- PURPOSE
The processing and protection of personal data in accordance with the Constitution of the Republic of Türkiye, the Law No. 6698 on the Protection of Personal Data, and other relevant legislation is among the priorities of Kadıköy Terminal Real Estate Services Trade Joint Stock Company (“Company”).
This Personal Data Retention and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding retention and destruction activities carried out by the Company and to ensure transparency by informing data subjects.
This Policy applies to all physical and electronic records and environments, including originals and copies, in line with the Company’s data processing activities.
The Policy has been prepared in accordance with Article 5 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, in line with the Inventory and the decisions of the Authority. - DEFINITIONS AND ABBREVIATIONS
Term | Definition |
Explicit Consent | Consent given freely, based on information, and related to a specific matter |
Akfen | Akfen Holding Joint Stock Company and, where applicable, its direct and indirect subsidiaries |
Active Records | Data actively used within the scope of Company activities |
Inactive Records | Data not actively used but that may be needed |
Anonymization | Rendering personal data impossible to associate with an identified or identifiable natural person |
IT Department | Information Technologies Department |
Inventory | Personal Data Processing Inventory |
Secondary Legislation | Regulations, communiqués, decisions, and guidelines issued by the Authority |
Relevant Users | Authorized persons or units processing personal data |
Destruction | Deletion, destruction, and/or anonymization |
Law | Law No. 6698 on the Protection of Personal Data |
Records | All active and inactive records |
Personal Data | Any information relating to an identified or identifiable natural person |
Authority | Personal Data Protection Authority |
Special Categories of Personal Data | Data such as health, criminal record, biometric data |
Policy | Personal Data Retention and Destruction Policy |
Deletion | Making data inaccessible and unusable |
Data Processor | Natural or legal person processing data on behalf of the data controller |
Data Protection Committee | Committee responsible for compliance |
Data Subject | Natural person whose personal data is processed |
Data Controller | Entity determining purposes and means of processing |
Destruction | Making data irreversibly inaccessible |
Regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data |
3. PRINCIPLES
Personal data shall be processed in compliance with the law and good faith, accurately and where necessary kept up to date, for specific, explicit, and legitimate purposes, in a manner limited and proportionate to the purposes, and retained for the period required by legislation or processing purposes.
- DATA PROTECTION COMMITTEE
The Data Protection Committee established by Akfen/Company is responsible for managing inventories, overseeing retention and destruction processes, evaluating requests from data subjects, ensuring coordination between departments, and fulfilling obligations under the legislation and this Policy.
All departments, employees, and suppliers must act in compliance with the Committee. - RETENTION
Personal data of employees, job applicants, interns, customers, suppliers, visitors, shareholders, Company executives, and group employees is retained and destroyed in accordance with the Law.
4.LEGAL GROUNDS FOR RETENTION
Legal Ground | Description |
Explicitly prescribed by law | Processing required by legislation |
Protection of life | Necessary to protect life or physical integrity |
Contract | Necessary for establishment or performance of a contract |
Legal obligation | Necessary to fulfill legal obligations |
Public disclosure | Data made public by the data subject |
Legal claims | Necessary for establishment, exercise, or protection of a right |
PURPOSES OF RETENTION
Purpose |
Human resources processes |
Legal compliance and reporting |
Communication with stakeholders |
Evidence for legal disputes |
Information security |
Event management |
Finance and accounting |
Corporate communication |
Facility security |
Customer relations |
Sales and marketing |
Risk management |
Contract and supply chain management |
STORAGE OF PHYSICAL RECORDS
Record Type | Storage Method |
Active Records | Locked cabinets in secure offices |
Inactive Records | Company archive with restricted access |
STORAGE OF ELECTRONIC RECORDS
Record Type | Storage Method |
Digital files | Secure systems with access control |
Audio/visual data | Encrypted electronic environments |
Applications | Protected IT infrastructure |
RETENTION PERIODS
Data Type | Retention Period |
Employee records | As required by labor and social security laws |
Job applicant data | As determined in the Inventory |
Customer data | As required by commercial legislation |
Financial records | As required by tax legislation |
CCTV data | As determined by legitimate interest |
- DESTRUCTION
Personal data is destroyed when retention periods expire, processing purposes cease, consent is withdrawn, or upon lawful request by the Authority or data subject. - DESTRUCTION METHODS – DELETION
Storage Medium | Method |
Server data | Removal of access rights |
Electronic data | Making inaccessible to users |
Physical data | Redaction or restricted access |
5.DESTRUCTION METHODS – PHYSICAL DESTRUCTION
Storage Medium | Method |
Paper records | Shredding |
Electronic media | Physical destruction or overwriting |
ANONYMIZATION
Method | Description |
Masking | Removing identifiers |
Aggregation | Combining data |
Randomization | Preventing re-identification |
6. TECHNICAL AND ADMINISTRATIVE MEASURES
TECHNICAL MEASURES
Measure |
Penetration testing |
Access control |
Logging systems |
Encryption |
Backup and data recovery |
Network security |
Antivirus and firewalls |
7.ADMINISTRATIVE MEASURES
Measure |
Confidentiality agreements |
Internal policies |
Disciplinary procedures |
Access revocation |
Incident reporting |
Physical security |
8. VIOLATION OF THE POLICY
Violations may result in disciplinary action, termination of contracts, or legal consequences. The Board of Directors is authorized to investigate violations and take corrective measures.
9.EFFECTIVE DATE AND ENFORCEMENT
This Policy is made available to employees in writing. The Board of Directors is responsible for enforcement and may update the Policy when necessary.
