CONTRACTS

 PERSONAL DATA PROTECTION, STORAGE AND DESTRUCTION POLICY

  1. OBJECTIVE

Our personal data storage and disposal policy has been prepared to determine the procedures and principles governing the storage and destruction activities carried out within Cult & Glint in accordance with the Law on the Protection of Personal Data No. 6698, and to make them known to our relevant parties.

  2. SCOPE

This policy covers all recording media and activities in which personal data managed by our company are processed, as well as the personal data of Company employees, customers, employee candidates, service providers, visitors and other third parties.

  3. ABBREVIATIONS AND DEFINITIONS

Company:

Cult & Glint

Personal Data:

All kinds of information regarding an identified or identifiable natural person.

Special Quality Personal Data:

Data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress code, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Processing of Personal Data:

All kinds of operations performed on Personal Data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, using or blocking it, by fully or partially automated means or, provided that it is a part of any data recording system, by non-automatic means.

Personal Data Owner / Relevant Person:

Company Authorities, Business Partners / Suppliers, Employees, Employee Candidates, Visitors, Company and Group Company Customers, Potential Customers shared by the company / companies with which the Company cooperates and / or third parties acquired by the Company on behalf of these institutions / companies, and Third Party Persons.

Data Record System:

The recording system in which personal data are structured and processed according to certain criteria.

Data Controller:

A natural or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor:

A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Explicit consent:

Consent on a specific subject, based on information and expressed with free will.

Anonymization:

Rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching it with other data.

Electronic environment:

Call server / HR software / Project Software / barrier system server / File sharing common area (NAS), company computers and phones

Non-electronic environment:

Locked filing cabinets identified by numbering / Archive

Service provider:

Internet Service provider / Customer based call service provider

Destruction:

The deletion, destruction or anonymization of personal data.

Law:

Refers to the Law No. 6698 on the Protection of Personal Data.

Regulation:

The Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224.

Recording medium:

Any medium containing personal data processed by fully or partially automated means or, provided that it is a part of any data recording system, by non-automatic means.

  4. Processing of Personal Data

Personal data at Cult & Glint is processed in accordance with the principles set forth by the Law, listed below:

  a) In accordance with the law and good faith,
  b) Kept accurate and, when necessary, up to date,
  c) Processed for specific, explicit and legitimate purposes,
  ç) Connected with, limited to and proportionate to the purpose for which they are processed,
  d) Kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

  5. Conditions of processing personal data

Personal data are not processed without the explicit consent of the data subject. However, if one of the following conditions specified by the Law is present, personal data may be processed without the explicit consent of the person concerned:

  a) It is clearly stipulated in the laws.
  b) It is mandatory for the protection of the life or bodily integrity of a person who is unable to express consent due to actual impossibility or whose consent is not legally valid.
  c) It is necessary to process personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of that contract.
  ç) It is mandatory for the data controller to fulfill its legal obligation.
  d) It is made public by the person concerned.
  e) Data processing is mandatory for the establishment, use or protection of a right.
  f) It is mandatory to process data for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

  6. Conditions for processing special personal data

According to the Law, data on individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data are personal data of special nature. Our company does not process special quality personal data without the explicit consent of the person concerned. Receiving personal data of special nature is only possible for personalized orders, and in any case, explicit consent must be given by order.

In these cases, all technical and administrative measures are taken when processing special quality data.

  7. Transfer of personal data / Transfer of personal data abroad

Personal data cannot be transferred without the explicit consent of the person concerned. However, if one of the conditions specified in Articles 5 and 6 is met, it can be transferred without the explicit consent of the person concerned. The data controller may transfer personal data to third parties after establishing the necessary confidentiality conditions and taking security measures. Our company may transfer Personal Data to foreign countries declared by the Board to have adequate protection or, where adequate protection is lacking, to foreign countries for which the data controllers in Turkey and in the relevant foreign country have pledged adequate protection in writing.

  8. Deletion, destruction or anonymization and storage of personal data

Even if it has been processed in accordance with the provisions of the Law and other relevant laws, personal data are deleted, destroyed or anonymized by the data controller, either ex officio or upon the request of the person concerned, in the event that the reasons for its processing disappear. Responsibilities and methods for these transactions are detailed in the following articles. These are:

  a) Purpose of preparing the personal data storage and destruction policy,
  b) Recording media regulated by the personal data storage and destruction policy,
  c) Definitions of legal and technical terms included in the personal data storage and disposal policy,
  ç) Explanation regarding legal, technical or other reasons that require the storage and destruction of personal data,
  d) Technical and administrative measures taken for the safe storage of personal data and to prevent illegal processing and access,
  e) Technical and administrative measures taken for the legal destruction of personal data,
  f) The titles, units and job descriptions of those involved in the personal data storage and disposal processes,
  g) Table showing storage and disposal periods,
  ğ) Periodic destruction periods,
  h) If an update has been made to the current personal data storage and disposal policy, information regarding the change in question.

The storage, retention periods and procedures of personal data are explained together with the security measures taken within the same procedure. The main measures taken to ensure the legal processing of personal data in our company can be listed as follows.

Technical measures:

* Personal data processing activities are periodically tested and audited by the technical systems that have been established.

* Competent personnel are employed to carry out technical controls.

* Technical measures are taken in line with technological developments and updated periodically.

* Users are given the minimum required authority.

* Technical solutions for access and authorization are implemented on a per-unit basis within the framework of legal requirements.

* Access privileges are limited and reviewed regularly. Inappropriate access or access attempts are detected and reported by logging access to data storage areas containing personal data.

* Software and hardware including virus protection and firewall systems are used.

* Technical and administrative measures are taken, in line with technological possibilities and the cost of implementation, in order to keep personal data in secure environments and to prevent them from being destroyed or changed for illegal purposes.

* Technical security systems are established for storage areas, security tests and research are carried out to detect security vulnerabilities in information systems, and existing or potential risks identified as a result of these tests and research are eliminated. The technical measures taken are periodically reported to the relevant person and senior management as required by the internal audit mechanism.

* Backup programs are used in accordance with the law to ensure the safe storage of Personal Data.

Administrative measures:

* Information and awareness training is given to our employees periodically.

* All personal data activities carried out in our company are analyzed specifically for the processing unit and other interacting units, and the processing activities are identified.

* The units that process data and the units that interact with them determine these activities by considering the conditions required by the Law.

* Awareness is created within the units in order to meet legal compliance requirements, implementation rules are determined, and, to ensure that these issues are audited, they are implemented through documents such as policies, procedures, instructions and tables, and through trainings.

* Contracts and approved instructions are put into practice to manage the legal relationship with our employees and customers.

  9. Supervision of personal data protection activities

Through internal audits carried out in accordance with Article 12 of the Law, implementation processes such as personal data processing, storage and destruction are checked and reported, and the necessary technological and administrative solutions are implemented immediately for the elements that pose risks. Improvements are identified and the related investments are planned for the long term.

  10. Protection of the legal rights of personal data owners and measures to be taken in case of disclosure of personal data

With this policy and our activities, we take all necessary measures to protect the rights of personal data owners by observing all legal rights, especially for data of special nature. In the event that Personal Data processed in accordance with Article 12 of the Law are obtained by others illegally, a system is implemented to notify the relevant Personal Data Owner and the KVK Board as soon as possible. If deemed necessary by the KVK Board, this may be announced on the website of the KVK Board or by any other method.

  11. The data controller's obligation to inform

Our company informs the personal data owners among its related parties through an informative text, in accordance with the protection of personal data. This text provides information about the identity of the data controller and its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the other rights listed in the disclosure text.

If the application made by the personal data owner to the Company is rejected by the Company, the response is found to be insufficient, or the application is not responded to in time, the data subject has the right to make a complaint to the KVK Board within thirty days from the date of learning the answer, and in any case within sixty days from the date of application.

  12. Update and implementation of changes

Our company reserves the right to make changes in this policy and other related policies in accordance with the decisions of the KVK Board or the developments in the sector or information field due to the changes made in the Law. When legal updates occur, revision work is started immediately.