Data Storage, Anonymization and Destruction Policy

1. Aim

The purpose of this procedure is to ensure that all printed and written content, information technology assets and peripheral units used in obtaining, processing and storing information are destroyed, when necessary, securely and in accordance with the Law on the Protection of Personal Data No. 6698.

2. Scope

The procedure covers all personal, business data records and business processes.

3. Definitions

Law : 6698 “Protection of personal data” expresses the law.
Personal Data : Personal data refers to any information regarding an identified or identifiable natural person. Making a person specific or identifiable means making that person identifiable by associating existing data with a real person in any way.
Blackou : Processes such as scratching, painting and icing all personal data in a way that cannot be associated with an identified or identifiable natural person.,
recording media : Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system,
Personal data retention and destruction policyı : The policy on which data controllers base their deletion, destruction and anonymization and the process of determining the maximum period required for the purpose for which personal data are processed,
maskin : Processes such as deleting, crossing out, painting and starring certain areas of personal data in a way that cannot be associated with an identified or identifiable natural person,
Special Personal Data : People's race, ethnic origin, political opinion, philosophical belief, religion, sect
or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal
data regarding convictions and security measures, as well as biometric and genetic data.
periodic destruction: It is the process of deleting, destroying or anonymizing personal data, which is specified in the personal data storage and destruction policy and will be carried out ex officio at recurring intervals, in case all the conditions for processing personal data specified in the law are eliminated.

4. References

6698 Regulation on the Deletion, Destruction or Anonymization of Personal Data, dated 28.10.2018, Law No. 30224 on the Protection of Personal Data

5. APPLICATION

5.1. Destruction of Assets

If the purpose of processing personal data disappears, explicit consent is withdrawn, or all of the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, or if there is a situation where none of the exceptions in the mentioned articles are applicable, personal data whose processing conditions are eliminated will be processed by the relevant business unit, taking into account business needs, in accordance with Articles 7, 8, 9 or 10 of the Regulation (Deletion, Destruction or Anonymous Data). It is deleted, destroyed or anonymized by explaining the justification of the method applied, within the scope of the Purification Clauses). However, in case of a final court decision, the destruction method ordered by the court decision must be applied.

Information on any device with information recording feature is deleted against unauthorized access, and the disk and recording mechanism on the device are physically destroyed. The Environment/Device Disposal Report is filled out and signed by the information systems operator. Date, device information, reason for destruction, etc. The destruction process is recorded by entering the information.

Data Deletion Methods

a. Personal Data on Paper: It is deleted by destroying it with a paper shredder or, when necessary, by using the blackout method.
b. Office Files on the Central Server: They are deleted with the delete command in the operating system.
c. Data on Removable Media: It is deleted with the delete command in the operating system.
d. Databases: The relevant rows containing the data are deleted with database commands.

Methods for Destruction of Assets and Data

a. In Local Systems: It is destroyed using the appropriate methods such as de-magnetization, physical destruction, and overwriting.
b. Environmental Systems:
•    Ağ cihazları (switch, router vb.):  It is destroyed by appropriate methods specified in article a.
•    Flash-based media: They are destroyed by the methods recommended by the relevant manufacturer or by the methods specified in article a.
•    Manyetik bant: It is destroyed by demagnetization or by physical methods such as burning or melting.
•    Sim Cards and fixed memory cards: Destroyed by appropriate methods specified in article a.
•    Optical discs are destroyed by physical methods such as burning, breaking into small pieces, and melting.
•    Peripheral units with fixed Data Recording Medium are: Destroyed by appropriate methods specified in article a.

c. Printed Media: Destroyed using paper shredders. Personal data transferred from the original paper format to electronic media by scanning are destroyed by appropriate methods according to the environment in which they are located.

Methods of Anonymization of Personal Data:

During the anonymization of personal data, the appropriate one of the Anonymization methods of Personal Data shown in the Guide on Deletion, Destruction or Anonymization of Personal Data published by the Personal Data Protection Authority is used.
 
As a result of periodic reviews or if it is determined that the data processing conditions have been eliminated at any time, the relevant user or data owner will decide to delete, destroy or anonymise the relevant personal data from its own recording environment in accordance with this policy. In cases of doubt, action will be taken by obtaining the opinion of the relevant data owner business unit.

When destroying data, the regulations stating the retention periods published by the General Directorate of State Archives are taken into consideration. Data that are safe to be destroyed in the Unit archive, Institution archive or State Archives are destroyed after the required period has expired.

5.1.1. Destruction of Multi-Stakeholder Data

When it is necessary to make a decision regarding the destruction of personal data with multi-stakeholder data ownership in the Central Information Systems, the opinion of the Data Controller Representative is taken and a decision is made to store or delete, destroy or anonymise the personal data in question in accordance with this policy.

5.1.2. Destruction of Personal Data Upon Data Owner's Request

The natural person who owns the personal data must submit the "Personal Data Owner Application Form" pursuant to Article 13 of the Law. When the student requests the deletion, destruction or anonymization of his/her personal data by applying to the University, it will be finalized within thirty days from the date of application. Requests for deletion or destruction of personal data will only be evaluated provided that the identity of the person concerned has been identified. The applicant personal data owner is informed through the methods specified in the application form. If the processing conditions are not lifted due to legal requirements; It is declared to the data owner that the personal data subject to the request cannot be deleted. The unit where the relevant data is processed examines whether all conditions for processing personal data are eliminated. If all processing conditions are eliminated; deletes, destroys or anonymizes the personal data subject to the request within three months at the latest. If all the conditions for processing personal data are eliminated and the personal data subject to the request is transferred to third parties, the unit where the relevant data is processed immediately notifies the third party to whom the relevant data was transferred and ensures that the necessary actions are taken within the scope of the Regulation before the third party.

5.2. Periodic Review of Personal Data

All users and data owner units that process or store personal data will review the data recording environments they use within six-month periods at the latest whether the conditions for processing have been eliminated. Upon the application of the personal data owner or the notification of a court, the relevant users and units will conduct this review of the data recording environments they use, regardless of the periodic audit period. All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.

In deleting, destroying or anonymizing personal data, the general principles in Article 4 (Processing of Personal Data) of the law and the technical and administrative measures required to be taken within the scope of Article 12 (Obligations Regarding Data Security), relevant legislative provisions, Board decisions and court decisions are followed.  

5.3. Storage of Personal DataStorage of Personal Data

Processing times of personal data “Personal Data Processing Inventory” is stated in.  
These storage and destruction periods will be taken into account in periodic destruction or destruction upon request.  Storage and destruction processes may vary upon the request of the data owner, unless there is a legal obligation.

To ensure personal data security, physical security measures have been taken, such as keeping paper documents containing personal data and devices such as CDs, DVDs and USBs locked when not in use, allowing access only by authorized personnel, and monitoring entrances and exits with cameras. Servers containing personal data held digitally are stored in the University system room with the necessary security measures taken.

Administrative and technical measures taken to ensure the security of personal data are detailed in the Personal Data Protection and Processing Policy.

6. Control

Documents are revised as needed and checked periodically once a year.