SECTION 1: NATURE AND PURPOSE OF THE DESTRUCTION POLICY

 

1.1. INTRODUCTION

 

This destruction policy has been prepared by Manuzone, acting in the capacity of the data controller, to determine the procedures and principles to be applied by Manuzone regarding the deletion, destruction, or anonymization of personal data we hold, in accordance with Law No. 6698 on the Protection of Personal Data and other relevant legislation.

In this context, the personal data of our employees, prospective employees, customers, and any individuals who have personal data within Manuzone are managed in accordance with the law under the framework of the Policy on the Processing and Protection of Personal Data and this Personal Data Storage and Destruction Policy.

 

1.2. DEFINITIONS

 

Direct Identifiers: Identifiers that reveal, disclose, and distinguish the person they relate to on their own,

Indirect Identifiers: Identifiers that, when combined with other identifiers, reveal, disclose, and distinguish the person they relate to,

Related Person: The real person whose personal data is processed,

Destruction: Deletion, destruction, or anonymization of personal data,

Law: The Law No. 6698 on the Protection of Personal Data, published in the Official Gazette dated 07.04.2016 and numbered 29677,

Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Turkish Official Gazette (Resmi Gazete ) dated 28.10.2017 and numbered 30224,

Board: The Personal Data Protection Board,

Recording medium: Any environment where personal data, which is processed entirely or partially automatically or non-automatically provided that they are part of a data recording system, is located,

Policy on Processing and Protection of Personal Data: The policy that determines the procedures and principles for managing the personal data held by Manuzone, which can be accessed from “https://manuzone.com”,

Data Recording System: Expresses the recording system in which personal data is processed according to specific criteria.

 

SECTION 2: MEDIUMS AND SECURITY MEASURES

 

2.1. MEDIA WHERE PERSONAL DATA IS STORED

 

Personal data stored under Manuzone is kept in a recording medium appropriate to the nature of the relevant data and our legal obligations.

The recording mediums generally used for storing personal data are listed below. However, some data, due to their special characteristics or our legal obligations, may be kept in a different medium than those indicated here. In any case, Manuzone acts as a data controller and processes and protects personal data in accordance with the Law, the Policy on Processing and Protection of Personal Data, and this Personal Data Storage and Destruction Policy.

a) Printed media: Environments where data is printed on paper or similar media.

b) Local digital media: Digital media within Manuzone, such as servers, fixed or portable disks, optical discs, and the like.

c) Cloud environments: Although not located within Manuzone, these are environments that use internet-based systems encrypted with cryptographic methods and are at Manuzone's disposal.

2.2. ENSURING THE SECURITY OF THE MEDIA

Manuzone takes all necessary technical and administrative measures in accordance with the characteristics of the relevant personal data and the medium in which it is stored to ensure that personal data is stored securely and to prevent its unlawful processing and access.

These measures include, but are not limited to, the following administrative and technical measures as appropriate to the nature of the relevant personal data and the medium in which it is stored:

2.2.1. Technical Measures

Manuzone takes the following technical measures in line with the characteristics of the relevant data and the medium in which it is stored for all environments where personal data is stored:

• Only up-to-date and secure systems suitable for technological advancements are used in environments where personal data is stored.
• Security systems are employed for environments where personal data is stored.
• The infrastructure of the computing environments of the website and other platforms from which personal data is obtained is provided by companies from which Manuzone purchases IT services.

2.2.2. Administrative Measures

Manuzone takes the following administrative measures suitable for the characteristics of the relevant data and the medium where it is stored:

• Training sessions and activities are organized to raise awareness and educate all Manuzone employees who have access to personal data about information security, personal data, and the privacy of private life.
• Legal and technical consultancy services are received to follow developments in the field of information security, the privacy of private life, and the protection of personal data, and to take necessary actions.
• In the event that personal data is transferred to third parties for technical or legal reasons, protocols are signed with the relevant third parties for the protection of personal data. All due diligence is shown to ensure that the relevant third parties comply with the obligations in these protocols.

 

2.2.3. Internal Audits

In accordance with Article 12 of the Law, Manuzone conducts internal audits regarding the implementation of the provisions of the Law and the provisions of this Personal Data Retention and Destruction Policy as well as the Personal Data Processing and Protection Policy.

If deficiencies or faults are detected regarding the implementation of these provisions as a result of internal audits, these deficiencies or faults are immediately remedied.

During an audit or otherwise, if it is understood that personal data under the responsibility of Manuzone has been obtained by others through unlawful means, Manuzone promptly informs the concerned party and the Board.

SECTION 3: DESTRUCTION OF PERSONAL DATA

3.1. REASONS FOR RETENTION AND DESTRUCTION

3.1.1. Reasons for Retention

Personal data held within Manuzone is stored for the purposes and reasons stated herein in accordance with the Law and our Personal Data Policy (you can access the relevant policy at "https://manuzone.com").

3.1.2. Reasons for Destruction

Personal data within Manuzone is deleted, destroyed, or anonymized according to this destruction policy either upon the request of the relevant person or when the reasons stated in Articles 5 and 6 of the Law no longer exist.

The reasons stated in Articles 5 and 6 of the Law are as follows:

• Explicitly foreseen in laws.
• It is necessary for the protection of the life or physical integrity of the person who cannot disclose his/her consent due to actual impossibility or whose consent is not legally valid.
• The processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of a contract.
• It is necessary for the data controller to fulfill its legal obligation.
• It has been publicized by the relevant person himself/herself.
• Data processing is necessary for the establishment, exercise, or protection of a right.
• Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.

 

 

3.2. DESTRUCTION METHODS

Manuzone, in accordance with the Law and other regulations as well as the Personal Data Processing and Protection Policy, deletes, destroys, or anonymizes the personal data it keeps when the reasons for processing these data are eliminated, either upon the request of the relevant person or automatically within the periods specified in this Personal Data Retention and Destruction Policy.

The deletion, destruction, and anonymization techniques most commonly used by Manuzone are listed below:

3.2.1.1 Deletion Methods

Methods of Deleting Personal Data Kept in Printed Media

Blacking Out: Personal data in printed media is deleted using the blacking out method. The blacking out process involves cutting out personal data from the relevant documents where possible or, where it is not possible, making it invisible using permanent ink in such a way that it cannot be reverted or read with technological solutions.

Methods of Deleting Personal Data Stored in Cloud and Local Digital Environments

Secure Deletion via Software: Personal data stored in cloud or local digital environments is deleted by digital commands so that it can't be recovered. Data deleted in this way cannot be accessed again.

3.2.1.2 Destruction Methods

Methods of Destroying Personal Data Kept in Printed Media

Physical Destruction: Documents kept in printed media are destroyed using paper shredding machines so that they cannot be reassembled.

Methods of Destroying Personal Data Stored in Local Digital Environments

Physical Destruction: This involves physically destroying optical and magnetic media containing personal data, such as melting, burning, or grinding it into dust. Making data inaccessible by melting, burning, turning optical or magnetic media into dust, or passing it through a metal grinder.

Degaussing: This involves corrupting the data on magnetic media by exposing it to a high magnetic field, making it unreadable.

Overwriting: Random data consisting of 0s and 1s is written over magnetic media and rewritable optical media at least seven times to prevent the old data from being read and recovered.

Regional Concealment: This is the process of deleting potentially distinctive information about data outliers within a table where personal data is collectively stored in an anonymous manner.

Generalization: This method combines personal data from many individuals, removing distinguishing information to turn it into statistical data.

Lower and Upper Limit Encoding / Global Encoding: Ranges are defined for a particular variable and categorized. If the variable does not contain a numerical value, then closely related data within that variable are categorized. Values within the same category are merged.

Micro Aggregation: With this method, all records in the dataset are first arranged in a meaningful order, and then the entire set is divided into subgroups of a specific number. Then, the average value for a designated variable within each subgroup is calculated, and the value for that variable in the subgroup is replaced with this average value. This ensures that indirect identifiers in the data are altered, making it harder to associate data with a particular individual.

Data Shuffling and Distortion: Direct or indirect identifiers within personal data are mixed or altered, disconnecting their association with the relevant individual and causing them to lose their identifying characteristics.

Manuzone employs one or several of these anonymization methods depending on the nature of the relevant data. When using these anonymization techniques, Manuzone may utilize statistical methods such as K-Anonymity, L-Diversity, and T-Closeness.

 

SECTION 4: REQUEST FOR DELETION AND DESTRUCTION OF PERSONAL DATA BY THE DATA SUBJECT The data subject submits their requests regarding the application of the Law in writing or through other methods determined by the Board. Requests stated in the application by the data subject are concluded as soon as possible and within a maximum of 30 days free of charge. However, if the procedure requires an additional cost, a fee may be charged based on the tariff set by the Board. If the application results from a procedural error, no fee is taken, or if taken, it is refunded. The data subject is informed whether their request is accepted or denied, providing the reasons for the decision. The notification is made in writing or electronically.

SECTION 5: RETENTION AND DESTRUCTION PERIODS 5.1. PROCEDURAL RETENTION AND DESTRUCTION PERIODS Information about retention periods concerning personal data processed within the scope of manuzone's activities are:

• Personal data retention periods based on processes are in the Personal Data Processing Inventory,
• Retention periods for data categories are registered in VERBİS,
• Retention periods based on processes are in the Personal Data Retention and Destruction Policy. Updates and changes are made to retention periods in line with legal regulations or needs. Personal data whose retention period has expired are deleted, destroyed, or anonymized by the authorized Relevant User/Special Authorized User. For the determination of retention and destruction periods:
• If the processed personal data relates to processes within the scope of a contractual relationship, considering the statutory statute of limitations, it's kept for 10 years after the termination of the contract,
• If the processed personal data relates to processes within the scope of any commercial relationship established with commercial contracts, it's kept for 10 years after the termination of the commercial relationship, considering the legal statute of limitations,
• If the processed personal data indirectly relates to processes within the scope of a commercial or business contract, it's kept for 10 years after the termination of the legal relationship, considering the legal statute of limitations,
• If the processed personal data has no direct relation to any commercial transaction, but is provided for purposes such as making contact, visiting, acquaintance, bidding, applying for a job or internship, and does not turn into a business or commercial relationship afterward, it's kept for 2 years,
• Security records are automatically deleted within six months; if any section needs to be retained due to an event or footage, it's stored in accordance with the statute of limitations applicable to the legal reason and purpose. These principles are the basis for determining storage durations.

5.2. DELETION AND DESTRUCTION PERIODS UPON DATA SUBJECT'S APPLICATION When the data subject applies for the deletion or destruction of their personal data:

• If all conditions for processing personal data have disappeared, the relevant personal data is deleted, destroyed, or anonymized. The individual's request is concluded within 30 days and they are informed.
• If all conditions for processing personal data have disappeared and the relevant personal data has been transferred to third parties, the third party is notified; necessary actions are ensured in line with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.
• If not all conditions for processing personal data have disappeared, the request can be declined, providing the reasons, and the rejection is notified to the data subject in writing or electronically within 30 days.

5.3. DESTRUCTION PERIODS Personal data whose retention period has ended or whose retention purpose has disappeared are destroyed every six months. Periodic destruction is carried out in January and July of each year.

SECTION 6: PUBLICATION AND RETENTION OF THE POLICY The policy is established in two different media: wet-signed (printed paper) and electronically. The electronic version is published on the https://manuzone.com website. The printed version is retained in the KVKK (Personal Data Protection Law) file by manuzone.

SECTION 7: POLICY UPDATE PERIOD Changes in manuzone's activities and processed personal data groups, legal regulation changes, and decisions by the Personal Data Protection Board are monitored. As needs arise, the policy is reviewed, and necessary sections are updated, changed, or recreated.

SECTION 8: EFFECTIVENESS AND TERMINATION OF THE POLICY The policy takes effect when published on the https://manuzone.com website. If there's a change in the policy text or content, the old copy is archived for 5 years, and the updated version is placed in the KVKK file. Old electronic versions are completely destroyed, and if necessary, replaced with the new policy.