Data Storage, Anonymization and Destruction Policy

1. Purpose

The purpose of this procedure is to ensure that all printed and written content, information technology assets and peripherals used in the acquisition, processing and storage of information are destroyed when necessary, in a safe manner and in accordance with Law No. 6698 on the Protection of Personal Data.

2. Scope

The procedure covers all personal and commercial data records and business processes.

3. Definitions

Law : Refers to Law No. 6698 on the “Protection of Personal Data”.
Personal Data : Personal data refers to any information relating to an identified or identifiable natural person. The identification or identifiability of a person means that the existing data is associated with a natural person in any way, making that person identifiable.
Blackout : Operations such as crossing out, painting over or blurring personal data so that it cannot be associated with an identified or identifiable natural person.
Recording medium : Any environment containing personal data processed by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system.
Personal data storage and destruction policy : The policy on which data controllers base the process of determining the maximum period required for the purpose for which personal data is processed and the process of erasing, destroying and anonymizing personal data.
Masking : Operations such as deleting, crossing out, coloring and starring certain areas of personal data so that it cannot be associated with an identified or identifiable natural person.
Special Personal Data : Data relating to a person's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic destruction : The process of deleting, destroying or anonymizing personal data that is specified in the personal data storage and destruction policy and carried out ex officio at recurring intervals when all the conditions for processing personal data specified in the Law have been eliminated.

4. References

Regulation on the Deletion, Destruction or Anonymization of Personal Data No. 30224 of the Law on the Protection of Personal Data No. 6698, dated 28.10.2018

5. Application

5.1. Destruction of Assets

If the purpose of processing personal data is eliminated, explicit consent is withdrawn, or all of the conditions for processing personal data specified in Articles 5 and 6 of the Law are eliminated, or if there is a situation where none of the exceptions in the aforementioned articles can be applied, the personal data for which the processing conditions have been eliminated shall be deleted, destroyed or anonymized by the relevant business unit, taking into account business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation (Articles on Deletion, Destruction or Anonymization of Personal Data), by explaining the reasoning for the method applied. However, in the event of a final court decision, the destruction method ruled by the court decision must be applied.

Information on any device with a data recording feature is deleted to prevent unauthorized access, and the disk and recording mechanism on the device are physically destroyed. The Media/Device Destruction Report is filled out and signed by the information systems operator. The destruction process is recorded by entering information such as the date, device information and reason for destruction.

Data Deletion Methods

a. Personal Data on Paper: Deleted by destroying the documents with a paper shredder or, if necessary, by using the blackout method.
b. Office Files Located on the Central Server: Deleted with the delete command in the operating system.
c. Data on Removable Media: Deleted by the delete command in the operating system.
d. Databases: The relevant rows containing the data are deleted with database commands.

Methods of Destroying Assets and Data

a. In Local Systems: Destroyed using appropriate methods such as demagnetization, physical destruction, or overwriting.
b. Environmental Systems:
• Network devices (switch, router, etc.): Destroyed using the appropriate methods specified in item a.
• Flash-based media: Destroyed using the methods recommended by the relevant manufacturer or the methods specified in item a.
• Magnetic tape: Destroyed by demagnetization or physical methods such as burning or melting.
• SIM cards and fixed memory cards: Destroyed using the appropriate methods specified in item a.
• Optical discs: Destroyed by physical methods such as burning, breaking into small pieces, or melting.
• Peripherals with a fixed data recording medium: Destroyed using the appropriate methods specified in item a.

c. Printed Media: Destroyed using paper shredders. Personal data transferred from the original paper format to electronic media by scanning is destroyed using methods appropriate to the medium on which it is located.

Methods of Anonymizing Personal Data:

When personal data is anonymized, an appropriate anonymization method shown in the Personal Data Deletion, Destruction or Anonymization Guide published by the Personal Data Protection Authority is used.

As a result of periodic reviews, or if it is determined at any time that the data processing conditions have ceased to exist, the relevant user or data owner will decide to delete, destroy or anonymize the relevant personal data from its own storage medium in accordance with this policy. In cases of doubt, the relevant data owner business unit will be consulted before the action is taken.

When destroying data, the regulation specifying the retention periods published by the General Directorate of State Archives is taken into consideration. Data that is safe to destroy after the required periods in the unit archive, institution archive or state archive is destroyed.

5.1.1. Destruction of Multi-Stakeholder Data

If a decision needs to be taken regarding the destruction of personal data with multi-stakeholder data ownership in Central Information Systems, the opinion of the Data Controller Representative is obtained and a decision is made regarding the storage, deletion, destruction or anonymization of the personal data in question in accordance with this policy.

5.1.2. Destruction of Personal Data Upon Request of the Data Owner

When the natural person who is the owner of the personal data applies to the University with the “Personal Data Owner Application Form” in accordance with Article 13 of the Law and requests the deletion, destruction or anonymization of his/her personal data, the application will be finalized within thirty days at the latest from the date of application. Requests for the deletion or destruction of personal data will only be evaluated provided that the identity of the relevant person has been determined. The personal data owner who applies will be informed through the methods specified in the application form. If the processing conditions have not been removed due to legal requirements, the data owner will be informed that the personal data subject to the request cannot be deleted. The unit where the relevant data is processed will examine whether all the conditions for processing the personal data have been removed. If all the conditions for processing have been removed, it will delete, destroy or anonymize the personal data subject to the request within three months at the latest. If all the conditions for processing the personal data have been removed and the personal data subject to the request has been transferred to third parties, the unit where the relevant data is processed will immediately notify the third party to whom the transfer was made and ensure that the necessary procedures are carried out by the third party within the scope of the Regulation.

5.2. Periodic Review of Personal Data

All users and data owner units that process or store personal data shall review the data recording media they use, at least every six months, to determine whether the conditions related to processing have been eliminated. Upon the application of the personal data owner or upon the notification of a court, the relevant users and units shall conduct this review on the data recording media they use, regardless of the periodic review interval. All transactions related to the deletion, destruction or anonymization of personal data shall be recorded, and the records in question shall be kept for at least three years, excluding other legal obligations.

The deletion, destruction or anonymization of personal data complies with the general principles in Article 4 (Processing of Personal Data) of the Law, the technical and administrative measures to be taken within the scope of Article 12 (Obligations Regarding Data Security), relevant legislation provisions, Board decisions and court decisions.

5.3. Storage of Personal Data

The processing times of personal data are specified in the “Personal Data Processing Inventory”.
In periodic destruction or destruction upon request, the storage and destruction periods in question will be taken into account. Storage and destruction processes may vary upon the request of the data owner, unless there is a legal obligation.

To ensure personal data security, physical security measures have been taken, such as keeping media containing personal data (paper documents, CDs, DVDs and USBs) under lock and key when not in use, allowing access only to authorized personnel, and monitoring entrances and exits with cameras. Servers containing personal data kept in digital media are stored in the University system room with the necessary security measures taken.

The administrative and technical measures taken to ensure the security of personal data are included in detail in the Personal Data Protection and Processing Policy.

6. Control

Documents are revised when necessary and periodically checked once a year.