Policy on the Deletion, Destruction, and Anonymization of Personal Data
PURPOSE OF THE DESTRUCTION POLICY
This Policy sets forth the procedures for the deletion, destruction, or anonymization of personal data by Miss Diamond, either ex officio or upon request, where the conditions for processing personal data regulated in Articles 4, 5, and 6 of the Personal Data Protection Law cease to exist for personal data that has been processed in accordance with the Law.
DEFINITIONS
- Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
- Anonymization: Rendering personal data in such a way that it can no longer be associated with an identified or identifiable natural person, even by matching it with other data.
- President: The President of the Personal Data Protection Authority.
- Data Subject: The natural person whose personal data is processed.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, wholly or partially by automated means or otherwise than by automated means which form part of a data recording system.
- Board: The Personal Data Protection Board.
- Authority: The Personal Data Protection Authority.
- Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
- Data Recording System: Any recording system in which personal data are structured and processed according to specific criteria.
- Regulation: The Regulation on the Data Controllers Registry.
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
RECORDING MEDIA WHERE PERSONAL DATA IS STORED
Personal data belonging to data subjects is securely stored by Miss Diamond in the following media, in compliance with the provisions of the Personal Data Protection Law (KVKK) and relevant legislation:
Electronic Media:
- CRM
- ENTİ
- E-Mail Inbox
- Microsoft Office Programs
- Image and Sound Recording Devices
Physical Media:
- Unit Cabinets
- Folders
- Archives
REASONS REQUIRING RETENTION AND DESTRUCTION
Personal data of data subjects is retained by Miss Diamond within the limits specified by the KVKK and other relevant legislation, in the physical or electronic media listed above, particularly for the purposes of (i) sustaining commercial activities, (ii) fulfilling legal obligations, (iii) planning and executing employee rights and benefits, and (iv) managing customer relationships.
The reasons requiring retention are as follows:
- Retention of personal data is directly related to the establishment and performance of contracts.
- Retention of personal data is necessary for the establishment, exercise, or protection of a right.
- Retention of personal data is necessary for Miss Diamond's legitimate interests, provided that it does not harm the fundamental rights and freedoms of data subjects.
- Retention of personal data is necessary for Miss Diamond to fulfill any of its legal obligations.
- Retention of personal data is explicitly stipulated in the legislation.
- The explicit consent of the data subjects exists for retention activities that require it.
Pursuant to the Regulation, in the following cases, personal data belonging to data subjects shall be deleted, destroyed, or anonymized by Miss Diamond ex officio or upon request:
- Amendment or repeal of the relevant legislative provisions that constitute the basis for the processing or storage of personal data.
- The purpose requiring the processing or storage of personal data ceases to exist.
- The conditions requiring the processing of personal data under Articles 5 and 6 of the Law cease to exist.
- In cases where the processing of personal data is based solely on the condition of explicit consent, the data subject withdraws their consent.
- The data controller accepts the data subject's application for the deletion, destruction, or anonymization of their personal data within the framework of their rights under Article 11(2)(e) and (f) of the Law.
- In cases where the data controller rejects the application made by the data subject for the deletion, destruction, or anonymization of their personal data, the data subject finds the response insufficient, or the data controller does not respond within the period prescribed by the Law; the data subject files a complaint with the Board, and the Board approves the request.
- The maximum period for retaining personal data has passed, and there are no conditions that would justify retaining the personal data for a longer period.
MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the KVKK, Miss Diamond takes the necessary technical and administrative measures to ensure the appropriate level of security to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data, and to ensure the preservation of the data. In this regard, necessary audits are conducted or commissioned by our Company. All technical and administrative measures taken are specifically regulated in the Personal Data Policy. In the event that the processed personal data is obtained by third parties through unlawful means despite all technical and administrative measures being taken, Miss Diamond will notify the relevant units as soon as possible, take immediate measures to rectify the situation, and review the existing measures.
1. Technical Measures:
- To control access to information and prevent unauthorized access, security controls with logging and reporting have been implemented through software and hardware in all relevant areas, taking into account deliberate or unintentional threats from employees within the organization.
- Technical measures are taken in line with technological developments, and the measures taken are periodically updated and renewed.
- Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis.
- Access rights are restricted, and authorizations are regularly reviewed.
- The technical measures taken are periodically audited, issues posing a risk are re-evaluated, and the required technological solutions are put in place.
- Software and hardware including virus protection systems and firewalls are installed.
- Personnel knowledgeable in technical matters are employed, and in-house training is provided.
- Applications where personal data is collected are regularly subjected to security scans to detect security vulnerabilities. The identified vulnerabilities are addressed.
- When necessary, penetration testing services are procured to check for system vulnerabilities.
- The destruction of personal data is carried out in a way that is irreversible and leaves no recoverable trace of the data.
2. Administrative Measures:
- Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
- Access and authorization processes for personal data within Miss Diamond are designed and implemented in accordance with legal compliance requirements for personal data processing on a business unit basis. The special nature and importance of the data are also considered when restricting access.
- All documents regulating the relationship between Miss Diamond and its personnel that contain personal data include provisions stating the necessity of acting in accordance with the obligations stipulated by the KVKK for the lawful processing of personal data, that personal data should not be disclosed, that personal data should not be used unlawfully, and that the confidentiality obligation regarding personal data continues even after the termination of the employment contract with Miss Diamond. Failure of personnel to comply with these obligations may result in sanctions up to and including termination of the employment contract.
- Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the KVKK and cannot use it for purposes other than processing, and that this obligation will continue after they leave their job. Necessary commitments are obtained from them in this regard.
- Contracts concluded by Miss Diamond with persons to whom personal data is lawfully transferred include provisions stating that the persons to whom personal data is transferred will take the necessary security measures for the protection of personal data and will ensure compliance with these measures in their own organizations.
- In the event that processed personal data is obtained by others through unlawful means, Miss Diamond shall notify the data subject and the Board as soon as possible.
- Miss Diamond employs knowledgeable and experienced personnel for the processing of personal data and provides them with the necessary training on personal data protection legislation and data security.
- Miss Diamond conducts or commissions the necessary audits within its own legal entity to ensure the implementation of the provisions of the Law, and remedies the privacy and security vulnerabilities identified by those audits.
- Miss Diamond is responsible, in accordance with Article 12 of the KVKK, for ensuring that third parties to whom it transfers personal data also fulfill their obligations to process and preserve the data lawfully and to access the data lawfully in accordance with this Policy and the provisions of the KVKK. Therefore, when transferring data to third parties, Miss Diamond must obtain commitments in contracts and all arrangements that ensure these conditions are met and that it is granted the authority to conduct audits. Furthermore, Miss Diamond must specifically inform all its personnel about the responsibilities arising from the processes of transferring personal data to third parties.
METHODS OF PERSONAL DATA DESTRUCTION
Even where personal data has been processed in accordance with the relevant legal provisions, Miss Diamond may delete or destroy it on its own decision or at the request of the data subject when the reasons for its processing cease to exist. Miss Diamond will operate an effective data tracking process to define and monitor the personal data destruction processes.
a. Deletion of Personal Data
The deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. As a method of deleting personal data, Miss Diamond may use one or more of the following methods:
- Personal data on paper will be deleted by redacting, blacking out, cutting out, or erasing.
- Access rights of the relevant user(s) to office files held in the central file store will be removed.
- Rows or columns containing personal data in databases will be deleted with the 'Delete' command.
- Where necessary, data will be securely deleted with the assistance of an expert.
b. Destruction of Personal Data
The destruction of personal data is the process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.
- Physical Destruction
- Destruction with a Paper Shredder
- Degaussing: A method of making the data on magnetic media unreadable by passing it through special devices where it is exposed to high magnetic fields.
c. Anonymization of Personal Data
The anonymization of personal data means rendering personal data in such a way that it can no longer be associated with an identified or identifiable natural person, even by matching it with other data. Miss Diamond may use one or more of the following methods to anonymize personal data:
- Masking: Data masking anonymizes personal data by removing the basic identifying information from the data set. Example: transforming a data set so that the data subject can no longer be identified, by removing information that enables identification, such as name, Turkish ID number, etc.
- Removing Records: In the record removal method, a data row that is singular (unique) within the data set is removed from the records, thereby anonymizing the data that is retained.
- Regional Hiding: In the regional hiding method, where a single value makes a record identifiable because it forms a very rare combination, hiding that value achieves anonymization.
In accordance with Article 28 of the KVKK, anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing is outside the scope of the KVKK, and the explicit consent of the data subject will not be sought.
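The three methods listed above, run over a constructed sample data set as an added example (not Miss Diamond's own tooling): masking drops the direct identifiers, regional hiding blanks the one value that makes a row rare, and record removal drops whatever remains singular. Column names, the "*" placeholder and the threshold k are assumptions for illustration; this is a minimal demonstration, not a full k-anonymity algorithm.

```python
# Added example, not Miss Diamond's own tooling: masking, regional hiding and
# record removal over a constructed data set. Column names, the "*" placeholder
# and the threshold k are assumptions; this is not a full k-anonymity algorithm.
from collections import Counter
from typing import Dict, List, Sequence

Record = Dict[str, str]
# Constructed sample data: two direct identifiers, three quasi-identifiers.
RECORDS: List[Record] = [
    {"name": "Ayşe K.", "tc_no": "10000000001", "district": "Fatih", "birth_year": "1985", "job": "clerk"},
    {"name": "Mehmet Y.", "tc_no": "10000000002", "district": "Fatih", "birth_year": "1985", "job": "clerk"},
    {"name": "Elif D.", "tc_no": "10000000003", "district": "Fatih", "birth_year": "1985", "job": "clerk"},
    {"name": "Can S.", "tc_no": "10000000004", "district": "Beyoğlu", "birth_year": "1990", "job": "driver"},
    {"name": "Zeynep A.", "tc_no": "10000000005", "district": "Beyoğlu", "birth_year": "1990", "job": "driver"},
    {"name": "Ali T.", "tc_no": "10000000006", "district": "Beyoğlu", "birth_year": "1990", "job": "surgeon"},
    {"name": "Deniz B.", "tc_no": "10000000007", "district": "Adalar", "birth_year": "1972", "job": "clerk"},
]
DIRECT = ("name", "tc_no")                 # identify a person on their own
QUASI = ("district", "birth_year", "job")  # identify only in combination
WILD = "*"                                 # value blanked by regional hiding


def mask(records: Sequence[Record], direct=DIRECT) -> List[Record]:
    """Masking: drop the columns that identify the data subject directly."""
    return [{k: v for k, v in r.items() if k not in direct} for r in records]

def _consistent(a: Record, b: Record, qi=QUASI) -> bool:
    """True if rows a and b cannot be told apart on the quasi-identifiers."""
    return all(a[c] == b[c] or WILD in (a[c], b[c]) for c in qi)

def support(records: Sequence[Record], r: Record, qi=QUASI) -> int:
    """How many rows (r included) look like r; support 1 means r is singular."""
    return sum(1 for s in records if _consistent(r, s, qi))

def singular_rows(records: Sequence[Record], qi=QUASI, k: int = 2) -> List[Record]:
    """Rows that fewer than k rows in the data set are consistent with."""
    return [r for r in records if support(records, r, qi) < k]

def remove_records(records: Sequence[Record], qi=QUASI, k: int = 2) -> List[Record]:
    """Record removal: delete the rows that remain singular in the data set."""
    return [r for r in records if support(records, r, qi) >= k]

def regional_hide(records: Sequence[Record], qi=QUASI, k: int = 2) -> List[Record]:
    """Regional hiding: keep a rare row but blank the single value that makes
    its combination rare (the quasi-identifier whose value is rarest overall)."""
    value_counts = {c: Counter(r[c] for r in records) for c in qi}
    out = [dict(r) for r in records]
    for r in out:
        if support(records, r, qi) >= k:
            continue
        rarest = min(qi, key=lambda c: value_counts[c][r[c]])
        r[rarest] = WILD
    return out

def anonymize(records: Sequence[Record], k: int = 2) -> List[Record]:
    """Pipeline: mask direct identifiers, hide rare values, drop what is still singular."""
    return remove_records(regional_hide(mask(records), k=k), k=k)
```

On the sample data the surgeon's row survives with its job hidden, while the Adalar row stays singular even after hiding one value and is removed, which is exactly the case record removal exists for.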
PERSONAL DATA RETENTION AND DESTRUCTION PERIODS
Miss Diamond retains personal data for the period necessary for the purpose for which they are processed. In the event that the primary purpose of collecting the personal data or any secondary processing ground specified in this Policy ceases to exist, the personal data may continue to be retained for the periods specified in APPENDIX-1.
If a retention period for the personal data in question is stipulated in the legislation, that period shall be complied with. In the absence of a period stipulated in the legislation, personal data will be retained for the maximum retention period set out in the table in APPENDIX-1. These periods were determined by evaluating Miss Diamond's data categories and data subject groups, the legal obligations that apply to the resulting data, and the statute of limitations in the Turkish Code of Obligations (10 years).
In the event that the obligation to delete, destroy, or anonymize arises due to the expiration of these periods, Miss Diamond will delete, destroy, or anonymize the personal data in the first periodic destruction process following this date.
MISS DIAMOND's PERIODIC DESTRUCTION PERIODS
Miss Diamond's periodic destruction period is 6 months. Personal data whose retention period has expired are destroyed in 6-month cycles, in accordance with the procedures set forth in this Policy and within the destruction periods specified in APPENDIX-1. Such information will be irretrievably deleted from the media on which it is recorded, such as documents, files, CDs, floppy disks, and hard disks.
All transactions related to the deletion, destruction, and anonymization of personal data are recorded, and these records are kept for at least three years, without prejudice to other legal obligations.
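The scheduling rule above (retention period from the triggering event, destruction in the first 6-month periodic run after it, within the APPENDIX-1 destruction period) as an added example that is not Miss Diamond's own tooling. Run dates, the trigger date and the two Appendix-1 rows used are constructed; the check flags records whose next periodic run falls outside their destruction window and therefore need an out-of-cycle destruction.

```python
# Added example, not Miss Diamond's own tooling: computes the retention end,
# the first periodic (6-month) destruction run after it, and whether that run
# meets the Appendix-1 destruction window. Sample dates are constructed.
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

PERIODIC_RUN_MONTHS = 6  # "periodic destruction period is 6 months"

@dataclass(frozen=True)
class RetentionRule:
    category: str
    retention_years: int   # Appendix-1 retention period
    window_days: int       # Appendix-1 destruction period

def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic (31 Aug + 6 months clamps to 28/29 Feb)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def retention_end(rule: RetentionRule, trigger: date) -> date:
    """Date on which the retention period counted from the trigger event ends."""
    return add_months(trigger, 12 * rule.retention_years)

def next_periodic_run(after: date, first_run: date) -> date:
    """First periodic destruction run dated after the retention end."""
    run = first_run
    while run <= after:
        run = add_months(run, PERIODIC_RUN_MONTHS)
    return run

def schedule(rule: RetentionRule, trigger: date, first_run: date) -> dict:
    """The run that will destroy the record, and whether it meets the window."""
    end = retention_end(rule, trigger)
    run = next_periodic_run(end, first_run)
    deadline = end + timedelta(days=rule.window_days)
    return {"category": rule.category, "retention_end": end, "run": run,
            "deadline": deadline, "within_window": run <= deadline}

# Constructed sample: two Appendix-1 rows, one trigger date, runs on 1 Jan / 1 Jul.
RULES: List[RetentionRule] = [
    RetentionRule("Financial Information", 10, 120),
    RetentionRule("Contact Information", 10, 180),
]
TRIGGER = date(2014, 1, 15)   # termination of the legal relationship (constructed)
FIRST_RUN = date(2014, 1, 1)  # first periodic destruction run (constructed)

def late_categories(rules=RULES, trigger=TRIGGER, first_run=FIRST_RUN) -> List[str]:
    """Categories whose next periodic run falls outside their destruction window,
    i.e. records that need an out-of-cycle destruction to meet Appendix-1."""
    return [s["category"] for s in (schedule(r, trigger, first_run) for r in rules)
            if not s["within_window"]]
```

With a 6-month cycle the wait after a retention end can approach 182 days, so the 120-day rows of APPENDIX-1 are the ones this check flags.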
PERSONNEL
Within the scope of the KVKK, Miss Diamond, as the data controller, has provided the necessary personnel training on the Protection of Personal Data and has informed employees and managers about the destruction processes. In this context, each department manager will be responsible for supervising whether the Relevant Users in their departments act in accordance with this Policy and the Personal Data Policy prepared within the framework of the Law and Regulation.
APPLICATION AND RIGHTS OF THE DATA SUBJECT
The data subject may apply to Miss Diamond in accordance with Article 13 of the KVKK and request the deletion or destruction of their personal data.
- If all the conditions for processing personal data have ceased to exist, the data controller deletes, destroys, or anonymizes the personal data subject to the request. The data controller concludes the data subject's request within thirty days at the latest and informs the data subject.
- If all the conditions for processing personal data have ceased to exist and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party of this situation and ensures that the third party takes the necessary actions within the scope of the Regulation.
- If all the conditions for processing personal data have not ceased to exist, this request may be rejected by the data controller with a justification, and the rejection response is notified to the data subject in writing or electronically within thirty days at the latest.
Data subjects may submit their requests free of charge to Miss Diamond through the following methods, along with information and documents that will identify them:
- By sending an e-mail to the e-mail address [email protected],
- By submitting an Application Form in person or through a notary to the address Mesihpaşa Mah. Sait efendi Sok. Fatih / Istanbul.
For third parties to make an application request on behalf of the personal data subject, there must be a special power of attorney issued by the data subject through a notary in the name of the person who will make the application.
APPENDICES
APPENDIX 1: Data Retention and Destruction Periods Table
TRANSACTION OR PROCESS INVOLVING PERSONAL DATA | RETENTION PERIOD | DESTRUCTION PERIOD
---|---|---
General Assembly Transactions and Company Shareholder Information | 10 years from the termination of the company's legal personality | Within 180 days following the end of the retention period
Financial Information | 10 years from the termination of the legal relationship | Within 120 days following the end of the retention period
Professional Experience | 10 years from the termination of the legal relationship | Within 120 days following the end of the retention period
Marketing Activities | 10 years from the termination of the legal relationship | Within 120 days following the end of the retention period
Health Information | 10 years from the termination of the employment contract | Within 120 days following the end of the retention period
Criminal Record | 10 years from the termination of the employment contract | Within 120 days following the end of the retention period
Responding to court/execution office information requests regarding personnel | 10 years following the termination of the employment relationship | Within 180 days following the end of the retention period
Contact Information | 10 years from the termination of the legal relationship | Within 180 days following the end of the retention period
Contract Processes | 10 years following the termination of the contractual relationship | Within 180 days following the end of the retention period
Identity Information | 10 years from the termination of the legal relationship | Within 180 days following the end of the retention period
Risk Management | 10 years from the termination of the legal relationship | Within 180 days following the end of the retention period
Job applications (unsuccessful) | 5 years from the rejection of the application | Within 180 days following the end of the retention period
Personnel files | 10 years following the termination of the employment contract | Within 180 days following the end of the retention period
Occupational Health and Safety practices | 10 years following the termination of the employment relationship | Within 180 days following the end of the retention period
Board of Directors and Representative Information | 10 years from the termination of the company's legal personality | Within 180 days following the end of the retention period
Payment Transactions/Accounting | 10 years following the termination of the business/legal relationship | Within 180 days following the end of the retention period
Personnel Financing Processes | 10 years following the termination of the employment relationship | Within 180 days following the end of the retention period
Filing of training records | 10 years following the termination of the employment contract | Within 180 days following the end of the retention period
Security Camera Footage and Audio Recordings | 40 days from the date the image and audio were recorded | Within 180 days following the end of the retention period
Request/Complaint Management Information | 2 years from the date of the request/complaint registration | Within 180 days following the end of the retention period