PERSONAL DATA STORAGE, PROCESSING AND DESTRUCTION POLICY
This Personal Data Storage, Processing and destruction Policy (the “Policy”) covers all departments, employees of QNET Türkiye Promosyon Pazarlama ve Turizm Limited Şirketi (“QNET Turkey”) and third parties who have been involved in any personal data processing by QNET Turkey.
As QNET Turkey, it is our priority to ensure that personal data of real persons including but not limited to our customers and employees are processed in accordance with the relevant legislation, particularly the Constitution of the Republic of Turkey and international agreements regarding human rights that our country is a party to and the Personal Data Protection Law Numbered 6698 and data subjects whose data are processed effectively exercise their rights. Therefore, this Policy covers all acts of destruction to be implemented by QNET Turkey on personal data and shall be applicable as a result of all kinds of needs for destruction.
The relevant Policy shall not be applied to data which are not personal data. In the event that a new legislation is entered into force in relation to the subject matter or the relevant legislation is updated, QNET Turkey shall update the policy in a manner to comply with the relevant legislation and shall comply with the requirements of legislation.
|Receiver group||The category of real or legal persons to whom personal data are transmitted by the data controller|
|Relevant user||Persons processing personal data within the data controller’s organization or in line with the authority and instructions he/she received from the data controller, provided that person or unit responsible for technical storage, protection and backing up of data is excluded.|
|Destruction||Deletion, annihilation or anonymisation of personal data|
|Law||Personal Data Protection Law Numbered 6698|
|Filing environment||The name given to all kinds of environments containing personal data processed through fully or partly automatic means or through non-automatic means provided that it is a part of any data filing system.|
|Personal Data Processing Inventory||The inventory formed by data controllers by associating personal data processing with purposes of personal data processing, data categories, receiver group to whom transmission is made and the data subject, depending on the work processes.|
|Board||The Board of Protection of Personal Data.|
|Periodic destruction||Deletion, annihilation or anonymisation to be implemented ex officio, in recurring intervals stated in the personal data storage and destruction policy in the event that personal data processing conditions set forth in the Law cease to exist.|
|Register||Data Controllers Register kept by the Presidency of the Authority of Protection of Personal Data|
|Data filing system||Recording system through which personal data are processed by structuring according to specific criteria|
|Data controller||Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.|
|Regulation||Regulation regarding Deletion, Annihilation or Anonymisation of Personal Data|
Definitions in the Personal Data Protection Policy shall also be applicable to this Policy.
C. PURPOSE AND SCOPE
This Policy determined the principles to be applied to real or legal persons responsible for deletion, annihilation or anonymisation of personal data set forth in the Regulation prepared as per article 7 of the Law, and principles that should be complied with by QNET Turkey and/or third parties who are made contractually responsible by QNET Turkey.
As per the Regulation, QNET Turkey, as a Data Controller who is responsible for registering at the register, is obliged to prepare a Policy for storage of personal data in its possession in accordance with the personal data inventory and deletion, annihilation or anonymisation of the same when necessary, and act in line with such Policy.
The following principles shall be applicable in storage and destruction of personal data:
- General principles set forth in article 4 of the Law shall be complied with.
- QNET Turkey accepts that preparation of this Policy itself shall not mean that personal data are deleted, annihilated or anonymised in line with the Regulation, Law and relevant legislation.
- QNET Turkey accepts, declares and undertakes that when storing or deleting, annihilating or anonymising personal data, it shall act in compliance with the security measures set forth in article 12 of the Law, provisions of the relevant legislation, decisions to be taken by the Board of Protection of Personal Data and the Policy.
- QNET Turkey undertakes that it shall ensure compliance with this Policy and the means, programs and processes to be implemented based on this Policy during deletion, annihilation or anonymisation of personal data processed through fully or partly automatic means or through non-automatic means provided that it is a part of any data filing system.
D. PROCESSING ENVIRONMENTS
With this Policy, QNET Turkey accepts to include within the scope of the Policy the environments containing personal data and listed below as well as personal data in other environments that may arise in addition thereto:
- Computers/servers used in the name of QNET Turkey,
- Network devices,
- Shared/unshared disk drives used to store data in the network,
- Cloud systems,
- Mobile phones and all storage spaces therein,
- Adjacent units such as printer, fingerprint reader,
- Magnetic tapes,
- Optical disks,
- Portable memories.
E. CIRCUMSTANCES REQUIRING DESTRUCTION OF PERSONAL DATA
In the event of a violation within the scope mentioned below, QNET Turkey shall take action. QNET Turkey shall take all kinds of necessary technical administrative measures in relation to the secure storage of personal data and prevention of unlawful processing thereof and access thereto.
QNET Turkey undertakes that it shall not process personal data in a manner contrary to the manner stated in the Law. So far as the exceptions in the conditions for processing of personal data under articles 5 and 6 of the Law do not exist;
- Other than for exceptions stated in the Law, it shall not store personal data of persons whose explicit consent has not been taken.
- Where QNET Turkey stores special categories of personal data, it shall process the data in compliance with the applicable legislation.
2. Disappearance of Data Processing Conditions
QNET Turkey is responsible for the update of the data processing conditions and shares such responsibility with all its employees. In circumstances where data processing conditions disappear, the employees may not continue with data processing. IT Department is obliged to eliminate the environment wherein the conditions have disappeared, in line with this Policy. QNET Turkey accepts that data processing conditions shall be deemed to have disappeared in cases listed below and stated in the Regulation:
- Amendment to or revocation of provisions of the relevant legislation constituting the basis of the processing of personal data, automatic termination of the agreement, termination of or withdrawal from the agreement,
- No agreement having been established between the parties, invalidity of the agreement,
- Cessation of the purpose necessitating the processing of personal data,
- Processing of personal data is against the law or the honesty rule,
- Where processing of personal data is realized only upon explicit consent, revocation of consent by the data subject,
- Acceptance by the data controller of the application duly made by data subject in relation to the activity of personal data processing as per his/her rights under paragraphs (e) and (f) of article 11 of the Law,
- Rejection by the data controller of the application made by the data subject for deletion or destruction of personal data, insufficiency of the response given or failure to respond within the period envisaged in the Law; filing of a complaint at the Board and such request being found appropriate by the Board,
- Absence of any condition that would justify the storage of personal data for a longer time despite the expiry of the maximum period required for storage of personal data.
F. DESTRUCTION OF PERSONAL DATA
Destruction of personal data may be realized through three methods such as deletion, annihilation or anonymisation of data. The purpose of destruction is the impossibility to reach the real person with the remaining data. QNET Turkey shall take all kinds of necessary technical and administrative measures in relation to lawful deletion, annihilation and anonymisation of personal data.
1. Deletion of Personal Data
Deletion of personal data processed fully or partly through automated means is the act of rendering such personal data inaccessible and unusable by the relevant users. The data controller shall describe how the conditions prescribed in its relevant policies and procedures for deeming personal data deleted, are satisfied.
Deletion of personal data processed by means that form a part of any data processing system and are not automatic; shall be realized through anonymisation of unnecessary personal data in the form of paper transmitted to electronic environment through scanning or without being digitalized. These actions shall be implemented where QNET Turkey processes data fully or automatically, and in case of deletion of personal data, QNET shall transform the data to a completely inaccessible or non-reusable.
When conducting such act, QNET Turkey shall ensure that data cannot be accessed or reused by any user. This obligation is under the responsibility of the data controller. If personal data that should not be deleted are also being affected during deletion and become inaccessible and/or unusable, satisfaction of the below methods concomitantly shall also be deemed as deletion:
- Archiving of personal data in a manner that renders the same unattributable to the data subject,
- Closing all kinds of access to personal data,
- Taking all kinds of necessary technical and administrative measures to ensure access to personal data only when necessary by only authorized persons.
Abovementioned methods which shall be deemed as deletion are based on the Regulation and it shall be the Data Controller QNET Turkey’s responsibility to update the same when applicable.
2. Annihilation of Personal Data
The act of annihilation shall be conducted where QNET Turkey processes data on physical processing environments and QNET Turkey shall be obliged to make such data irrecoverable. During such acts, QNET Turkey employees and relevant departments shall be obliged to notify the relevant data to be annihilated and thereafter QNET Turkey shall take all kinds of necessary technical and administrative measures.
3. Anonymisation of Personal Data
The act of anonymisation is, where QNET Turkey processes personal data fully or through automatic means, the act of rendering of personal data unattributable to an identified or identifiable real person even when such data are matched up with other data.
Anonymisation of personal data is the duty of the data owner business unit within QNET Turkey. Data owner business unit may obtain support from different departments of QNET Turkey for destruction of data, provided that supervision thereof shall be conducted by the data subject business unit.
During anonymisation of data, QNET Turkey may use methods such as encryption through unidirectional functions. If one cannot be sure of the correctness of the method to be applied, the Board of Directors should be consulted.
G. METHODS AND PROCESS OF DESTRUCTION OF PERSONAL DATA
For the purpose of destruction of personal data, QNET Turkey defines all methods that may be used in destruction in this Policy. Data owner business unit is obliged to determine and apply the appropriate method to the appropriate circumstances under this Policy. During destruction of personal data, QNET Turkey employees shall select the suitable one from among the below methods and realize destruction:
It is the process of rendering the former data unreadable by writing numerical data composed of 0 and 1 through software over the magnetic media and re-writable optic media at least 8 times.
It is the process where magnetic media is made subject to physical transformation in a highly magnetic environment and the data thereon is rendered unreadable.
3. Physical Destruction
It means the physical destruction of optical media or magnetic media through melting, trituration, grinding and similar processes. It may be utilized where magnetization or overwriting methods are not successful.
4. Annihilation of cloud
It is the annihilation of all copies of encryption keys of personal data following the service of notification regarding annihilation of personal data stored in cloud systems, to the contracted service provider.
5. Destruction of Personal Data Located in Adjacent Systems
It is the destruction process whereby overwriting, magnetization or physical destruction must be conducted over the internal unit if any and if not, all devices containing the personal data located in systems such as printer, fingerprint unit, entrance turnstile. Such type of destructions must be implemented before such devices are subject to back-up, maintenance and similar processes.
H. STORAGE AND DESTRUCTION PERIODS
1. Periodic destruction and Statutory Storage Periods
Physical and digital data that have fulfilled their statutory storage and destruction periods shall be destroyed periodically. QNET Turkey shall delete, destroy or anonymise personal data in the first act of periodic destruction following the date as of which its obligation to delete, destroy or anonymise personal data arises. Periodic destruction shall be realized in 6 monthly intervals for all personal data.
Processes regarding the deleted, destroyed and anonymised data shall be stored for at least 3 years free from other legal obligations.
2. Deletion and Destruction upon Request of Data Owners
Where data owners apply to QNET Turkey and request deletion or annihilation of his/her personal data, it shall check the current status of the personal data processing conditions and takes the relevant actions depending thereon.
If all personal data processing conditions have ceased to exist, personal data subject to request shall be deleted, destroyed or anonymised. QNET Turkey shall conclude the request of the data subject and inform the data subject within thirty days at the latest.
If all personal data processing conditions have ceased to exist and personal data subject to request have been transferred to third parties, the data controller shall notify such situation to the third party; and ensures that the necessary actions are taken by the third party within the scope of the Regulation.
If all personal data processing conditions have not ceased to exist, QNET Turkey may reject the request by stating its justification to the relevant data owner and notify the rejection to the data subject in writing or through electronic environment within thirty days at the latest.
I. AMENDMENTS TO BE MADE IN THE POLICY
Following all kinds of official amendment to be made in the relevant legislation, this Policy may be amended by QNET Turkey in a manner to comply with such changes. QNET Turkey shall share via e-mail and provide access over the corporate website to the updated Policy in a manner that changes made in the Policy can be reviewed.
J. COOKIES POLICY
How Are Website Cookies Used?
They are used to determine how you use the website, including but not limited to monitoring of how you use the website such as from where you connect to www.qnetturkiye.com.tr, which contents you view on the website and duration of your visit.
Cookies in www.qnetturkiye.com.tr are used for the purpose of advertisement/promotion in order to provide contents and advertisements that are more suitable to your interest areas and to you. In this way, when you use the website, mobile application, they provide you with contents that are more suitable to you, customized special offers and products and does not provide the contents or offers that you previously stated as not wanted.
How does the website use third party cookies for advertisement and re-targeting?
In your utilizations of our Company’s website, all credit card transactions and approvals are realized online between the relevant Bank and similar Card Institutions and you, independently from our Company (Information such as credit card “password” are not seen and recorded by our Company).
Information entered into our website for purposes of membership, purchase of product/service and information update, likewise confidential information regarding credit cards and bank cards may not be viewed by other internet users.
Members/customers shall be liable for all decisions taken, all kinds of transactions and practices conducted within the framework of information obtained by the same from our website or other websites whose links are provided in our website, information, promotion and advertisements, likewise all kinds of recommendations provided to them via electronic communication, together with all consequences thereof.
If members/customers purchase a product/service as a result of information of such members/customers through stated means and/or provision of correspondences, information, promotions and advertisements to them, the aforementioned transaction shall be subject to the consumer agreement to be executed separately and in a legally appropriate manner. Consumer agreement shall be implemented in accordance with its own terms and between the parties thereof. In your shopping in our website, terms of the order preliminary information form-distant sale agreement that you shall see at the time of each transaction.
Our members/customers may reach our Company through the below-mentioned channels and suspend personal data utilization/processing and/or commercial electronic communications made to them, at any time and without showing any justification. Depending on the member’s/customer’s explicit notification to such effect, personal data transactions and/or communications to him/her through channels stated by the same shall cease within the statutory maximum period. If the member/customer wishes, he/she may apply to our Company at any time and obtain information in relation to transactions regarding processing of his/her personal data. Applications and requests in this regard shall be satisfied within the statutory maximum periods or may be rejected by way of explanation of legal justification thereof.
QNET Promosyon Pazarlama ve Turizm Limited Şirketi
Büyükdere Cad. Likör Fabrikası
Sok. Akabe İş Merkezi No: 78 / 80-11 Kat:2
Mecidiyeköy/ Şişli/ İstanbul
Tel: + 90 212 356 56 76
Fax: + 90 212 356 56 51
(You may submit you queries and opinions to our Customer Support Group)
Registered Electronic Mail Address: email@example.com