This Personal Data Retention and Destruction Policy (“Policy”) has been prepared by Çet Yapı Turizm A.Ş. (“Company”), in its capacity as data controller, to fulfill its obligations under the Personal Data Protection Law No. 6698 (“Law”) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which constitutes the secondary legislation of the Law. The Policy aims to inform data subjects about the principles for determining the maximum retention period required for the purpose of processing personal data, as well as the processes of deletion, destruction, and anonymization.
Definitions
Explicit Consent: Consent that is informed, specific, and freely given regarding a particular subject.
Relevant User: Persons who process personal data within the organization of the data controller or based on the authority and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of the data.
Destruction: The process of deletion, destruction, or anonymization of personal data.
Recording Medium: Any medium where personal data is processed fully or partially by automated means or by non-automated means provided that it is part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, retrieval, classification, or prevention of use, either by fully or partially automated means or by non-automated means provided that it is part of a data recording system.
Anonymization of Personal Data: Rendering personal data impossible to associate with an identified or identifiable natural person, even through matching with other data.
Deletion of Personal Data: Making personal data inaccessible and unusable for relevant users in any way.
Destruction of Personal Data: Making personal data inaccessible, irretrievable, and unusable by anyone in any way.
Board: The Personal Data Protection Board.
Periodic Destruction: The deletion, destruction, or anonymization of personal data, which is carried out ex officio at recurring intervals specified in the policy, in case the processing conditions of personal data no longer exist as per the Law.
Data Subject: The natural person whose personal data is processed.
Principles
The Company acts in accordance with the following principles when retaining and destroying personal data:
All activities regarding the deletion, destruction, and anonymization of personal data are carried out in full compliance with the Law, relevant legislation, decisions of the Board, and this Policy.
All transactions related to the deletion, destruction, and anonymization of personal data are recorded and these records are retained for at least 3 (three) years, excluding other legal obligations.
Unless otherwise decided by the Board, the appropriate method for deletion, destruction, or anonymization of personal data is selected by the Company. However, if the data subject so requests, the Company selects the appropriate method and explains the justification for its choice.
If all conditions for personal data processing specified in Articles 5 and 6 of the Law no longer apply, personal data shall be deleted, destroyed, or anonymized ex officio or upon the request of the data subject.
Requests received from data subjects are responded to within 30 (thirty) days.
If the data has been transferred to third parties, the relevant third parties will be notified and the Company will ensure that they take the necessary actions.
Reasons Requiring Retention and Destruction
Personal data of data subjects is retained by the Company within the scope of the Law and relevant legislation, particularly for:
Continuation of commercial activities
Fulfillment of legal obligations
Planning and execution of employee rights and benefits
Reasons for Retention:
Necessity for the establishment and execution of contracts
Requirement for the establishment, exercise, or protection of a right
Legitimate interests of the Company, provided that fundamental rights and freedoms of the individual are not harmed
Fulfillment of a legal obligation
Explicit provision of retention in legislation
Existence of the data subject’s explicit consent
In accordance with the Regulation, personal data shall be deleted, destroyed, or anonymized by the Company ex officio or upon request in the following cases:
Changes or repeal of legal provisions forming the basis for data processing or retention
Disappearance of the purpose requiring data processing or retention
Disappearance of the conditions stated in Articles 5 and 6 of the Law
Withdrawal of explicit consent by the data subject, when data processing is based solely on consent
Acceptance by the Company of the data subject’s request under Article 11 of the Law to delete, destroy, or anonymize data
Decision by the Board upon a complaint by the data subject if the Company rejects the request, provides insufficient response, or does not respond within the legal time limit
Expiry of the maximum retention period, without a legal reason for continued retention
Retention and Destruction Periods
The following criteria are used by the Company when determining the retention and destruction periods of personal data:
If legislation prescribes a specific retention period for the data, that period is followed. Once expired, the following process is applied.
If there is no legally specified period:
Data is classified as personal or sensitive based on Article 6 of the Law. Sensitive data is immediately destroyed using appropriate methods.
The necessity of data retention under Article 4 is evaluated. If retention is found to be contrary to that article, data is deleted, destroyed, or anonymized.
The applicability of exceptions in Articles 5 and 6 is determined. Reasonable retention periods are established accordingly. Upon their expiry, data is deleted, destroyed, or anonymized.
Details of the Company’s retention, destruction, and periodic destruction periods are provided in the annex of this Policy. Personal data exceeding the retention period is anonymized or destroyed every 6 (six) months in accordance with this Policy. All actions taken are recorded and retained for at least 3 (three) years, excluding other legal obligations.
Technical and Administrative Measures for Retention and Destruction
Collected personal data is processed into the Company’s data recording system to:
Fulfill legal obligations
Exercise or protect a right
Provide customer services and benefits
Fulfill financial and legal responsibilities
Ensure the security and legitimate interests of the Company
Digitally stored data is saved on the Company server.
Administrative Measures:
Access to stored personal data is limited to authorized personnel
Data breaches are promptly reported to data subjects and the Board
Data sharing is protected by agreements or contractual clauses
Employees receive training on personal data protection laws and data security
Internal audits are conducted and deficiencies addressed
Necessary security measures are taken against physical threats (fire, flood, theft, etc.)
Technical Measures:
Internal controls are implemented
IT risk assessments and impact analyses are carried out
Infrastructure is secured against data leaks
Penetration testing is performed regularly
Access to personal data is strictly managed
Irretrievable destruction of data is ensured
Data storage systems are encrypted or cryptographically protected
Access logs are securely recorded
Systems and software used to access sensitive data are tested regularly
Data transfers via email are encrypted; physical transfers use classified document protocols; server transfers use VPN or sFTP methods
Duties and Responsibilities of the Data Protection Committee
The Committee is responsible for communicating the Policy and ensuring its implementation. It follows legislative changes, Board decisions, and court rulings, ensuring departments are informed and processes updated as needed.
Policy Enforcement, Violations, and Sanctions
This Policy becomes binding upon communication to all employees and applies to all departments, consultants, service providers, and data processors.
Compliance is monitored by supervisors. Violations are reported to higher authorities.
Serious violations are reported to the Data Protection Committee.
Disciplinary action is taken by Human Resources for violations.
ANNEX 1 – Table of Retention and Destruction Periods
Process | Retention Period | Destruction Period
Employment records (e.g., performance files) | 5 years after termination | Within 180 days of expiry
Occupational health & safety data (e.g., medical reports) | 15 years after termination | Within 180 days of expiry
Records under Social Security Law | 10 years after termination | Within 180 days of expiry
Work accident/occupational illness documentation | 10 years after termination | Within 180 days of expiry
Other data required by legislation | As prescribed by law | Within 180 days of expiry
Data related to criminal offenses | For the duration of the statute of limitations | Within 180 days of expiry
Customer data | 10 years from recording | Within 180 days of expiry
If the Company’s purpose for data use has not yet expired, or if legal regulations or statutes of limitations require longer retention, those longer periods shall apply.