Data Storage and Destruction Policy

1.LOGIN

1.1 AIM

We, NART Insurance and Reinsurance Brokerage A.Ş. (“ NART ”), we are aware of how important your personal data is to you. While performing our activities, we regard your personal data in our body as trust and protect your personal data by taking all necessary administrative and technical measures with the responsibility of a “Depositor”.

This PERSONAL DATA STORAGE AND DISPOSAL POLICY (“Policy”) has been prepared in order to determine the procedures and principles regarding the storage and destruction of personal data kept by NART within the scope of Article 9, Clause 5 of the Regulation on Data Controllers Registry .

1.2 SCOPE

This Policy will be applied for the processing of personal data of NART personnel, employee candidates, suppliers, service providers, customers, online and real person visitors and other third parties in all recording environments where personal data is kept within NART .

The storage and destruction of personal data kept by NART is carried out within the scope of this Policy.

1.3 ABBREVIATIONS AND DEFINITIONS

Buyer Group : The category of natural or legal person to whom personal data is transferred by the data controller.
Open Consent : Consent on a specific subject, based on information and expressed with free will.
Anonymization : Even by matching personal data with other data, in no way with an identified or identifiable natural person.

rendering it unrelated.

Worker : Personal Data Protection Authority personnel.
EBYS : Electronic Document Management System
Electronic environment : Environments where personal data can be created, read, changed and written by electronic devices.
Non- Electronic Media : All written, printed, visual etc. other than electronic media. other environments.
Service provider : A natural or legal person who provides services within the framework of a certain contract with the Personal Data Protection Authority.
Related person : The natural person whose personal data is processed.
Related User : Except for the person or unit responsible for technical storage, protection and backup of data, personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller.

persons processing the data.

Destruction : Deletion, destruction or anonymization of personal data.
Law : Law on Protection of Personal Data No. 6698.
Recording Media : Fully or partially automated or non-automatic provided that it is part of any data recording system

Any medium in which personal data are processed.

Personal Data : Any information relating to an identified or identifiable natural person .
Personal Data Processing Inventory : Personal data processing activities carried out by data controllers depending on their business processes; By explaining the purposes and legal reason for processing personal data, the data category, the transferred recipient group and the maximum storage period required for the purposes for which personal data is created by associating with the data subject group, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security .

their detailed inventory.

Processing of Personal Data : Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system data such as the

any transaction performed.

Board : Personal Data Protection Board
Special Qualified Personal Data : Data on people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures.

biometric and genetic data.

Periodic Destruction : In the event that all of the personal data processing conditions in the law are eliminated, the deletion, destruction or

anonymization process.

Policy : Personal Data Retention and Disposal Policy
Data Processor : Based on the authority given by the data controller, the data controller

natural or legal person who processes personal data on behalf of.

Data Recording System : The registration system in which personal data is processed and structured according to certain criteria .
Data Controller : The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system .
Data Controllers Registry Information System : An information system created and managed by the Presidency, accessible over the internet, to be used by the data controllers in the application to the Registry and other related transactions related to the Registry.
VERBIS : Data Controllers Registry Information System
regulation : Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017 .

 

2ND.      DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

All of our units working within NART have been informed and trained within the scope of this Policy, and are organized, supervised and directed by our responsible units, which we have detailed below.

In this context , our responsible units working within NART are responsible for the proper implementation of technical and administrative measures, raising the training and awareness of unit employees, monitoring and regular auditing, and taking technical and administrative measures to ensure data security.

The distribution of the titles, units and job descriptions of those involved in the storage and destruction of personal data is as follows:

Our Chairman of the Board of Directors is responsible for our personnel to act in accordance with the Policy .

Our General Manager is responsible for the preparation, development, execution, publication and updating of the Policy .

Our Accounting Manager is responsible for performing the necessary audits within the scope of the Policy, conducting awareness studies, training the personnel within the scope of the Law, putting them through examinations and making the necessary organizations in line with the needs.

Our administrative supervisors are responsible for the execution of the Policy in accordance with their duties .

 

3.      RECORDING ENVIRONMENTS

Personal data kept within NART is stored in electronic and non-electronic media in accordance with the law, by taking security measures.

 

As NART , data storage activities can be carried out in the following electronic media:

 

  • Servers (Domain, backup, email, database, web, file sharing, etc.)
  • software(office software, portal, EBYS, VERBIS.)
  • Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc. )
  • Personal computers (Desktop, laptop)
  • Mobile devices (phone, tablet, etc.)
  • Optical discs (CD, DVD, etc.)
  • Removable memories (USB, Memory Card etc.)
  • Printer, scanner, copier machine

 

Our non-electronic environments where we carry out personal data storage activities are as follows:

  • Paper
  • Manual data recording systems (visitor logbook)
  • Written, printed, visual media

 

4.      EXPLANATIONS ON STORAGE AND DISPOSAL

As NART , we take the utmost care in keeping and destroying the personal data we hold in accordance with the Law.

In this context, you can find more detailed explanations regarding our storage and disposal activities below.

4.1 RETENTION OF PERSONAL DATA

NART processes personal data in accordance with the law and honesty rules (KVKK 4.2.a.) , accurately and up-to-date when necessary (KVKK 4.2.b.) , for specific, clear and legitimate purposes (KVKK 4.2.c.) , for the purpose for which they are processed. connected, limited and restrained (KVKK 4.2.ç.) , i maintains or foreseen amount of time required for this purpose they are processed and uses the related legislation (KVKK 4.2.d.) .

NART personal data is required to process personal data of the parties to the contract, provided that it is clearly stipulated in the law (KVKK 5.2.a.) , is directly related to the establishment or performance of a contract (KVKK 5.2.c.) , it is necessary for us to fulfill our legal obligation ( KVKK 5.2.ç.) , the fact that the data subject has been made public by himself (KVKK 5.2.d.) , data processing is mandatory for the establishment, use or protection of a right (KVKK 5.2.e.) , provided that it does not harm the fundamental rights and freedoms of the person concerned. We process the data in cases where data processing is necessary for our legitimate interests (KVKK 5.2.f.) or by obtaining the explicit consent of the data subject (KVKK 5.1.) .

Again, as NART , we process sensitive personal data other than health and sexual life, in cases stipulated by the laws (KVKK 6.3.) . Personal data related to health and sexual life can only be provided by persons who are under the obligation to keep confidential for the purpose of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing (KVKK 6.3.) or the express consent of the person concerned It is processed with (KVKK 6.2.) .

NART processes personal data for the following purposes:

•    Managing human resources processes .

•    To provide corporate communication .

•    Ensuring company security ,

•    To be able to do statistical studies .

•    To be able to perform work and transactions as a result of signed contracts and protocols .

•    Within the scope of VERBIS, to determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, to organize the services provided accordingly and to update them if necessary .

•    To ensure the fulfillment of legal obligations as required or mandated by legal regulations.

•    To liaise with real / legal persons who have a business relationship with the company .

•    Making legal reports .

•    Obligation of proof as evidence in legal disputes that may arise in the future .

NART preserves personal data until this period if any period is stipulated in the relevant legislation, and if such a period is not foreseen, it is limited to the period required by the purpose of processing.

In this context, the periods stipulated in the following legislations are taken as basis and personal data are kept in our body for the durations stipulated in these legislations:

•    Law No. 6698 on the Protection of Personal Data ,

•    Turkish Code of Obligations No. 6098 ,

•    Public Procurement Law No. 4734 ,

•    Social Insurance and General Health Insurance Law No. 5510 ,

•    Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts ,

•    Occupational Health and Safety Law No. 6331,

•    Law on Access to Information No. 4982,

•    Law No. 3071 on the Use of the Right to Petition ,

•    Labor Law No. 4857,

•    Retirement Health Law No. 5434 ,

•    Social Services Law No. 2828

•    Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments,

•    Regulation on Archive Services

•    Other secondary regulations in force under these laws.

4.2 DESTRUCTION OF PERSONAL DATA

NART , the personal data it contains;

•    Amendment or repeal of the provisions of the relevant legislation, which are the basis for processing ,

•    The disappearance of the purpose requiring its processing or storage ,

•    In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his explicit consent,

•    In accordance with Article 11 of the Law, NART accepts the application made for the deletion and destruction of personal data within the framework of the rights of the person concerned ,

•    In the event that NART rejects the application made by the person concerned with the request for the deletion, destruction or anonymization of his personal data, finds the answer insufficient or does not respond within the time stipulated in the Law; Making a complaint to the Board and this request being approved by the Board ,

•    The maximum period for keeping personal data has passed and there are no conditions to justify keeping personal data for a longer period of time ,

cases, it is deleted, destroyed or ex officio, destroyed or anonymized at the request of the person concerned.

5.      TECHNICAL AND ADMINISTRATIVE MEASURES

NART takes all necessary technical and administrative measures in accordance with the Law for the safe storage of personal data, the prevention of unlawful processing and access, and the destruction of personal data in accordance with the law.

5.1 TECHNICAL MEASURES

NART takes the following technical measures in order to securely store the personal data it contains, to prevent unlawful processing and access, and to destroy personal data in accordance with the law:

•    With penetration tests, risks, threats, vulnerabilities and vulnerabilities, if any, regarding NART information systems are revealed and necessary precautions are taken.

•    As a result of real-time analyzes with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.

•   Access to information systems and authorization of users are made through security policies through the access and authorization matrix and the corporate active directory.

•    Necessary measures are taken for the physical security of NART information systems equipment, software and data .

•    In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software. Measures are taken (firewalls, attack prevention systems, network access control, systems preventing malware, etc.) .

•    Risks to prevent unlawful processing of personal data are determined, appropriate technical measures are taken against these risks, and technical controls are carried out for the measures taken.

•    Access procedures are established within NART, and reporting and analysis studies are carried out regarding access to personal data.

•    Inappropriate access or access attempts are kept under control by recording the accesses to the storage areas where personal data is stored .

•    NART takes the necessary measures to make the deleted personal data inaccessible and reusable for the relevant users .

•    In case personal data is obtained by others unlawfully, NART has established a system and infrastructure suitable for this in order to notify the relevant person and the Board .

•    Security vulnerabilities are followed and appropriate security patches are installed and information systems are kept up-to-date .

•    Strong passwords are used in electronic environments where personal data is processed .

•    Secure record keeping (logging) systems are used in electronic environments where personal data is processed.

•    Data backup programs are used to keep personal data safe.

•    Access to personal data stored in electronic or non-electronic media is limited according to access principles .

•    It is encrypted with SHA 256 Bit RSA algorithm using secure protocol (HTTPS) for accessing the institution’s web page .

•    A separate policy has been determined for the security of sensitive personal data .

•    Special quality personal data security trainings have been provided for employees involved in special quality personal data processing, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.

•    Electronic environments in which sensitive personal data are processed, stored and/or accessed are preserved using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of environments are constantly monitored, necessary security tests are regularly performed/have the test results recorded, are provided under .

•    Adequate security measures are taken for physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit is prevented by ensuring physical security.

•    If sensitive personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD , it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment. If transferring is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between servers or using the sFTP method. If it is required to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a “confidential” format.

5.2 ADMINISTRATIVE MEASURES

NART takes the following administrative measures in order to securely store the personal data it contains, to prevent unlawful processing and access, and to destroy personal data in accordance with the law:

•    Trainings are provided on the prevention of illegal processing of personal data, the prevention of illegal access to personal data, the protection of personal data, communication techniques, technical knowledge and skills, the Law and other relevant legislation, in order to improve the quality of employees .

•    Regarding the activities carried out by NART  Employees are made to sign confidentiality agreements.

•    A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures .

•    Before starting to process personal data , NART fulfills its obligation to inform the relevant persons .

•    Personal data processing inventory has been prepared.

•    Periodic and random audits are carried out within the institution.

•    Information security trainings are provided for employees .

6.      PERSONAL DATA DISPOSAL TECHNIQUES

At the end of the storage period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data is destroyed by NART ex officio or upon the application of the relevant person, again in accordance with the provisions of the relevant legislation, with the techniques specified below.

6.1 DELETION OF PERSONAL DATA

We use the following methods when deleting personal data:

The personal data on our servers are deleted by the system administrator by removing the access authorization of the relevant users.

Electronic Personal data in the environment are made inaccessible and non-reusable for other employees (related users) except the database administrator.

Personal Data in the Physical Environment are rendered inaccessible and non-reusable for other employees, except for the unit manager responsible for the document archive. In addition, the process of blackening is applied by drawing/painting/erasing in a way that cannot be read .

Portable Personal data in the media, personal data kept in Flash-based storage media are encrypted by the system administrator and the access authority is given to the system administrator only, and stored in secure environments with encryption keys.

6.2 DESTRUCTION OF PERSONAL DATA

We use the following methods when destroying personal data:

Personal Data in Physical Media are irreversibly destroyed by paper trimmers.

Personal Data in Optical / Magnetic Media is physically destroyed, such as melting, burning or pulverizing. In addition, magnetic media is passed through a special device, and the data on it is rendered unreadable by exposing it to a high magnetic field.

6.3 ANONYMIZATION OF PERSONAL DATA

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

In order for personal data to be anonymized; Personal data must be rendered unrelated to an identified or identifiable natural person, even by using appropriate techniques for the recording medium and the relevant field of activity, such as returning the personal data by the data controller or third parties and/or matching the data with other data.

7.      STORAGE AND DISPOSAL TIMES

The retention periods of personal data processed by NART are included in the Personal Data Processing Inventory on the basis of activity .

Again, the retention periods of personal data processed by NART are included in the VERBIS record on the basis of data category.

Again, the retention periods of personal data processed by NART are included in the Personal Data Retention and Disposal Policy on a process basis.

If necessary, the retention periods can be updated by the KVKK Contact Person and the Information Technologies Director.

For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out by the Information Technologies Director.

 

PERIOD STORAGE PERIOD DISPOSAL TIME
Commercial Transactions 10 years At the first periodic disposal period following the end of the storage period
Preparation of contracts 10 years after the expiration of the contract At the first periodic disposal period following the end of the storage period
Execution of Company Communication Activities Your activity to the end 10 years after expiration At the first periodic disposal period following the end of the storage period
Human Resources Processes

Execution

Your activity to the end 10 years after expiration At the first periodic disposal period following the end of the storage period
Log Tracking Systems 10 years At the first periodic disposal period following the end of the storage period
Execution of Hardware and Software Access Processes 2 years At the first periodic disposal period following the end of the storage period
Registration of Visitors and Meeting Participants 2 Years after the end of the event At the first periodic disposal period following the end of the storage period
Camera Recordings 2 years At the first periodic disposal period following the end of the storage period

 

 

8.      PERIODIC DISPOSAL TIME

In accordance with Article 11 of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, NART has determined the period of periodic destruction as 6 months and periodic destruction is carried out in June and December every year.

9.      PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is also kept in the file by the Accounting Manager.

10. POLICY UPDATE PERIOD

The policy is reviewed as needed and the necessary sections are updated.

11.ENTRANCE OF THE POLICY

The policy is deemed to have entered into force after it is published on NART’s website.