Data Protection

Regulation On Deletion

Document Information

Name of the Document

Personal Data Storage, Destruction and Anonymization Policy

Content of the Document

The purpose of this policy is to determine the principles for the storage, destruction and anonymization of Personal Data by Desk360 Yazılım A.Ş.

Reference/Ground

Law No. 6698 on Protection of Personal Data

Implementing Regulation on the Deletion, Destruction or Anonymization of Personal Data

Approved By:

Managerial Board of Desk360 Yazılım A.Ş.





Content

PERSONAL DATA STORAGE, DESTRUCTION AND ANONYMIZATION POLICY

I.    COVERAGE

II.    DEFINITIONS

III.    PURPOSE AND SCOPE

IV.    RECORD MEDIA

V.    SITUATIONS REQUIRING THE STORAGE AND DESTRUCTION OF PERSONAL DATA

VI.    MEASURES TAKEN TO STORE, PROCESS AND DISPOSE PERSONAL DATA

VII.    UNAUTHORIZED DISCLOSURE OF PERSONAL DATA

VIII.    DESTRUCTION OF PERSONAL DATA

IX.    METHODS AND PROCESS OF DESTRUCTION OF PERSONAL DATA

X.    STORAGE AND DESTRUCTION TIMES

XI.    INFORMATION REGARDING THOSE INVOLVED IN THE STORAGE AND DESTRUCTION PROCESSES

XII.    AMENDMENTS TO THE POLICY

XIII.    EFFECTIVE DATE OF POLICY


PERSONAL DATA STORAGE, DESTRUCTION AND ANONYMIZATION POLICY

  • COVERAGE
    • This Personal Data Storage, Destruction and Anonymization Policy (“Policy”) covers all departments, employees and third parties involved in any process by which Desk360 Yazılım A.Ş. (“Desk360”) processes Personal Data.
    • This Policy covers all Destruction activities that Desk360 carries out on Personal Data and shall be applied whenever a Destruction requirement arises.
    • This Policy does not apply to non-Personal Data.
    • If new legislation is enacted or the relevant legislation is updated, Desk360 shall update this Policy accordingly and comply with the requirements of the legislation.
    • Where a legal obstacle to the implementation of this Policy is identified, Desk360 may redefine the steps it will take, if it deems this necessary.
  • DEFINITIONS

Express Consent

It expresses the consent that is based on being informed about a certain subject and is declared with free will.

Receiver Group

It refers to the category of natural or legal person to whom Personal Data is transmitted by the Data Officer.

Anonymize or Anonymization

It means that the Personal Data cannot be associated with a certain or identifiable real person under any circumstances even by pairing it with other data.

Destruction

It refers to deletion, destruction and anonymization of personal data.

Relevant User

It refers to persons who process Personal Data in accordance with the authority and instruction received from the Data Officer or within the Data Officer organization, with the exception of the person or unit responsible for the technical storage, protection, and backup of the data.

Law

It refers to the Law No. 6698 on Protection of Personal Data.

Storage Media

It means any media in which Personal Data is available that is fully or partially automated or processed in non-automated ways, provided that it is part of any Data Recording System.

Personal Data

It refers to any information relating to an identified or identifiable natural person. (In the context of this Policy, the term "Personal Data" shall also include Private Personal Data, defined below, as far as it is appropriate.)

Personal Data Processing

It refers to any operation performed on the data, such as the process of obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying Personal Data completely or partially by automatic or non-automatic means provided that it is part of any data recording system. 

Committee

It refers to the committee responsible for the performance of the PPD Procedures of this Policy and to be applied in connection with the Policy.

Board 

It refers to the Board on Personal Data Protection.

Institution

It refers to the Institution on Personal Data Protection.

PPD Regulations

It refers to Law No. 6698 on the Protection of Personal Data and other relevant legislation on the protection of Personal Data, binding decisions, principles, provisions, instructions issued by regulatory and supervisory authorities, courts and other official authorities and other applicable international agreements on protection of data and any other legislation.

PPD Procedures

They refer to the procedures that determine the obligations that the company, employees, [Committee and / or Data Officer Representative] must comply with under this Policy.

Policy

It refers to this Personal Data Storage, Destruction and Anonymization Policy, which Desk360 uses as the basis for determining the maximum time required for the purpose for which the Personal Data is processed and for the Deletion, Destruction and Anonymization process.

Record

It refers to the Data Officer Record kept by the Presidency.

Private Personal Data

It refers to biometric and genetic data related to people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, dress, membership of an association, foundation or union, health, sexual life, criminal conviction and safety measures.

Deletion or Being Deleted

It refers to making Personal Data by no means accessible to the Relevant Users and not reusable by them.

Data Inventory

It refers to the inventory in which the company details and explains the Personal Data Processing activities it carries out in connection with its work processes, by reference to the Personal Data Processing purposes, the data category, the Receiver Group to which the Personal Data is transferred and the groups of persons who are the subject of the data; the maximum period required for the purposes of Processing the Personal Data; the Personal Data envisaged to be transferred to foreign countries; and the measures taken for data security.

Data Recording System

It refers to the record system through which the Personal Data is configured and processed in line with certain criteria.

Data Subject

It refers to all real persons whose Personal Data is processed by the Company or on behalf of the Company. 

Data Officer

It refers to the natural or legal person who processes Personal Data by specifying the purposes and means of processing the Data and who is responsible for the establishment and management of the Data Recording System.

Data Officer Representative

It refers to the employee chosen from within the Committee and appointed by decision of the managerial board, who carries out the Company's relations with the Institution.

Directive

It refers to the Directive on the Deletion, Destruction or Anonymization of Personal Data.

Destruction

It means the process of making Personal Data inaccessible, not retrievable and not reusable by anyone.

The definitions contained in the Personal Data Protection and Privacy Policy also apply to this policy.

  • PURPOSE AND SCOPE
    • This Policy applies to the real or legal persons responsible for the Deletion, Destruction or Anonymization of Personal Data covered by the Directive issued in accordance with Article 7 of the Law, and defines the principles to be complied with by Desk360 and by the third parties made contractually responsible by Desk360.
    • In accordance with the Directive, Desk360, as a Data Officer obliged to register with the Record, is obliged to draft a Policy for storing and, where necessary, Deleting, Destroying or Anonymizing Personal Data in line with the Data Inventory, and to act in accordance with that Policy. In this context, Desk360 has prepared this Policy in order to fulfill the obligations listed.
    • The following principles shall apply to the storage and destruction of personal data:
      • The general principles in Article 4 of the Law and Article 7 of the Directive shall be complied with.
      • Desk360 declares and undertakes that, while storing, deleting, destroying or anonymizing personal data, it shall act in accordance with the security measures specified in Article 12 of the Law, the PPD Regulations and this Policy.
      • Desk360 undertakes that it shall comply with this Policy and with the tools, programs and processes to be applied in line with the Policy during the Deletion, Destruction or Anonymization of Personal Data processed wholly or partly by automatic means, or by non-automatic means provided that it is part of any recording system.
  • RECORD MEDIA
    • With this Policy, Desk360 undertakes that the Policy covers the Personal Data held on the media listed below, as well as Personal Data on any other media that may arise in addition:


      • Computers/servers used on behalf of Desk360,
      • Network devices,
      • Shared / non-shared disk drives used for storing data on a network
      • Cloud systems,
      • Mobile phones and all storage areas inside,
      • Paper,
      • Microfiche,
      • Peripherals such as printer, fingerprint reader,
      • Magnetic tapes,
      • Optical discs,
      • Flash memories.


  • SITUATIONS REQUIRING THE STORAGE AND DESTRUCTION OF PERSONAL DATA

A breach of the scope set out below will be treated as a potential security breach, and Desk360 will take precautions accordingly. Desk360 takes all necessary technical and administrative measures for the safe storage of Personal Data and the prevention of illegal processing and access.

    • Cases Requiring The Storage Of Personal Data


Desk360 is obliged to retain the Personal Data in line with the legislation in case the data processing is mandatory for the legitimate interest of the Data Officer, provided that (i) it is expressly stated in the law, (ii) it is obligatory for the life and physical integrity of the person himself/herself, or of somebody else, who cannot express his/her consent due to actual impossibility or whose consent is not legally valid, (iii) the processing of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or execution of a contract, (iv) it is mandatory for the fulfillment of a legal obligation, (v) the processing of data is necessary to establish, use or protect a right, (vi) it is ensured that the Data Subject's fundamental rights and freedoms are not violated. Desk360 also has the right to retain personal data if (i) Explicit Consent is obtained, or (ii) the exceptions set out in Articles 5(2) and 6(3) of the Law apply.

    • Cases Requiring The Destruction Of Personal Data


      • Violation of the Law


Desk360 undertakes that it will not process personal data contrary to the way set out in the law. 


Unless one of the exceptions to the conditions for processing personal data and personal data of special quality set out in Articles 5 and 6 of the Law applies, Desk360:


  • Does not store the personal data of people from whom it has not obtained explicit consent, subject to the exceptions set out in the law.
  • In cases where Desk360 stores Private Personal Data of a special quality, it processes the data in compliance with the PPD Regulations and with the knowledge of the [Data Officer Representative and/or Committee]. In this context, it takes the measures defined or to be defined by the Board within the frame of Article 6(4) of the Law.


      • Removal of Data Processing Conditions

Desk360 is responsible for the up-to-date nature of the data processing requirements and shares this responsibility with all its employees.


Employees cannot continue to process data in cases where all of the conditions for processing data have been eliminated. The Desk360 Information Technology Department is responsible for deleting, destroying or anonymizing personal data whose retention conditions no longer exist, in accordance with this policy.


Desk360 acknowledges that the requirements for processing data have been removed in the relevant cases listed below and specified in the regulation:

  • Amendment or repeal of PPD regulations which are the basis for processing personal data,
  • The contract between the parties has never been established, the contract is invalid, the contract has expired, the contract is terminated or the contract is repealed,
  • Elimination of the purpose requiring processing of personal data,
  • Processing personal data is against the law or honesty,
  • The consent of the data subject is withdrawn when processing personal data takes place only on the basis of explicit consent,
  • The Data Subject's duly made application regarding the processing of personal data within the framework of the rights specified in Article 11 paragraphs (e) and (f) of the Law,
  • In the event that the Data Officer refuses the application made by the Data Subject to delete or destroy his/her personal data, that the response is insufficient or that the Data Officer does not respond within the period stipulated in the law, a complaint is made to the Board and the request is found to be appropriate by the Board,
  • The maximum period of time required to store personal data has passed and there are no conditions that justify storing personal data for longer.


  • MEASURES TAKEN TO STORE, PROCESS AND DISPOSE PERSONAL DATA

Desk360 takes technical and administrative measures in accordance with the nature of the data to be protected, technological capabilities and application costs in order to ensure the storage, processing and access of Personal data in accordance with the law.

    • Technical Measures


The main technical measures taken by Desk360 to prevent unlawful storage, processing and access of Personal Data are listed below:

      • Technical measures in accordance with the developments in technology are taken, and these measures are updated and renewed periodically.
      • In accordance with the legal compliance requirements determined by the business unit, the authority matrix was created, the personal account management system was established and the encryption systems were activated.
      • In this context, software and hardware including virus protection systems and firewalls are installed, log records are kept, and regular backups are made.
      • The necessary software and hardware are installed to ensure network security, while authorization checks and penetration tests are carried out at 6-month intervals. In this context, firewalls and intrusion detection and prevention systems are used.
      • The technical measures are periodically reported to the [Data Officer Representative and/or the Committee] as required by the internal audit mechanism, the issues that pose risks are re-evaluated and the necessary technological solutions are produced.
      • Data that is not obtained with explicit consent and is not among the legal exceptions is used in masked form.
      • Technical personnel is employed and they are made permanent members of the committee, if any.
    • Administrative Measures


The main administrative measures taken by Desk360 to prevent unlawful storage, processing of, and access to Personal Data are listed below:


      • Desk360 informed its employees regarding the Protection of Personal Data legislation and provided them with the necessary training. Within the scope of the training, the employees were told their roles and responsibilities and informed about the principle of “everything is forbidden unless permitted”, not “everything is free unless prohibited”. Necessary commitments for the protection of Personal Data are obtained through a confidentiality agreement signed with the Employees, specifying that they may not disclose Personal Data to others in violation of the PPD Regulations, may not use it for purposes other than processing, and that this responsibility shall continue after the termination of the employment. In this context, provisions in accordance with the law have been added to employee employment contracts and disciplinary regulations. Within the Company's organization, Desk360 has prepared disciplinary processes to be applied in case of non-compliance with these commitments and other confidentiality obligations.
      • Desk360 is committed to keep its employees informed at 6-month intervals and to keep their information up-to-date.
      • It has completed the necessary preparations for notification to the register.
      • Access to personal data and authorization processes are designed and implemented within the Company in accordance with business unit-based legal compliance requirements. 
      • The contracts concluded by Desk360 with those to whom the personal data is transferred in compliance with the law include provisions that the persons to whom the Personal Data is transferred will take the necessary security measures for the purpose of protecting the Personal Data and ensure compliance with these measures in their own organizations.
      • It has made the necessary arrangements for access, information security, use, storage and destruction within the scope of this Policy.
      • The data inventory is prepared and the necessary provisions are included in the contracts for the processing, storage, and transfer of personal data.
      • Necessary preparations have been made for periodic and/or random intra-Company inspections. Risk analyses were carried out and necessary measures were taken.
      • Corporate communication procedures and disclosure processes in case of breach are set out in this policy.


    • Inspection of Measures Taken To Protect Personal Data

Desk360, in accordance with Article 12 of the Law, conducts the necessary inspections through [its appointed Data Officer Representative and/or the Committee formed within itself] or has them conducted. The results of this audit are reported to the relevant department within the scope of the internal operation of the Company and the necessary activities are carried out to improve the measures.

  • UNAUTHORIZED DISCLOSURE OF PERSONAL DATA

Within the scope of this policy, Desk360 has regulated the procedure to be followed in cases of violation of the personal data security obligations set out in the law, the PPD Regulations and this policy.

    • Violations within Desk360


If a Desk360 employee detects a violation or encounters a potential violation, he/she immediately informs the relevant department director of the situation and informs the department manager about how the violation was discovered and where it originated. The department director shall take the first steps to stop the breach if it is ongoing, or to determine its extent if it has ended, and shall notify the [Data Officer Representative and/or Committee] of the situation. The [Data Officer Representative and/or Committee] gets support from the IT department to take action against the breach and contacts the legal department. The [Data Officer Representative and/or Committee] reports the extent, scope and consequences of the breach and shares the report with the Managerial Board and the Institution.

    • Violations By Third Parties


If a third party with whom Desk360 works detects a breach or encounters a possible breach, the [Data Officer Representative and/or Committee] shall contact the legal department and, if necessary, the IT department within 12 hours following the notification. The [Data Officer Representative and/or Committee] reports the information obtained from the other party about the extent, scope and consequences of the breach and shares it with the Managerial Board and the Institution.

  • DESTRUCTION OF PERSONAL DATA

The Destruction of Personal Data can be carried out in three different ways: Deletion, Destruction or Anonymization of the data. The purpose of the destruction process is to ensure that the real person cannot be reached through the remaining data. Desk360 takes all necessary technical and administrative measures regarding the Deletion, Destruction and Anonymization of personal data in accordance with the law.

    • Deletion Of Personal Data

The deletion of Personal Data processed in whole or in part by automatic means is the process of making such Personal Data inaccessible and unusable in any way by the Relevant Users.


The chief data officer explains in the relevant policies and procedures how the conditions set out in Article 7(3) of the Directive on the Deletion of Personal Data are met. Deletion of Personal Data that forms part of any Data Recording System and is processed by non-automated means, and Anonymization of Personal Data that is not required in paper form and has been transferred to electronic media by scanning or without digitization, are carried out in cases where Desk360 processes the data completely or automatically. When Desk360 Deletes Personal Data, it makes the data inaccessible and not reusable in any way. Desk360 guarantees that the data cannot be accessed or reused by any user while performing this operation. This warranty is under the responsibility of Desk360.

The stated deletion methods are subject to the Directive and it is the responsibility of Desk360 to update them in the relevant cases.

    • Destruction Of Personal Data


The destruction will be done in cases where Desk360 processes the data in physical recording media, and Desk360 is obliged to make such data inaccessible, unusable and impossible to retrieve again.


During the destruction process, Desk360 employees and related departments are obliged to inform the [Data Officer Representative and/or Committee] of the relevant data to be destroyed, and then Desk360 shall take all necessary technical and administrative measures.

    • Anonymization Of Personal Data


Anonymization is the process by which Desk360, where it processes personal data in whole or automatic ways, makes it impossible to associate that data with a specific or identifiable real person, even if it is matched with other data.


Anonymization of personal data is the task of the business unit having the data within the Desk360. The business unit having the data may get support from different departments of Desk360, provided that the audit is done by itself for the Destruction of the data.


During the anonymization of personal data, Desk360 may use the methods specified under this policy. In cases where the accuracy of the method to be applied cannot be assured, the [Data Officer Representative and/or committee] should be consulted.

  • METHODS AND PROCESS OF DESTRUCTION OF PERSONAL DATA

For the Deletion of Personal Data, Desk360 defines in this policy all methods that may be used for the destruction of personal data. The business unit having the data is obliged to implement the method in this policy that is appropriate to the circumstances.

    • Deletion


During the deletion of personal data, Desk360 employees perform the deletion process by choosing the appropriate one among the following methods:

      • Cloud systems

The data in the cloud system is deleted by issuing a Delete command. While performing this operation, Desk360 takes care that the Relevant User does not have the authority to retrieve deleted data on the cloud system.

  • Personal Data On Paper Media

Personal data on paper media is deleted using the blanking method. Blanking is done by cutting the personal data out of the relevant documents where possible and, where that is not possible, by making it invisible to the Relevant Users with fixed ink so that the process cannot be reversed and the data cannot be read by technological means.

  • Office Files Located On The Central Server

The file is deleted with the Delete command of the operating system, or the Relevant User's access rights are removed on the file or on the directory where the file is located. When performing this operation, care is taken that the Relevant User is not also a system administrator.

  • Personal Data in Portable Media

Personal Data in Flash-based storage media is stored in encrypted form and deleted using software appropriate to those media.

  • Databases

The related rows containing the personal data are deleted with database commands (DELETE, etc.). When performing this operation, care is taken that the Relevant User is not also a system administrator.

    • Destruction

During the Destruction of Personal Data, Desk360 employees perform the destruction process by choosing the appropriate one among the following methods:

  • Overwriting

It is the process of making old data unreadable by using software to overwrite magnetic media and rewritable optical media at least 8 times with random data consisting of 0s and 1s.

  • Magnetizing

It is the process of making the data on magnetic media unreadable by physically altering the media in a very strong magnetic field.

  • Physical Destruction

It is the process of physically destroying optical or magnetic media by melting, pulverizing, grinding, and similar processes. It can be applied in cases where the magnetizing or overwriting methods fail.

  • Cloud systems

It is the process of destroying all copies of the encryption keys of Personal Data after notification of the destruction of Personal Data held on cloud systems is made to the contracted service provider.

  • Destruction Of Personal Data In Peripheral Systems

It is the process of destroying, by overwriting, magnetizing or physical destruction, the internal unit that holds Personal Data, if there is one, or otherwise the whole device, in systems such as printers, fingerprint units and door entry systems. This type of destruction must be carried out before the devices are subject to backup, maintenance and similar operations.

  • Destruction Of Personal Data In Paper And Microfiche Media

Because the personal data on these media is permanently and physically written on the medium, the main medium itself is destroyed. During this process, the media is divided with paper shredding or clipping machines into pieces small enough to be unreadable, if possible both horizontally and vertically, so that it cannot be put back together.


The personal data transferred from the original paper format to the electronic media through scanning is destroyed by using one or more of the appropriate methods mentioned above according to the electronic media in which they are located.

    • Anonymization


The data obtained by applying Anonymization prevents the Data Subject from being identified, or the Data Subject loses distinctiveness within a group or crowd in such a way that the data cannot be associated with a real person.

In the event that Desk360 decides to anonymize Personal Data rather than deleting or destroying it, it ensures that the following requirements are fulfilled:

  • The anonymity cannot be broken by combining an anonymized dataset with another dataset,
  • One or more values cannot form a meaningful whole that would make a record unique,
  • The values in the anonymized dataset do not combine to produce an assumption or result.

Because of the risks listed above, Desk360 performs regular checks on the data sets it anonymized and makes sure that anonymity is protected.

While applying the following Anonymization methods, Desk360 shall take into account the following: the nature and the size of the data, its structure in the physical media, its variety, the intended benefit / purpose of processing, the frequency of processing, the reliability of the party to which it is to be transferred, the amount of effort required for anonymization, the extent of the damage that may occur if the anonymity is broken, the sphere of impact, the distribution/centrality rate, the authorization control of users' access to the related data, and the likelihood that the effort needed to devise and carry out an attack that would break anonymity is worthwhile.

By means of contracts and risk analyses, Desk360, as the party that Anonymizes the data, checks whether the data could identify a person again through the use of information that is public or that is known to be held by the other institutions and organizations to which the personal data is transferred.

During the Anonymization of Personal Data, Desk360 employees perform the Anonymization process by choosing the appropriate one among the following methods:

      • Anonymization Methods That Do Not Provide Value Irregularity

In methods that do not provide value irregularity, no change, addition or subtraction is applied to the values in the data set; instead, changes are made to entire rows or columns in the set.

  • Removal of Variables

A method of anonymization provided by removing one or more of the variables from the table by completely deleting it.  In such case, the entire column in the table will be completely removed.

  • Removing Records

In this method, anonymity is strengthened by removing a row containing a singularity from the data set, and the possibility of producing assumptions about the data set is reduced.

  • Regional Concealment

In the regional concealment method, the goal is to make the dataset more secure and reduce the risk of predictability. If the combination of values of a particular record creates a rarely seen situation, and this is likely to make that person distinguishable in the group concerned, the value that creates the exceptional situation shall be changed to “unknown”.

  • Generalization

It is the process of converting the relevant Personal Data from a specific value to a more general value. The new values obtained as a result of the generalization process show the total values or statistics for a group, which makes it impossible to reach a real person.

  • Lower and upper bound coding

The lower and upper bound coding method defines a category for a given variable and combines the values that fall within the grouping created by that category. In general, the lowest or highest values of a particular variable are gathered together and a new definition is made for these values.

  • Global Coding

The Global encoding method is a grouping method used in datasets where lower and upper bound encoding is not feasible, does not contain numeric values, or has values that cannot be sorted numerically. It is generally used in cases where certain values are grouped together, making it easier to make predictions and assumptions. All records in the data set are replaced with this new definition by creating a common and new group for the selected values.

  • Sampling

In the sampling method, a subset taken from the data set is described or shared instead of the whole data set. This reduces the risk of producing accurate estimates about individuals, because it is not known whether a person who is known to be in the whole data set is included in the described or shared sample subset. Simple statistical methods are used to determine the sample subset.

      • Anonymization Methods That Provide Value Irregularity

Unlike the methods mentioned above, methods that provide value irregularity change the existing values in order to create distortion in the values of the data set. Because the values of the records change, the benefit planned to be obtained from the data set must be calculated correctly. Even though the values in the dataset change, the data can still be useful as long as the total statistics are not corrupted.

  • Micro Combination

In this method, all the records in the data set are first sorted in a meaningful order and then the whole set is divided into a certain number of subsets. Then, by averaging the value of each subset of the specified variable, the value of the subset of that variable is replaced by the mean value. Thus, the average value of that variable that applies to the entire dataset will not change either.

  • Data Exchange

The data exchange method changes records by exchanging the values of a subset of variables between pairs selected from among the records. This method is mainly used for categorizable variables, and the main idea is to transform the database by swapping the values of variables between the records of individuals.

  • Adding Noise

With this method, additions and subtractions are made to provide distortions in a selected variable to the specified extent. This method is most often applied to datasets that contain numeric values. Distortion is applied equally at each value.
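The micro combination method described above (commonly called microaggregation), as an added example that is not part of the policy or Desk360's own code. The function name, the group size `k` and the salary figures are assumptions constructed for illustration.

```python
from statistics import mean

def microaggregate(values, k):
    """Replace each value by the mean of its group of at least k sorted neighbours."""
    if k < 1:
        raise ValueError("k must be at least 1")
    if len(values) < k:
        raise ValueError("need at least k records to form one group")
    # Sort record indices by value so that each group holds similar records.
    order = sorted(range(len(values)), key=lambda i: values[i])
    # Cut into consecutive groups of k; a short tail is merged into the
    # previous group so that no group ends up smaller than k.
    groups = [order[i:i + k] for i in range(0, len(order), k)]
    if len(groups) > 1 and len(groups[-1]) < k:
        groups[-2].extend(groups.pop())
    masked = [None] * len(values)
    for group in groups:
        group_mean = mean(values[i] for i in group)
        for i in group:
            masked[i] = group_mean  # every member now carries the same value
    return masked

# Constructed sample: monthly salaries of eight fictional employees.
SALARIES = [4200, 9800, 5100, 4300, 15000, 5000, 9500, 4800]

if __name__ == "__main__":
    masked = microaggregate(SALARIES, k=3)
    for original, replaced in zip(SALARIES, masked):
        print(f"{original:>6} -> {replaced:>9.2f}")
    print("mean before:", mean(SALARIES), "mean after:", round(mean(masked), 2))
```

With `k=3` the outlier salary of 15000 is absorbed into a group of five records, while the dataset mean stays at 7212.5.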

      • Statistical Methods To Strengthen Anonymization

When some of the values in the records of an anonymized data set are combined with individual scenarios, it may be possible to identify the individuals in the records or to derive assumptions about their personal data. For this reason, anonymity can be strengthened by using various statistical methods to minimize the singularity of the records in anonymized datasets.


The main purpose of these methods is to minimize the risk of anonymity being broken while keeping the benefit obtained from the data set at a certain level.


  • K-Anonymity

K-Anonymity was developed to prevent the disclosure of information specific to individuals who show singular characteristics in certain combinations, by ensuring that specific fields in a dataset identify more than one person. If more than one record shares a combination formed from some of the variables in a data set, the probability of identifying the individuals corresponding to this combination is reduced.


  • L-Diversity

The L-diversity method, which grew out of studies on the deficiencies of k-Anonymity, takes into account the diversity of the sensitive variables that correspond to the same combinations of variables.

  • T-Closeness

The T-closeness method calculates the degree of closeness of personal data values and anonymizes the data set by dividing it into subclasses according to these degrees of closeness.
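A check for the first two properties above, as an added example that is not part of the policy or Desk360's own code: it groups records by their combination of variables, reports k (the smallest group) and l (the fewest distinct sensitive values in any group, the simplest "distinct" form of L-diversity), and lists the combinations that fall below a threshold. The field names, thresholds and records are constructed; T-closeness is not covered.

```python
from collections import defaultdict

QI = ("age", "postcode")  # assumed quasi-identifier columns

def equivalence_classes(records, quasi_identifiers):
    """Group records that share the same quasi-identifier combination."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_identifiers)].append(rec)
    return dict(classes)

def assess(records, quasi_identifiers, sensitive, k_min, l_min):
    """Return dataset-wide k and l plus the combinations below either threshold."""
    classes = equivalence_classes(records, quasi_identifiers)
    if not classes:
        raise ValueError("empty dataset")
    sizes = {key: len(rows) for key, rows in classes.items()}
    distinct = {key: len({r[sensitive] for r in rows})
                for key, rows in classes.items()}
    failing = sorted(key for key in classes
                     if sizes[key] < k_min or distinct[key] < l_min)
    return {"k": min(sizes.values()), "l": min(distinct.values()),
            "failing": failing}

# Constructed sample, already generalised to age bands and postcode prefixes.
RECORDS = [
    {"age": "30-39", "postcode": "340**", "diagnosis": "asthma"},
    {"age": "30-39", "postcode": "340**", "diagnosis": "diabetes"},
    {"age": "30-39", "postcode": "340**", "diagnosis": "asthma"},
    {"age": "40-49", "postcode": "340**", "diagnosis": "hypertension"},
    {"age": "40-49", "postcode": "340**", "diagnosis": "hypertension"},
    {"age": "40-49", "postcode": "061**", "diagnosis": "flu"},
    {"age": "40-49", "postcode": "061**", "diagnosis": "asthma"},
]

if __name__ == "__main__":
    print(assess(RECORDS, QI, "diagnosis", k_min=2, l_min=2))
```

The sample is 2-anonymous, yet the ("40-49", "340**") group holds a single diagnosis, so anyone known to be in that group has their diagnosis revealed; this is the deficiency of k-Anonymity that L-diversity addresses.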

  • STORAGE AND DESTRUCTION PERIOD
    • Periodic Destruction and Legal Retention Periods

Physical and digital data whose legal storage and Destruction periods have expired are periodically destroyed. Desk360 shall Delete, Destroy or Anonymize Personal Data in the first periodic destruction process following the date on which the obligation to Delete, Destroy or Anonymize the Personal Data arises. Periodic Destruction is carried out at 6-month intervals for all Personal Data. The legal storage and Destruction periods on which Periodic Destruction is based are determined in the Data Inventory. Desk360 undertakes that if the Board shortens the periods under Article 11(4) of the Directive, it shall adapt to the new periods.

Transactions relating to deleted, destroyed and anonymized data are kept for a period of at least 3 years, other legal obligations excepted. Desk360 reserves the right to store Personal Data where this arises from other legal obligations.

 

    • The Process of Deletion and Destruction Following the Request of The Data Owners

Where data owners apply to Desk360 and request that their personal data be deleted or destroyed, Desk360 checks whether the conditions for processing the personal data still apply and acts accordingly.

If all of the conditions for processing the personal data have ceased to exist, Desk360 deletes, destroys or anonymizes the requested personal data. Desk360 finalizes the request of the Data Subject within thirty days at the latest and informs the Data Subject.

If all of the conditions for processing the personal data have ceased to exist and the requested Personal Data has been transferred to third parties, the Data Manager shall notify the third party of this situation and ensure that the third party carries out the necessary procedures within the scope of the Directive.

If the conditions for processing the Personal Data have not completely ceased to exist, Desk360 may reject the request by explaining the justification to the Data Subject, and notifies the Data Subject in writing or electronically within thirty days at the latest.

  • INFORMATION REGARDING THOSE INVOLVED IN THE STORAGE AND DESTRUCTION PROCESSES

By decision of the Desk360 Managerial Board, Desk360 has [appointed a Data Officer Representative and/or established a committee] to manage this policy and other policies related to it. The duties of this [committee] are set out below.

  • To prepare basic policies related to the protection and processing of personal data and, where necessary, changes to them, and to submit these to the Managerial Board for approval so that they can be enacted.
  • To decide how the policies regarding the protection and processing of Personal Data will be implemented and supervised, and to submit the internal appointments and coordination arrangements within this framework to the Board of Directors for approval.
  • To submit committee recommendations and procedures prepared by committee member(s) to the Board of Directors for approval.
  • To operate the deletion, destruction and anonymization processes with the support of the IT department, and to establish the necessary procedures and submit them to the Board of Directors for approval.
  • To determine what needs to be done to ensure compliance with the LPDD and PPD Regulations and to submit it to the Board of Directors for approval; to supervise implementation and ensure coordination.
  • To raise awareness within Desk360 and in the institutions with which Desk360 cooperates in the protection and processing of Personal Data.
  • To follow up, through the committee members, on processes related to violations of PPD Regulations and PPD Policies and Procedures, to create the necessary mechanisms and action plans, and to submit them to the Board of Directors for approval.
  • To educate employees about Personal Data protection and Company policies.
  • To ensure compliance and follow-up of processes related to the processing of Private Personal Data. 
  • To identify the risks that may arise in the company's personal data processing activities and to ensure that necessary measures are taken; to submit improvement proposals to the Board of Directors for approval.
  • To design trainings on the protection of personal data and the implementation of policies and to ensure that they are executed by obtaining the necessary approvals.
  • To work to establish mechanisms for responding effectively to applications from Personal Data owners and to submit them to the Board of Directors for approval.
  • To follow the developments and regulations regarding the protection of personal data and to advise the Board of Directors on what should be done within the Company in accordance with these developments and regulations. 
  • To coordinate relations with the Personal Data Protection Board and the Personal Data Protection Institution.
  • To perform other duties given by the Board of Directors on the protection of Personal Data.


  • AMENDMENTS TO THE POLICY

This policy may be amended by Desk360 with the approval of the Board of Directors, upon the recommendation of [the Data Officer Representative and/or committee] or if there is a change in the PPD regulations that affects the provisions of this policy. If there is a discrepancy between the PPD regulations and this policy, the PPD regulations shall prevail.

Desk360 will share the changes made to the policy, together with the updated policy for review, with its employees via email and make them available to its employees via the corporate intranet.

  • EFFECTIVE DATE OF POLICY

This version of the Personal Data Retention, Destruction and Anonymization policy was approved by the Board of Directors of the company and entered into force on 09/09/2019.
