January and July are designated as destruction periods for the destruction of data within our company. Personal data obtained from relevant persons will be deleted, destroyed or anonymized by the personnel/personnel responsible for the protection of data within the company within the following destruction period after the expiry of the retention period. Minutes regarding the destruction process will be kept in an independent location by the personnel responsible for the protection of data within the company for 3 (three) years. These minutes will be destroyed after three years. Regarding the destruction process, the Regulation on Deletion, Destruction or Anonymization of Personal Data No. 30224 dated 28 October 2017 and the provisions of the Personal Data Protection Law No. 6698 will be taken as basis.
The legislative provisions underlying storage periods are as follows;
• Personal Data Protection Law no. 6698,
• Turkish Code of Obligations no. 6098,
• Occupational Health and Safety Law no. 6331, •
Labor Law no. 4857
• Social Security and General Health Insurance Law no. 5510
• Regulation of Publications Made on the Internet No. 5651 Law
No. 4982 on Access to Information, •
Law No. 3071 on the Exercise of the Right to Petition,
• Turkish Commercial Code No. 6102
• Law on Consumer Protection No. 6502
• Law No. 6563 on the Regulation of Electronic Commerce •
Tax Procedure Law No. 213 Law
• Income Tax Law No. 193
• Regulation on Distance Contracts Published in the Official Gazette No. 27866
• Regulation on Commercial Communication and Commercial Electronic Messages Published in the Official Gazette No. 29417 dated 15.07.2015 •
After-Sales Services Regulation Published in the Official Gazette No. 29029 and dated 13.06.2014
• Regulation on Measures Concerning the Prevention of Laundering Proceeds of Crime and Financing of Terrorism No. 26751.
The reasons requiring destruction are as follows:
• Change or abolition of the relevant legislative provisions on which the data in question is based
• Elimination of the purpose that forms the basis for processing and storing the data,
• Processing personal data can only be done with explicit consent. • If the relevant person's
application to the company for deletion, destruction or anonymization of data within the scope of Article 11 No. 6698 is accepted,
• If the request for anonymization, destruction or destruction made to the Company is not deemed appropriate, and if the request of the relevant person is accepted in the complaint made to the Board,
• The storage period has expired and there are no conditions specific to the concrete event that would justify storing for a longer period of time
. Safe storage of personal data, In order to prevent unlawful processing and access of personal data and to destroy personal data in accordance with the law, technical and administrative measures are taken by the Company within the framework of adequate measures determined and announced by the Board for special personal data in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law.
The technical measures taken by the company regarding the personal data it processes are listed below:
• Information and data security is ensured by performing penetration tests as routine and random applications.
• Reporting on risks and threats is made through real-time Information Security Analyzes provided by the company or its solution partners.
• Data and information security is ensured by defining the authorization matrix and not allowing exceptional applications.
• Physical space security of the IT and systems, servers and other security-related devices and applications within the company is ensured. Security has been taken against possible physical attacks by third parties.
• Hardware (access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, ensuring the physical security of the edge switches that form the local area network, fire extinguishing system, air conditioning system, etc.) and software to protect information systems against immediate environmental threats. Necessary precautions (firewalls, attack prevention systems, network access control, malware blocking systems, etc.) have been taken.
• Risk analyzes are carried out by the company and corrective technical measures are taken.
• Access restrictions are imposed for employees within the company and necessary risk analyzes and reporting are carried out.
• Access to storage areas, especially the servers where log records are kept, are recorded and possible unauthorized access is controlled.
• Necessary software and physical precautions are taken to prevent the data in question from being reinstated after deletion.
• Authorization procedures for informing the board in case of possible violations have been effectively defined.
• Applications and methods to ensure information security are kept up to date and appropriate security patches are installed when necessary.
• Password policy has been determined. Strong passwords that are changed at regular intervals are used.
• Logging is done. Log backup is also made.
• Authorizations regarding data held in digital and non-digital media are limited.
• The website served by the company is encrypted with the SHA 256 Bit RSA algorithm using the HTTPS method.
• Separate policies have been determined regarding the protection of sensitive personal data.
• Necessary efforts have been made to inform employees and other third parties who are responsible for storing and processing private personal data, commitments have been taken and confidentiality agreements have been signed.
• Routine information trainings are provided to increase the awareness of employees.
In addition to all these, in accordance with the Decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 regarding "Adequate Precautions to be Taken by Data Controllers in the Processing of Special Personal Data", at least the following measures are taken regarding special personal data:
1- Determination of a systematic, clearly defined, manageable and sustainable separate policy and procedure for the security of personal data,
2- For employees involved in the processing of special personal data,
a) Regular procedures regarding the law and related regulations and special personal data security issues.
b) Making confidentiality agreements, c
) Clearly defining the users who have access to data, their authorization scope and duration,
d) Periodically performing authorization checks,
d) Immediately removing the authorizations of employees who change their duties or leave their jobs. In this context, receiving the return of the inventory allocated to it by the data controller,
3- Environments where special personal data are processed, stored and/or accessed, electronic media:
a) Preserving the data using cryptographic methods,
b) Keeping the cryptographic keys in secure and different environments ,
c) Securely logging the transaction records of all movements performed on the data,
ç) Continuously monitoring the security updates of the environments where the data is located, performing the necessary security tests regularly, recording the test results,
d) If the data is accessed through a software, user authorizations for this software are made, regular security tests of these software are carried out, the test results are recorded,
e) If remote access to data is required, at least a two-stage authentication system is provided,
4- Special qualifications The environments in which personal data are processed, stored and/or accessed are physical environments:
a) Ensuring that adequate security measures are taken (against situations such as electricity leakage, fire, flood, theft, etc.) depending on the nature of the environment where sensitive personal data is located,
b) This preventing unauthorized entries and exits by ensuring the physical security of the environments,
5- If special personal data is to be transferred,
a) If the data must be transferred via e-mail, it must be transferred encrypted using the corporate e-mail address or Registered Electronic Mail (KEP) account,
b) Portable Memory, CD, If it is necessary to transfer it through media such as DVD, it must be encrypted with cryptographic methods and the cryptographic key is kept in a different environment,
c) If the transfer is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between the servers or by sFTP method,
d) If the data must be transferred through paper media, the document is stolen, lost or Necessary precautions must be taken against risks such as being seen by unauthorized persons and the documents must be sent in the format of "confidential documents".
6- In addition to the above-mentioned measures, technical and administrative measures to ensure the appropriate security level specified in the Personal Data Security Guide published on the website of the Personal Data Protection Authority are also taken into account.
Administrative measures taken by the company regarding the personal data it processes are listed below:
• Awareness training is given at regular intervals in order to raise the awareness of employees, especially the personnel responsible for private personal data, about the processing, transfer, destruction and storage of data.
• Commitments are taken from employees regarding their areas of business activity and confidentiality agreements are signed.
• Disciplinary penalties are foreseen for information security violations within the scope of the KVKK Regulation and Disciplinary Regulation.
• Information texts are delivered to the relevant people before data processing begins.
• Explicit consent forms are taken from the relevant persons in order to meet the conditions. After the forms in question are provided and consents are obtained, data processing activities begin.
• A personal data processing inventory has been prepared.
• Periodic and random audits are carried out within the company.
Upon expiration of the legal periods, personal data is destroyed upon the request of the relevant person or ex officio by the company in the following ways.
| DATA RECORDING MEDIUM | EXPLANATION |
| Server and Data on Servers | The data in question is destroyed by the system administrator by removing access privileges during the first destruction period following the expiration of the retention period. |
| Personal Data in Electronic Media | Following the end of the storage period, the data in question is destroyed by the database administrator by removing access to other employees during the first destruction period. |
| Personal Data in Physical Environment | Personal data kept in physical environment is destroyed by burning/painting, drawing/cutting/erasing/embossing method and scratching method in the first destruction period following the expiration of their storage period. These processes are applied at an intensity that does not allow the data to be recognized or understood by third parties. |
| Personal Data Contained in Portable Media | During the destruction period at the end of the storage period, personal data kept in such storage media is deleted by the system administrator in a way that other employees and third parties cannot reach, and destroyed if deemed necessary. If the destruction process is to be done physically, it is done by separating the data stored in the flash-based environment in such a way that its integrity is no longer ensured. |
| Personal Data Contained in Optical / Magnetic Media | Personal data contained in optical media and magnetic media are destroyed within the first destruction period after the expiration of their storage period, by physical destruction such as burning or pulverization, in a way that does not allow access by third parties. In addition to physical destruction, the data is made impossible to read by magnetic processing with special devices. |
Personal data collected from those concerned are stored and destroyed in different time periods depending on their characteristics. These data, whose retention period has expired, are destroyed within the nearest destruction period and the records regarding the destruction are kept for 3 years. The general application table regarding personal data retention period and basis is as follows.
| PERSONAL DATA | STORAGE PERIOD |
| Call Center Voice Recordings | It will be stored for 3 years in accordance with Law No. 6563 and Related Legislation. |
| Log Records of Employees | In accordance with Law No. 5651, they will be kept for 2 years and 10 years if they are the subject of a legal dispute. |
| Information Received from Customers as a Basis for Invoices | It will be stored for 10 years in accordance with the Turkish Commercial Code No. 6102. |
| Customer Transaction Information | It will be kept for 10 years in accordance with the Turkish Code of Obligations No. 6098. 3 years in cases falling within the scope of Law No. 6563. |
| Data Collected from Cookie Applications | Transaction Cookies will be kept for 12 months, and visit measurement cookies that store user ID will be kept for 13 months. Session cookies, among the Transaction Cookies, keep data during the session. The periods in question are determined according to the nature of the application, European GDPR and established practices. |
| Transaction Records Regarding After-Sales Services (Ex: Product Installation Date, Information and Documents Given to the Customer After Renovation, Customer Contact Information) | In accordance with the After-Sales Services Regulation published in the Official Gazette dated 13/6/2014 and numbered 29029, some of the products in the attached list will be stored for 10 years. The Regulation in question was revised in some aspects on 12 February 2020. |
| Personal Data Regarding Customers | If a buying and selling relationship has been entered into, it is kept for 10 years in accordance with the Turkish Commercial Code No. 6102, the Code of Obligations No. 6098, Law No. 6502 and Law No. 213. |
| Personal Data Processed for Security Purposes Pursuant to CCTV Cameras (Camera Recordings) | The data obtained through these cameras is stored for 90 days. |
| Data Obtained Pursuant to Contracts Participated in Within the Scope of Company Activity | The data obtained in accordance with the Turkish Commercial Code No. 6102 will be stored for 10 years after the contractual relationship ends. |
| Approval Records for Commercial Electronic Messages Sent to Recipients' Electronic Communication Addresses for Marketing, Promotion and Information Purposes | It is stored for 1 year in accordance with paragraph 13/2 of the regulation on Commercial Communication and Commercial Electronic Messages published in the Official Gazette No. 29417 dated 15.07.2015. |
| Personal Data Regarding Tax Records | It is kept for 5 years in accordance with the Tax Procedure Law No. 213 |
| Personal Data Processed with Documents That Must Be Kept According to Tax Procedure Law, Such as Invoice/Expense Note/Receipt | It is kept for 5 years in accordance with the Tax Procedure Law No. 213. |
| Visitor Personal Data | Book records of visitors and records related to Wi-Fi usage (in accordance with Law No. 5651) are kept for 2 years. Visual records are kept for 6 months. |
| Data Processed within the Scope of Network Services Offered by the Company (Ip Addresses, Data Regarding Transferred Data Type and Capacity, Data Regarding User Information Defined for Open IP and Time Intervals Regarding Service Procurement) | It is stored for 2 years in accordance with law no. 5651. Visual records are kept for 6 months. |
| Personnel File Information | It is kept for 10 years after the end of the contractual relationship in accordance with the Labor Law No. 4857 and Related Legislation and the Turkish Code of Obligations No. 6098. |
| Data within the Scope of Occupational Health and Safety (Routine Health Test Results, OHS Training Records and Other Records Received on Occupational Health and Safety) | It is kept for 15 years from the termination of the contractual relationship in accordance with Article 86 of the Occupational Health and Safety Law No. 6331 and the Occupational Health and Safety Services Regulation. |
| Data on Company Partners and Board Members | It is kept for 10 years in accordance with the Turkish Commercial Code No. 6102. |
| Data Related to Job Application/Internship Application/Application and Candidate Applications (Ex: CV, Resume, Cover Letter, Application Form, etc.) | If the acceptance of the persons in question is not made by the company, the documents are kept as per custom for 6 months from the date of receipt. |
| Data on Suppliers and Transporters | In accordance with Law No. 6102, Law No. 6098 and Law No. 213, it is kept for 10 years following the end of the contractual relationship. |
| Data on Online Visitors | It is stored for 2 years in accordance with Law No. 5651 |
| Membership and Reservation Records | It is kept for 10 years in accordance with Law No. 6098. |
| Satisfaction Surveys Received from Employees and Customers | It is stored for 1 year in order to ensure proportionality between the sectoral practice and the company's legitimate interest and the nature of the personal data. |
| Data Subject to Internal Complaint and Request Information | The data in question is stored for 10 years in accordance with the Turkish Commercial Code No. 6102, the Code of Obligations No. 6098 and the Labor Law No. 4857, in case they may be the subject of a legal dispute. |
| Personal Data of the Relevant Person in Case of Fatal Excavation | It will be kept for 20 years in accordance with the Regulation on Personal Health Data published in the Official Gazette No. 30808 dated 21.06.2018. |
Our company has chosen July and January as the destruction periods, and the data whose retention period has expired will be destroyed and recorded in the report in the month that is the nearest destruction period. The said report will include the person's Unit or Name information. These minutes will be kept for 3 years.
The relevant person is ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC., pursuant to Article 13 of the Law. When LTD.ŞTİ requests the deletion or destruction of its personal data;
1. If all the conditions for processing personal data have been eliminated; The Company deletes, destroys or anonymizes the personal data subject to the request using an appropriate destruction method, explaining the reason within 30 (thirty) days from the day it receives the request. In order for the Company to be deemed to have received the request, the relevant person must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, the company informs the relevant person about the transaction.
2. If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection response will be notified to the relevant person in writing or electronically within thirty days at the latest. The person concerned reserves the right to complain to the institution. In this context, relevant persons may apply to the Board within 60 (sixty days) after they learn that their requests have been rejected.
3. Within this framework, applications to be made to our Company in "written" form,
• By the Applicant's personal application,
• Through a notary public,
• By signing by the Applicant with the "secure electronic signature" defined in the Electronic Signature Law No. 5070 and
sent to the Company's registered e-mail address. may be forwarded to us. Our contact information to exercise this right is as follows:
Title: ALMİN ALÜMİNYUM PROFİL SANAYİ VE TİC. LTD. ŞTİ.
Mersisno: 0-0550-4031-2600017
E-mail address: bilgiislem@alminprofil.com.tr
Postal Address: ASO 1. Org. Singing. Region. Dagestan Cad. No:9 Sincan/ANKARA
Tel: 0312 267 58 80
