1. OBJECTIVE OF THE DESTRUCTION POLICY
The purpose of this Destruction Policy (Policy) is to demonstrate the procedures for the deletion, destruction, or anonymization of personal data by Internet Textile Industry and Trade Anonymous Company (Grimelange) in accordance with the Personal Data Protection Law numbered 6698 (Law) and the Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated 28/10/2017, when the conditions for processing personal data, as specified in Articles 4, 5, and 6 of the Law, cease to exist, either ex officio by Grimelange or upon the request of the data subject.
Explicit Consent
Refers to consent expressed based on information and freely given will concerning a specific subject matter.
Related User
Individuals processing personal data within the data controller organization or based on the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of data.
Destruction
Deletion, destruction, or anonymization of personal data.
Record Environment
Any environment containing personal data processed wholly or partly by automatic means or by non-automatic means forming part of a data recording system.
Personal Data
Any kind of information related to a identified or identifiable natural person.
Personal Data Policy
Refers to the Personal Data Protection and Privacy Policy prepared by Grimelange.
Processing of Personal Data
Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of data through wholly or partly automatic means or non-automatic means forming part of a data recording system.
Anonymization of Personal Data
Rendering personal data such that it cannot be associated with a specific or identifiable natural person under any circumstances, even if matched with other data.
Deletion of Personal Data
Deletion of personal data means making personal data inaccessible and unusable for Related Users in any way.
Destruction of Personal Data
Destruction of personal data means making personal data inaccessible, irretrievable, and unusable by anyone in any way.
Board
Personal Data Protection Board
Special Categories of Personal Data
Refers to data related to individuals' race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade-unions, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
Periodic Destruction
Deletion, destruction, or anonymization of personal data to be carried out periodically in accordance with the data storage and destruction policy in the event that all the conditions for processing personal data specified in the Law cease to exist.
Data Owner/Related Person
A real person whose personal data is processed.
Data Controller
A real or legal person determining the purposes and means of processing personal data and responsible for the establishment and management of the data recording system.
Regulation
Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette on October 28, 2017
3. RECORD ENVIRONMENTS WHERE PERSONAL DATA ARE STORED
Personal data belonging to data owners are securely stored by Grimelange in the following listed environments, primarily in compliance with the relevant legislation, including the provisions of the Law:
Electronic environments:
• CRM
• MS SQL Server
• Email Box
• Microsoft Office Programs
• Image Recording Devices
Physical environments:
• Unit Cabinets
• Folders
• Archive
4. EXPLANATIONS OF REASONS REQUIRING STORAGE AND DESTRUCTION
Personal data of data owners, particularly by Grimelange, is stored securely in the physical and electronic environments listed above, primarily for the following reasons:
a. To sustain educational and commercial activities,
b. To fulfill legal obligations,
c. To plan and execute employee rights and benefits,
d. To manage customer relations within the limits specified by the Law and other relevant legislation.
Reasons requiring storage are as follows:
a. Directly related to the establishment and execution of contracts,
b. Establishment, use, or protection of a right,
c. In accordance with Grimelange's legitimate interests, provided they do not harm the fundamental rights and freedoms of individuals,
d. Fulfillment of any legal obligations of Grimelange,
e. Explicit provision in the legislation for the storage of personal data,
f. Existence of explicit consent of data owners for storage activities requiring explicit consent.
In accordance with the Regulation, personal data of data owners are deleted, destroyed, or anonymized by Grimelange ex officio or upon request under the following circumstances:
a. Amendment or annulment of the relevant legislation constituting the basis for the processing or storage of personal data,
b. Cessation of the purpose requiring
the processing or storage of personal data,
c. Elimination of the causes of illegitimate processing or storage of personal data,
d. Expiration of the maximum storage period stipulated by Grimelange or in the relevant legislation,
e. As per the Regulation, personal data belonging to data owners is deleted, destroyed, or anonymized by Grimelange ex officio or upon request under the following circumstances:
f. Cessation of the purpose requiring the processing or storage of personal data,
g. Consent of the data owner to be deleted, destroyed, or anonymized,
h. Expiration of the maximum storage period stipulated by Grimelange or in the relevant legislation,
i. If the processed data is not in compliance with the relevant legislation and the Board's decisions,
j. If the conditions for processing personal data, specified in Articles 4, 5, and 6 of the Law, cease to exist, either ex officio by Grimelange or upon the request of the data subject.
The deletion, destruction, or anonymization process may be carried out by Grimelange upon the request of the data owner or ex officio by Grimelange when the reasons for the storage of personal data cease to exist or upon the request of the relevant person/authority.
k. The information requested to be publicly available.
In this case, if the requested information is deemed to be publicly available, it will be taken into consideration during the evaluation process of the request according to the Regulation on Deletion, Destruction, or Anonymization of Personal Data. If the requested information is deemed to be publicly available and does not contain personal data, processes such as storage, usage, or deletion of this information will not be evaluated within the scope of personal data law. However, even in this case, the business may have certain record-keeping and reporting obligations. These obligations should be evaluated according to relevant legislation and sectoral regulations.
Under the heading "Information That Can Be Defined as Public Information", Grimelange will take into account whether the information requested by the data subject is publicly available to determine if it is publicly available information. If it is determined that the requested information is publicly available, the storage or sharing of the relevant information will not be subject to personal data law.