{"id":1673,"date":"2025-04-17T12:14:37","date_gmt":"2025-04-17T09:14:37","guid":{"rendered":"http:\/\/localhost\/cet-yapi\/kisisel-veri-saklama-ve-imha-politikasi\/"},"modified":"2025-04-18T01:08:59","modified_gmt":"2025-04-17T22:08:59","slug":"personal-data-retention-and-destruction-policy","status":"publish","type":"page","link":"https:\/\/www.cetyapi.com.tr\/en\/personal-data-retention-and-destruction-policy\/","title":{"rendered":"Personal Data Retention and Destruction Policy"},"content":{"rendered":"\n<p>This Personal Data Retention and Destruction Policy (\u201cPolicy\u201d) has been prepared by \u00c7et Yap\u0131 Turizm A.\u015e. (\u201cCompany\u201d), in its capacity as data controller, to fulfill its obligations under the Personal Data Protection Law No. 6698 (\u201cLaw\u201d) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (\u201cRegulation\u201d), which constitutes the secondary legislation of the Law. The Policy aims to inform data subjects about the principles for determining the maximum retention period required for the purpose of processing personal data, as well as the processes of deletion, destruction, and anonymization.<\/p>\n\n\n\n<p><strong>Definitions<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Explicit Consent:<\/strong> Consent that is informed, specific, and freely given regarding a particular subject.<\/li>\n\n\n\n<li><strong>Relevant User:<\/strong> Persons who process personal data within the organization of the data controller or based on the authority and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of the data.<\/li>\n\n\n\n<li><strong>Destruction:<\/strong> The process of deletion, destruction, or anonymization of personal data.<\/li>\n\n\n\n<li><strong>Recording Medium:<\/strong> Any medium where personal data is processed fully or partially by automated means or by non-automated means provided that it is part of a data recording system.<\/li>\n\n\n\n<li><strong>Personal Data:<\/strong> Any information relating to an identified or identifiable natural person.<\/li>\n\n\n\n<li><strong>Processing of Personal Data:<\/strong> Any operation performed on personal data such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, retrieval, classification, or prevention of use, either by fully or partially automated means or by non-automated means provided that it is part of a data recording system.<\/li>\n\n\n\n<li><strong>Anonymization of Personal Data:<\/strong> Rendering personal data impossible to associate with an identified or identifiable natural person, even through matching with other data.<\/li>\n\n\n\n<li><strong>Deletion of Personal Data:<\/strong> Making personal data inaccessible and unusable for relevant users in any way.<\/li>\n\n\n\n<li><strong>Destruction of Personal Data:<\/strong> Making personal data inaccessible, irretrievable, and unusable by anyone in any way.<\/li>\n\n\n\n<li><strong>Board:<\/strong> The Personal Data Protection Board.<\/li>\n\n\n\n<li><strong>Periodic Destruction:<\/strong> The deletion, destruction, or anonymization of personal data, which is carried out ex officio at recurring intervals specified in the policy, in case the processing conditions of personal data no longer exist as per the Law.<\/li>\n\n\n\n<li><strong>Data Subject:<\/strong> The natural person whose personal data is processed.<\/li>\n<\/ul>\n\n\n\n<p><strong>Principles<\/strong><\/p>\n\n\n\n<p>The Company acts in accordance with the following principles when retaining and destroying personal data:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All activities regarding the deletion, destruction, and anonymization of personal data are carried out in full compliance with the Law, relevant legislation, decisions of the Board, and this Policy.<\/li>\n\n\n\n<li>All transactions related to the deletion, destruction, and anonymization of personal data are recorded and these records are retained for at least 3 (three) years, excluding other legal obligations.<\/li>\n\n\n\n<li>Unless otherwise decided by the Board, the appropriate method for deletion, destruction, or anonymization of personal data is selected by the Company. However, if requested by the data subject, the appropriate method will be chosen by providing justification.<\/li>\n\n\n\n<li>If all conditions for personal data processing specified in Articles 5 and 6 of the Law no longer apply, personal data shall be deleted, destroyed, or anonymized ex officio or upon the request of the data subject.\n<ul class=\"wp-block-list\">\n<li>Requests received from data subjects are responded to within 30 (thirty) days.<\/li>\n\n\n\n<li>If the data has been transferred to third parties, the relevant third parties will be notified and the necessary actions will be ensured on their end.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Reasons Requiring Retention and Destruction<\/strong><\/p>\n\n\n\n<p>Personal data of data subjects is retained by the Company within the scope of the Law and relevant legislation, particularly for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Continuation of commercial activities<\/li>\n\n\n\n<li>Fulfillment of legal obligations<\/li>\n\n\n\n<li>Planning and execution of employee rights and benefits<\/li>\n<\/ul>\n\n\n\n<p><strong>Reasons for Retention:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Necessity for the establishment and execution of contracts<\/li>\n\n\n\n<li>Requirement for the establishment, exercise, or protection of a right<\/li>\n\n\n\n<li>Legitimate interests of the Company, provided that fundamental rights and freedoms of the individual are not harmed<\/li>\n\n\n\n<li>Fulfillment of a legal obligation<\/li>\n\n\n\n<li>Explicit provision of retention in legislation<\/li>\n\n\n\n<li>Existence of the data subject\u2019s explicit consent<\/li>\n<\/ul>\n\n\n\n<p><strong>In accordance with the Regulation, personal data shall be deleted, destroyed, or anonymized by the Company ex officio or upon request in the following cases:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Changes or repeal of legal provisions forming the basis for data processing or retention<\/li>\n\n\n\n<li>Disappearance of the purpose requiring data processing or retention<\/li>\n\n\n\n<li>Disappearance of the conditions stated in Articles 5 and 6 of the Law<\/li>\n\n\n\n<li>Withdrawal of explicit consent by the data subject, when data processing is based solely on consent<\/li>\n\n\n\n<li>Acceptance by the Company of the data subject\u2019s request under Article 11 of the Law to delete, destroy, or anonymize data<\/li>\n\n\n\n<li>Decision by the Board upon a complaint by the data subject if the Company rejects the request, provides insufficient response, or does not respond within the legal time limit<\/li>\n\n\n\n<li>Expiry of the maximum retention period, without a legal reason for continued retention<\/li>\n<\/ul>\n\n\n\n<p><strong>Retention and Destruction Periods<\/strong><\/p>\n\n\n\n<p>The following criteria are used by the Company when determining the retention and destruction periods of personal data:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If legislation prescribes a specific retention period for the data, that period is followed. Once expired, the following process is applied.<\/li>\n\n\n\n<li>If there is no legally specified period:\n<ul class=\"wp-block-list\">\n<li>Data is classified as personal or sensitive based on Article 6 of the Law. Sensitive data is immediately destroyed using appropriate methods.<\/li>\n\n\n\n<li>The necessity of data retention under Article 4 is evaluated. If found to be contrary, data is deleted, destroyed, or anonymized.<\/li>\n\n\n\n<li>The applicability of exceptions in Articles 5 and 6 is determined. Reasonable retention periods are established accordingly. Upon their expiry, data is deleted, destroyed, or anonymized.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Details of the Company\u2019s retention, destruction, and periodic destruction periods are provided in the annex of this Policy. Personal data exceeding the retention period is anonymized or destroyed every 6 (six) months in accordance with this Policy. All actions taken are recorded and retained for at least 3 (three) years, excluding other legal obligations.<\/p>\n\n\n\n<p><strong>Technical and Administrative Measures for Retention and Destruction<\/strong><\/p>\n\n\n\n<p>Collected personal data is processed into the Company\u2019s data recording system to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fulfill legal obligations<\/li>\n\n\n\n<li>Exercise or protect a right<\/li>\n\n\n\n<li>Provide customer services and benefits<\/li>\n\n\n\n<li>Fulfill financial and legal responsibilities<\/li>\n\n\n\n<li>Ensure the security and legitimate interests of the Company<\/li>\n<\/ul>\n\n\n\n<p>Digitally stored data is saved on the Company server.<\/p>\n\n\n\n<p><strong>Administrative Measures:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access to stored personal data is limited to authorized personnel<\/li>\n\n\n\n<li>Data breaches are promptly reported to data subjects and the Board<\/li>\n\n\n\n<li>Data sharing is protected by agreements or contractual clauses<\/li>\n\n\n\n<li>Employees receive training on personal data protection laws and data security<\/li>\n\n\n\n<li>Internal audits are conducted and deficiencies addressed<\/li>\n\n\n\n<li>Necessary security measures are taken against physical threats (fire, flood, theft, etc.)<\/li>\n<\/ul>\n\n\n\n<p><strong>Technical Measures:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Internal controls are implemented<\/li>\n\n\n\n<li>IT risk assessments and impact analyses are carried out<\/li>\n\n\n\n<li>Infrastructure is secured against data leaks<\/li>\n\n\n\n<li>Penetration testing is performed regularly<\/li>\n\n\n\n<li>Access to personal data is strictly managed<\/li>\n\n\n\n<li>Irretrievable destruction of data is ensured<\/li>\n\n\n\n<li>Data storage systems are encrypted or cryptographically protected<\/li>\n\n\n\n<li>Access logs are securely recorded<\/li>\n\n\n\n<li>Systems and software used to access sensitive data are tested regularly<\/li>\n\n\n\n<li>Data transfers via email are encrypted; physical transfers use classified document protocols; server transfers use VPN or sFTP methods<\/li>\n<\/ul>\n\n\n\n<p><strong>Duties and Responsibilities of the Data Protection Committee<\/strong><\/p>\n\n\n\n<p>The Committee is responsible for communicating the Policy and ensuring its implementation. It follows legislative changes, Board decisions, and court rulings, ensuring departments are informed and processes updated as needed.<\/p>\n\n\n\n<p><strong>Policy Enforcement, Violations, and Sanctions<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This Policy becomes binding upon communication to all employees and applies to all departments, consultants, service providers, and data processors.<\/li>\n\n\n\n<li>Compliance is monitored by supervisors. Violations are reported to higher authorities.<\/li>\n\n\n\n<li>Serious violations are reported to the Data Protection Committee.<\/li>\n\n\n\n<li>Disciplinary action is taken by Human Resources for violations.<\/li>\n<\/ul>\n\n\n\n<p><strong>ANNEX 1 \u2013 Table of Retention and Destruction Periods<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Process<\/strong><\/th><th><strong>Retention Period<\/strong><\/th><th><strong>Destruction Period<\/strong><\/th><\/tr><\/thead><tbody><tr><td>Employment records (e.g., performance files)<\/td><td>5 years after termination<\/td><td>Within 180 days of expiry<\/td><\/tr><tr><td>Occupational health &amp; safety data (e.g., medical reports)<\/td><td>15 years after termination<\/td><td>Within 180 days of expiry<\/td><\/tr><tr><td>Records under Social Security Law<\/td><td>10 years after termination<\/td><td>Within 180 days of expiry<\/td><\/tr><tr><td>Work accident\/occupational illness documentation<\/td><td>10 years after termination<\/td><td>Within 180 days of expiry<\/td><\/tr><tr><td>Other data required by legislation<\/td><td>As prescribed by law<\/td><td>Within 180 days of expiry<\/td><\/tr><tr><td>Data related to criminal offenses<\/td><td>For statute of limitations<\/td><td>Within 180 days of expiry<\/td><\/tr><tr><td>Customer data<\/td><td>10 years from recording<\/td><td>Within 180 days of expiry<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>If the Company&#8217;s purpose for data use has not yet expired, or if legal regulations or statutes of limitations require longer retention, those longer periods shall apply.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This Personal Data Retention and Destruction Policy (\u201cPolicy\u201d) has been prepared by \u00c7et Yap\u0131 Turizm A.\u015e. (\u201cCompany\u201d), in its capacity as data controller, to fulfill its obligations under the Personal Data Protection Law No. 6698 (\u201cLaw\u201d) and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (\u201cRegulation\u201d), which constitutes the secondary legislation of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1673","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.cetyapi.com.tr\/en\/wp-json\/wp\/v2\/pages\/1673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cetyapi.com.tr\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.cetyapi.com.tr\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.cetyapi.com.tr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cetyapi.com.tr\/en\/wp-json\/wp\/v2\/comments?post=1673"}],"version-history":[{"count":2,"href":"https:\/\/www.cetyapi.com.tr\/en\/wp-json\/wp\/v2\/pages\/1673\/revisions"}],"predecessor-version":[{"id":1676,"href":"https:\/\/www.cetyapi.com.tr\/en\/wp-json\/wp\/v2\/pages\/1673\/revisions\/1676"}],"wp:attachment":[{"href":"https:\/\/www.cetyapi.com.tr\/en\/wp-json\/wp\/v2\/media?parent=1673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}