Data Retention, Anonymisation and Destruction Policy
1. Objective
The purpose of this procedure is to ensure that all printed and written content, information technology assets and peripherals used in obtaining, processing and storing information are destroyed securely and in accordance with the Law No. 6698 on the Protection of Personal Data.
2. Scope
The procedure covers all personal and commercial data records and business processes.
3. Definitions
Law : Refers to Law No. 6698 on the Protection of Personal Data.
Personal Data : Personal data refers to any information relating to an identified or identifiable natural person. The fact that a person is specific or identifiable means that the existing data is associated with a natural person in any way, making that person identifiable.
Blackout : Processes such as crossing out, painting and icing of the whole personal data in a way that cannot be associated with an identified or identifiable natural person.
Recording media : Any medium containing personal data that are processed by fully or partially automated means, or by non-automated means provided that they are part of a data recording system.
Personal data storage and destruction policy : The policy that data controllers take as the basis for determining the maximum period of time required for the purpose for which personal data are processed, and for the process of deletion, destruction and anonymisation.
Masking : Operations such as deleting, crossing out, colouring and starring certain areas of personal data in such a way that they cannot be associated with an identified or identifiable natural person.
Sensitive Personal Data : Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal offences, convictions and security measures, and biometric and genetic data.
Periodic destruction : It is the process of deletion, destruction or anonymisation of personal data to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in case all the conditions for processing personal data specified in the law disappear.
4. References
Law No. 6698 on the Protection of Personal Data
Regulation on Deletion, Destruction or Anonymisation of Personal Data, No. 30224, dated 28.10.2018
5. Application
5.1. Destruction of Assets
If the purpose for processing personal data disappears, explicit consent is withdrawn, all of the conditions for processing personal data in Articles 5 and 6 of the Law disappear, or none of the exceptions in those articles can be applied, the personal data whose processing conditions have disappeared are deleted, destroyed or anonymised by the relevant business unit, taking business needs into account, within the scope of Articles 7, 8, 9 or 10 of the Regulation (the articles on deletion, destruction or anonymisation of personal data), and the justification for the method applied is explained. However, where there is a finalised court decision, the destruction method ruled by the court must be applied.
Information on any device capable of recording information is deleted to prevent unauthorised access, and the disc and recording mechanism on the device are physically destroyed. The Media/Device Destruction Record is filled in and signed by the information systems operator. The date, device information, reason for destruction and similar information are entered, and the destruction process is recorded.
Data Deletion Methods
a. Personal Data on Paper Media: Erased by destroying it with a paper shredder or, when necessary, by using the blackout method.
b. Office Files on the Central Server: Deleted with the delete command in the operating system.
c. Data on Portable Media: Deleted with the delete command in the operating system.
d. Databases: The related rows containing the data are deleted with database commands.
Methods of Destruction of Assets and Data
a. Local Systems: Destroyed by de-magnetisation, physical destruction or overwriting.
b. Environmental Systems:
- Network devices (switch, router, etc.): Destroyed by appropriate methods specified in item a.
- Flash-based media: Destroyed by the methods recommended by the relevant manufacturer or by the methods specified in item a.
- Magnetic tape: Destroyed by de-magnetising or physical methods such as burning or melting.
- SIM cards and fixed memory cards: Destroyed by the appropriate methods specified in item a.
- Optical discs: Destroyed by physical methods such as burning, shredding or melting.
- Peripherals with fixed Data Recording Media: Destroyed by appropriate methods specified in item a.
c. Printed Media: Destroyed by using paper shredders. Personal data transferred from the original paper format to electronic media by scanning are destroyed by appropriate methods according to the media they are in.
Methods of Anonymisation of Personal Data:
When personal data are anonymised, the appropriate anonymisation method is chosen from those shown in the Guidelines for Deletion, Destruction or Anonymisation of Personal Data published by the Personal Data Protection Authority.
As a result of periodic reviews, or at any time when it is determined that the conditions for data processing have disappeared, the relevant user or data owner will decide to delete, destroy or anonymise the relevant personal data from the recording medium within its own structure in accordance with this policy. In cases of hesitation, the relevant data owner in the business unit will be consulted and action will be taken accordingly.
In the destruction of data, the regulation stating the retention periods published by the General Directorate of State Archives is taken into consideration. After the expiry of the periods for which data must be kept in the Unit archive, the Institution archive or the State Archives, data whose destruction raises no objection are destroyed.
5.1.1. Destruction of Multi-Stakeholder Data
When a decision must be taken on the destruction of personal data with multi-stakeholder data ownership in the Central Information Systems, the decision to keep, delete, destroy or anonymise the personal data in question is taken according to this policy, after obtaining the opinion of the Data Controller Representative.
5.1.2. Destruction of Personal Data upon Data Subject Request
When the natural person who owns the personal data applies to the University with the "Personal Data Owner Application Form" in accordance with Article 13 of the Law and requests the deletion, destruction or anonymisation of his/her personal data, the request will be finalised within thirty days at the latest from the date of application. Requests for the deletion or destruction of personal data will only be evaluated provided that the identity of the person concerned has been established. The applicant personal data owner shall be informed through the methods specified in the application form. If the processing conditions have not disappeared due to legal requirements, the data subject is informed that the personal data subject to the request cannot be deleted. The unit where the relevant data is processed examines whether all the conditions for processing personal data have disappeared. If all of the processing conditions have disappeared, it deletes, destroys or anonymises the personal data subject to the request within three months at the latest. If all of the conditions for processing personal data have disappeared and the personal data subject to the request have been transferred to third parties, the unit where the relevant data is processed shall immediately notify the third party to whom the transfer was made and ensure that the necessary actions are taken with the third party within the scope of the Regulation.
5.2. Periodic Review of Personal Data
All users and data owner units that process or store personal data shall review whether the conditions for processing have disappeared or not in the data recording media they use, at the latest within a period of six months. Upon the application of the personal data subject or upon notification of a court, the relevant users and units shall carry out this review in the data recording media they use, regardless of the period of periodic audits. All transactions regarding the deletion, destruction or anonymisation of personal data shall be recorded and such records shall be kept for at least three years, excluding other legal obligations.
The deletion, destruction or anonymisation of personal data is carried out in accordance with the general principles in Article 4 (Processing of Personal Data) of the Law, the technical and administrative measures to be taken within the scope of Article 12 (Obligations Regarding Data Security), the provisions of the relevant legislation, Board decisions and court decisions.
5.3. Storage of Personal Data
The processing periods of personal data are specified in the "Personal Data Processing Inventory".
Such retention and destruction periods shall be taken into account in periodic destruction or destruction operations to be carried out upon request. Storage and destruction processes may vary upon the request of the data subject, unless there is a legal obligation.
In order to ensure personal data security, measures have been taken for physical security such as keeping paper documents containing personal data, devices such as CDs, DVDs and USBs under lock and key when not in use, access only by authorised personnel and monitoring the entrances and exits with a camera. Servers containing personal data kept in digital media are stored in the University system room with the necessary security measures taken.
The administrative and technical measures taken to ensure the security of personal data are detailed in the Personal Data Protection and Processing Policy.
6. Control
The documents are revised when necessary and periodically checked once a year.