ZİYLAN GAYRİMENKUL YATIRIM VE YÖNETİM ANONİM ŞİRKETİ / WATERGARDEN AVM
PERSONAL DATA RETENTION AND DESTRUCTION POLICY
***It is forbidden to copy, reproduce, use, publish and distribute all content in this Policy text in whole or in part without permission except for individual use. Legal action will be taken against those who do not comply with this prohibition in accordance with the Law No. 5846 on Intellectual and Artistic Works. All rights of the product are reserved.
TABLE OF CONTENTS
- INTRODUCTION
- Objective
This Policy has been prepared by ZİYLAN GAYRİMENKUL YATIRIM VE YÖNETİM ANONİM ŞİRKETİ (“Ziylan” or “Company”), as the data controller, in order to fulfill our obligations under this Personal Data Retention and Destruction Policy (“Policy”), the Law on the Protection of Personal Data No. 6698 (“PDPL” or “Law”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which constitutes the secondary regulation of the Law and entered into force upon publication in the Official Gazette dated October 28, 2017. Its purpose is to explain the personal data processing activity and the systems adopted for the protection of personal data within the framework of the legislation on personal data, and to inform the relevant persons about the principles for determining the maximum retention period required for the purposes for which personal data are processed and about the processes of deletion, destruction and anonymization.
The company (“Ziylan” or “Company”), which is accepted as the data controller in this policy:
ZİYLAN GAYRİMENKUL YATIRIM VE YÖNETİM ANONİM ŞİRKETİ
Mersis No: 0998077118600017
Address: Mahmutbey Merkez Mahallesi Taş Ocağı Yolu Caddesi No:24/4
BAĞCILAR/ISTANBUL
- Scope
This Policy covers the storage and destruction of personal data related to employee candidates, product/service recipient officials/employees, supplier officials/employees, visitors and other third parties, and this Policy is applied in all recording environments where personal data owned or managed by the Company are processed and in activities for the storage and destruction of personal data.
The scope of application of this Policy for the relevant persons in the above-mentioned categories may be the entire Policy (e.g. our active customers who are also our visitors) or only some of its provisions (e.g. our visitors only).
As this Policy may be updated from time to time, we kindly ask you to visit the Company’s web address regularly to access the most up-to-date version of the Policy. In addition, in cases where there are no provisions on other issues such as processing, storage and transfer of personal data in this Policy, detailed information on these issues can be accessed from the Ziylan Personal Data Protection and Processing Policy at www.watergarden.com.tr.
In case of any conflict between the PDPL and other relevant legislation and the Policy, the legislation in force shall apply.
- Definitions
The definitions used in this Policy are given below:

| TERM | DEFINITION |
| --- | --- |
| Explicit Consent | Consent related to a specific subject, based on information and expressed with free will. |
| Data Subject (Relevant Person) | Natural person whose personal data is processed. |
| Relevant User | Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data. |
| Destruction | Deletion, destruction or anonymization of personal data. |
| Law or PDPL | Law No. 6698 on the Protection of Personal Data. |
| Recording Environment | Any medium containing personal data that is processed by fully or partially automated means, or by non-automated means provided that it is part of a data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Personal Data Processing Inventory | Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes, by associating them with the purposes and legal grounds for processing, the data category, the recipient group to which data is transferred and the data subject group, and by explaining the maximum retention period required for the purposes for which personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security. |
| Personal Data Protection and Processing Policy | Ziylan Personal Data Protection and Processing Policy at www.watergarden.com.tr. |
| Data Subject Application Form | The application form to be used by the relevant person whose personal data is processed within the Company when exercising the rights described in Article 11 of the Law. |
| Processing of Personal Data | All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automated means, or by non-automated means provided that it is part of a data recording system. |
| Anonymization of Personal Data | Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data. |
| Deletion of Personal Data | Making personal data inaccessible and non-reusable in any way for the Relevant Users. |
| Destruction of Personal Data | The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
| Board | Personal Data Protection Board. |
| Authority | Personal Data Protection Authority. |
| Sensitive Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
| Periodic Destruction | The process of deletion, destruction or anonymization carried out ex officio at recurring intervals specified in the personal data retention and destruction policy, in the event that all of the conditions for processing personal data specified in the Law cease to exist. |
| Policy | Personal Data Retention and Destruction Policy. |
| Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Data Controllers Registry (VERBİS) | The registry of data controllers kept by the Presidency under the supervision of the Personal Data Protection Board. |
| Regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017. |
- PRINCIPLES
The Company acts within the framework of the following principles in the processing, storage and destruction of personal data:
- Pursuant to Article 4 of the PDPL, personal data held or acquired by our Company are processed (i) in accordance with the law and good faith, (ii) accurately and, where necessary, kept up to date, (iii) for specific, explicit and legitimate purposes, (iv) in connection with the purpose for which they are processed and in a limited and proportionate manner, and (v) retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed, as determined by the Company in this Policy.
- Our Company processes personal data and sensitive personal data with the explicit consent of the data subject or without the explicit consent of the data subject in cases stipulated in Articles 5 and 6 of the PDPL. The data subjects are informed by our Company in accordance with Article 10 of the PDPL regarding the personal data processing processes and necessary information is provided in case the data subject requests information.
- In the deletion, destruction and anonymization of personal data, technical and administrative measures to be taken within the scope of Article 12 of the Law and specified in Article 5 of this Policy, the provisions of the relevant legislation, Board decisions and this Policy are fully complied with.
- All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the Company and such records are kept for at least 3 years, excluding other legal obligations.
- Unless otherwise decided by the Board, the appropriate method of ex officio deletion, destruction or anonymization of personal data is selected by us. However, upon the request of the Data Subject, the appropriate method will be selected by explaining the reason.
- In the event that all of the conditions for the processing of personal data specified in Articles 5 and 6 of the Law disappear, personal data are deleted, destroyed or anonymized by the Company ex officio or upon the request of the data subject. In case the Data Subject applies to the Company in this regard;
- The requests are finalized within 30 (thirty) days at the latest and the relevant person is informed,
- In the event that the data subject to the request has been transferred to third parties, this situation is notified to the third party to whom the data was transferred, and it is ensured that the necessary actions are taken by those third parties.
- RECORDING MEDIA
The personal data of the data subjects are securely retained by the Company in the environments listed in the table below (Table 1) in accordance with the relevant legislation, especially the provisions of the PDPL, and within the framework of international data security principles:
(Table 1: Table of Personal Data Recording Environments)

| ELECTRONIC ENVIRONMENTS | NON-ELECTRONIC ENVIRONMENTS |
| --- | --- |
| Environments where data is retained in technological devices such as computers and phones: servers (domain, backup, e-mail, database, web, file sharing, etc.); software; information security devices; personal computers (desktop, laptop); mobile devices (phone, tablet, etc.); optical disks and removable media (CD, DVD, USB, external disk, etc.); cloud storage (internet-based systems encrypted with cryptographic methods). | Environments where data are kept by printing on paper or microfilm: paper; manual data recording systems (survey forms, visitor logbooks); written, printed and visual media. |
- REASONS REQUIRING RETENTION AND DESTRUCTION
The Company retains and destroys the personal data of the data subjects in accordance with the Law. In this context, detailed explanations regarding retention and destruction are given below, respectively:
- Explanations on Retention
Personal data belonging to the data subject are retained by the Company within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, in particular; (i) to maintain commercial activities, (ii) to fulfill legal obligations and (iii) to manage customer relations, in electronic or non-electronic media listed above in a secure manner within the limits specified in the Law and other relevant legislation.
The reasons requiring retention are as follows:
- Retention of personal data due to the explicit stipulation of retention of personal data in the legislation,
- Retention of personal data as it is directly related to the establishment and performance of contracts,
- Storage of personal data in connection with the fulfillment of any legal obligation that the Company is obliged to comply with,
- Retention of personal data because they have been made public by the data subject himself/herself,
- Retention of personal data in connection with the establishment, exercise or protection of a right,
- Retention of personal data as mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of individuals,
- In terms of retention activities requiring the explicit consent of the data subjects, retention due to the existence of the explicit consent of the data subjects.
- Explanations on Destruction
Although it is retained in accordance with the provisions of the Law and other relevant laws, personal data shall be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject in the event that the reasons requiring its retention disappear. In this context, in accordance with the Law and the Regulation, in the cases listed below, the personal data of the relevant persons are deleted, destroyed or anonymized by the Company ex officio or upon request:
- Amendment or abolition of the provisions of the relevant legislation that constitute the basis for the processing or retention of personal data,
- The purpose requiring the processing or retention of personal data disappears,
- The disappearance of the conditions requiring the processing of personal data under Articles 5 and 6 of the Law,
- In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject’s withdrawal of consent,
- Acceptance by the data controller of the application made by the data subject for the deletion, destruction or anonymization of his/her personal data within the framework of his/her rights under paragraphs (e) and (f) of Article 11 of the Law,
- In cases where the data controller rejects the application made by the data subject with the request for the deletion, destruction or anonymization of his/her personal data, his/her response is found insufficient or he/she does not respond within the period stipulated in the Law; filing a complaint to the Board and this request is approved by the Board,
- Although the maximum period for retaining personal data has elapsed, there are no circumstances that justify retaining personal data for a longer period.
- ADMINISTRATIVE AND TECHNICAL MEASURES
In accordance with Article 12 of the Law, our Company takes all necessary technical and administrative measures to prevent unlawful processing of personal data and unlawful access to personal data, and to ensure the appropriate level of security to ensure the protection of personal data. In this context, the administrative and technical measures taken by the Company are listed below:
- Administrative Measures
The administrative measures taken by our Company to prevent unlawful access to personal data are listed below:
- Training and awareness activities on data security are carried out periodically for employees.
- The obligation to inform the relevant persons is fulfilled.
- Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
- Confidentiality undertakings are made.
- Signed contracts contain data security provisions.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Necessary security measures are taken for entry and exit to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- Security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- Internal periodic and/or random audits are carried out.
- Protocols and procedures for the security of special categories of personal data have been determined and implemented.
- Awareness of data processing service providers on data security is ensured.
- Technical Measures
The technical measures taken by our Company to prevent unlawful access to personal data are listed below:
- Network security and application security are ensured.
- Closed system network is used for personal data transfers through the network.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- An authorization matrix has been established for employees.
- Access logs are kept regularly.
- The authorizations of employees who change their duties or leave their jobs are removed.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- User account management and authorization control system are implemented and monitored.
- Log records are kept without user intervention.
- Intrusion detection and prevention systems are used.
- Penetration testing is applied.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption is performed.
- RETENTION AND DESTRUCTION PERIODS
Our Company first determines whether a period of time is stipulated in the relevant legislation for the retention of personal data. If a period is stipulated in the relevant legislation, it complies with this period; if no period is stipulated, it retains personal data for the period required for the purpose for which they are processed. Once the purpose of processing has ended and the retention periods determined by the relevant legislation and/or our Company have expired, personal data are retained only for the statute of limitations stipulated in the laws, in order to constitute evidence in possible legal disputes, to assert a right related to the personal data or to establish a defense. Personal data are not retained by our Company on the basis of possible future use.
The process-based retention and destruction periods determined by the Company are given in the table below (Table 2). In addition, retention periods on the basis of personal data related to all personal data within the scope of activities carried out depending on the processes are included in the Personal Data Processing Inventory; retention periods on the basis of data categories are included in the registration to VERBIS.
(Table 2: Retention and Destruction Periods by Process)

| PROCESS | RETENTION PERIODS | DESTRUCTION PERIODS |
| --- | --- | --- |
| Personal Data on Product/Service Recipients and Authorized Persons/Employees of Legal Entity Product/Service Recipients | 15 years from the end of the contract | During the first periodic destruction following the end of the retention period |
| Personal Data Regarding Suppliers or Authorized Persons/Employees of Legal Entity Suppliers | 15 years from the end of the contract | During the first periodic destruction following the end of the retention period |
| Personal Data Received as a Result of Contractual Transactions | 15 years from the end of the contract | During the first periodic destruction following the end of the retention period |
| All Personal Data Related to Accounting and Financial Transactions | 15 years from the year following the year of receipt | During the first periodic destruction following the end of the retention period |
| All Personal Data Related to Outsourced Services Received from the Workplace Physician and OHS Specialist in accordance with the Occupational Health and Safety Legislation | 15 years from the end of the contract | During the first periodic destruction following the end of the retention period |
| Security Camera Footage | 15 years from the year following the year of receipt | During the first periodic destruction following the end of the retention period |
| Personal Data Collected for Monitoring Building Entry and Exit Records | 6 months from the date of registration | During the first periodic destruction following the end of the retention period |
| Personal Data Regarding Business Partners/Solution Partners/Consultants | 10 years from the end of the employment relationship | During the first periodic destruction following the end of the retention period |
| Personal Data Received from Potential Customers and Suppliers for Business Development | 10 years from the year following the year of receipt | During the first periodic destruction following the end of the retention period |
| Personal Data Regarding the General Assembly and Personal Data Regarding Immovables | Indefinite | During the first periodic destruction following the end of the retention period |
| Personal Data Regarding IP Addresses | 6 months from the year following the year of receipt | During the first periodic destruction following the end of the retention period |
- PERIODIC DESTRUCTION – APPLICATION FOR PERSONAL DATA DESTRUCTION
- PERIODIC DESTRUCTION
The Company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize the personal data for which it is responsible in accordance with the Law, relevant legislation, Ziylan Personal Data Protection and Processing Policy and this Personal Data Retention and Destruction Policy arises.
Pursuant to Article 11 of the Regulation, the Company has determined the periodic destruction interval as 6 months. Accordingly, the Company performs periodic destruction twice a year, in June and December. The Company has the right to change the periodic destruction dates, provided that the interval between two periodic destruction processes does not exceed 6 months.
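The following is an added example, not part of the Policy, that turns Table 2 and the June/December periodic destruction schedule into a check a record-keeping system could run. It assumes each periodic run falls on the last day of June and December (the Policy names only the months) and that "from the year following the year of receipt" counts from 1 January of that following year; the rule keys and sample records are constructed for illustration.

```python
# Added example (not the Policy's own code): retention end and periodic
# destruction run for records under Table 2 of the Policy.
# Assumptions: runs happen on the last day of June and December;
# "from the year following the year of receipt" starts on 1 January.
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    process: str
    years: int = 0
    months: int = 0
    from_following_year: bool = False  # count from 1 January after the event
    indefinite: bool = False


# A subset of the processes in Table 2; keys are constructed labels.
RULES = {
    "contract": RetentionRule("Contractual transactions", years=15),
    "accounting": RetentionRule("Accounting and financial transactions",
                                years=15, from_following_year=True),
    "building_entry": RetentionRule("Building entry and exit records", months=6),
    "ip_address": RetentionRule("IP addresses", months=6, from_following_year=True),
    "general_assembly": RetentionRule("General Assembly / immovables", indefinite=True),
}

PERIODIC_DESTRUCTION_MONTHS = (6, 12)  # June and December, per the Policy


def add_months(d: date, months: int) -> date:
    """Calendar-safe month arithmetic: day is clamped to the target month's length."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_end(rule: RetentionRule, event_date: date) -> Optional[date]:
    """Last day the record may be retained; None for indefinite retention."""
    if rule.indefinite:
        return None
    start = date(event_date.year + 1, 1, 1) if rule.from_following_year else event_date
    return add_months(start, 12 * rule.years + rule.months)


def next_periodic_destruction(after: date) -> date:
    """First scheduled run strictly after `after` (assumed last day of June/December)."""
    for year in (after.year, after.year + 1):
        for month in PERIODIC_DESTRUCTION_MONTHS:
            run = date(year, month, calendar.monthrange(year, month)[1])
            if run > after:
                return run
    raise RuntimeError("unreachable: a run always exists within 12 months")


def schedule(rule_key: str, event_iso: str) -> Tuple[Optional[str], Optional[str]]:
    """(retention end, destruction run) as ISO dates; (None, None) if indefinite."""
    end = retention_end(RULES[rule_key], date.fromisoformat(event_iso))
    if end is None:
        return None, None
    return end.isoformat(), next_periodic_destruction(end).isoformat()


def due_in_run(records: Iterable[Tuple[str, str, str]], run_iso: str) -> List[str]:
    """Ids of records (id, rule key, event date) whose destruction falls in the given run."""
    return [rid for rid, key, ev in records if schedule(key, ev)[1] == run_iso]


if __name__ == "__main__":
    sample = [  # constructed records, not real data
        ("visitor-17", "building_entry", "2024-03-15"),
        ("contract-42", "contract", "2010-05-20"),
        ("minutes-2000", "general_assembly", "2000-01-01"),
    ]
    for rid, key, ev in sample:
        print(rid, schedule(key, ev))
    print("due in the December 2024 run:", due_in_run(sample, "2024-12-31"))
```

A retention period that ends exactly on a run date is handled in the following run, matching the "first periodic destruction following the end of the retention period" wording.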
- Application for Personal Data Destruction
When the relevant person applies to the Company pursuant to Article 13 of the Law and requests the destruction of his/her personal data:
- If all the conditions for processing personal data have ceased to exist, the Company deletes, destroys or anonymizes the personal data subject to the request within 30 (thirty) days from the day it receives the request, using the appropriate destruction method and explaining the reason. For the Company to be deemed to have received the request, the person concerned must have made the request in accordance with the Personal Data Protection and Processing Policy. In any case, the Company informs the relevant person about the transaction.
- If all the conditions for processing personal data have not disappeared, this request may be rejected by the Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law and the rejection response shall be notified to the data subject in writing or electronically within thirty days at the latest.
- PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the period stipulated in the relevant legislation or at the end of the retention period required for the purpose for which they are processed, personal data are destroyed by the Company ex officio or upon the application of the person concerned, in accordance with the provisions of the relevant legislation, by the following techniques. In this context, all transactions regarding the deletion, destruction and anonymization of personal data are recorded and such records are kept for at least three years, excluding other legal obligations.
The most commonly used deletion, destruction and anonymization techniques used by the Company are listed below:
- Deletion of Personal Data
Personal data are deleted by the methods in the table below (Table 3):
(Table 3: Methods of Deletion of Personal Data)

| METHOD | DESCRIPTION |
| --- | --- |
| Secure Deletion from Software | When deleting data processed by fully or partially automated means and stored in digital media, methods are used that delete the data from the relevant software in such a way that it becomes inaccessible and non-reusable in any way for the Relevant Users. Deleting the relevant data in a cloud system with a delete command; removing the access rights of the relevant user to the file, or to the directory containing the file, on the central server; deleting the relevant rows in databases with database commands; or deleting the data on portable media such as flash drives with appropriate software all fall within this scope. However, if deleting the personal data would make other data in the system inaccessible or unusable, the personal data is also considered deleted if it is archived after being dissociated from the data subject, provided that (i) it is inaccessible to any other institution, organization or person, and (ii) all necessary technical and administrative measures are taken so that the personal data is accessed only by authorized persons. |
| Obfuscation of Personal Data on Paper | To prevent improper use of personal data, or to delete data that has been requested to be deleted, the relevant personal data is physically cut out of the document, or made invisible with permanent ink, in a way that cannot be reversed and cannot be read with technological solutions. |
- Destruction of Personal Data
Personal data are destroyed by the methods in the table below (Table 4):
(Table 4: Methods of Destruction of Personal Data)

| METHOD | DESCRIPTION |
| --- | --- |
| Physical Destruction | Documents kept in non-electronic media are destroyed with document shredders so that they cannot be reassembled. Optical and magnetic media containing personal data in electronic environments are rendered inaccessible by physical processes such as melting, burning, pulverizing or passing the media through a metal grinder. |
| De-magnetization (degaussing) | Magnetic media are exposed to a very strong magnetic field, distorting the data on them so that they cannot be read. |
| Overwriting | Random data consisting of 0s and 1s are written at least seven times over magnetic media and rewritable optical media, preventing the old data from being read and recovered. |
- Anonymization of Personal Data
Personal data are anonymized by the methods in the table below (Table 5):
(Table 5: Methods of Anonymization of Personal Data)

| METHOD | DESCRIPTION |
| --- | --- |
| Anonymization Methods that Do Not Provide Value Irregularity | Methods applied by generalizing, substituting or removing a specific data item or sub-data group from a personal data group, without changing, adding to or subtracting from the stored personal data values. The sub-methods are given in the following rows. |
| Variable Extraction | With the method of removing descriptive data, the data set formed after the collected data are brought together is anonymized by removing the "highly descriptive" variables. For example, anonymization is achieved by removing the name, surname and place of residence of highly identifiable people. |
| De-recording | The data row containing a singular value among the data is removed from the records, and the stored data is thereby anonymized. For example, if there is only one senior manager in a company, the remaining data can be anonymized by removing this person's data from the records where the seniority, salary and gender of employees at the same level are kept. |
| Regional Hiding | Anonymization is achieved by hiding a single data value that is determinative because it creates a very rare combination. For example, if only one person is 65 years old among the data subjects on the reserve list of the company's football team, writing 'Unknown' instead of 'Age: 65', or leaving that field blank, in a data set where age, gender and health status are stored together with whether the person is able to play football, will ensure anonymization. |
| Lower and Upper Bound Coding | The values in a data group containing predefined categories are anonymized by combining them according to a determined criterion. For example, instead of directly specifying the seniority of personnel in years, a definition based on years worked at the workplace can be used: less than 5 years as inexperienced, between 5 and 10 years as experienced, and more than 10 years as very experienced, without specifying the exact seniority year. |
| Generalization | With the data aggregation method, many data are aggregated so that personal data cannot be associated with any individual. For example, revealing that there are Z employees of age X without showing the ages of the employees individually. |
| Global Coding | With the data derivation method, a more general content is created from the content of the personal data, making it impossible to associate the personal data with any person. For example, specifying the ages of employees instead of their dates of birth, or the region of residence instead of the full address. |
| Anonymization Methods Providing Value Irregularity | Unlike the methods above, these create distortion by changing some values in personal data groups. When using these methods, the deviations must be applied carefully in line with the expected/desired benefit from the data; by ensuring that the aggregate statistics are not distorted, the expected benefit from the data can still be obtained. The sub-methods are given in the following rows. |
| Adding Noise | Especially in data sets where numerical data predominate, the data are anonymized by adding deviations in the plus or minus direction to the existing values at a determined rate. For example, in a data set with weight values, a deviation of (+/-) 3 kg is applied to prevent the display of real values. The same deviation rule is applied to each value. |
| Micro Aggregation | All data are first divided into groups after being arranged in a meaningful order (such as from largest to smallest); the value obtained by averaging each group then replaces the relevant data in that group. For example, for salary information, if two groups are formed below and above 10,000 TL, the sum of the salaries of people earning 10,000 TL or less is divided by the number of such people, and this value is written as the salary of everyone in that group. |
| Data Exchange | The values of a variable are exchanged between pairs selected from the stored data. In this method, which is generally used for categorizable data, the aim is to transform the data set by swapping the data of the relevant persons with each other. |
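The following is an added example, not part of the Policy, showing the Table 5 methods applied to a small constructed employee data set (fictitious names and values). It covers variable extraction, de-recording, regional hiding, lower and upper bound coding, generalization, adding noise, micro aggregation and data exchange; the column names and the seeded random generator are assumptions made for the example. The micro-aggregation and data-exchange functions also let you check the Policy's point that aggregate statistics (the group sums, the multiset of values) are left intact.

```python
# Added example (not the Policy's own code): Table 5 anonymization methods
# applied to a constructed, fictitious employee data set.
import random
from collections import Counter
from typing import Dict, List

Row = Dict[str, object]

# Constructed sample: fictitious people, not real personal data.
EMPLOYEES: List[Row] = [
    {"name": "A. Yilmaz", "address": "Sokak 1, Bagcilar", "region": "Istanbul",
     "age": 34, "gender": "F", "seniority_years": 3, "salary_tl": 9000, "weight_kg": 62},
    {"name": "B. Kaya", "address": "Sokak 2, Cankaya", "region": "Ankara",
     "age": 41, "gender": "M", "seniority_years": 7, "salary_tl": 8000, "weight_kg": 80},
    {"name": "C. Demir", "address": "Sokak 3, Kadikoy", "region": "Istanbul",
     "age": 34, "gender": "M", "seniority_years": 12, "salary_tl": 12000, "weight_kg": 75},
    {"name": "D. Sahin", "address": "Sokak 4, Sisli", "region": "Istanbul",
     "age": 65, "gender": "F", "seniority_years": 2, "salary_tl": 16000, "weight_kg": 70},
    {"name": "E. Celik", "address": "Sokak 5, Bornova", "region": "Izmir",
     "age": 41, "gender": "F", "seniority_years": 9, "salary_tl": 10000, "weight_kg": 90},
]


def variable_extraction(rows: List[Row], drop=("name", "address")) -> List[Row]:
    """Remove the highly descriptive variables (here: name and full address)."""
    return [{k: v for k, v in r.items() if k not in drop} for r in rows]


def de_recording(rows: List[Row], key: str) -> List[Row]:
    """Drop rows whose value for `key` is singular in the data set."""
    counts = Counter(r[key] for r in rows)
    return [r for r in rows if counts[r[key]] > 1]


def regional_hiding(rows: List[Row], key: str, placeholder="Unknown") -> List[Row]:
    """Keep the row but hide a value that occurs only once (e.g. 'Age: 65')."""
    counts = Counter(r[key] for r in rows)
    return [dict(r, **{key: placeholder if counts[r[key]] == 1 else r[key]}) for r in rows]


def bound_coding(rows: List[Row], key: str = "seniority_years") -> List[Row]:
    """Replace exact seniority with the bands given in Table 5."""
    def band(years):
        return "inexperienced" if years < 5 else "experienced" if years <= 10 else "very experienced"
    return [dict({k: v for k, v in r.items() if k != key}, experience=band(r[key])) for r in rows]


def generalization(rows: List[Row], key: str = "age") -> Dict[object, int]:
    """Aggregate: how many employees share each value, with no per-person rows."""
    return dict(Counter(r[key] for r in rows))


def add_noise(rows: List[Row], key: str, max_dev: int, seed: int = 0) -> List[Row]:
    """Add a deviation in [-max_dev, +max_dev] to every value, under the same rule."""
    rng = random.Random(seed)
    return [dict(r, **{key: r[key] + rng.randint(-max_dev, max_dev)}) for r in rows]


def micro_aggregation(rows: List[Row], key: str = "salary_tl", threshold: int = 10000) -> List[Row]:
    """Replace each value with the mean of its group (<= threshold or > threshold).
    Each group's sum, and so the overall total, is preserved."""
    groups: Dict[bool, list] = {False: [], True: []}
    for r in rows:
        groups[r[key] > threshold].append(r[key])
    means = {above: sum(v) / len(v) for above, v in groups.items() if v}
    return [dict(r, **{key: means[r[key] > threshold]}) for r in rows]


def data_exchange(rows: List[Row], key: str, seed: int = 0) -> List[Row]:
    """Swap the values of `key` between randomly chosen pairs; the multiset of values is unchanged."""
    rng = random.Random(seed)
    out = [dict(r) for r in rows]
    idx = list(range(len(out)))
    rng.shuffle(idx)
    for a, b in zip(idx[0::2], idx[1::2]):  # an odd row out keeps its value
        out[a][key], out[b][key] = out[b][key], out[a][key]
    return out


if __name__ == "__main__":
    print(bound_coding(variable_extraction(EMPLOYEES)))
    print(generalization(EMPLOYEES))
    print([r["salary_tl"] for r in micro_aggregation(EMPLOYEES)])
```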
- OTHER MATTERS
This Policy is published in two different media, wet signed (printed paper) and on the Company’s website www.watergarden.com.tr, and disclosed to the public on the website.
This Policy shall be updated in cases that require updating such as amendments to the Law, Board decisions or developments in the sector and the field of informatics and/or when necessary. Amendments made within this scope are immediately incorporated into the text and explanations regarding the amendments are included in the “Amendment Table” at the end of the policy.
This Policy and the amendments made to the Policy within the scope of the update shall be deemed to have entered into force upon its publication on the Company’s website.
TABLE OF CHANGES
Article Number | Amendment Date | Explanation |