Data Storage, Anonymization, and Destruction Policy

MyLamp Data Storage, Anonymization, and Destruction Policy

  1. Purpose

The purpose of this procedure is to ensure the secure and compliant destruction of all printed and written content, information technology assets, and peripheral devices used in obtaining, processing, and storing information in accordance with the Law on the Protection of Personal Data numbered 6698 when necessary.

       2. Scope

The procedure covers all personal and commercial data records and business processes.

  1. Definitions

Law: Refers to Law No. 6698 on the Protection of Personal Data.

Personal Data: Personal data refers to any information related to an identified or identifiable natural person. The identifiability of a person means that the person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Masking: Processes such as obliterating, painting, frosting, or any other methods that render personal data as unattributable to a specific or identifiable natural person.

Record Medium: Any medium containing personal data, whether completely or partially automatic or non-automatic, provided that it is part of any data recording system.

Personal Data Storage and Destruction Policy: The policy adopted by data controllers as a basis for determining the maximum period necessary for the purposes for which personal data are processed and for the processes of deletion, destruction, and anonymization.

Masking: Processes such as erasing, obliterating, painting, and masking specific areas of personal data to render them unattributable to a specific or identifiable natural person.

Special Categories of Personal Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data concerning a person's sex life or sexual orientation.

Periodic Destruction: The process of deletion, destruction, or anonymization carried out automatically at recurring intervals, as specified in the personal data storage and destruction policy, when all processing conditions for personal data stipulated by law cease to exist.

4. References

Law No. 6698 on the Protection of Personal Data and Regulation on Deletion, Destruction, or Anonymization of Personal Data dated 28.10.2018 with number 30224. 

5. Implementation

5.1. Destruction of Assets

In cases where the purpose element of processing personal data is eliminated, explicit consent is withdrawn, or all processing conditions for personal data specified in Articles 5 and 6 of the Law are no longer applicable, or none of the exceptions mentioned in these articles can be applied, the personal data for which the processing conditions have ceased to exist are deleted, destroyed, or anonymized by the relevant department, taking into account the business needs, within the scope of Articles 7, 8, 9, or 10 of the Regulation (Articles on the Deletion, Destruction, or Anonymization of Personal Data), and the rationale for the applied method is explained. However, in the case of a final court decision, the destruction method mandated by the court decision must be applied.

Information on any device with record features is erased against unauthorized access, and the disk and recording mechanism on the device are physically destroyed. The Destruction Record of the Environment/Device is filled out and signed by the information systems operator. The destruction process is documented by entering information such as the date, device information, destruction reason, etc.

Methods of Data Deletion

a. Personal Data in Paper Format: Personal data in paper format is destroyed by using a paper shredder or, when necessary, by employing masking methods. b. Office Files Located on the Central Server: Deleted using the delete command in the operating system. c. Data on Portable Media: Deleted using the delete command in the operating system. d. Databases: Relevant rows containing data are deleted using database commands.

Methods of Asset and Data Destruction

a. Local Systems: Destroyed using appropriate methods such as demagnetization, physical destruction, or overwriting.

b. Environmental Systems:

• Network devices (switches, routers, etc.): Destroyed using suitable methods as specified in item a.

• Flash-based media: Destroyed using methods recommended by the manufacturer or methods specified in item a.

• Magnetic tape: Destroyed by demagnetization or physical methods such as burning or melting.

• SIM cards and fixed memory cards: Destroyed using appropriate methods as specified in item a.

• Optical disks: Destroyed using physical methods such as burning, breaking into small pieces, or melting.

• Data Recording Environment fixed peripheral devices: Destroyed using appropriate methods as specified in item a.

c. Printed Environments: Destroyed using paper shredders. Personal data transferred to the electronic environment through scanning from the original paper format is destroyed using suitable methods based on their respective environments. 

Methods for Making Personal Data Anonymous:

During the process of making personal data anonymous, the appropriate method is used from those shown in the Personal Data Protection Board's guide on the Erasure, Destruction, or Anonymization of Personal Data.

Upon determining, through periodic reviews or at any time, that the data processing conditions have ceased to exist, the relevant user or data owner will decide to delete, destroy, or anonymize the relevant personal data from its own records in accordance with this policy. In cases of doubt, the opinion of the relevant data owner department will be sought before any action is taken.

In the destruction of data, the regulation specifying the retention periods published by the State Archives General Directorate is taken into consideration. Data that is no longer needed after the required periods in the unit's archive, institution's archive, or the State Archives can be safely destroyed.

5.1.1. Destruction of Multi-Stakeholder Data

When a decision is needed for the destruction of personal data with multi-stakeholder ownership in the Central Information Systems, the opinion of the Data Controller Representative is obtained. Based on this opinion, a decision is made regarding whether the personal data in question should be stored, deleted, destroyed, or anonymized according to this policy.

5.1.2. Destruction of Personal Data Upon Data Subject Request

When the data subject, a natural person, applies to the University with the "Personal Data Subject Application Form" pursuant to Article 13 of the Law and requests the deletion, destruction, or anonymization of their personal data, the process is concluded within a maximum of thirty days from the application date. Requests for the deletion or destruction of personal data will be evaluated only if the identity of the relevant individual has been verified. The individual who submitted the application is informed through the methods specified in the application form. If the processing conditions are not eliminated due to legal requirements, it is explained to the data subject that the personal data subject to the request cannot be deleted. The unit processing the relevant data examines whether all the processing conditions for personal data have been eliminated. If all the processing conditions are eliminated, the personal data subject to the request is deleted, destroyed, or anonymized within three months at the latest. If all processing conditions are eliminated, and the personal data subject to the request has been transferred to third parties, the unit processing the relevant data immediately notifies the third party about this situation and ensures that necessary procedures are carried out at the third party under the Regulation.

5.2. Periodic Review of Personal Data

All users and units processing or storing personal data will review whether the conditions for processing have been eliminated at least every six months in the data recording environments they use. In case of a request from the data subject or a notification from a court, the relevant users and units will conduct this review in the data recording environments they use, regardless of the periodic audit period. All processes related to the deletion, destruction, or anonymization of personal data are recorded, and these records, except for other legal obligations, are kept for at least three years.

The deletion, destruction, or anonymization of personal data is carried out in accordance with the general principles in Article 4 (Processing of Personal Data) and the obligations related to data security in Article 12 (Obligations Regarding Data Security) of the law, technical and administrative measures to be taken within the scope of legislation, decisions of the Board, and court decisions.

5.3. Storage of Personal Data

The processing periods of personal data are specified in the 'Personal Data Processing Inventory.' In the deletion processes to be carried out periodically or upon request, the storage and destruction periods specified will be taken into account. Storage and destruction processes may vary upon the data subject's request unless there is a legal obligation.

For ensuring the security of personal data, physical security measures have been taken, such as keeping documents containing personal data, devices like CDs, DVDs, and USBs under lock and key when not in use, restricting access to authorized personnel only, and monitoring entries and exits with cameras. Servers containing digitally stored personal data are kept in the university server room with necessary security measures in place.

Administrative and technical measures taken to ensure the security of personal data are detailed in the Personal Data Protection and Processing Policy.

6. Control

Documents are periodically reviewed annually and revised as needed.

Hipotenüs Powered by Hipotenüs® New Generation E-Commerce Systems.