We provide detailed information about which data categories we retain for how long, our retention-destruction decision criteria, and our regular destruction procedures.
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. Introduction
1.1. Purpose

This Personal Data Storage and Destruction Policy ("Policy") has been prepared by HeraBiyo Biotechnology Research and Consulting Limited Company ("HeraWater" or "Company") in order to fulfill our obligations under Personal Data Protection Law No. 6698 ("KVKK" or "Law") and the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulations"), which constitutes the secondary regulation of the Law and which was published in the Official Gazette dated 28 October 2017 and entered into force; to make explanations about the personal data processing activities and the systems adopted for the protection of personal data within the framework of the legislation on personal data; and to inform the relevant persons about the principles of determining the maximum storage period required for the purpose for which their personal data is processed and about the processes of deletion, destruction and anonymization.

1.2. Scope

* This Policy covers the storage and destruction of personal data of Company customers, provided that they are natural persons, natural persons authorized to represent the legal entity in the case of legal entity customers, potential customers, their employees, employees, candidate employees, product/service purchaser representatives/employees, supplier representatives/employees, physical and virtual visitors and other third parties. This Policy applies to all recording media in which personal data is processed and to activities related to the storage and destruction of personal data owned or managed by the Company.
* This Policy may apply in its entirety to the persons in the categories specified above (e.g., our Active Customers who are also our Visitors), or only certain provisions may apply (e.g., only our Visitors).
* Where this Policy contains no provisions on other matters such as the processing, storage and transfer of personal data, detailed information on these matters can be found in the HeraWater Personal Data Protection and Processing Policy, available at www.herabiyo.bio.
* In case of any conflict between the Policy and KVKK and other relevant legislation, the applicable legislation will apply.

1.3. Definitions
The definitions used in this Policy are listed below:

| Definition | Explanation |
| --- | --- |
| Explicit Consent | Consent that relates to a specific matter, is based on information and is expressed freely. |
| Worker | Company employee. |
| Contact Person | The natural person whose personal data is processed. |
| Related User | Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data. |
| Destruction | Deletion, destruction or anonymization of personal data. |
| Law or KVKK | Personal Data Protection Law No. 6698. |
| Recording Environment | Any environment in which personal data is processed by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Personal Data Processing Inventory | The inventory in which data controllers create a detailed account of the personal data processing activities they carry out in connection with their business processes, by relating them to the purposes and legal basis of processing personal data, the data category, the recipient group to which the data is transferred and the data subject group, and by explaining the maximum retention period required for the purposes for which personal data is processed, the personal data intended to be transferred to foreign countries, and the measures taken regarding data security. |
| Personal Data Protection and Processing Policy | The HeraWater Personal Data Protection and Processing Policy, available at www.herabiyo.bio. |
| Related Person Application Form | The application form that the relevant person, whose personal data is processed within the Company, will use when applying for their rights explained in Article 11 of the Law. |
| Processing of Personal Data | Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means, or by non-automatic means provided that it is part of any data recording system. |
| Anonymization of Personal Data | Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data. |
| Deletion of Personal Data | Making personal data inaccessible and non-reusable for the Relevant Users in any way. |
| Destruction of Personal Data | The process of making personal data inaccessible, irretrievable and non-reusable by anyone. |
| Board | Personal Data Protection Board. |
| Organisation | Personal Data Protection Authority. |
| Special Personal Data | Data on individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, data regarding health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
| Periodic Destruction | The deletion, destruction or anonymization process that will be carried out ex officio, at the recurring intervals specified in the personal data storage and destruction policy, in case all the processing conditions of personal data specified in the Law are eliminated. |
| Policy | Personal Data Storage and Destruction Policy. |
| Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
| Data Controllers Registry (VERBIS) | The data controllers registry kept by the Presidency under the supervision of the Personal Data Protection Board. |
| Regulations | Regulation on the Deletion, Destruction or Anonymization of Personal Data, which entered into force upon publication in the Official Gazette dated 28 October 2017. |
2. Principles
The Company acts within the framework of the following principles in the processing, storage and destruction of personal data:

* Personal data available to or obtained by our Company is processed in accordance with Article 4 of the KVKK: (i) in accordance with the law and the rules of honesty, (ii) in a way that is accurate and, when necessary, up-to-date, (iii) for specific, clear and legitimate purposes, (iv) in a way that is limited and proportionate to the purpose for which it is processed, and (v) retained for the period stipulated in the relevant legislation or necessary for the purpose for which it is processed and specified by the Company in this Policy.
* Our Company processes personal data, including Special Personal Data (including Genetic and Health Data), with the explicit consent of the person concerned, or without the explicit consent of the person concerned in the cases stipulated in Articles 5 and 6 of the KVKK. Data subjects are informed by our Company regarding the personal data processing processes in accordance with Article 10 of the KVKK, and the necessary information is provided if the data subject requests information.
* Our Company clearly and precisely determines the purpose of processing personal data, which is based on a legitimate and lawful basis. In this regard, personal data is processed in connection with the genetic analysis and consultancy services that are provided or planned to be provided. The purpose for which personal data is processed is also stated before the personal data processing activity begins.
* In the deletion, destruction and anonymization of personal data, we act in full compliance with the measures to be taken within the scope of Article 12 of the Law, the technical and administrative measures (especially bioinformatics security) specified in Article 5 of this Policy, the relevant legislation, Board decisions and this Policy.
* All operations regarding the deletion, destruction and anonymization of personal data are recorded by the Company, and the records in question are kept for at least 3 years, excluding other legal obligations.
* Where it is necessary to process personal data in order to protect the life or physical integrity of a person, or of another person, who is unable to express consent due to a de facto impossibility or whose consent is not legally valid, the personal data of the data owner may be processed.
* HeraWater may process the data owner's personal data in order to fulfill its legal obligations (e.g. sending documents in response to questions from public institutions such as the Ministry of Health).
* Unless otherwise decided by the Board, we will select the appropriate method for deleting, destroying, or anonymizing personal data ex officio. However, upon the Data Subject's request, the appropriate method will be selected with an explanation of the reason.
* If all of the conditions for processing personal data stipulated in Articles 5 and 6 of the Law are no longer met, the personal data will be deleted, destroyed, or anonymized by the Company, either ex officio or upon the request of the relevant person. If the relevant person applies to the Company in this regard:
  * Requests submitted are finalized within 30 (thirty) days at the latest and the relevant person is informed.
  * If the data subject to the request has been transferred to third parties, this situation is notified to the third party to whom the data has been transferred and the necessary actions are taken with the third party.
3. Recording Media
Personal data of the relevant persons are stored securely by the Company in the environments listed in the table below (Table 1), in accordance with the relevant legislation, especially the provisions of the KVKK, and within the framework of international data security principles.

Table 1: Personal Data Recording Environments

| Electronic Media | Non-Electronic Media |
| --- | --- |
| Environments where data is kept in technological devices such as computers and phones: | Environments where data is kept by printing on paper or microfilm: |
| Servers (Domain, backup, email, database, web, file sharing, etc.) | Paper |
| Bioinformatics Analysis Servers and Cloud Storage Areas | Manual data recording systems (survey forms, visitor logbook, clinical record forms) |
| Software | Written, printed and visual media |
| Information security devices | |
| Personal computers (Desktop, laptop) | |
| Mobile Devices (phone, tablet, etc.) | |
| Optical discs and removable memories (CD, DVD, USB, External disk, etc.) | |
4. Reasons Requiring Storage and Destruction
The Company stores and destroys personal data belonging to the relevant individuals in accordance with the Law. Detailed information regarding storage and destruction is provided below:

4.1. Explanations Regarding Storage

Personal data of the relevant person is stored securely in the above-mentioned electronic or non-electronic media within the limits specified in the Law and other relevant legislation, in accordance with the personal data processing conditions specified in Articles 5 and 6 of the Law, in particular for the purposes of (i) maintaining commercial activities, (ii) fulfilling legal obligations and (iii) managing customer relations. Reasons for storage are as follows:

* Storage of personal data is expressly provided for in the legislation.
* Storage of personal data is directly related to the establishment and execution of contracts. (For example, storing genetic data for the purpose of providing an analysis report to the customer.)
* Storage of personal data is necessary for the Company to fulfil any legal obligation it is obliged to comply with.
* The personal data has been made public by the person concerned.
* Storage of personal data is connected with the establishment, exercise or protection of a right.
* Storage of personal data is mandatory for the Company's legitimate interests, provided that it does not harm the fundamental rights and freedoms of individuals.
* For storage activities that require the explicit consent of the relevant persons, the personal data is stored on the basis of that explicit consent.

4.2. Explanations Regarding Destruction

Although stored in accordance with the provisions of the Law and other relevant laws, personal data will be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person, if the reasons requiring its storage disappear.

In this context, in accordance with the Law and Regulation, personal data of the relevant persons are deleted, destroyed or anonymized by the Company ex officio or upon request in the following cases:

* Amendment or repeal of relevant legislative provisions that form the basis for the processing or storage of personal data.
* The purpose for which personal data is processed or stored disappears.
* The conditions requiring the processing of personal data in Articles 5 and 6 of the Law are eliminated.
* In cases where the processing of personal data is carried out solely on the basis of explicit consent, the data subject withdraws his/her consent.
* Acceptance by the data controller of the application made by the relevant person for the deletion, destruction or anonymization of his/her personal data within the framework of his/her rights in subparagraphs (e) and (f) of Article 11 of the Law.
* In cases where the data controller rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, or if the response is found insufficient, or if the data controller does not respond within the period stipulated in the Law, a complaint can be made to the Board and this request can be approved by the Board.
* The maximum period for which personal data must be stored has passed and there are no circumstances that would justify storing personal data for a longer period.

In accordance with Article 12 of the Law, our Company takes all necessary technical and administrative measures to prevent the unlawful processing of personal data and unlawful access to personal data, and to ensure the appropriate level of security for the preservation of personal data. In this context, the administrative and technical measures taken by the Company are listed below:

5.1. Administrative Measures

The administrative measures taken by our Company to prevent unlawful access to personal data are listed below:

* Education and awareness activities on data security are carried out periodically for employees. (With particular emphasis on the ethics of biotechnology and genetic data security.)
* The obligation to inform relevant persons is fulfilled.
* Institutional policies regarding access, information security, usage, storage and destruction have been prepared and implemented.
* Confidentiality commitments are made.
* The signed contracts include data security provisions.
* Personal data security policies and procedures have been determined.
* Personal data security issues are reported quickly.
* Necessary security measures are taken regarding entry to and exit from physical environments containing personal data.
* The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
* The security of environments containing personal data is ensured.
* Personal data is reduced as much as possible using anonymization and pseudonymization techniques.
* Existing risks and threats have been identified.
* Periodic and/or random audits are carried out within the institution.
* Protocols and procedures for the security of special personal data (Genetic Data) are determined and implemented.
* Data processing service providers are made aware of data security.

5.2. Technical Measures

The technical measures taken by our Company to prevent unlawful access to personal data are listed below:

* Network security and application security are provided.
* A closed system network is used for personal data transfer via network. (Secure tunnels are preferred for genetic data transfer.)
* Key management is implemented.
* Security measures are taken within the scope of information technology systems procurement, development and maintenance.
* An authority matrix has been created for employees.
* Access logs are kept regularly.
* The authority of employees who change their duties or leave their jobs is revoked in this area.
* Firewalls are used.
* Personal data security is monitored.
* Personal data is backed up and the security of the backed up personal data is also ensured.
* User account management and authorization control systems are implemented and monitored.
* Log records are kept without user intervention.
* Intrusion detection and prevention systems are used.
* Cyber security measures have been taken and their implementation is constantly monitored.
6. STORAGE AND DESTRUCTION PERIODS
Our Company first determines whether the relevant legislation stipulates a retention period for personal data. If the relevant legislation stipulates a retention period, it complies with it; if no such period is specified, it retains personal data for the period necessary for the purpose for which it was processed. If the purpose of processing personal data has expired and the retention periods specified by the relevant legislation and/or our Company have expired, personal data may be stored only for the statutory limitation periods stipulated in the law, to serve as evidence in potential legal disputes, to assert relevant rights related to personal data, or to establish a defense. Our Company does not retain personal data based on the possibility of its future use.

The retention and destruction periods determined by the Company based on the process are listed below. Additionally, the retention periods for all personal data within the scope of activities carried out in connection with the processes are included in the Personal Data Processing Inventory.

Storage and Destruction Processes Based on Process:

* Personal Data Regarding Customers/Contact Persons (including Genetic and Health Data):
  * Storage Period: 10 years from the end of the contract
  * Destruction Time: During the first periodic destruction process following the end of the storage period.
* Personal Data Regarding Suppliers or Legal Entity Supplier Officials/Employees:
  * Storage Period: 10 years from the end of the contract
  * Destruction Time: During the first periodic destruction process following the end of the storage period.
* Personal Data Obtained Due to Contract Transactions:
  * Storage Period: 10 years from the end of the contract
  * Destruction Time: During the first periodic destruction process following the end of the storage period.
* All Personal Data Regarding Accounting and Financial Transactions:
  * Storage Period: 5 years from the year following the year of receipt
  * Destruction Time: During the first periodic destruction process following the end of the storage period.
* All Personal Data Received from Company Employees and Interns During Other Processes Such as Performance of Employment Contract, AGI Payments, Provision of Side Benefits and Opportunities, and Processes to be Conducted Before the Social Security Institution (excluding data received due to Occupational Health and Safety):
  * Storage Period: 10 years from the end of the contract
  * Destruction Time: During the first periodic destruction process following the end of the storage period.
* Security Camera Footage:
  * Storage Period: 30 days from registration date
  * Destruction Time: During the first periodic destruction process following the end of the storage period.
* Personal Data Regarding IP Addresses:
  * Storage Period: 6 months from the date of receipt
  * Destruction Time: During the first periodic destruction process following the end of the storage period.
* Personal Data Regarding Business Partners/Solution Partners/Consultants:
  * Storage Period: 10 years from the end of the Business Relationship
  * Destruction Time: During the first periodic destruction process following the end of the storage period.
* Personal Data Received from Potential Customers and Suppliers for Business Development:
  * Storage Period: 1 year from the date of receipt
  * Destruction Time: During the first periodic destruction process following the end of the storage period.
7. PERIODIC DESTRUCTION AND PERSONAL DATA DESTRUCTION APPLICATION
7.1. Periodic Destruction

* In accordance with the Law, relevant legislation, the HeraWater Personal Data Protection and Processing Policy and this Personal Data Storage and Destruction Policy, the Company deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize the personal data for which it is responsible arises.
* In accordance with Article 11 of the Regulation, the Company has determined the periodic destruction period as 1 year. Accordingly, periodic destruction is carried out by the Company in the month of December.

7.2. Personal Data Destruction Application

When the relevant person applies to the Company pursuant to Article 13 of the Law and requests the destruction of his/her personal data:

1. If all conditions for processing personal data have been eliminated, the Company will, within 30 (thirty) days from the day it receives the request, delete, destroy, or anonymize the personal data subject to the request using an appropriate destruction method, explaining the reason for the method chosen. For the Company to be deemed to have received the request, the relevant person must have made the request in accordance with the Personal Data Protection and Processing Policy. In any case, the Company will inform the relevant person of the action taken.
2. If all the conditions for processing personal data have not been eliminated, this request may be rejected by the Company, explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection will be notified to the relevant person in writing or electronically within thirty days at the latest.
8. PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the retention period stipulated in the relevant legislation or the retention period required for the purpose for which they were processed, personal data will be destroyed by the Company, either ex officio or upon the request of the relevant person, in accordance with the relevant legislation using the techniques specified below. In this context, all actions related to the deletion, destruction, and anonymization of personal data will be recorded, and such records will be retained for at least three years, excluding any other legal obligations. The deletion, destruction, and anonymization techniques most commonly used by the Company are listed below:

8.1. Methods of Deletion of Personal Data

* Secure Deletion from Software (Digital Media):
  * When deleting data processed by fully or partially automated means and stored in digital environments, methods are used to delete the data from the relevant software in a way that makes it inaccessible and non-reusable for the Relevant Users.
  * Deleting relevant data in the software system by issuing a delete command; removing the access rights of the relevant user on the file or the directory where the file is located on the central server; deleting relevant rows in databases with database commands; or deleting data on removable media, i.e. flash media, using appropriate software can be considered within this scope.
  * However, if the deletion of personal data will result in the inability to access and use other data within the system, personal data will be deemed deleted if it is archived and rendered incapable of being associated with the relevant person, provided that the following conditions are met:
    * The personal data is not accessible to any other institution, organization or person.
    * All necessary technical and administrative measures are taken to ensure that personal data is accessed only by authorized persons.
* Obscuring Personal Data on Paper (Physical Media):
  * In order to prevent the unintended use of personal data or to delete data requested to be deleted, the relevant personal data is physically cut and removed from the document, or made invisible or blocked out using permanent ink in a way that cannot be reversed or read using technological solutions.

8.2. Methods of Destroying Personal Data

* Physical Destruction (Paper and Optical/Magnetic Media):
  * Documents kept in non-electronic media are destroyed using document shredders in a way that they cannot be put back together again.
  * Optical and magnetic media that contain personal data in an electronic environment are physically destroyed, such as by melting, burning, or pulverizing them. Processes such as melting, burning, pulverizing, or grinding optical or magnetic media make the data inaccessible.
* De-magnetization (Degauss):
  * Magnetic media is exposed to a high magnetic field, which corrupts the data on it to an unreadable state.
* Overwrite:
  * By writing random data consisting of 0s and 1s at least seven times onto magnetic media and rewritable optical media, old data is prevented from being read and recovered.

8.3. Methods of Anonymizing Personal Data

Personal data is anonymized using the techniques listed below, so that it cannot be associated with an identified or identifiable natural person in any way, even when matched with other data:

* Anonymization Methods That Do Not Cause Value Distortion:
  * These methods anonymize by generalizing any group of personal data, replacing values with each other, or removing a specific piece of data or sub-group of data from the group, without making any changes or additions/deletions to the personal data being stored.
  * Variable Removal: After the data collected by the descriptive data extraction method is brought together, the existing data set is anonymized by removing the "highly identifying" variables from the created data set (e.g., name, surname, date of birth, etc.).
  * Record Removal: The stored data is made anonymous by removing the data row that is unique among the records.
  * Local Suppression: If a single piece of data is identifying because it creates a combination that is rarely seen, hiding the relevant data ensures anonymization. (For example, writing "Unknown" instead of a rare age/gender/disease combination.)
  * Lower and Upper Bound Coding: The data is made anonymous by combining the values in a data set containing predefined categories according to a specific criterion. (For example, using the category "between 5-10 years" instead of "5 years" or "7 years" of seniority.)
  * Generalization/Data Aggregation: Many data items are aggregated so that personal data cannot be attributed to any individual. (For example, instead of providing individual employee ages, age ranges or averages are provided.)
  * Global Coding/Data Derivation: A more general content is created from the content of personal data, ensuring that personal data cannot be associated with any individual. (For example, specifying the region of residence instead of the full address.)
* Anonymization Methods That Create Value Distortion:
  * These methods create distortion by altering some data within personal data sets. By ensuring that the aggregate statistics remain intact, the expected benefits from the data can continue to be achieved.
  * Adding Noise: Especially in a data set where numerical data is predominant, the data is made anonymous by adding positive or negative deviations to the existing data at a specified rate.
  * Micro-Aggregation: All data is first arranged in a meaningful order and separated into groups; the average value of each group is then written in place of the relevant data in that group.
  * Data Swapping: The values of a variable are interchanged between selected pairs from the stored data. This method, used for categorized data, aims to transform the database by interchanging the data belonging to the relevant persons.