Personal Data Protection Law

Goal
This Personal Data Storage and Destruction Policy has been prepared to determine the procedures and principles for the storage and destruction activities carried out at Aydoğan Örme. In line with the mission, vision and basic principles determined in the Strategic Plan, Aydoğan Örme has made it a priority that the personal data of institution employees, employee candidates, service providers, visitors and other third parties are processed in accordance with the Constitution, international conventions, Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation, and that the relevant persons can exercise their rights effectively. Work and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by Aydoğan Örme.

Scope
Personal data of Aydoğan Örme employees, employee candidates, service providers, visitors and other third parties are within the scope of this Policy and this Policy is applied to all recording environments and activities related to personal data processing owned by Aydoğan Örme or managed by Aydoğan Örme.

Responsible
All units and employees of Aydoğan Örme actively support the responsible units in the proper implementation of the technical and administrative measures taken under the Policy, in the training and awareness of unit employees, in monitoring and continuous auditing, and in taking technical and administrative measures to ensure data security in all environments where personal data are processed, so that unlawful processing of personal data and unlawful access to personal data are prevented and the data is stored lawfully. The titles, units and job descriptions of those involved in the storage and disposal processes of personal data are given in the GPRO / 002 Records Control Procedure.
All managers and employees in Aydoğan Örme are responsible for the implementation of this policy.

Definitions
Recipient Group: The category of natural or legal persons to whom personal data are transferred by the data controller.
Explicit Consent: Consent that is based on information and expressed with free will regarding a specific subject.
Anonymization: Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.
Employee: Aydoğan Örme Personal Data Protection Staff
Electronic Media: Media where personal data can be created, read, changed and written by electronic devices.
Non-Electronic Media: All other media, such as written, printed and visual media.
Service Provider: Real or legal person providing services within the framework of a specific contract with Protection of Personal Data.
Relevant Person: The real person whose personal data is processed.
Relevant User: Except for the person or unit responsible for the technical storage, protection and backup of the data, the persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller.
Destruction: Deletion, destruction or anonymization of personal data.
Law: Personal Data Protection Law No. 6698.
Recording Media: Any medium containing personal data that is processed fully or partially by automatic means, or by non-automatic means provided that it is part of any data recording system.
Personal Data: All kinds of information regarding an identified or identifiable natural person.
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the personal data processing purposes and legal reason, the data category, the recipient group to which data are transferred and the data subject group, and in which they explain the maximum retention period required for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, fully or partially by automatic means, or by non-automatic means provided that it is part of any data recording system.
Board: Personal Data Protection Board
Special Categories of Personal Data: Data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Periodic Destruction: The process of deletion, destruction or anonymization specified in the personal data storage and disposal policy and to be carried out ex officio at repetitive intervals in the event that all the conditions for processing personal data included in the Law are eliminated.
Policy: Personal Data Retention and Destruction Policy
Data Processor: Real or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
Data Recording System: A recording system in which personal data are structured and processed according to certain criteria.
Data Controller: Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System: The information system that data controllers will use in application to the Registry and in other related transactions, accessible over the internet, created and managed by the Presidency.
VERBİS: Data Controllers Registry Information System
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017

Application

Personal data are securely stored by Aydoğan Örme, as described in the table listed below and specified in the GPRO / 002 Documented Information Recording Procedure, in accordance with the law.
Personal data storage media

Electronic Media
  • Servers (domain, backup, e-mail, database, web, file sharing, etc.)
  • Software (office software, portal, EDMS, VERBİS)
  • Information security devices (firewall, intrusion detection and blocking, log file, antivirus, etc.)
  • Personal computers (desktop, laptop)
  • Mobile devices (phone, tablet, etc.)
  • Optical discs (CD, DVD, etc.)
  • Removable memory (USB, memory card, etc.)
  • Printer, scanner, copier

Non-Electronic Media
  • Paper
  • Manual data recording systems (survey forms, visitor logbook)
  • Written, printed, visual media

Personal data belonging to employees, employee candidates, visitors and the employees of third parties, institutions or organizations with which Aydoğan Örme deals as service providers are stored and destroyed by Aydoğan Örme in accordance with the Law. In this context, detailed explanations regarding storage and disposal are given below.

  • Explanations Regarding Storage: Article 3 of the Law defines the concept of processing personal data; Article 4 states that processed personal data must be relevant, limited and proportionate to the purpose for which they are processed, and must be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed; Articles 5 and 6 list the conditions for processing personal data. Accordingly, within the framework of our company’s activities, personal data are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.
  • Legal Reasons Requiring Storage: In our company, personal data processed within the framework of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data are kept for the storage periods stipulated in the following legislation and in the other secondary regulations in force pursuant to these laws:
  • Law No. 6698 on the Protection of Personal Data,
  • Turkish Code of Obligations No. 6098,
  • Public Procurement Law No. 4734,
  • Social Insurance and General Health Insurance Law No. 5510,
  • Law No. 5651 on Regulating Broadcasts Made on the Internet and Combating Crimes Committed Through These Publications,
  • Public Financial Management Law No. 5018,
  • Occupational Health and Safety Law No. 6331,
  • Law No. 4982 on Obtaining Information,
  • Labor Law No. 4857,
  • Retirement Health Law No. 5434,
  • Social Services Law No. 2828,
  • Regulation on Health and Safety Measures to be Taken in Workplace Building and Extensions,
  • Regulation on Archive Services.

  • Processing Purposes Requiring Storage: Our company stores the personal data processed within the framework of its activities for the following purposes:
  • To carry out human resources processes.
  • To provide corporate communication.
  • To ensure the safety of Aydoğan Örme.
  • To be able to do statistical studies.
  • To be able to execute work and transactions as a result of contracts and protocols signed.
  • Within the scope of VERBİS, to determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, to organize the services provided accordingly and to update them if necessary.
  • To ensure the fulfillment of legal obligations as required by legal regulations.
  • To contact real / legal persons who have business relations with our company.

Personal data are deleted, destroyed or anonymized by Aydoğan Örme at the request of the person concerned, or ex officio, in the following cases:

  • The provisions of the relevant legislation that form the basis of the processing are amended or abolished.
  • The purpose requiring processing or storage no longer exists.
  • Where the processing of personal data takes place only on the condition of explicit consent, the person concerned withdraws his explicit consent.
  • The application made by the person concerned, within the framework of his rights under Article 11 of the Law, for the deletion and destruction of his personal data is accepted by Aydoğan Örme.
  • Aydoğan Örme rejects the application made by the person concerned requesting the deletion, destruction or anonymization of his personal data, gives an answer that the person finds insufficient, or does not respond within the period stipulated in the Law, and the person complains to the Board and the Board approves this request.
  • The maximum period requiring the storage of personal data has passed and there is no condition that justifies storing the personal data for a longer period.

In accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, Aydoğan Örme takes technical and administrative measures, within the framework of the adequate measures determined and announced by the Board for special categories of personal data, in order to keep personal data securely, to prevent unlawful processing and access, and to destroy personal data in accordance with the law.

1-Technical Measures

Technical measures taken by Aydoğan Örme regarding the personal data it processes are listed below:

  • Penetration tests are used to reveal risks, threats, vulnerabilities and gaps, if any, in Aydoğan Örme information systems, and the necessary measures are taken.
  • Risks and threats that could affect the continuity of information systems are constantly monitored through real-time analysis with information security event management.
  • Access to information systems and authorization of users are managed through an access and authorization matrix and security policies over the corporate Active Directory.
  • The necessary measures are taken for the physical security of Aydoğan Örme information systems equipment, software and data.
  • In order to ensure the security of information systems against environmental threats, hardware measures (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software measures (firewalls, attack prevention systems, network access control, systems that prevent malicious software, etc.) are taken.
  • Risks are determined to prevent unlawful processing of personal data, technical measures are taken in accordance with these risks and technical controls are carried out for the measures taken.
  • In our company Aydoğan Örme, access to personal data is reported and analyzed by creating access policies / procedures.
  • Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control.
  • Aydoğan Örme takes the necessary precautions to ensure that deleted personal data are inaccessible and unavailable for the relevant users; this is described in a broader scope in the GPRO / 002 Records Control Procedure.
  • Security vulnerabilities are followed, appropriate security patches are installed and information systems are kept up-to-date.
  • Strong passwords are used in electronic environments where personal data are processed.
  • Secure record keeping (logging) systems are used in electronic environments where personal data are processed.
  • Data backup programs are used to keep personal data safe.
  • Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
  • Access to the Aydoğan Örme web page is encrypted over the secure protocol (HTTPS) with the SHA 256 Bit RSA algorithm.
  • A separate policy / procedure has been determined for the security of special categories of personal data.
  • Employees involved in processing special categories of personal data have been given training on the security of such data, confidentiality agreements have been made, and the authorizations of users with access to the data have been defined.
  • Electronic environments where special categories of personal data are processed, stored and / or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, and the necessary security tests are carried out regularly and the test results are recorded.
  • Adequate security measures are taken in the physical environments where special categories of personal data are processed, stored and / or accessed, and unauthorized entries and exits are prevented by ensuring physical security.
  • If special categories of personal data need to be transferred via e-mail, they are transmitted encrypted using a corporate e-mail address or a REP account. If they need to be transferred via media such as portable memory, CD or DVD, they are encrypted with cryptographic methods and the cryptographic key is kept in a different environment. If the transfer is made between servers in different physical environments, the data is transferred between the servers by setting up a VPN or using the sFTP method. If they need to be transferred on paper, the necessary measures are taken against risks such as theft, loss or being seen by unauthorized persons, and the document is sent in “confidential” format.

  • Administrative Measures

Administrative measures taken by Aydoğan Örme regarding the personal data it processes are listed below:

  • In order to improve the qualifications of employees, training is provided on the prevention of unlawful processing of personal data, prevention of unlawful access to personal data, protection of personal data, communication techniques, technical knowledge and skills, the Law and other relevant legislation.
  • Confidentiality agreements are signed by employees regarding the activities carried out by Aydoğan Örme.
  • A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
  • Before starting to process personal data, Aydoğan Örme fulfills the obligation to inform the relevant persons.
  • Periodic and random inspections are made within Aydoğan Örme.
  • Information security training is provided for employees.

At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data are destroyed by Aydoğan Örme, either on its own initiative or upon the application of the relevant person, using the following techniques and as described in the Destruction item in the GPRO / 002 Records Control Procedure.

  • Deletion of Personal Data

Personal Data on Servers: For personal data on the servers whose required storage period has expired, the system administrator removes the access authority of the relevant users and deletes the data.

Personal Data in Electronic Environment: Personal data in electronic environment whose storage period has expired are made inaccessible and unavailable in any way for other employees (relevant users) except the database administrator.

Personal Data in the Physical Environment: Personal data kept in a physical environment whose required storage period has expired are made inaccessible and unavailable in any way to anyone except the department manager responsible for the document archive. In addition, blackening is applied by scratching / painting / wiping the data so that they become illegible.

Personal Data on Portable Media: Personal data kept in Flash-based storage media whose required storage period has expired are encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization given only to the system administrator.

  • Destruction of Personal Data

Personal Data in Physical Environment: Personal data in paper media whose required storage period has expired are irreversibly destroyed in paper shredding machines.

Personal Data on Optical / Magnetic Media: Physical destruction, such as melting, burning or pulverizing, is applied to personal data on optical and magnetic media whose storage period has expired. In addition, magnetic media are passed through a special device and exposed to a high magnetic field, making the data on them unreadable.

  • Anonymizing Personal Data

The anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person in any way, even if they are matched with other data. In order for personal data to be anonymized, they must be rendered unrelated to an identified or identifiable natural person even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the data by the data controller or third parties and / or matching the data with other data.

Regarding the personal data being processed by Aydoğan Örme within the scope of its activities;

Storage periods based on personal data related to all personal data within the scope of activities carried out depending on processes

For personal data whose retention periods have expired, ex officio deletion, destruction or anonymization is carried out as described in the article on Destruction in the GPRO / 002 Records Control Procedure.

Sanction

Disciplinary Procedure provisions are applied to all personnel who do not work in accordance with this policy.

COMPANY MANAGER MUSTAFA AYDOĞAN (19/12/2019 - R: 00)