot be associated with an identified or identifiable natural person.
Special Categories of Personal Data: Data on a person's race, origin, political thought, belief, religion, appearance, health, criminal convictions and security, and biometric data.
Periodic Disposal: The process of deletion, disposal or anonymization that is carried out ex officio at the recurring intervals specified in the personal data storage and disposal policy when all the conditions for processing personal data in the Law are eliminated.

4. References

Regulation on the Protection of Personal Data No. 6698, No. 30224, on the Deletion, Destruction or Anonymization of Personal Data dated 28.10.2018

5. Application

5.1. Asset Disposal

If the purpose of processing personal data is eliminated, express consent is withdrawn, all the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, or none of the exceptions in those articles can be applied, the processing conditions are considered eliminated. In that case the relevant business unit deletes, disposes of or anonymizes the personal data, considering business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation (Deletion, Disposal or Anonymization of Personal Data), and explains the reason for the method applied. However, in case of a finalized court decision, the method of disposal determined by the court decision must be applied.

The information on any device capable of recording information is deleted to prevent unauthorized access, and the disk and recording mechanism on the device are physically destroyed. A Media/Device Disposal Report is filled in and signed by the information systems operator. The destruction process is recorded by entering the date, device information, reason for disposal, etc.

Data Deletion Methods

a. Personal Data in Paper Media: They are deleted by destroying with a paper shredder or by using the sanitization method when necessary.
b. Office Files Located on the Central Server: They are deleted with the delete command in the operating system.
c. Data on Removable Media: It is deleted by the delete command in the operating system.
d. Databases: Relevant rows containing data are deleted with database commands.

Assets and Data Disposal Methods

a. In Local Systems: Destroyed by using the appropriate method among de-magnetizing, physical destruction and overwriting.
b. Environmental Systems:
•    Network devices (switches, routers, etc.): Destroyed by the appropriate methods specified in item a.
•    Flash-based media: Destroyed by the methods recommended by the relevant manufacturer or by the methods specified in item a.
•    Magnetic tape: Destroyed by demagnetizing or by physical methods such as burning or melting.
•    SIM cards and fixed memory cards: Destroyed by the appropriate methods specified in item a.
•    Optical discs: Destroyed by physical methods such as burning, shredding or melting.
•    Peripherals with fixed Data Recording Media: Destroyed by the appropriate methods specified in item a.

c. Printed Media: Destroyed by using paper shredders. Personal data transferred from original paper format to electronic media by scanning are destroyed by appropriate methods according to their environment.

Methods of Making Personal Data Anonymous:

When anonymizing personal data, the appropriate anonymization method shown in the Guide on Deletion, Destruction or Anonymization of Personal Data published by the Personal Data Protection Authority is used.
 
As a result of periodic reviews or when it is determined at any time that the data processing conditions have been removed, the relevant user or data owner will decide to delete, destroy or anonymize the relevant personal data from the recording medium within its own body in accordance with this policy. In case of hesitation, action will be taken by obtaining the opinion of the relevant data owner business unit.

In the destruction of data, the regulation stating the retention periods published by the General Directorate of State Archives is taken into consideration. Data whose destruction raises no objection are destroyed after the required time has expired in the unit archive, the institution archive or the state archives.

5.1.1. Disposal of Multi-Stakeholder Data

When it is necessary to take a decision regarding the destruction of personal data with multi-stakeholder data ownership in the Central Information Systems, it is decided to store or delete, destroy or anonymize the data, in accordance with this policy, by taking the opinion of the Data Controller Representative.

5.1.2. Destruction of Personal Data Upon Data Owner's Request

When the natural person who owns the personal data requests the deletion, destruction or anonymization of his personal data by applying to the University with the "Personal Data Owner Application Form" pursuant to Article 13 of the Law, the request is finalized within thirty days at the latest from the application date. Requests for the deletion or destruction of personal data will only be considered if the identity of the person concerned has been verified. The applicant is informed through the methods specified in the application form. If the processing conditions have not been eliminated due to legal requirements, the data owner is informed that the personal data subject to the request cannot be deleted. The unit where the relevant data is processed examines whether all the conditions for processing personal data have disappeared. If all the processing conditions have disappeared, the unit deletes, destroys or anonymizes the personal data subject to the request within three months at the latest. If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the unit where the relevant data is processed immediately notifies the third party to whom the data is transferred and ensures that the necessary actions are taken within the scope of the Regulation before the third party.

5.2. Periodic Review of Personal Data

All users who process or store personal data and data subject units will review the data recording media they use, at intervals of six months at the latest, to determine whether the conditions related to processing have disappeared. Upon the application of the personal data owner or the notification of a court, the relevant users and units will make this review in the data recording media they use, regardless of the periodic inspection period. All transactions regarding the deletion, destruction or anonymization of personal data are recorded, and these records are kept for at least three years, excluding other legal obligations.

In the deletion, destruction or anonymization of personal data, the general principles of Article 4 (Processing of Personal Data), the technical and administrative measures to be taken within the scope of Article 12 (Data Security Obligations), the provisions of the relevant legislation, Board decisions and court decisions are being observed.

5.3. Storage of Personal Data

The processing times of personal data are specified in the "Personal Data Processing Inventory".

The storage and destruction periods in question will be taken into account in the periodic destruction or on-demand destruction processes. Storage and destruction processes may vary at the request of the data owner, unless there is a legal obligation.

In order to ensure personal data security, physical security measures are taken: documents in paper media containing personal data, CDs, DVDs and USB devices are kept under lock when not in use, only authorized personnel can access them, and the entrances and exits are monitored by camera. Servers holding personal data kept in the digital environment are stored in the University system room, with the necessary security measures taken.

Administrative and technical measures taken to ensure the security of personal data are detailed in the Personal Data Protection and Processing Policy.

6. Control

The documents are checked periodically once a year and are revised as needed.
