MUYA POLYURETHANE KAUÇUK IND. AND TRADE Inc.

PERSONAL DATA DESTRUCTION POLICY

  1. Principles Regarding Deletion, Destruction or Anonymization of Personal Data

In order to set out the procedure regarding what will happen to these data and the procedures and principles under which the personal data of the relevant persons ( data owners ) whose personal data are processed with their explicit consent are eliminated after the purpose of collection and processing of their personal data is eliminated or upon their own request. This policy has been created. The transactions will be carried out in accordance with the procedures and principles specified in the "Regulation on Deletion, Destruction or Anonymization of Personal Data".

All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records will be kept for at least three years, excluding other legal obligations.

  1. Reasons Requiring Storage and Destruction of Personal Data

Your personal data; Management of human resources processes, having explicit consent of data owners, being directly related to the establishment and execution of contracts, being necessary for the legitimate interests of the data controller, ensuring that the purposes of establishing business partnerships with various projects are fulfilled, carrying out commercial activities, company law, event management. It is stored by us as stated in the relevant legislation and policies for the reasons and purposes of managing corporate communication processes, designing and auditing strategies regarding commercial activities, ensuring security and fulfilling obligations to legally authorized public institutions and organizations, and when the relevant processes are completed, situations requiring the storage of personal data are eliminated. remains or is destroyed as a result of the request of the relevant person or the decision of the Board.

  1. Definitions

The equivalents of the technical terms included in the policy are shown below.

Recipient Group: The category of real or legal person to whom personal data is transferred by the data controller.

Relevant User: Persons who process personal data within the data controller organization or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Destruction: Deletion, destruction or anonymization of personal data.

Law: Personal Data Protection Law No. 6698 dated 24/3/2016.

Recording Medium: Any environment containing personal data that is processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system.

Personal Data Processing Inventory: Personal data processing activities carried out by data controllers depending on their business processes; It is an inventory that they create by associating personal data with the purposes of processing personal data, data category, transferred recipient group and data subject person group, and detailing the maximum period required for the purposes for which personal data are processed, personal data envisaged to be transferred to foreign countries, and measures taken regarding data security.

Board: Personal Data Protection Board.

Periodic Destruction: It is the process of deleting, destroying or anonymizing personal data specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals in case all the processing conditions of personal data specified in the law are eliminated.

Registry: The registry of data controllers maintained by the Personal Data Protection Authority.

Data Recording System: It is a recording system in which personal data is structured and processed according to certain criteria.

Data Controller: (Muya Polirüretan Kauçuk Sanayi ve Ticaret Anonim Şirketi) is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.

Deletion: It is the process of making personal data inaccessible and unusable for the relevant users in any way.

Destruction: It is the process of making personal data inaccessible, irretrievable and unusable by anyone.

Direct Descriptors: These are descriptors that, by themselves, directly reveal, disclose and make distinguishable the person with whom they relate.

Indirect Identifiers: These are identifiers that, combined with other identifiers, reveal, disclose and make distinguishable the person they are in relation to.

Destruction: Deletion, destruction or anonymization of personal data.

Blackening: These are processes such as scratching, painting and icing all personal data in a way that cannot be associated with an identified or identifiable natural person.

Masking: These are processes such as deleting, crossing out, painting and starring certain areas of personal data in a way that cannot be associated with an identified or identifiable natural person.

  1. Environments in which Personal Data is Recorded

Personal data of data owners are stored securely in the following environments in accordance with KVKK and relevant legislation.

Electronic Environments: Server and backup units, cloud environment

Physical Environments: HR Lockers, Archive

  1. Persons Who Manage and Work in the Process of Storage and Destruction of Personal Data

Below, the titles, units and job descriptions of the authorized and responsible persons involved in the storage and destruction of personal data are stated.

. Human Resources Human Resources Manager during the Job Application Form and CV preservation process

. Human Resources Human Resources Manager in the process of keeping personnel files

. Workplace Physician during the preservation process of data collected within the scope of occupational health and safety legislation (health reports, etc.).

. Storing data regarding work accidents/occupational diseases Workplace Physician

. Administrative Affairs Administrative Affairs Manager in the process of keeping the guest book

. Marketing Manager in the process of storing authorized dealer and customer information

. E-Commerce E-Commerce Officer in the process of storing the membership and order information of customers and visitors who are members of the "www.muya.com" website and/or mobile application.

. Finance Manager in the process of making compensation / advance / enforcement payments

. Accounting Accounting Manager in the process of storing current account cards and invoices

. Accounting Accounting Manager in the process of keeping contracts

. Information Technology Manager during the real-time image recording system acquisition and storage within and outside the company

. Information Technology Manager during the storage of website entry and exit information

. Information Technology Manager during the backup of used program data and e-mails

. Information Technology Department during the registration and storage of workplace entries and exits

  1. Technical and Administrative Measures Taken to Preserve Personal Data and Prevent Unlawful Processing and Access

Technical Measures Taken to Ensure Lawful Storage of Your Personal Data and Preventing Unlawful Processing and Access

 

  • Personal data storage, processing and access activities are supervised by established technical systems.
  • Software and hardware including virus protection systems and firewalls are used.
  • The technical measures taken are reported to the relevant person.
  • Technically knowledgeable personnel are employed.
  • Access authorizations are limited and authorizations are reviewed regularly.
  • Backup programs are used in accordance with the law to ensure that personal data is stored safely.
  • Access to data storage areas containing personal data is logged and inappropriate access or access attempts are instantly communicated to the relevant parties.

Administrative Measures Taken to Ensure Lawful Storage of Personal Data and Prevention of Unlawful Processing and Access

  • Employees are informed and trained about personal data protection law and the legal storage and processing of personal data.
  • Personnel who will process, store and access personal data have been determined in the Personal Data Processing inventory.
  • All activities carried out are analyzed in detail for all departments, and as a result of this analysis, personal data processing activities are revealed specific to the commercial and administrative activities carried out by the relevant business units.
  • In order to meet the legal compliance requirements determined on a departmental basis, awareness is created and implementation rules are determined for the relevant departments; The necessary administrative measures to ensure the control of these issues and the continuity of the application are implemented through in-company policies and training.
  • Employees are informed that they cannot disclose the personal data they have learned to anyone else, contrary to the provisions of the Personal Data Protection Law No. 6698, or use it for purposes other than processing, and that this obligation will continue after they leave office, and the necessary commitments are taken from them in this regard.
  • Except for the instructions of Muya Polyurethane Kauçuk Sanayi ve Ticaret Anonim Şirketi and the exceptions imposed by law, records that impose an obligation not to process, disclose or use personal data are included in the contracts and documents governing the legal relationship between employees, and employees' awareness is raised on this issue.

  1. Technical and Administrative Measures Taken for the Lawful Destruction of Personal Data

 

  • Secure Deletion from Software: When deleting data processed entirely or partially automatically and stored in digital media; Methods are used to delete the data from the relevant software in a way that makes it inaccessible and unusable for the relevant users.
  • Deleting Relevant Data in the Cloud System by Giving a Delete Command : Removing the access rights of the relevant user on the file on the central server or the directory where the file is located; deleting relevant rows in databases with database commands; or deleting data on portable media, i.e. flash media, using appropriate software can be considered within this scope.

However, if the deletion of personal data will result in the inability to access and use other data within the system, personal data will be deemed deleted if the personal data is archived in a way that it cannot be associated with the relevant person, provided that the following conditions are met.

  • It is not accessible to any other institution, organization or person,
  • Taking all necessary technical and administrative measures to ensure that personal data is accessed only by authorized persons.

  • Secure Deletion by an Expert: In some cases, Muya may contract with an expert to delete personal data on its behalf. In this case, personal data will be securely deleted by a person specialized in this field, making them inaccessible and unusable in any way for Relevant Users.
  • Blackening of Personal Data on Paper: It is the method of physically cutting the relevant personal data out of the document or making it invisible using fixed ink in a way that cannot be reversed and cannot be read with technological solutions, in order to prevent the non-purposeful use of personal data or to delete the data requested to be deleted.
  • De-magnetization: It is the method of corrupting the data on the magnetic media in an unreadable way by passing it through special devices where it is exposed to high magnetic fields.
  • Physical Destruction: Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When destroying such data, a system of physically destroying personal data in such a way that it cannot be used later is applied. Destruction of data on paper and microfiche is carried out in this way, as it is not possible to destroy them in any other way.
  • Overwriting: The overwriting method is writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media through special software.
  • Anonymization Methods That Do Not Cause Value Irregularity: Without making any changes or additions/removals to the personal data stored with anonymization methods that do not cause value irregularities; It is the generalization of any personal data group, replacement with each other, or the removal of a specific data or sub-data group from the group.
  • Variable Extraction: Anonymization of the existing data set by removing the "highly descriptive" variables from the variables in the data set created after bringing together the data collected by the method of removing descriptive data.
  • Removing Records: The stored data is anonymized by removing the data line containing a singularity from the records.
  • Regional Hiding: If a single data has a deterministic nature because it creates a rarely visible combination, anonymization is achieved by hiding the relevant data.
  • Lower and Upper Bound Coding: Using the lower and upper limit coding method, the values ​​in a data group containing predefined categories are anonymized by combining them by determining a certain criterion.
  • Generalization: With the data aggregation method, many data are aggregated and personal data is made unable to be associated with any individual.
  • Global Coding: With the data derivation method, a more general content is created from the content of personal data and it is ensured that personal data cannot be associated with any person.
  • Anonymization Methods That Provide Value Irregularity: In anonymization methods that provide value irregularity, unlike those that do not provide value irregularity, distortion is created by changing some data in personal data groups.
  • Adding Noise: The method of adding noise to the data makes the data anonymous by adding some positive or negative deviations to the existing data at a determined rate, especially in a data set where numerical data is predominant.
  • Micro Joining: In the micro-joining method, all data is first arranged in a meaningful order and divided into groups, the average of the groups is taken, and the value obtained is written instead of the relevant data in the current group, providing anonymization.
  • Data Exchange: In the data exchange method, the values ​​of a variable are exchanged with each other between pairs selected from the stored data.

During the above-mentioned situations, full compliance with the provisions of the KVKK, the Regulation and other relevant legislation is ensured and all necessary administrative and technical measures are taken to ensure data security.

  1. Periodic Destruction Period of Personal Data

Personal data held by Muya will be checked at certain periodic intervals, and those whose processing conditions are completely eliminated will be deleted, destroyed or anonymized.

These periodic review and destruction processes to be applied to personal data are included in the Personal Data Processing Inventory created by Muya and submitted/will be submitted to the VERBIS system.

  1. Periods for Ex officio Deletion, Destruction or Anonymization of Personal Data

In the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises, your personal data will be deleted, destroyed or anonymized. This period will probably not exceed six months.

If irreparable or impossible damages occur and there is a clear violation of the law, the Board may shorten the period specified in this article.

  1. Periods to be Applied Upon Request for Deletion, Destruction or Anonymization of Personal Data of the Data Owner

The Data Owner submits his/her requests regarding the implementation of the Law to Muya in writing or by other methods determined by the Board. Muya accepts the request or rejects it by explaining the reason and notifies the relevant person of its response in writing or electronically within thirty days at the latest. If the request in the application is accepted, it will be fulfilled accordingly.

If all the processing conditions for the personal data subject to the request have been eliminated, the personal data subject to the request will be deleted, destroyed or anonymized. The requests in the application are concluded free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be taken as basis. If it is due to Muya's error, the fee collected will be refunded to the data owner.

Unless a contrary decision is taken by the Board, Muya will choose the appropriate method to delete, destroy or anonymize personal data ex officio. Upon the request of the relevant person, Muya selects the appropriate method by explaining the reason.

If the personal data subject to the request has been transferred to third parties, this will be notified to the third party; It will be ensured that the necessary procedures are carried out within the scope of the Regulation on Deletion, Destruction or Anonymization of Personal Data before the third party.

You can apply for issues regarding the processing of your personal data by filling out the form on the Company's website or in writing* to the address below.

Muya Polyurethane Rubber Industry and Trade Joint Stock Company Contact Information

Address: Adnan Kahveci, İnönü Cd. No:95 Beylikdüzü/Istanbul

Phone: 444 6 968

Email: mh@muya.net

*In case of written application, please state the subject as "Information Request within the Scope of the Personal Data Protection Law" on the envelope.