Data Storage, Anonymization and Destruction Policy

1. Purpose

The purpose of this procedure is to ensure that all printed and written content, information technology assets and peripherals used in the acquisition, processing and storage of information are destroyed in a safe manner and in accordance with the Law No. 6698 on the Protection of Personal Data when necessary.

2. Scope

The procedure covers all personal, commercial data records and business processes.

3. Definitions

Law: Refers to Law No. 6698 on the “Protection of Personal Data”.
Personal Data: Personal data refers to any information related to an identified or identifiable natural person. The identification or identifiability of a person refers to the association of existing data with a natural person in any way, making that person identifiable.
Blackout: Operations such as crossing out, painting and freezing all personal data in a way that cannot be associated with an identified or identifiable natural person.
Recording medium: Any medium containing personal data processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system.
Personal data storage and destruction policy: The policy on which data controllers base the process of determining the maximum period required for the purpose for which personal data is processed and the deletion, destruction and anonymization processes.
Masking: Operations such as deleting, crossing out, painting and starring certain areas of personal data in a way that cannot be associated with an identified or identifiable natural person.
Special Personal Data: Data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Periodic destruction: The process of erasing, destroying or anonymizing personal data, specified in the storage and destruction policy and carried out ex officio at recurring intervals in the event that all the processing conditions of personal data specified in the law are eliminated.

4. References

Regulation on the Erasure, Destruction or Anonymization of Personal Data of Law No. 6698, No. 30224, dated 28.10.2018

5. Application

5.1. Destruction of Assets

If the purpose of processing personal data is eliminated, explicit consent is withdrawn or all of the conditions for processing personal data specified in Articles 5 and 6 of the Law are eliminated or if there is a situation where none of the exceptions in the aforementioned articles can be applied, the personal data whose processing conditions are eliminated are deleted, destroyed or anonymized by the relevant business unit, taking into account business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation (Articles on Deletion, Destruction or Anonymization of Personal Data), by explaining the reason for the method applied. However, in the event of a final court decision, the destruction method ruled by the court decision must be applied.

The information on any device with an information recording feature is deleted to protect against unauthorized access, and the disk and recording mechanism on the device are physically destroyed. The Media/Device Destruction Report is filled out and signed by the information systems operator. The date, device information, reason for destruction and similar details are entered, and the destruction process is recorded.

Methods of Deleting Data

a. Personal Data on Paper: It is deleted by destroying it with a paper shredder or, when necessary, by using the blackout method.

b. Office Files on the Central Server: It is deleted with the delete command in the operating system.

c. Data on Portable Media: It is deleted with the delete command in the operating system.

d. Databases: The relevant lines containing the data are deleted with database commands.

Methods of Destruction of Assets and Data

a. In Local Systems: It is destroyed using the appropriate methods of demagnetization, physical destruction, overwriting.

b. Peripheral Systems:
•    Network devices (switch, router, etc.): Destroyed by the appropriate methods specified in item a.
•    Flash-based media: Destroyed by the methods recommended by the relevant manufacturer or the methods specified in item a.
•    Magnetic tape: Destroyed by demagnetizing or by physical methods such as burning, melting.
•    SIM Card and fixed memory cards: Destroyed by appropriate methods specified in item a.
•    Optical disks: Destroyed by physical methods such as burning, breaking into small pieces, melting.
•    Peripherals with fixed data recording medium: Destroyed by appropriate methods specified in item a.

c. Printed Media: Destroyed using paper shredders. Personal data whose original paper format has been scanned and transferred to the electronic environment are destroyed with appropriate methods according to the environment they are in.

Methods for Anonymizing Personal Data:

In the stage of anonymizing personal data, the appropriate method of anonymizing personal data shown in the Personal Data Deletion, Destruction or Anonymization Guide published by the Personal Data Protection Authority is used.

As a result of periodic reviews or when it is determined that the data processing conditions have been eliminated at any time, the relevant user or data owner will decide to delete, destroy or anonymize the relevant personal data from the recording environment in its own organization in accordance with this policy. In cases of hesitation, the relevant data owner business unit will be consulted and the action will be taken.

In the destruction of data, the regulation stating the storage periods published by the General Directorate of State Archives is taken into consideration. Data whose destruction is not harmful is destroyed after the periods for which it should be kept in the unit archive, Institution archive or State Archives have expired.

5.1.1. Destruction of Multi-Stakeholder Data

When a decision needs to be made regarding the destruction of personal data with multi-stakeholder data ownership in Central Information Systems, the opinion of the Data Controller Representative is obtained and a decision is made regarding the storage, deletion, destruction or anonymization of the data in question in accordance with this policy.

5.1.2. Destruction of Personal Data Upon Request by the Data Owner

When the natural person who is the owner of the personal data applies to the University with the “Personal Data Owner Application Form” pursuant to Article 13 of the Law and requests the deletion, destruction or anonymization of his/her personal data, the application will be finalized within thirty days at the latest from the date of application. Requests for the deletion or destruction of personal data will only be evaluated provided that the identity of the relevant person has been determined. The personal data owner who applies is informed through the methods specified in the application form. If the processing conditions have not been removed due to legal requirements, the data owner is informed that the personal data subject to the request cannot be deleted. The unit where the relevant data is processed examines whether all the conditions for processing personal data have been removed. If all processing conditions have been eliminated, it shall delete, destroy or anonymize the personal data subject to the request within three months at the latest. If all processing conditions for personal data have been eliminated and the personal data subject to the request has been transferred to third parties, the unit where the relevant data is processed shall immediately notify the third party to whom the transfer was made and ensure that the necessary procedures are carried out within the scope of the Regulation with the third party.

5.2. Periodic Review of Personal Data

All users and data owner units that process or store personal data shall review whether the conditions related to processing have been eliminated on the data recording media they use within six-month periods at the latest. Upon the application of the personal data owner or upon the notification of a court, the relevant users and units shall conduct this review on the data recording media they use regardless of the period of periodic inspection. All transactions related to the deletion, destruction or anonymization of personal data shall be recorded and the records in question shall be stored for at least three years, excluding other legal obligations.

In the deletion, destruction or anonymization of personal data, the general principles in Article 4 (Processing of Personal Data) of the law and the technical and administrative measures to be taken within the scope of Article 12 (Obligations Regarding Data Security), relevant legislative provisions, Board decisions and court decisions are complied with.

5.3. Storage of Personal Data

The processing periods of personal data are specified in the “Personal Data Processing Inventory”.

In periodic destruction or destruction processes to be carried out upon request, the storage and destruction periods in question will be taken into account. Storage and destruction processes may vary upon the request of the data owner, unless there is a legal obligation.

In order to ensure personal data security, physical security measures have been taken such as keeping devices such as paper documents, CDs, DVDs and USBs containing personal data under lock and key when not in use, allowing access only to authorized personnel and monitoring entrances and exits with cameras. Servers containing personal data kept in digital media are stored in the University system room with the necessary security measures taken.

The administrative and technical measures taken to ensure the security of personal data are detailed in the Personal Data Protection and Processing Policy.

6. Control

The documents are revised as needed and are checked periodically, once a year.
