DATA RETENTION, ANONIMIZATION AND DISPOSAL POLICY
Data Retention, Anonymization and Disposal Policy
1. Purpose
The purpose of this procedure is to ensure that all printed and written content, information technology assets and peripherals used in the acquisition, processing and storage of information are safely destroyed when necessary and in accordance with the Law on the Protection of Personal Data No. 6698.
2. Scope
The procedure covers all personal, commercial data records and business processes.
3. Definitions
Law : Refers to the law 6698 “Protection of personal data”.
Personal Data : Personal data refers to any information relating to an identified or identifiable natural person. The fact that a person is specific or identifiable means making that person identifiable by associating existing data with a natural person in any way.
Blackout : Processes such as scratching, painting and icing all of the personal data in a way that cannot be associated with an identified or identifiable natural person,
Recording media : Any environment where personal data is processed wholly or partially automatically or non-automatically provided that it is a part of any data recording system,
Personal data retention and destruction policy : The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization,
Masking : Processes such as deleting certain areas of personal data in a way that cannot be associated with an identified or identifiable natural person, scratching, painting and starring,
Special Qualified Personal Data : People's race, ethnic origin, political thought, philosophical belief, religion, sect
or other beliefs, attire, association, foundation or union membership, health, sexual life, punishment
Conviction and security measures, as well as biometric and genetic data.
periodic destruction : It is the process of deletion, destruction or anonymization, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated.
4. References
Regulation on the Protection of Personal Data No. 6698, No. 30224, on the Deletion, Destruction or Anonymization of Personal Data dated 28.10.2018
5. Application
5.1. Disposal of Assets
In the event that the purpose of the processing of personal data is eliminated, the express consent is withdrawn, or all of the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, or if there is a situation where none of the exceptions in the aforementioned articles can be applied, the processing conditions are eliminated. Personal data is deleted by the relevant business unit, taking into account business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation (Deletion, Destruction or Anonymization of Personal Data), by explaining the reason for the method applied, destroyed or anonymized. However, in case of a finalized court decision, the method of destruction determined by the court decision must be applied.
Information on any device with information recording feature is deleted against unauthorized access, and the disk and recording mechanism on the device are physically destroyed. The Media/Device Disposal Report is filled in and signed by the information systems operator. Date, device information, reason for destruction, etc. The destruction process is recorded by entering the information.
Data Deletion Methods
a. Personal Data in Paper Media: They are deleted by destroying with a paper shredder or by using the blackout method when necessary.
b. Office Files on the Central Server: They are deleted with the delete command in the operating system.
c. Data in Removable Media: It is deleted with the delete command in the operating system.
D. Databases: Relevant rows with data are deleted with database commands.
Methods of Destruction of Assets and Data
a. In Local Systems: De-magnetizing, physical destruction, overwriting is destroyed by using the appropriate method.
b. Environmental Systems:
• Network devices (switch, router, etc.): it is destroyed by appropriate methods specified in item a.
• Flash-based media: It is destroyed by the methods recommended by the relevant manufacturer or by the methods specified in item a.
• Magnetic tape: It is destroyed by demagnetizing or by physical methods such as burning and melting.
• Sim Card and fixed memory cards: They are destroyed by the appropriate methods specified in item a.
• Optical discs: they are destroyed by physical methods such as burning, breaking into small pieces, melting.
• Peripherals with fixed Data Recording Media: They are destroyed by the appropriate methods specified in item a.
c. Printed Media: Destroyed using paper shredders. Personal data transferred from original paper format to electronic media by scanning are destroyed by appropriate methods according to their environment.
Methods of Anonymization of Personal Data:
In the process of making personal data anonymized, the appropriate method of making Personal Data Anonymous is used, which is shown in the Guide on Deletion, Destruction or Anonymization of Personal Data published by the Personal Data Protection Authority.
As a result of periodic reviews or when it is determined that the data processing conditions have disappeared at any time, the relevant user or data owner will decide to delete, destroy or anonymize the relevant personal data from the recording medium within its own body in accordance with this policy. In case of hesitation, action will be taken by obtaining the opinion of the relevant data owner business unit.
In the destruction of data, the regulation stating the retention periods published by the General Directorate of State Archives is taken into consideration. The data that are not inconvenient to be destroyed are destroyed after the required time has expired in the unit archive, the institution archive or the state archives.
5.1.1. Destruction of Multi-Stakeholder Data
When it is necessary to take a decision regarding the destruction of personal data with multi-stakeholder data ownership in the Central Information Systems, it is decided to store or delete, destroy or anonymize the data in accordance with this policy, by taking the opinion of the Data Controller Representative.
5.1.2. Destruction of Personal Data Upon Data Owner's Request
When the real person who owns the personal data requests the deletion, destruction or anonymization of his personal data by applying to the University with the "Personal Data Owner Application Form" pursuant to Article 13 of the Law, it is finalized within thirty days at the latest from the application date. Requests for the deletion or destruction of personal data will only be considered if the identity of the person concerned has been identified. The applicant is informed through the methods specified in the application form. If the processing conditions have not been lifted due to legal requirements; It is declared to the data owner that the personal data subject to the request cannot be deleted. The unit where the relevant data is processed examines whether all the conditions for processing personal data have disappeared. If all the processing conditions have disappeared; deletes, destroys or anonymizes the personal data subject to the request within three months at the latest. If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, the unit to which the relevant data is processed immediately notifies the third party to which the data is transferred and ensures that the necessary actions are taken within the scope of the Regulation before the third party.
5.2. Periodic Review of Personal Data
All users who process or store personal data and data subject units will review the data recording media they use, within six-month periods at the latest, whether the conditions related to the processing have been eliminated. Upon the application of the personal data owner or the notification of a court, the relevant users and units will make this review in the data recording media they use, regardless of the period of periodic inspection. All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
In the deletion, destruction or anonymization of personal data, it is necessary to act in accordance with the general principles of Article 4 (Processing of Personal Data) and technical and administrative measures to be taken within the scope of Article 12 (Data Security Obligations), provisions of the relevant legislation, Board decisions and court decisions. is being done.
5.3. Storage of Personal Data
The processing times of personal data are specified in the "Personal Data Processing Inventory".
The storage and destruction periods in question will be taken into account in the periodic destruction or on-demand destruction processes. Storage and destruction processes may vary upon the request of the data owner, unless there is a legal obligation.
In order to ensure personal data security, physical security measures such as documents in paper media containing personal data, CD, DVD and USB devices are kept locked when not in use, only authorized personnel can access them and the entrances and exits are monitored by camera. The servers containing the personal data kept in the digital environment are stored in the University system room, with the necessary security measures taken.
Administrative and technical measures taken to ensure the Security of Personal Data are detailed in the Personal Data Protection and Processing Policy.
6. Control
Documents are periodically checked once a year as they are revised as needed.