Fenomio Internet Advertising Services Trade Inc.
-KVKK-
POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Effective Date Effective Date
Version No 2.0
Revision Date February 1, 2023
Document No. 1.2
1. GENERAL INFORMATION ABOUT THE POLICY
1.1 INTRODUCTION

As Fenomio Internet Advertising Services Trade Joint Stock Company ("Fenomio" or the "Company"), we show maximum sensitivity to ensure full compliance with the Law No. 6698 on the Protection of Personal Data ("KVKK" or the "Law") and other regulations regarding the implementation of this law and the security of your personal data. This Fenomio Personal Data Protection and Processing Policy ("Policy") explains the principles adopted in the execution of personal data processing activities carried out by Fenomio and the basic principles adopted for the compliance of Fenomio's data processing activities with the regulations in the Law, and thus Fenomio provides the necessary transparency by informing personal data owners. With full awareness of our responsibility in this context, your personal data is processed and protected within the scope of this Policy and the necessary administrative and technical measures are taken.

1.2 PURPOSE

The purpose of this Policy is to ensure compliance with the obligations regarding the regulations on the Protection of Personal Data, to protect the confidentiality of the personal data processing activity collected by Fenomio by automatic or non-automatic methods and carried out in accordance with the law, and to inform the persons whose personal data are processed by Fenomio about the operation, internal controls and measures by determining the relevant internal responsibilities and to ensure transparency.

1.3 SCOPE

Personal data belonging to data owners are stored securely in physical or electronic environments by Fenomio, especially for the purposes specified in Article 5 of the "Fenomio Personal Data Protection and Processing Policy", within the limits specified in the KVKK and other relevant legislation, as specified in the table below. (The Fenomio Personal Data Protection and Processing Policy can be found on the website www.fenomio.com.)

1.4. DEFINITIONS
ABBREVIATIONS: DEFINITIONS
Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
Related User: The persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Annihilation: Deletion, destruction or anonymization of personal data.
Storage and Disposal Policy: Fenomio's Destruction Policy on the Storage, Deletion, Destruction and Anonymization of Personal Data, which is the basis for determining the maximum period required for the purpose for which personal data is processed and for the deletion, destruction and anonymization process.
Law/KVKK: Law No. 6698 on the Protection of Personal Data.
Recording Media: Any medium containing personal data processed by fully or partially automated means, or by non-automatic means provided that it is part of any data recording system.
Personal data: Any information relating to an identified or identifiable natural person.
Periodic Destruction: The deletion, destruction or anonymization process to be carried out ex officio at repeated intervals specified in the personal data retention and destruction policy, in the event that all of the conditions for processing personal data in the law disappear.
Register: Registry of data controllers maintained by the personal data protection authority.
Data Recording System: A recording system in which personal data is structured and processed according to certain criteria.
Board: Personal Data Protection Board.
Data Subject/Relevant Person: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Anonymization of Personal Data: Making personal data unrelated to an identified or identifiable natural person in any way, even by matching it with other data.
Deletion of Personal Data: Making personal data inaccessible and unusable in any way for the Relevant Users.
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
2. RECORDING MEDIA OF PERSONAL DATA

Personal data belonging to data owners are stored securely in physical or electronic environments by Fenomio, especially for the purposes specified in Article 5 of the "Fenomio Personal Data Protection and Processing Policy", within the limits specified in the KVKK and other relevant legislation, as specified in the table below. (The Fenomio Personal Data Protection and Processing Policy can be found on the website www.fenomio.com.)

ELECTRONIC MEDIA
  • Fenomio-allocated and/or personal desktop-laptops
  • Mobile Devices (Phone, tablet, etc.)
  • Optical Discs (CD etc.)
  • Servers (Web, Email, Backup, Database, File Sharing, Exchange)
  • Software (Office Software, Portal, Other Accounting, Human Resources)
  • Information security devices (Firewall, intrusion detection and prevention, log files, anti-virus, etc.)
  • Removable memory (USB, Memory card, etc.)
  • Printer, scanner, copier

PHYSICAL ENVIRONMENT
  • Manual Data Records (Surveys, Guest Books, Printed Forms, etc.)
  • Written, printed, visual media
  • Files stored as paper
3. REASONS FOR STORING AND DESTROYING PERSONAL DATA
3.1. Reasons Requiring the Storage of Personal Data

Article 3 of the KVKK defines the concept of processing personal data; Article 4 states that processed personal data should be relevant, limited and proportionate to the purpose for which they are processed and should be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed; and Articles 5 and 6 list the conditions for processing personal data. In the deletion, destruction or anonymization of personal data, the general principles in Article 4 of the Law, the technical and administrative measures to be taken within the scope of Article 12, the provisions of the relevant legislation, the decisions of the Board and the personal data storage and destruction policy are followed.

Accordingly, within the framework of Fenomio activities, personal data is stored for a period of time in accordance with our processing purposes stipulated in the relevant legislation or specified in Article 5 of the "Fenomio Personal Data Protection and Processing Policy".

In this context, our Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data is destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner's application and with the specified destruction methods (deletion, destruction and/or anonymization).

All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations. In this context, personal data is stored for the following reasons, in accordance with the processing conditions in Article 5 of the KVKK:

  • Storing personal data as it is directly related to the establishment and performance of contracts,
  • Storing personal data for the purpose of establishing, exercising or protecting a right,
  • Storing personal data being necessary for the legitimate interests of Fenomio, provided that it does not harm the fundamental rights and freedoms of individuals,
  • Storing personal data for the purpose of fulfilling any legal obligation of Fenomio,
  • The legislation clearly stipulating the storage of personal data,
  • Obtaining the explicit consent of the data owners for storage activities that require their explicit consent.
3.2. Reasons Requiring the Destruction of Personal Data

In the following cases, the personal data of the data owners are deleted, destroyed or anonymized by Fenomio ex officio or upon request in accordance with the Regulation. Namely,

  • Amendment or abolition of the provisions of the relevant legislation that form the basis for the processing or storage of personal data,
  • The disappearance of the purpose requiring the processing or storage of personal data,
  • In the event that the conditions requiring the processing of personal data in Articles 5 and 6 of the Law disappear, the data controller of the personal data ex officio or upon the request of the person concerned,
  • In cases where the processing of personal data takes place only on the basis of explicit consent, the person concerned withdrawing his consent,
  • Acceptance by the data controller of the application made by the data subject regarding the deletion, destruction or anonymization of his data within the framework of his rights under Article 11 of the Law,
  • In cases where the data controller rejects the application made to him by the person concerned requesting the deletion, destruction or anonymization of his personal data, gives an answer that is found insufficient, or does not respond within the period stipulated in the Law, a complaint being made to the Board and this request being approved by the Board,
  • The maximum period requiring the storage of personal data having passed, with no conditions that would justify storing the personal data for a longer period.
4. STORAGE AND DESTRUCTION PERIODS OF PERSONAL DATA

In determining the retention and destruction periods of your personal data obtained by Fenomio in accordance with the provisions of the KVKK and other relevant legislation, the following criteria are used, respectively:

a) If a period of time is stipulated in the legislation regarding the storage of the personal data in question, this period is complied with. After the expiry of the said period, action is taken on the data within the scope of subparagraph b.

b) In the event that the period stipulated in the legislation regarding the storage of the personal data in question expires, or no period is stipulated in the relevant legislation regarding the storage of the data in question, respectively:

  - Fenomio classifies personal data as personal data and sensitive personal data based on the definition in Article 6 of the KVKK. All personal data that is found to be sensitive is destroyed. The method to be applied in the destruction of the data in question is determined according to the nature of the data and the importance of its storage in the eyes of Fenomio.
  - The compliance of the storage of the data with the principles specified in Article 4 of the KVKK is questioned. Data whose storage is found to be contrary to the principles in Article 4 of the KVKK is deleted, destroyed or anonymized.
  - It is determined which of the exceptions stipulated in Articles 5 and 6 of the KVKK can be considered within the scope of the storage of data. Within the framework of the exceptions identified, reasonable periods for which the data should be stored are determined. If these periods expire, the data is deleted, destroyed or anonymized.

Personal data whose storage period has expired are destroyed in accordance with the procedures set out in this Policy in 6-month periods, within the framework of the "Storage and Destruction Periods" specified below in this Policy. Regarding the personal data being processed by Fenomio;

  • Retention periods per item of personal data, covering all personal data within the scope of the activities carried out under each process, are set out in the Personal Data Processing Inventory,
  • Process-based retention periods are given below in this Policy:
PROCESS | DATA OWNER | RETENTION PERIOD | DISPOSAL TIME
Creating a Personnel File | Employee | 10 years following the termination of the Employment Contract | In the first periodic destruction period following the expiry of the storage period
In-Service Training Planning | Employee | 10 years following the termination of the employment contract | In the first periodic destruction period following the expiry of the storage period
Salary Payments | Employee | 10 years after leaving the job | In the first periodic destruction period following the expiry of the storage period
Resume of the employee candidate/intern candidate and information in the job application form | Employee-Intern Candidate | 6 months from the negative end of the application process | In the first periodic destruction period following the expiry of the storage period
Keeping Financial Records | Customers-Service Companies | 10 years from the end of the employment relationship | In the first periodic destruction period following the expiry of the storage period
Identity information, contact information, financial information, employee data of the cooperating institution/company regarding the execution of the commercial relationship between the cooperating institutions/companies (service providers) and Fenomio | Institutions/companies with which Fenomio cooperates (Service Providers) | It is kept for 10 years in accordance with Article 146 of the TCO and Article 82 of the TCC from the provision of each purchased service. | In the first periodic destruction period following the expiry of the storage period
Drafting contracts | Customers and Suppliers/Business Partners who benefit from Fenomio's products and services | 10 years following termination of the contract | In the first periodic destruction period following the expiry of the storage period
Execution of human resources processes | Employees | 10 years following the termination of activity | In the first periodic destruction period following the expiry of the storage period
For the security of the physical space, for the security of the premises of all natural persons and visitors and other natural persons with whom the Company has relations, camera recordings, voice recordings | Any natural person located at Fenomio | Stored for 3 months | In the first periodic destruction period following the expiry of the storage period
Information about the shareholders and members of the board of directors of the company | Fenomio Shareholders and Fenomio Board Members | 10 years following termination of the Business Relationship | In the first periodic destruction period following the expiry of the storage period
Responding to court/enforcement information requests related to the employee | Employees | 10 years from the termination of the employment relationship | In the first periodic destruction period following the expiry of the storage period
Log/Record Tracking Systems | Employees | 2 years | In the first periodic destruction period following the expiry of the storage period
Administrative reports on security such as due diligence report, incident report | All Real Persons Involved | 5 years from the date of initial registration | In the first periodic destruction period following the expiry of the storage period
Customer request-complaint information | Customer | 15 years from receipt of registration | In the first periodic destruction period following the expiry of the storage period
Documents related to general company decisions such as powers of attorney, signature circulars, general assembly resolutions, dismissals | Fenomio shareholders and Fenomio board members | 10 years from the date of initial registration | In the first periodic destruction period following the expiry of the storage period
Allocating vehicles to employees | Employees | 2 years from the date of delivery of the vehicle | In the first periodic destruction period following the expiry of the storage period
Occupational Health and Safety Practices | Employees | 15 years following the termination of the employment relationship | In the first periodic destruction period following the expiry of the storage period
Criminal Conviction and Security Measures | Employees | During the working period | In the first periodic destruction period following the expiry of the storage period

All transactions related to the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.

5. METHODS OF DESTRUCTION OF PERSONAL DATA
5.1. Techniques for Deletion of Personal Data

5.1.1. Deletion of Personal Data on Servers

For personal data on servers whose required retention period has expired, the access authorization of the relevant users is removed and the deletion process is performed.

5.1.2. Deletion of Personal Data in Electronic Environment

Personal data in the electronic environment whose required retention period has expired are made inaccessible and unusable for employees (relevant users) in any way.

5.1.3. Deletion of Personal Data in the Physical Environment

For personal data kept in the physical environment whose required retention period has expired, the documents are made inaccessible and unusable for employees in any way. In addition, blackout is applied by scratching/painting/erasing in such a way that the data cannot be read.

5.1.4. Deletion of Personal Data on Portable Media

Personal data kept in flash-based storage media whose required retention period has expired are encrypted by the system administrator, access authority is given only to the system administrator, and they are stored in secure environments with encryption keys.

5.2. Techniques for Destruction of Personal Data

5.2.1. Destruction of Personal Data in the Physical Environment

Personal data in the paper environment whose required retention period has expired are irreversibly destroyed in paper shredders.

5.2.2. Destruction of Personal Data on Optical/Magnetic Media

Personal data in optical media and magnetic media are physically destroyed by methods such as melting, burning or pulverizing. In addition, the magnetic media is passed through a special device and exposed to a high value magnetic field, making the data on it unreadable.

5.3. Techniques for Anonymizing Personal Data

5.3.1. Personal data on servers, electronic media, physical media, portable media and optical/magnetic media whose required retention period has expired are made unable to be associated with an identified or identifiable natural person in any way, even if the personal data is matched with other data. In this sense, Fenomio removes or changes all direct and/or indirect identifiers in a dataset, preventing the identification of the person concerned or causing the data to lose its distinctiveness so that it cannot be associated with that person. Accordingly, Fenomio makes use of one or more of the automatic or non-automatic grouping, masking, derivation, generalization and randomization methods applied to the records in the data recording system where personal data is kept, according to the relevant data. While applying these anonymization methods, characteristics of the dataset such as the nature and size of the data, the structure of its presence in the physical environment, its diversity, and the purposes of processing the data are taken into account. As a result of the application of these methods, it is impossible for the data obtained to identify a specific person.

6. PERIODIC DESTRUCTION TIME OF PERSONAL DATA

Pursuant to Article 11 of the Regulation, Fenomio has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out in June and December every year in the Institution.

7. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES IN THE STORAGE AND DESTRUCTION PROCESS OF PERSONAL DATA

All units and employees of Fenomio are responsible for the proper implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy, the training and awareness of the unit employees, monitoring and continuous supervision, and the processing of personal data in accordance with the law, the prevention of unlawful access to personal data and the lawful storage of personal data, in order to ensure data security in all environments where personal data is processed. They actively support the responsible units in taking technical and administrative measures. The details of the titles, duties and responsibilities of those involved in the storage and destruction processes of personal data are given below:

TITLE | UNIT | TASK
Manager | Personal Data Retention and Destruction Policy Officer | Responsible for ensuring that the processes within its duty comply with the storage period, for the management of the personal data destruction process in accordance with the periodic destruction period, for the preparation, execution, publication and updating of the Policy in the relevant environments, and for the Employees to act in accordance with the Policy.
Deputy | Personal Data Retention and Destruction Policy Officer | Management of the personal data destruction process in accordance with the periodic destruction period by ensuring that the processes within the scope of its duty comply with the retention period
Purchasing Officer | Purchasing Department: Responsible for implementing personal data retention and destruction policy | Management of the personal data destruction process in accordance with the periodic destruction period by ensuring that the processes within the scope of its duty comply with the retention period
Information Technology Officer | Information Technologies Department: Responsible for implementing personal data retention and destruction policy | Responsible for ensuring that the processes within its duty comply with the retention period, managing the personal data destruction process in accordance with the periodic destruction period, and providing the technical solutions needed in the implementation of the Policy.
Accounting Officer | Accounting Department: Responsible for implementing personal data retention and destruction policy | Management of the personal data destruction process in accordance with the periodic destruction period by ensuring that the processes within the scope of its duty comply with the retention period
Human Resources Officer | Human Resources: Responsible for implementing personal data retention and destruction policy | Management of the personal data destruction process in accordance with the periodic destruction period by ensuring that the processes within the scope of its duty comply with the retention period
Front Office Supervisor, Parking Attendant, Security Officer | Other Units | Responsible for the execution of the Policy in accordance with their duties.
8. PUBLICATION AND STORAGE OF THE POLICY

This Policy is stored in two different media, wet signed (printed paper) and electronically, and is published by disclosing it to the public on the website. The printed paper copy is also kept in the file of the Board of Directors.

9. ENTRY INTO FORCE AND UPDATING OF THE POLICY

This policy contains information in accordance with the Law and other legislation on personal data and will enter into force on the date it is published on the www.fenomio.com website. This Policy may be updated from time to time due to changes in Fenomio personal data processing processes, legal changes or other reasons. Updates will be effective from the date of publication of the new Policy on the Website.

This Policy is published on the www.fenomio.com website and made available to the relevant persons.

10. REPEAL OF THE POLICY

In the event that it is decided to repeal this Policy, the old copies of the Policy with wet signatures are canceled and signed by the Fenomio Board of Directors (by stamping the cancellation or writing the cancellation) and kept by the Board of Directors for at least 3 years.

Fenomio Internet Advertising Services Trade Inc
-KVKK-
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
Date January 1, 2020
Version No 2.0
Revision Date February 1, 2023
Document No. 1.2
1. GENERAL INFORMATION ABOUT THE POLICY
1.1 INTRODUCTION

This Fenomio Personal Data Storage and Destruction Policy ("Policy") has been prepared by Fenomio Internet Advertising Services Trade Joint Stock Company ("Fenomio" or the "Company"), in its capacity as data controller, in accordance with the Law No. 6698 on the Protection of Personal Data ("KVKK" or "Law") and the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation"), which constitutes the secondary regulation of the Law and entered into force after being published in the Official Gazette dated October 28, 2017, in order to inform the data owners about the purpose for which your personal data is processed, the principles of determining the maximum storage period required for this purpose, and the protection, deletion, destruction and anonymization processes.

1.2 PURPOSE

The purpose of this Policy is to ensure compliance with the obligations regarding the regulations on the Protection of Personal Data, to protect the confidentiality of the personal data processing activity collected by Fenomio by automatic or non-automatic methods and carried out in accordance with the law, and to inform the persons whose personal data are processed by Fenomio about the operation, internal controls and measures by determining the relevant internal responsibilities and to ensure transparency.

1.3 SCOPE

This Policy relates to all personal data of the Data Owner processed by wholly or partially automated means, or by non-automatic means provided that it is a part of any data recording system. The personal data of Fenomio Company officials, Company shareholders, Employees, Employee Candidates, Interns, Suppliers, real persons (Customers) benefiting from Fenomio's products and services, Potential Customers, Dealers, Members, Visitors, Business Partners, Relevant Persons visiting our websites and mobile applications, employees, shareholders and officials of the cooperating institutions, service providers and other third parties is within the scope of this Policy, and this Policy applies to all recording media owned or managed by Fenomio where personal data is processed and to activities for the storage and destruction of personal data.

1.4. DEFINITIONS
ABBREVIATIONS: DEFINITIONS
Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
Recipient Group: The category of natural or legal person to whom personal data is transferred by the Data Controller.
Related User: The persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Annihilation: Deletion, destruction or anonymization of personal data.
Storage and Disposal Policy: Fenomio's Destruction Policy on the Storage, Deletion, Destruction and Anonymization of Personal Data, which is the basis for determining the maximum period required for the purpose for which personal data is processed and for the deletion, destruction and anonymization process.
Law/KVKK: Law No. 6698 on the Protection of Personal Data.
Recording Media: Any medium containing personal data processed by fully or partially automated means, or by non-automatic means provided that it is part of any data recording system.
Personal data: Any information relating to an identified or identifiable natural person.
Periodic Destruction: The deletion, destruction or anonymization process to be carried out ex officio at repeated intervals specified in the personal data retention and destruction policy, in the event that all of the conditions for processing personal data in the law disappear.
Register: Registry of data controllers maintained by the personal data protection authority.
Data Recording System: A recording system in which personal data is structured and processed according to certain criteria.
Board: Personal Data Protection Board.
Data Subject/Relevant Person: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Anonymization of Personal Data: Making personal data unrelated to an identified or identifiable natural person in any way, even by matching it with other data.
Deletion of Personal Data: Making personal data inaccessible and unusable in any way for the Relevant Users.
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
2. RECORDING MEDIA OF PERSONAL DATA

Personal data belonging to data owners are stored securely in physical or electronic environments by Fenomio, especially for the purposes specified in Article 5 of the "Fenomio Personal Data Protection and Processing Policy", within the limits specified in the KVKK and other relevant legislation, as specified in the table below. (The Fenomio Personal Data Protection and Processing Policy can be found on the website www.fenomio.com.)

ELECTRONIC MEDIA
  • Fenomio-allocated and/or personal desktop-laptops
  • Mobile Devices (Phone, tablet, etc.)
  • Optical Discs (CD etc.)
  • Servers (Web, Email, Backup, Database, File Sharing, Exchange)
  • Software (Office Software, Portal, Other Accounting, Human Resources)
  • Information security devices (Firewall, intrusion detection and prevention, log files, anti-virus, etc.)
  • Removable memory (USB, Memory card, etc.)
  • Printer, scanner, copier

PHYSICAL ENVIRONMENT
  • Manual Data Records (Surveys, Guest Books, Printed Forms, etc.)
  • Written, printed, visual media
  • Files stored as paper
3. REASONS FOR STORING AND DESTROYING PERSONAL DATA
3.1. Reasons Requiring the Storage of Personal Data

Article 3 of the KVKK defines the concept of processing personal data; Article 4 states that processed personal data should be relevant, limited and proportionate to the purpose for which they are processed and should be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed; and Articles 5 and 6 list the conditions for processing personal data. In the deletion, destruction or anonymization of personal data, the general principles in Article 4 of the Law, the technical and administrative measures to be taken within the scope of Article 12, the provisions of the relevant legislation, the decisions of the Board and the personal data storage and destruction policy are followed.

Accordingly, within the framework of Fenomio activities, personal data is stored for a period of time in accordance with our processing purposes stipulated in the relevant legislation or specified in Article 5 of the "Fenomio Personal Data Protection and Processing Policy".

In this context, our Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data is destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner's application and with the specified destruction methods (deletion, destruction and/or anonymization).

All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations. In this context, personal data is subject to Article 5 of the KVKK regarding the processing conditions. In direct proportion to its substance, it is stored for the following reasons. Namely,

  • Storing personal data as it is directly related to the establishment and performance of contracts,
  • Storing personal data for the purpose of establishing, exercising or protecting a right,
  • Storing personal data being necessary for the legitimate interests of Fenomio, provided that it does not harm the fundamental rights and freedoms of individuals,
  • Storing personal data for the purpose of fulfilling any legal obligation of Fenomio,
  • The legislation explicitly stipulating the storage of personal data,
  • Obtaining the explicit consent of the data owners in terms of storage activities that require the explicit consent of the data owners.
3.2. Reasons Requiring the Destruction of Personal Data

In the following cases, the personal data of the data owners are deleted, destroyed or anonymized by Fenomio ex officio or upon request in accordance with the Regulation. Namely,

  • Amendment or abolition of the provisions of the relevant legislation that form the basis for the processing or storage of personal data,
  • The disappearance of the purpose requiring the processing or storage of personal data,
  • In the event that the conditions requiring the processing of personal data in Articles 5 and 6 of the Law disappear, the data controller of the personal data ex officio or upon the request of the person concerned,
  • In cases where the processing of personal data takes place only on the basis of explicit consent, the person concerned withdraws his consent,
  • Acceptance by the data controller of the application made by the data subject, within the framework of his rights under Article 11 of the Law, regarding the deletion, destruction or anonymization of his data,
  • In cases where the data controller rejects the application made to him by the person concerned with the request for the deletion, destruction or anonymization of his personal data, his answer is found insufficient or he does not respond within the period stipulated in the Law, a complaint is made to the Board and this request is approved by the Board,
  • Although the maximum period requiring the storage of personal data has passed, there are no conditions that would justify storing personal data for a longer period of time,
4. STORAGE AND DESTRUCTION PERIODS OF PERSONAL DATA

In determining the retention and destruction periods of your personal data obtained by Fenomio in accordance with the provisions of the KVKK and other relevant legislation, the following criteria are used, respectively:

a) If a period of time is stipulated in the legislation regarding the storage of the personal data in question, this period is complied with. After the expiry of the said period, action is taken on the data within the scope of subparagraph b.

b) In the event that the period stipulated in the legislation regarding the storage of the personal data in question expires or no period is stipulated in the relevant legislation regarding the storage of the data in question, respectively;

-	Fenomio classifies personal data as personal data and sensitive personal data based on the definition in Article 6 of the KVKK. All personal data that is found to be of a private nature is destroyed. The method to be applied in the destruction of the data in question is determined according to the nature of the data and the importance of its storage in the eyes of Fenomio.

-	The compliance of the storage of the data with the principles specified in Article 4 of the KVKK is questioned. Data whose storage is found to be contrary to the principles in Article 4 of the KVKK is deleted, destroyed or anonymized.

-	It is determined which of the exceptions stipulated in Articles 5 and 6 of the KVKK can be considered within the scope of the storage of data. Within the framework of the exceptions identified, reasonable periods for which the data should be stored are determined. If these periods expire, the data is deleted, destroyed or anonymized.

Personal data whose storage period has expired are destroyed in accordance with the procedures set out in this Policy in 6-month periods, within the framework of the "Storage and Destruction Periods" specified below in this Policy. Regarding the personal data being processed by Fenomio;

  • Retention periods on a per-data basis, for all personal data within the scope of the activities carried out under the processes, are in the Personal Data Processing Inventory,
  • Process-based retention periods are given below in this Policy:
PROCESS | DATA OWNER | RETENTION PERIOD | DISPOSAL TIME
Creating a Personnel File | Employee | 10 years following the termination of the Employment Contract | In the first periodic destruction period following the expiry of the storage period
In-Service Training Planning | Employee | 10 years following the termination of the employment contract | In the first periodic destruction period following the expiry of the storage period
Salary Payments | Employee | 10 years after leaving the job | In the first periodic destruction period following the expiry of the storage period
Resume of the employee candidate/intern candidate and information in the job application form | Employee-Intern Candidate | 6 months from the negative end of the application process | In the first periodic destruction period following the expiry of the storage period
Keeping Financial Records | Customers-Service Companies | 10 years from the end of the employment relationship | In the first periodic destruction period following the expiry of the storage period
Identity information, contact information, financial information, employee data of the cooperating institution/company regarding the execution of the commercial relationship between the cooperating institutions/companies (service providers) and Fenomio | Institutions/companies with which Fenomio cooperates (Service Providers) | It is kept for 10 years in accordance with Article 146 of the TCO and Article 82 of the TCC from the provision of each purchased service. | In the first periodic destruction period following the expiry of the storage period
Drafting contracts | Customers and Suppliers/Business Partners who benefit from Fenomio's products and services | 10 years following termination of the contract | In the first periodic destruction period following the expiry of the storage period
Execution of human resources processes | Employees | 10 years following the termination of activity | In the first periodic destruction period following the expiry of the storage period
For the security of the physical space, for the security of the premises of all natural persons and visitors and other natural persons with whom the Company has relations, camera recordings, voice recordings | Any natural person located at Fenomio | Stored for 3 months | In the first periodic destruction period
Information about the shareholders and members of the board of directors of the company | Fenomio Shareholders and Fenomio Board Members | 10 years following termination of the Business Relationship | In the first periodic destruction period following the expiry of the storage period
Responding to court/enforcement information requests related to the employee | Employees | 10 years from the termination of the employment relationship | In the first periodic destruction period following the expiry of the storage period
Log/Record Tracking Systems | Employees | 2 years | In the first periodic destruction period following the expiry of the storage period
Administrative reports on security such as due diligence report, incident report | All Real Persons Involved | 5 years from the date of initial registration | In the first periodic destruction period following the expiry of the storage period
Customer request-complaint information | Customer | 15 years from receipt of registration | In the first periodic destruction period following the expiry of the storage period
Documents related to general company decisions such as powers of attorney, signature circulars, general assembly resolutions, dismissals | Fenomio shareholders and Fenomio board members | 10 years from the date of initial registration | In the first periodic destruction period following the expiry of the storage period
Allocating vehicles to employees | Employees | 2 years from the date of delivery of the vehicle | In the first periodic destruction period following the expiry of the storage period
Occupational Health and Safety Practices | Employees | 15 years following the termination of the employment relationship | In the first periodic destruction period following the expiry of the storage period
Criminal Conviction and Security Measures | Employees | During the working period | In the first periodic destruction period following the expiry of the storage period

All transactions related to the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.

5. METHODS OF DESTRUCTION OF PERSONAL DATA
5.1. Techniques for Deletion of Personal Data

5.1.1. Deletion of Personal Data on Servers

For personal data on the servers whose required storage period has expired, the access authorization of the relevant users is removed and the deletion process is performed.

5.1.2. Deletion of Personal Data in Electronic Environment

Personal data in the electronic environment whose required storage period has expired is made inaccessible and unusable for employees (relevant users) in any way.

5.1.3. Deletion of Personal Data in the Physical Environment

For personal data kept in the physical environment whose required storage period has expired, the documents are made inaccessible and unusable for employees in any way. In addition, blackout is applied by scratching/painting/erasing in such a way that it cannot be read.

5.1.4. Deletion of Personal Data on Portable Media

Personal data kept in flash-based storage media whose required storage period has expired is encrypted by the system administrator; access authority is given only to the system administrator, and the data is stored in secure environments with encryption keys.

5.2. Techniques for Destruction of Personal Data

5.2.1. Destruction of Personal Data in the Physical Environment

Personal data in the paper environment whose required storage period has expired is irreversibly destroyed in paper shredding machines.

5.2.2. Destruction of Personal Data on Optical/Magnetic Media

Personal data in optical media and magnetic media is physically destroyed by methods such as melting, burning or pulverizing. In addition, the magnetic media is passed through a special device and exposed to a high value magnetic field, making the data on it unreadable.

5.3. Techniques for Anonymizing Personal Data

5.3.1. Personal data on servers, electronic media, physical media, portable media and optical/magnetic media is made unable to be associated with an identified or identifiable natural person in any way, even if the personal data is matched with other data. In this sense, Fenomio removes or changes all direct and/or indirect identifiers in a dataset, preventing the identification of the person concerned or making the data impossible to associate with that person. Accordingly, Fenomio makes use of one or more of the automatic or non-automatic grouping, masking, derivation, generalization and randomization methods applied to the records in the data recording system where personal data is kept, according to the relevant data. When applying these anonymization methods, characteristics of the dataset such as the nature and size of the data, the structure of its presence in the physical environment, its diversity, and the purposes of processing the data are taken into account. As a result of the application of these methods, it is impossible for the data obtained to identify a specific person.

6. PERIODIC DESTRUCTION TIME OF PERSONAL DATA

Pursuant to Article 11 of the Regulation, Fenomio has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out in June and December every year in the Institution.

7. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES IN THE STORAGE AND DESTRUCTION PROCESS OF PERSONAL DATA

All units and employees of Fenomio are responsible for the proper implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy, for the training and awareness of the unit employees, for monitoring and continuous supervision, and, in order to ensure data security in all environments where personal data is processed, for the processing of personal data in accordance with the law, the prevention of unlawful access to personal data and the lawful storage of personal data. They actively support the responsible units in taking technical and administrative measures. The details of the titles, duties and responsibilities of those involved in the storage and destruction processes of personal data are given below:

TITLE | UNIT | TASK
Manager | Personal Data Retention and Destruction Policy Officer | It is responsible for ensuring that the processes within its duty comply with the storage period and for the management of the personal data destruction process in accordance with the periodic destruction period, and for the preparation, execution, publication and updating of the Policy in the relevant environments and for the Employees to act in accordance with the Policy.
Deputy | Personal Data Retention and Destruction Policy Officer | Management of the personal data destruction process in accordance with the periodic destruction period by ensuring that the processes within the scope of its duty comply with the retention period
Purchasing Officer | Purchasing Department: Responsible for implementing personal data retention and destruction policy | Management of the personal data destruction process in accordance with the periodic destruction period by ensuring that the processes within the scope of its duty comply with the retention period
Information Technology Officer | Information Technologies Department: Responsible for implementing personal data retention and destruction policy | It is responsible for ensuring that the processes within its duty comply with the retention period, managing the personal data destruction process in accordance with the periodic destruction period, and providing the technical solutions needed in the implementation of the Policy.
Accounting Officer | Accounting Department: Responsible for implementing personal data retention and destruction policy | Management of the personal data destruction process in accordance with the periodic destruction period by ensuring that the processes within the scope of its duty comply with the retention period
Human Resources Officer | Human Resources: Responsible for implementing personal data retention and destruction policy | Management of the personal data destruction process in accordance with the periodic destruction period by ensuring that the processes within the scope of its duty comply with the retention period
Front Office Supervisor, Parking Attendant, Security Officer | Other Units | He is responsible for the execution of the Policy in accordance with his duties.
8. PUBLICATION AND STORAGE OF THE POLICY

This Policy is stored in two different media, wet signed (printed paper) and electronically, and is published by disclosing it to the public on the website. The printed paper copy is also kept in the file of the Board of Directors.

9. ENTRY INTO FORCE AND UPDATING OF THE POLICY

This policy contains information in accordance with the Law and other legislation on personal data and will enter into force on the date it is published on the www.fenomio.com website. This Policy may be updated from time to time due to changes in Fenomio personal data processing processes, legal changes or other reasons. Updates will be effective from the date of publication of the new Policy on the Website.

This Policy is published on the www.fenomio.com website and made available to the relevant persons.

10. REPEAL OF THE POLICY

In the event that it is decided to repeal this Policy, the old copies of the Policy with wet signatures are canceled and signed by the Fenomio Board of Directors (by stamping the cancellation or writing the cancellation) and kept by the Board of Directors for at least 3 years.