Data Storage, Anonymization and Destruction Policy

Data Storage, Anonymization and Destruction Policy

1. Purpose

The purpose of this procedure is to ensure that all printed and written content, information technology assets and peripherals used in the acquisition, processing and storage of information are destroyed in a secure manner and in accordance with the Law No. 6698 on the Protection of Personal Data when necessary.

2. Scope

The procedure covers all personal, commercial data records and business processes.

3. Definitions

Law: Refers to Law No. 6698 on the “Protection of Personal Data”.
Personal Data: Personal data refers to any information related to an identified or identifiable natural person. The identification or identifiability of a person refers to the association of existing data with a natural person in any way, making that person identifiable.
Blackout: Operations such as crossing out, painting and freezing all personal data in a way that cannot be associated with an identified or identifiable natural person,
Recording medium: Any medium containing personal data processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system,
Personal data storage and destruction policy: The policy that data controllers base on for the process of determining the maximum period required for the purpose for which personal data is processed and for the deletion, destruction and anonymization processes,
Masking: Operations such as deleting, crossing out, painting and starring certain areas of personal data in a way that cannot be associated with an identified or identifiable natural person,
Special Personal Data: Data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. Periodic destruction: It is the process of erasing, destroying or anonymizing personal data specified in the storage and destruction policy and carried out ex officio at recurring intervals in the event that all of the processing conditions of personal data specified in the law are eliminated.

4. References

Regulation on the Erasure, Destruction or Anonymization of Personal Data of Law No. 6698, No. 30224, dated 28.10.2018

5. Application

5.1. Destruction of Assets

If the purpose of processing personal data is eliminated, explicit consent is withdrawn, or all of the conditions for processing personal data specified in Articles 5 and 6 of the Law are eliminated, or if there is a situation where none of the exceptions in the aforementioned articles can be applied, the personal data whose processing conditions are eliminated shall be deleted, destroyed or anonymized by the relevant business unit, taking into account business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation (Articles on Deletion, Destruction or Anonymization of Personal Data), by explaining the reason for the method applied. However, in the event of a final court decision, the destruction method ruled by the court decision must be applied.

The information on any device with information recording feature shall be deleted against unauthorized access, and the disk and recording mechanism on the device shall be physically destroyed. The Media/Device Destruction Report shall be filled out and signed by the information systems operator. Date, device information, reason for destruction, etc. information is entered and the destruction process is recorded.

Methods of Deleting Data

a. Personal Data on Paper: It is deleted by destroying it with a paper shredder or, when necessary, by using the blackout method.

b. Office Files on the Central Server: It is deleted with the delete command in the operating system.

c. Data on Portable Media: It is deleted with the delete command in the operating system.

d. Databases: The relevant lines containing the data are deleted with database commands.

Methods of Destruction of Assets and Data

a. In Local Systems: It is destroyed using the appropriate methods of demagnetization, physical destruction, overwriting.

b. Peripheral Systems:
•    Network devices (switch, router, etc.): It is destroyed with the appropriate methods specified in item a.

•    Flash-based media: It is destroyed with the methods recommended by the relevant manufacturer or the methods specified in item a.
•    Magnetic tape: Destroyed by demagnetizing or by physical methods such as burning, melting.

•    SIM cards and fixed memory cards: Destroyed by appropriate methods specified in item a.

•    Optical disks: Destroyed by physical methods such as burning, breaking into small pieces, melting.

•    Peripherals with fixed data recording media: Destroyed by appropriate methods specified in item a.

c. Printed Media: Destroyed using paper shredders. Original paper format is scanned by electronic means