Personal Data Protection Law (KVKK)

 

1. INTRODUCTION AND PURPOSE OF PREPARATION OF THE POLICY

This Personal Data Storage and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding the storage and destruction activities carried out by Kalif Mimarlık Mühendislik Proje Yapı Taahhüt Üretim İthalat İhracat ve San. Ltd. Ltd. (“KALIF DESIGN” or “COMPANY”). The Company aims to process the personal data of all relevant persons, including Company employees, customers, suppliers, employee candidates, members and visitors, in accordance with the Personal Data Protection Law No. 6698 (“Law”) and relevant legislation, and to ensure that relevant persons can exercise their rights effectively. All operations regarding the storage and destruction of personal data are carried out by the Company in accordance with this Policy, which has been prepared accordingly.

2. SCOPE

The personal data of:

- Company employees

- Employee candidates

- Customers

- Suppliers

- Members

- Visitors

- Persons with whom there is a legal dispute

and other third parties are within the scope of this Policy. This Policy applies to all recording environments where personal data owned or managed by the Company is processed and to all activities related to personal data processing.

3. DEFINITIONS

| Abbreviation | Definition |
|---|---|
| Explicit Consent | Consent regarding a specific issue, based on information and expressed with free will. |
| Related User | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data. |
| Destruction | Deletion, destruction or anonymization of personal data. |
| Law/KVKK | Personal Data Protection Law No. 6698. |
| Recording Media | Any environment where personal data is processed by fully or partially automated means, or by non-automatic means provided that it is part of any data recording system. |
| Personal Data | Any information regarding an identified or identifiable natural person. |
| Processing of Personal Data | Any action performed on personal data by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or blocking the use of the data. |
| Anonymization of Personal Data | Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data. |
| Deletion of Personal Data | Making personal data inaccessible and unusable in any way for Relevant Users. |
| Destruction of Personal Data | The process of making personal data inaccessible, irretrievable and unusable by anyone. |
| Board | Personal Data Protection Board. |
| Special Personal Data | Data regarding people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. |
| Periodic Destruction | The deletion, destruction or anonymization process specified in the personal data storage and destruction policy, which will be carried out ex officio at recurring intervals, in case all the conditions for processing personal data specified in the Law are eliminated. |
| VERBIS | Data recording system where personal data is structured and processed according to certain criteria. |
| Data Owner/Relevant Person | The real person whose personal data is processed. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
| Regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on 28 October 2017. |

4. RECORDING MEDIA

The personal data of the relevant person is stored securely by the Company in the environments listed in the table below, within the framework of international data security principles in accordance with the relevant legislation, especially the provisions of the KVK Law:

| Electronic Media | Non-Electronic Media |
|---|---|
| Company computers | Paper, documents and files |
| Email servers | Written, printed, visual media |
| Portable memories | Lockers |
| Accounting programs | |
| Social media accounts | |
| Telephone | |

5. PRINCIPLES

The company acts within the framework of the following principles in the storage and destruction of personal data:

The deletion, destruction and anonymization of personal data are carried out in full compliance with the Law and relevant legislative provisions, Board decisions and this Policy.

During the processing of personal data by the company, the rights of the relevant persons are protected. Personal data is collected and processed in accordance with the general principles in KVKK article 4.

All transactions regarding the destruction of personal data are recorded by the Company and these records are kept for 10 (ten) years, excluding other legal obligations.

Unless otherwise decided by the Company, the appropriate personal data destruction method is chosen by the Company. However, upon the request of the relevant person, the appropriate method will be selected by explaining the rationale.

If all the conditions for processing personal data specified in Articles 5 and 6 of the Law are eliminated, personal data is destroyed by the Company ex officio or upon the request of the relevant person. If the relevant person applies to the Company regarding this matter:

- Requests submitted are concluded within 30 (thirty) days at the latest and the relevant person is informed,

- If the data subject to the request has been transferred to third parties, the third party to whom the data was transferred is notified of this situation and the necessary actions are taken with respect to the third parties.

6. EXPLANATIONS ON STORAGE AND DISPOSAL

The personal data processed by the Company is stored securely in electronic or non-electronic media, within the limits specified in the KVK Law and other relevant legislation, on the basis of the following processing conditions: it is clearly stipulated in the law; processing the personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or execution of that contract; it is mandatory for the data controller to fulfill its legal obligation; data processing is necessary for the establishment, exercise or protection of a right; data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned; and explicit consent.

6.1 Information on Storage

The retention periods of personal data processed by the Company have been determined by taking into account the principle in Article 4/2.d of the KVK Law: "Keeping them for the period foreseen in the relevant legislation or required for the purpose for which they are processed".

In this context, detailed explanations regarding storage and disposal are given below.

6.1.1 Legal Reasons Requiring Storage

Personal data processed within the scope of the Company's activities are retained for the period stipulated in the relevant legislation. In this context, personal data is stored for the retention periods stipulated in:

- European Union General Data Protection Regulation

- Personal Data Protection Law No. 6698

- Turkish Code of Obligations No. 6098

- Law No. 6563 on the Regulation of Electronic Commerce

- Law No. 6502 on Consumer Protection

- Tax Procedure Law No. 213

- Turkish Commercial Code No. 6102

- Income Tax Law No. 193

- Labor Law No. 4857

- Criminal Procedure Law No. 5271

- Lawyer Law No. 1136

- Social Insurance and General Health Insurance Law No. 5510

- Occupational Health and Safety Law No. 6331

- Code of Civil Procedure No. 6100

- Turkish Civil Code No. 4721

- Law No. 5651 on Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications

- Regulation on Commercial Communication and Commercial Electronic Messages

and in other secondary regulations in force in accordance with these laws.

6.1.2 Processing Purposes Requiring Storage

The company preserves the personal data it processes within the scope of its activities for the following purposes.

- Fulfilling legal obligations within the scope of Law No. 6563 on the Regulation of Electronic Commerce, the Regulation on Commercial Communication and Commercial Electronic Messages, Law No. 6502 on Consumer Protection, Tax Procedure Law No. 213, the Tax Procedure Law General Communiqué, Labor Law No. 4857, Occupational Health and Safety Law No. 6331, Social Insurance and General Health Insurance Law No. 5510 and other relevant legislation,

- Carrying out shopping transactions,

- Carrying out membership transactions,

- Providing viewing services for shopping history,

- Evaluation of requests,

- Execution of contract processes,

- Sending you the e-invoice/e-archive invoice regarding your purchases,

- Issuing invoices and, in some cases, performing current account and reconciliation transactions,

- Fulfilling our obligations under the relevant legislation in case of purchasing a specific product that exceeds a certain amount or for which there is a clear regulation,

- Carrying out after-sales operational procedures,

- Fulfilling our after-sales support services,

- Delivering purchased products via cargo,

- Carrying out product return and refund processes,

- Carrying out general or personalized campaigns, advantages, promotions, advertisements, information, marketing activities and customer-oriented commercial communication activities (SMS, e-mail, etc.), if commercial communication permission/explicit consent is given,

- In case of communication with customers through our communication channels (call center, e-mail, site, mobile application, social media, etc.), resolving your problems, complaints and requests submitted to us, and contacting customers regarding this when necessary,

- Exercising all kinds of lawsuits, right of reply and objection against official institutions and organizations such as courts, enforcement offices and arbitral tribunals in case of disputes that may arise, and carrying out negotiation and agreement processes regarding disputes.

- Following up cases and legal processes,

- To constitute evidence within the scope of security, examination and investigation,

- Carrying out activities in accordance with the legislation,

- Fulfillment of obligations and transactions arising from the employment contract,

- Execution of contract processes,

- Creating personnel files for employees,

- Monitoring the legal rights of employees,

- Determining whether the health condition of the employees is suitable,

- Carrying out communication activities,

- Preparing payrolls and paying employees' salaries,

- Making SSI employment entry and exit declarations,

- Carrying out permit processes,

- Carrying out training and information activities for employees,

- Providing the necessary support in case the personnel needs blood,

- Carrying out periodic examinations of employees by the workplace physician,

- Following up overtime and payroll transactions,

- Execution and follow-up of projects,

- Carrying out assignment processes,

- Carrying out emergency processes,

- To constitute evidence within the scope of security, examination, investigation and litigation.

- Receiving job applications for open positions,

- Examining and evaluating the professional qualifications of applicants,

- Carrying out the evaluation processes of candidate applications,

- Being able to communicate with candidates,

- Execution of contract processes.

- Execution and follow-up of purchasing processes,

- Keeping track of accounting for supplier payments,

- Following up supplier relations,

- Carrying out communication activities with suppliers,

- Updating suppliers' information,

- Carrying out communication activities,

- Carrying out payment transactions,

- Providing information to authorized public institutions and organizations.

6.2 Reasons Requiring Destruction

In the following cases, personal data is deleted, destroyed or anonymized by the Company upon the request of the relevant person or ex officio:

- Amendment or cancellation of the relevant legislative provisions that constitute the basis for the processing or storage of personal data,

- Elimination of the purpose requiring the processing or storage of personal data,

- Elimination of the processing conditions that require the processing of personal data in Articles 5 and 6 of the KVK Law,

- Withdrawal of consent by the relevant person, in cases where personal data is processed only on the basis of explicit consent,

- Acceptance by the Company of the application for deletion and destruction of personal data made within the framework of the rights of the relevant person in accordance with Article 11 of the KVK Law,

- A complaint being made to the Board and this request being approved by the Board, in cases where the data controller rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, the response is found insufficient, or no response is given within the time period stipulated in the Law,

- The maximum period requiring personal data to be stored having passed, with no conditions that justify storing personal data for a longer period of time.

7. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN

For the safe storage of personal data, the prevention of unlawful processing and access, and the lawful destruction of personal data, the Company takes technical and administrative measures in accordance with Article 12 of the KVK Law and, for special personal data, within the framework of the adequate measures determined and announced by the Board in accordance with Article 6/4 of the KVK Law.

All administrative and technical measures taken by the company are listed below:

7.1. Administrative Measures:

Within the scope of company administrative measures;

  • Before starting to process personal data, the Company fulfills its obligation to inform the relevant persons.
  • Personal data inventories were prepared and current risks and threats were identified.

  • It limits internal access to stored personal data to personnel who are required to access it according to their job description. In restricting access, whether the data is of special nature and its degree of importance are also taken into account.
  • The company has prepared a "Personal Data Breach Incident Response Policy and Plan" for crisis management. If the processed personal data is obtained by others through illegal means, it shall notify the relevant person and the Board as soon as possible (within 72 hours).

  • Regarding the transfer of personal data, it signs a contract regarding the protection of personal data and data security with the third real/legal persons to whom the personal data is transferred, or ensures data security with the provisions added to the existing contract.
  • It employs knowledgeable and experienced personnel regarding the processing of personal data and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.

  • When behavior contrary to the policy is detected, the issue is immediately reported to the manager by the relevant employee's manager. Necessary action is taken against the employee who acts contrary to the policy, following an evaluation by Human Resources.
  • Disciplinary regulations that include data security provisions are made for employees.

  • Training and awareness activities are carried out at regular intervals for employees regarding information security and data security.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and are being implemented.

  • Confidentiality commitments are made.
  • Provisions regarding personal data security have been added to contracts prepared by the company and employment contracts.

  • Periodic and random audit activities are carried out within the company.

  • Policies and procedures for the security of sensitive personal data have been determined and implemented.
  • Personal data is reduced as much as possible.

  • Employment contracts concluded by the Company include articles or sections (clauses) regarding the protection of personal data.

  • KVK Warning Text has been prepared to be used in company e-mails.

7.2. Technical Measures:

Within the scope of the company's technical measures;

  • The access authorizations of employees who change their duties or leave their jobs are removed.

  • Firewalls are used.

  • Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.

  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • The security of environments containing personal data is ensured.

  • Personal data is backed up and the security of the backed up personal data is ensured.

  • User account management and authorization control system is implemented and these are also monitored.
  • Under the Password Policy, passwords must contain at least 8 characters, including uppercase and lowercase letters, numbers and special characters, to be strong and complex.

9. DESTRUCTION OF PERSONAL DATA

The company retains personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed. In this context, first of all, it is determined whether the relevant legislation stipulates a period for storing personal data, and if a period is determined, this period is complied with. If a period is not determined, personal data are stored for the period necessary for the purpose for which they are processed. If the period expires or the reasons requiring processing disappear, and there is no legal reason allowing them to be processed for a longer period of time, personal data is deleted, destroyed or anonymized by the Company in accordance with this policy.

If there is a contractual relationship, retention periods begin with the end of the contractual obligations of the parties and after the transaction is completed and the final result is received in terms of other activities.

In case of a legal dispute or lawsuit, personal data is stored until the legal process is completed.

10. DESTRUCTION TECHNIQUES OF PERSONAL DATA

At the end of the storage period, personal data is destroyed by the Company ex officio or upon the application of the relevant person, in accordance with the relevant legislation, using the techniques specified below.

Unless otherwise decided by the Board, the Company chooses the appropriate method to delete, destroy or anonymize personal data ex officio. If requested by the relevant person, the Company chooses the appropriate method and explains the reason. All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for 10 (ten) years, excluding other legal obligations.

10.1 Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. The data controller is obliged to take all necessary technical and administrative measures to ensure that deleted personal data are inaccessible and unusable for relevant users.

Article 4/b of the Regulation on Deletion, Destruction or Anonymization of Personal Data defines the relevant user as "persons who process personal data within the data controller organization or in line with the authority and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backing up of the data."

Personal data is deleted by the methods given in the table below.

10.1 Deletion of Personal Data Table

| DATA RECORDING MEDIUM | EXPLANATION |
|---|---|
| Personal Data on Servers | For personal data on the servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and deletes the data. |
| Personal Data in Electronic Media | Among the personal data in the electronic environment, those whose period of storage has expired are made inaccessible and unusable for other employees (relevant users) except the database administrator. |
| Personal Data in Physical Environment | Personal data kept in physical media whose period of storage has expired are made inaccessible and unusable in any way for other employees except the unit manager responsible for the document archive. |
| Personal Data Contained in Portable Media | Among the personal data kept in flash-based storage media, those whose period of storage has expired are encrypted by the system administrator, access authorization is given only to the system administrator, and they are stored in secure environments with encryption keys. |

10.2 Destruction of Personal Data:

Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable by anyone. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

Personal data is destroyed by the methods given in the table below.

Personal Data Destruction Table

| DATA RECORDING MEDIUM | EXPLANATION |
|---|---|
| Personal Data in Physical Environment | Personal data stored on paper whose storage period has expired are irreversibly destroyed in paper shredding machines. |
| Personal Data Contained in Optical / Magnetic Media | Personal data contained in optical media and magnetic media whose storage period has expired are physically destroyed by methods such as melting, burning or pulverizing. In addition, the data on the magnetic media is rendered unreadable by passing it through a special device and exposing it to a high magnetic field. |

10.3 Anonymization of Personal Data:

Anonymization of personal data means making it impossible to associate personal data with an identified or identifiable natural person in any way, even if it is matched with other data.

In order for personal data to be anonymized, it must be made impossible to associate the personal data with an identified or identifiable natural person, even through the use of techniques appropriate to the recording environment and the relevant field of activity, such as the reversal of the data by the data controller or third parties and/or the matching of the data with other data.

The data controller is obliged to take all necessary technical and administrative measures regarding the anonymization of personal data.

In addition, in the techniques of deleting, destroying or anonymizing personal data, the Company uses the "Guide on Deletion, Destruction or Anonymization of Personal Data" published by the Authority ( https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/bc1cb353-ef85-4e58-bb99-3bba31258508.pdf ) and chooses the appropriate one from the examples published in this guide.

11. STORAGE AND DISPOSAL PERIOD

Regarding the personal data processed by the Company within the scope of its activities:

- Retention periods on a personal data basis, for all personal data within the scope of the activities carried out depending on the processes, are included in the Personal Data Processing Inventory;

- Process-based retention periods are included in the Personal Data Storage and Destruction Policy.

Updates are made to these retention periods by the Company if necessary.

For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out by the Company.

Table of Storage and Destruction Periods Based on Process

| PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD |
|---|---|---|
| Creation of Employees' Personal Files; Making Salary Payments | 10 years from the expiry date of the Agreement/Legal Action | During the First Periodic Destruction Period Following the End of the Storage Period |
| Receiving Job Applications via Kariyer.net | 1 year | During the First Periodic Destruction Period Following the End of the Storage Period |
| Processing of Customer Data Based on Incoming Orders; Issuing Invoices; Issuing Payment Receipts | 10 years from the Termination of the Legal Relationship with the Relevant Person | During the First Periodic Destruction Period Following the End of the Storage Period |
| Processing of Personal Data of OHS Specialist and Workplace Physician (Service Procurement) | 10 years from the Termination of the Legal Relationship with the Relevant Person | During the First Periodic Destruction Period Following the End of the Storage Period |
| Conducting Periodic Examination/Patient Examination Procedures of Employees by the Workplace Physician; Carrying out Occupational Health and Safety Activities | 15 years from the termination of employment contract | During the First Periodic Destruction Period Following the End of the Storage Period |
| Processing of Personal Data of Natural Persons and Private Company Suppliers, Issuing Invoices | 10 years | During the First Periodic Destruction Period Following the End of the Storage Period |
| Personal data processed during trial processes in litigation, enforcement, mediation files, etc. | 10 years after the case is finalized | During the First Periodic Destruction Period Following the End of the Storage Period |
| Taking Camera Recording | 7 days | During the First Periodic Destruction Period Following the End of the Storage Period |
| Sending e-mails to customers within the scope of advertising and marketing | 2 years | During the First Periodic Destruction Period Following the End of the Storage Period |

12. PERIODIC DESTRUCTION PERIOD

In accordance with Article 11 of the Regulation on Deletion, Destruction or Anonymization of Personal Data, the Company has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out in the Company every year in June and December.

13. PUBLISHING AND STORAGE OF THE POLICY

The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is also kept by the Company.

14. UPDATE PERIOD OF THE POLICY

The Policy is reviewed by the Company as needed and the necessary sections are updated.

15. ENFORCEMENT AND REPEAL OF THE POLICY

The Policy is deemed to have entered into force upon its publication on the Company's website. If it is decided to repeal it, the old copy of the Policy with wet signature is signed (with a cancellation stamp or written as cancelled) and kept by the Company.