Personal Data Retention and Destruction Policy ("Policy") aims to determine the procedures and principles regarding the retention and destruction activities carried out within Ames Europe Tekstil Sanayi ve Ticaret Anonim Şirketi (from now on referred to as "Data Controller").
As the Data Controller, our main principle is to process the personal data of data subjects such as Employee, Supplier Employee, Potential Product or Service Purchaser, Supplier Official, Product or Service Purchaser, Shareholder/Partner, Public Official, Parent / Guardian / Representative, Employee Candidate, Employee Relative, Workplace Doctor, Doctor, Occupational Health and Safety Specialist, Visitor, Intern, Party to Lawsuit /Execution File, Website Visitor and other third parties, in accordance with the Constitution of the Republic of Turkey, international conventions and Law No. 6698 on the Protection of Personal Data ("Law"), and other relevant legislation. In this context, it is prioritized that the data subjects shall not suffer any loss of rights and use their rights effectively.
This Personal Data Retention and Destruction Policy has been prepared in accordance with the Personal Data Protection Law No. 6698, the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation"), which entered into force in the Official Gazette dated 28.10.2017 and numbered 30224, and other legislation provisions.
| Recipient Group | The category of natural or legal person to whom personal data is transferred by the data controller. |
| Explicit Consent | Consent on a specific subject, based on the information and expressed with free will. |
| Anonymization | Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. |
| Employee | An Employee of the Data Controller |
| Electronic Environment | Environments where personal data can be created, read, modified, and written with electronic devices. |
| Non-Electronic Environment | All written, printed, visual, etc. other than electronic enviroments. |
| Service Provider | A natural or legal person who provides services under a specific contract with the Data Controller. |
| Data Subject | The natural person whose personal data is processed. |
| Relevant User | Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection, and backup of the data. |
| Destruction | Deletion, destruction, or anonymization of personal data. |
| Law | Law No. 6698 on the Protection of Personal Data. |
| Recording Environment | Any environment where personal data is processed by fully or partially automated or non-automated means provided that it is part of any data recording system. |
| Personal Data | Any information that makes a person specific or identifiable. |
| Personal Data Processing Inventory | Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes and legal grounds for processing personal data, the data category, the group of recipients transferred and the group of data subjects, and by explaining the maximum retention period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security. |
| Processing of Personal Data | Any operation performed on personal data such as obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
| PDPB | Personal Data Protection Board. |
| Sensitive Personal Data | Personal Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
| Periodic Destruction | Deletion, destruction, or anonymization to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in the event that all of the conditions for processing personal data specified in the law disappear. |
| Policy | Personal Data Retention and Destruction Policy. |
| Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. |
| Data Recording System | A recording system where personal data is structured and processed according to certain criteria. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Data Controllers Registry Information System | The information system created and managed by the Presidency, accessible via the internet, which data controllers will use in the application to the Registry and other related transactions regarding the Registry. |
| VERBIS | Data Controllers Registry Information System. |
| Regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017. |
The table given below shows the environments where the personal data is retained by the Data Controller. Personal data are retained in the most appropriate recording environment according to the nature and legal status of the personal data retained by the Data Controller.
| Data Retention Environments |
| Computer |
| Locked Archive Cabinet |
| Server |
| Archive Cabinet |
| Unit Archive |
| Double Locker in Controlled Zone |
| Software Program - Domestic |
| Encrypted File |
| Locked Cabinet |
| Domestic Email Server |
| Access Restricted File |
| Abroad Email Server |
Pursuant to subparagraph f of Article 6 of the Regulation, it is regulated the titles, duties, and units of the persons involved in the retention and destruction processes of personal data must be specified. In this context, the titles, duties, and units of the persons within the Data Controller are specified in the management of data security, storage and destruction processes, taking technical, and administrative measures in order to prevent unlawful processing and access to personal data and to ensure that personal data are retained in accordance with the law.
| Title | Descripton of Duties |
| The Personal Data Manager | The Personal Data Manager is responsible for directing all kinds of planning, analysis, research, and risk identification studies in the projects carried out in the process of compliance with the Law; managing the processes to be carried out in accordance with the Law, Personal Data Processing and Protection Policy and Personal Data Retention and Destruction Policy and other policies and procedures regulated and deciding on the requests received by the relevant persons. |
| Data Controller Personal Data Protection Specialist (Technical and Administrative) | Data Controller Personal Data Protection Specialist (Technical and Administrative) Responsible for examining the requests of the data subjects and reporting them to the Personal Data Manager for evaluation; carrying out the transactions regarding the requests of the data subjects evaluated and decided by the Personal Data Manager in accordance with the decision of the Personal Data Manager; auditing the retention and destruction processes and reporting these audits to the Personal Data Manager; carrying out the retention and destruction processes. |
Personal data are processed in accordance with the provisions of the Law and retained in the recording environments specified in this Policy and destroyed as specified in this policy.
Personal data are retained based on one or more of the personal data processing conditions specified in Articles 5 and 6 of the Law and within this scope, personal data are retained during the validity of the conditions specified for the processing of personal data, when the aforementioned processing conditions expire or upon the application of the relevant person to the Data Controller (after checking other legal obligations that the Data Controller must comply with), if deemed appropriate, the personal data retained at the request of the data subject are deleted, destroyed or anonymized.
Personal data processed by the Data Controller within the framework of its activities are retained for the period stipulated in the relevant legislation. In this context, personal data are retained for the periods stipulated in other secondary regulations in force pursuant to the following laws.
The Data Controller stores the personal data it processes within the framework of its activities for certain purposes. In this context, the purposes are listed below:
| Processing Purposes |
| Execution / Supervision of Business Activities |
| Execution of Goods / Services Production and Operation Processes |
| Execution of Management Activities |
| Ensuring the Security of Movable Property and Resources |
| Execution of Marketing Processes of Products / Services |
| Execution of Finance and Accounting Affairs |
| Execution of Logistics Activities |
| Execution of Activities in Compliance with the Legislation |
| Execution of Occupational Health / Safety Activities |
| Execution of Risk Management Processes |
| Ensuring the Security of Data Controller Operations |
| Execution of Business Continuity Ensuring Activities |
| Receiving and Evaluating Suggestions for Improvement of Business Processes |
| Execution of Goods / Service Procurement Processes |
| Execution of Supply Chain Management Processes |
| Execution of Goods / Service Sales Processes |
| Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees |
| Monitoring and Execution of Legal Affairs |
| Execution of Contract Processes |
| Execution of Customer Relationship Management Processes |
| Execution of Activities for Customer Satisfaction |
| Providing Information to Authorized Persons, Institutions and Organizations |
| Organization and Event Management |
| Execution of Goods / Services After Sales Support Services |
| Execution of Communication Activities |
| Tracking Requests / Complaints |
| Execution of Information Security Processes |
| Planning Human Resources Processes |
| Execution of Employee Satisfaction and Loyalty Processes |
| Execution of Fringe Benefits and Benefits Processes for Employees |
| Conducting Audit / Ethics Activities |
| Conducting Internal Audit / Investigation / Intelligence Activities |
| Execution of Emergency Management Processes |
| Execution of Access Authorizations |
| Ensuring Physical Space Security |
| Conducting Training Activities |
| Execution of Employee Candidate Application Processes |
| Execution of Employee Candidate / Intern / Student Selection and Placement Processes |
| Execution of Assignment Processes |
| Execution of Human Resources Processes |
| Execution of Personnel Attendance Control System |
| Execution of Performance Evaluation Processes |
| Execution of Termination Procedures |
| Execution of Wage Policy |
| Execution of Company / Product / Service Loyalty Processes |
| Conducting Marketing Analysis Studies |
| Execution of Strategic Planning Activities |
| Creating and Tracking Visitor Records |
| Implementation of Social Responsibility and Civil Society Activities |
The Data Controller takes all necessary technical and administrative measures in accordance with the characteristics of the relevant personal data and the environment in which it is kept in order to retain personal data securely and to prevent unlawful processing and access. In addition, the Data Controller also takes technical and administrative measures within the framework of adequate measures determined and announced by the Personal Data Protection Authority for special categories of personal data in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law.
These measures include but are not limited to, the following administrative and technical measures to the extent appropriate to the nature of the personal data concerned and the environment in which it is kept.
The Data Controller takes the following technical measures in all environments where personal data is retained in accordance with the characteristics of the data and the environment where the data is retained:
| Technical Measures |
| Network security and application security are ensured |
| A closed system network is used for personal data transfers through the network |
| Key management is in place |
| Security measures are taken within the scope of procurement, development, and maintenance of information technology systems |
| Security of personal data retained in the cloud is ensured |
| Access logs are kept regularly |
| Corporate policies on access, information security, use, storage, and disposal have been prepared and implemented |
| Data masking measures are applied when necessary |
| Up-to-date anti-virus systems are used |
| Firewalls are used |
| Personal data is backed up and the security of the backed-up personal data is also ensured |
| User account management and authorization control system is implemented and monitored |
| Log records are kept without user intervention |
| Intrusion detection and prevention systems are used |
| Cyber security measures have been taken and their implementation is constantly monitored |
| Encryption is performed |
| Sensitive personal data transferred in portable memory, CD, and DVD media are transferred by encrypting the data |
| Data loss prevention software is used |
The Data Controller takes the following administrative measures in accordance with the nature of all environments where personal data is retained, the relevant data, and the environment where the data is retained:
| Administrative Measures |
| Disciplinary arrangements are in place for employees that include data security provisions |
| Training and awareness activities on data security for employees are carried out at regular intervals |
| Authorization matrix has been created for employees |
| Confidentiality commitments are made |
| Employees who change their position or leave their job are de-authorized in this area |
| The signed contracts contain data security provisions |
| Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format |
| Personal data security policies and procedures have been determined |
| Personal data security issues are quickly reported |
| Personal data security is monitored |
| Necessary security measures are taken for entering and exiting physical environments containing personal data |
| Physical environments containing personal data are secured against external risks (fire, flood, etc.) |
| Security of environments containing personal data is ensured |
| Personal data is minimized as much as possible |
| Internal periodic and/or random audits are conducted and commissioned |
| Existing risks and threats have been identified |
| Protocols and procedures for the security of sensitive personal data have been determined and implemented |
| Awareness of data processing service providers on data security is ensured |
| Reasons for Destruction |
| Personal Data Protection Board's Decision on Destruction of Personal Data |
| Expiration of the Retention Period |
| Data Subject Request |
The deletion, destruction, and anonymization techniques used by the Data Controller are listed below:
Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users.
Personal data is deleted using one or more of the methods given in the table below.
| Deletion Methods for Personal Data Retained in Physical Environment | |
| Data Obscuring | Personal data in the physical environment are erased using the darkening method. The obscuring process is carried out by cutting out the personal data on the relevant document, where possible, and making it invisible by using fixed ink, which is irreversible and unreadable with technological solutions, in cases where this is not possible. |
| Deletion Methods for Personal Data Retained in Cloud and Local Digital Environment/Software | |
| Secure deletion from software | Personal data retained in the cloud or local digital environments are deleted and rendered unusable by digital command at the end of the retention period, in a means that cannot be accessed in any way by other relevant employees, except the database administrator. |
| Personal Data on Servers | |
| Deletion by unauthorizing access | Deletion by removing access authorization for those personal data on the servers whose retention period has expired, the access authorization of the relevant users is removed by the system administrator and deletion is made. |
Destruction of personal data is the process of making personal data inaccessible, unrecoverable, and unusable by anyone in any way.
Personal data is destroyed using one or more of the methods given in the table below.
| Destruction Methods for Personal Data Retained in Physical/Materialized Environment | |
| Physical destruction | Physical destruction Documents kept in printed form are destroyed by document shredders in such a way that they cannot be reassembled. |
| Destruction Methods for Personal Data Retained on Local Digital Media and Servers | |
| Physical destruction | The process of physically destroying optical and magnetic media containing personal data, such as melting, burning, or pulverizing them. Data is rendered inaccessible by melting, burning, pulverizing, or passing optical or magnetic media through a metal grinder. |
| De-magnetization (degauss) | De-magnetization (degaussing) The process of exposing magnetic media to a high magnetic field to distort the data on it so that it is unreadable. |
| Overwriting | Random data consisting of 0s and 1s are written at least seven times on magnetic media and rewritable optical media, preventing old data from being read and recovered. |
| Destruction by removing access authorization | Destruction by removing access authorization For the personal data on the servers, the system administrator removes the access authorization of the relevant users and destroys them so that they cannot be accessed again. |
| Destruction Methods for Personal Data Retained in the Cloud | |
| Secure deletion from software | Personal data retained in the cloud is deleted by the digital command in such a way that it cannot be recovered, and all copies of the encryption keys necessary to make the personal data usable are destroyed when the cloud computing service relationship ends. Data deleted in this way cannot be accessed again. |
Anonymization of personal data is the process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data.
Personal data is anonymized by using one or more of the methods given in the table below.
| Anonymization Methods for Personal Data Retained in Physical/Materialized Environment | |
| Removing variables | It is the removal of one or more of the direct identifiers that are included in the personal data of the person concerned and that can be used to identify the person concerned in any way. This method can be used to anonymize personal data, or it can be used to delete personal data if it contains information that is not suitable for the purpose of data processing. |
| Regional hiding | It is the process of deleting the information that may be distinctive for the data that is an exception in the data table where personal data are collectively anonymized. |
| Generalization | Generalization It is the process of bringing together personal data belonging to many people and turning them into statistical data by removing their distinctive information. |
| Lower and upper limit coding / Global coding | Lower and upper bound coding / Global coding defining ranges for a certain variable and categorizing them. If the variable does not contain a numeric value, then data close to each other within the variable are categorized. Values within the same category are merged. |
| Micro-assembly | With this method, all records in the dataset are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, the value of each subset for the specified variable is averaged and the value of that variable of the subset is replaced with the average value. In this way, the indirect identifiers in the data are distorted, making it difficult to associate the data with the data subject. |
| Data mixing and corruption | Data mixing and corruption Direct or indirect identifiers in personal data are mixed or corrupted with other values, severing their relationship with the data subject and making them lose their identifying characteristics. |
| Anonymization Methods for Personal Data Retained in Digital Environment/Servers/Cloud Environment | ||
| Masking (Encryption, symbolization, blurring, obscuration, jamming, invalidation) | Masking (Encryption, symbolization, blurring, obscuring, jamming, invalidation) Data masking is the process of making personal data incomprehensible in order to prevent unauthorized access to personal data. This method is used to prevent confidential and sensitive information in the organization from leaking into and out of the organization and from being seized by malicious people. In data masking, the data format is not changed, only the values are changed, but this change is made in a way that cannot be detected and reversed in any way. In addition, by determining who can access which data, it is ensured that only authorized persons can see the information they need to see, and other information is masked. | |
Personal data are retained and destroyed within the scope of the following.
| Categories | Retention Period |
| Identity |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Contact Information |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Audiovisual Recordings |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Finance |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Location |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Customer Transaction |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Professional Experience |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Risk Management |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Process Security |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Legal Action |
10 years from the termination of the legal relationship 15 years from the termination of the employment contract |
| Personnel Information |
10 years from the termination of the legal relationship 15 years from the termination of the employment contract |
| Criminal Conviction and Security Measures | 15 years from the termination of the employment contract |
| Health Information |
15 years from the termination of the employment contract 6 months from the end of the pandemic 10 Years from the end of the activity 10 years from the end of the purpose of data processing 15 Years from the Termination of the Legal Relationship |
| Employee Family Member and Relative Information | 15 years from the termination of the employment contract |
| Physical Space Security |
15 years from the termination of the employment contract 25 days |
| Marketing | 10 years from the end of the purpose of data processing |
| Vehicle Information |
10 Years from the End of the Purpose of Data Processing 5 Years from the End of the Purpose of Data Processing |
The Data Controller deletes, destroys, or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize the personal data for which it is responsible in accordance with the Law, the relevant legislation, the Personal Data Processing and Protection Policy and this Personal Data Retention and Destruction Policy arises.
When the data subject applies to the Data Controller pursuant to Article 13 of the Law and requests the deletion or destruction of his/her personal data;
In the event that all of the conditions for the processing of personal data specified in the Law are eliminated; The Data Controller deletes, destroys, or anonymizes the personal data whose processing conditions have been eliminated by a process specified in this Personal Data Retention and Destruction Policy and to be carried out ex officio at recurring intervals.
Periodic destruction processes start for the first time on 01.01.2023 and repeat every 6 (six) months.
Personal data recorded by the Data Controller are subject to destruction as part of the periodic destruction processes due to the expiration of the retention period and/or legal retention periods in accordance with the Policy and the process is documented with the Personal Data Destruction Record.
The Policy is published in three different ways: wet signed (printed paper), printed or electronic QR Code, and directly in an electronic environment, and disclosed to the public on the Data Controller's website www.ames-europe.com. The printed paper copy is also kept in the KVKK file by the Board of Directors of the Data Controller or the Personal Data Manager.
The Policy is reviewed as required and the necessary sections are updated.
The Data Controller has the right to make changes to the retention and destruction policy of personal data in accordance with the provisions of the Legislation or as required by the Data Controller's policy.
AMES EUROPE TEKSTİL SANAYİ VE TİCARET ANONİM ŞİRKETİ