ArkSigner Data Disposal Policy

1. IDENTITY OF THE DATA SUBJECT AND SCOPE OF THE POLICY

The ARKSIGNER Personal Data Retention and Disposal Policy (hereinafter referred to as "POLICY") determines the procedures and principles regarding the data storage and destruction activities of ARKSIGNER YAZILIM ve DONANIM SAN. TRADE. A.S. (Address: Universiteler Mah. Cyberpark 1606 Cad. A Blok No: 4A/603 Çankaya ANKARA) (hereinafter referred to as "ARKSIGNER").

ARKSIGNER has made it a priority that personal data belonging to company employees, employee candidates, service providers, visitors and other third parties is processed in accordance with the Constitution of the Republic of Turkey (T.R.), international conventions, the Law on the Protection of Personal Data No. 6698 (hereinafter referred to as "KVKK") and other relevant legislation, and that the persons concerned can exercise their rights effectively.

2. DEFINITIONS
Personal Data
Any information relating to an identified or identifiable natural person.
Special Qualified Personal Data
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data
Data Owner / Relevant Person
Natural person whose personal data is processed
Data Controller
The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
Data Processor
The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.
Explicit Consent
Consent on a particular subject, based on being informed and expressed with free will
Processing of Personal Data
Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or blocking the use of personal data, by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system.
Anonymization of Personal Data
Rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion of Personal Data
Making personal data inaccessible and unusable for Relevant Users in any way
Destruction of Personal Data
Making personal data inaccessible, irretrievable and non-reusable by anyone in any way
Disposal
Deletion, destruction or anonymization of personal data
Recording Media
Any medium in which personal data is processed wholly or partially automatically, or non-automatically provided that it is a part of any data recording system.
Data Recording System
The registration system in which personal data is processed and structured according to certain criteria.
Organisation
Personal Data Protection Authority
Board
Personal Data Protection Board
Regulation
Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
3. LEGAL REASONS FOR DATA PROCESSING ACTIVITIES

Personal data processed within the framework of ARKSIGNER's business activities are retained for the period stipulated in the relevant legislation. In this context, personal data are retained in accordance with:

  • Law No. 6698 on the Protection of Personal Data
  • Turkish Code of Obligations No. 6098
  • Turkish Penal Code No. 5237
  • Social Insurance and General Health Insurance Law No. 5510
  • Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts
  • Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions
  • Pharmaceutical and Medical Preparations Law of the Ministry of Health No. 1262
  • Occupational Health and Safety Law No. 6331
  • Labor Law No. 4857
  • Turkish Commercial Code No. 6102
  • Public Procurement Law No. 4734
  • Law No. 8529 on Public Procurement Contracts
  • Technology Development Zones Law No. 4691
  • Electronic Signature Law No. 5070
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments
  • Regulation on Archive Services
  • Technology Development Zones Implementation Regulation
  • Regulation on the Procedures and Principles Regarding the Implementation of the Electronic Signature Law
  • Other secondary regulations, especially the repealed decisions of the Information Technologies Authority regarding secure electronic signature, which are in effect pursuant to these laws
4. RESPONSIBILITY

All units and employees of ARKSIGNER are responsible for, and actively support, taking technical and administrative measures to ensure data security, in order to properly implement the technical and administrative measures taken within the scope of the Policy, to prevent the illegal processing of and access to personal data, and to ensure that personal data is stored in accordance with the law.

5. DATA PROCESSING PURPOSE

ARKSIGNER processes personal data within the framework of its business activities for the following purposes.

Execution of Emergency Management Processes
Execution of Information Security Processes
Execution of Application Processes of Employee Candidates
Execution of Employee Satisfaction and Loyalty Processes
Fulfillment of Employment Contract and Legislative Obligations for Employees
Execution of Fringe Benefits and Benefits Processes for Employees
Conducting Audit/Ethics Activities
Conducting Educational Activities
Execution of Access Authorizations
Execution of Activities in Compliance with the Legislation
Execution of Finance and Accounting Affairs
Execution of Company/Product/Services Loyalty Processes
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Carrying out Internal Audit / Investigation / Intelligence Activities
Execution of Communication Activities
Planning of Human Resources Processes
Execution / Supervision of Business Activities
Execution of Occupational Health / Safety Activities
Execution of Goods / Services Procurement Processes
Execution of Goods / Services After-Sales Support Services
Execution of Goods / Services Sales Processes
Execution of Goods / Services Production and Operation Processes
Execution of Customer Relationship Management Processes
Execution of Activities for Customer Satisfaction
Organization and Event Management
Execution of Marketing and Analysis Studies
Execution of Advertising / Campaign / Promotion Processes
Execution of Risk Management Processes
Execution of Storage and Archive Activities
Conducting Social Responsibility and Civil Society Activities
Execution of Contract Processes
Execution of Sponsorship Activities
Follow-up of Requests / Complaints
Ensuring the Security of Movable Property and Resources
Execution of Wage Policy
Execution of Marketing Processes of Products/Services
Ensuring the Security of Data Controller Operations
Execution of Talent/Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
Execution of Management Activities
6. RECORDING ENVIRONMENTS

Personal data processed by ARKSIGNER are stored in the following physical environments.

  • Personal computers
  • Mobile devices
  • Magnetic and optical recording media
  • Portable memories
  • Servers
  • Software
  • Information security devices and software
  • Audio and video recording devices and software
  • Document production, copying devices
  • Written, printed, visual materials
7. PERSONAL DATA STORAGE AND DISPOSAL TIMES
| PROCESS | STORAGE PERIOD | DISPOSAL PERIOD |
|---|---|---|
| Preparation of contracts (employment contracts, sales contracts, etc.) | 10 years after the expiry of the contract | At the first periodic disposal period following the end of the storage period |
| Conducting communication activities | 10 years after the end of operations | At the first periodic disposal period following the end of the storage period |
| Human resources processes | 10 years after the end of operations | At the first periodic disposal period following the end of the storage period |
| Customer transaction processes (buying and selling of goods and services, etc.) | 10 years after the end of operations | At the first periodic disposal period following the end of the storage period |
| Finance and accounting processes (payroll information, invoices, etc.) | 10 years after the end of operations | At the first periodic disposal period following the end of the storage period |
| Health information record (health reports within the scope of employment contract) | 10 years after the expiry of the contract | At the first periodic disposal period following the end of the storage period |
| Criminal conviction registration (legal documents under employment contract) | 10 years after the expiry of the contract | At the first periodic disposal period following the end of the storage period |
| Transaction security processes (data collected over the corporate network and website) | 2 years after data collection | At the first periodic disposal period following the end of the storage period |
8. PERIODIC DISPOSAL TIME

In accordance with Article 11 of the Regulation, ARKSIGNER has determined the period of periodic disposal as 1 year. Accordingly, periodic disposal is carried out in June every year.

9. DELETING PERSONAL DATA

Personal data processed by ARKSIGNER is deleted, destroyed or anonymized by ARKSIGNER in the following cases:

  • The provisions of the relevant legislation that form the basis for processing are changed or repealed,
  • The purpose requiring its processing or storage disappears,
  • Where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws that explicit consent,
  • An application regarding the deletion and destruction of personal data is made to the company within the framework of the rights of the person concerned under Article 11 of the Law,
  • The maximum period for keeping personal data has passed and there are no conditions to justify keeping personal data for a longer period of time.

The deletion process proceeds as follows:

  • Determining the personal data that will be the subject of the deletion process.
  • Identifying relevant users for each personal data using an access authorization and control matrix or a similar system.
  • Determining the authorizations and methods of the relevant users such as access, retrieval and reuse.
  • Closing and eliminating the access, retrieval and reuse authorizations and methods of the relevant users within the scope of personal data.

10. MEASURES TAKEN FOR DATA SECURITY

ARKSIGNER takes the following technical and administrative measures for the protection of personal data.

Technical and administrative measures are periodically audited and problems are reported to the relevant units urgently.

10.1. ADMINISTRATIVE MEASURES

The administrative measures taken by ARKSIGNER regarding the processed personal data are listed below.

There are disciplinary regulations that include data security provisions for employees.
Training and awareness activities are carried out periodically for employees on data security.
An authorization matrix has been created for employees.
Confidentiality commitments are made.
The authorizations in this field of employees who change jobs or leave their job are removed.
The signed contracts contain data security provisions.
Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly.
Personal data security is monitored.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
Physical environments containing personal data are secured against external risks (fire, flood, etc.).
The security of environments containing personal data is ensured.
Personal data is reduced as much as possible.
Existing risks and threats have been identified.
Protocols and procedures for the security of special qualified personal data have been determined and implemented.
Data processing service providers are periodically audited on data security.
Awareness of data processing service providers on data security is ensured.
10.2. TECHNICAL MEASURES

The technical measures taken by ARKSIGNER regarding the processed personal data are listed below.

Network security and application security are provided.
A closed system network is used for personal data transfers via the network.
Key management is implemented.
Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
The security of personal data stored in the cloud is ensured.
Access logs are kept regularly.
Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
Data masking is applied when necessary.
Current anti-virus systems are used.
Firewalls are used.
Personal data is backed up and the security of the backed up personal data is also ensured.
User account management and an authorization control system are implemented, and both are monitored.
Log records are kept without user intervention.
If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using a KEP (registered electronic mail) or corporate mail account.
Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
Intrusion detection and prevention systems are used.
Cyber security measures have been taken and their implementation is constantly monitored.
Encryption is applied.
Special qualified personal data transferred on portable memory, CD or DVD media is encrypted before transfer.
Data loss prevention software is used.
11. DELETING AND DISPOSAL OF PERSONAL DATA

Personal data recorded in the electronic environment is rendered inaccessible and unusable for the relevant users in any way when the period requiring its storage expires.

Personal data recorded in physical media is irreversibly destroyed in paper shredders when the period requiring its storage expires.

12. OTHER MATTERS
  1. The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website.
  2. In case of inconsistency between KVKK and relevant legislation provisions and this Policy, KVKK and related legislation provisions will be applied first.
  3. The policy is published on the ARKSIGNER corporate website and announced to the relevant persons.
  4. In case of an update to the policy, the new policy document will enter into force by being announced and published using the same method.
  5. This Policy, prepared by ARKSIGNER, entered into force on 06.04.2020.