“Employees on the payroll” is a phrase we come across from time to time in newspaper stories and other media: “Good news for employees on the payroll”, “employees on the payroll pay the most tax”, “bad news for employees on the payroll”, and so on. So what is this payroll that almost everyone has heard of and that directly concerns some of us?
Every worker is paid a wage in return for their work. While the worker is interested in the part of this payment that reaches their bank account, the employer naturally wants to know the total cost it creates for them. Contrary to what many of us think, however, a payroll does not come about that simply. The wage paid to the worker may consist of the base wage alone or, depending on the employment contract and working conditions, it may also include fringe rights and benefits. Every benefit the employer provides to the worker, in cash or in kind, has a counterpart in our laws. Almost all of them are required to appear on the payroll, while the legal rules to be followed in calculating each one differ; separate rules have been set for each.
The story of the payroll begins on the first day we start working for an employer under the agreement we have made, and it is rewritten every new month. While we try to do the work the employer expects as best we can and in line with expectations, what we do or fail to do is in fact the story of our payroll. When payday comes, the payment we have earned is transferred to our bank account and we are happy. But that payment passes through many stages before it reaches that bank account, and it requires the labour of many people. Nor does it end when the payment reaches our bank account: payroll also means ongoing work and transactions such as social security premium payments, tax payments and the recording of the employer's costs.
Our working days, our shortfalls or overtime during the month, additional benefits to be paid, additional deductions to be made and many similar variables make up the payslip we receive at the end of the month. Besides the net amount to be paid to the worker, the payroll also includes the income tax, stamp duty and social security premium payments calculated by the employer on the worker's behalf. Beyond that, advances paid during the month, enforcement payments if any, and similar special deductions are also points that must not be overlooked. All these variables that make up the payroll are gathered, before the calculations, in a table called the timesheet (puantaj). This timesheet shows in detail all workers' payments and deductions, their use of paid or unpaid leave and, where applicable, their start or leaving dates. These tables are then converted, using software built for this purpose, into payroll tables containing the results for that month. This conversion, of course, does not happen at the push of a single button. The life of a payroll specialist requires adapting to last-minute changes and updates, to technological factors ranging from the internet connection to software development, to updates and amendments to the legislation that affect the calculations, and to similar conditions.
Beyond the requirement that it contain all payments and deductions belonging to the worker, the payroll describes, for the worker, the income on which they will live and, for the employer, the costs with which they will keep their business going. Any omission or error in payroll calculations may cause the worker not to receive the income they have earned, and may equally leave the employer facing a higher cost than usual. Such a situation will shake the worker's trust in their company and have a direct effect on their motivation and commitment to the company. Cost errors, from another angle, mean that the employer cannot make its assessments correctly. Beyond all this, if the tax and social security premium amounts to be paid on the worker's behalf have not been calculated in accordance with the law and underpayments arise, this leads to considerable administrative and financial sanctions for the employer. The requirement to carry out all this traffic according to a set calendar, and the tension and stress created by having to complete these transactions by dates fixed by law, are also an indispensable part of the payroll adventure.
Before the payslip we receive at the end of the month reaches that point, it passes through many hands, from human resources to accounting, from unit managers to expert consultants and software developers, and it demands the expertise and time of each. Moreover, the calculations on our payroll carry meanings and consequences that should not be ignored at every stage of our lives: the calculation of the temporary incapacity allowance we may receive when we fall ill, the unemployment benefit we may receive if, unpleasant as it is, we lose our job, and the retirement pension that will be granted when the day comes. Payroll should not be shrugged off. The payroll that we care about only as a legal requirement or when we have a particular need bears the signatures of many people, first and foremost our own labour.
İnsan Kaynakları Yönetim Sistemleri ve Ticaret A.Ş (herein shall be referred as the Company), uses technologies such as cookies, mobile device identifiers and pixel tags (herein shall be referred as Cookies) in order to improve the experience of our users and visitors (herein shall be referred as Visitors) with use of our web site and other online platforms as well as to provide you with a better service.
Company pays utmost care to protect personal data of visitors using our internet site and other platforms; therefore we would like to inform you that Personal Data Protection Act No. 6698 (herein shall be referred as the Act/Law) is observed in all data processing operations, and you can access the Personal Data Protection and Processing Policy here.
This Cookie Policy is prepared to inform our visitors on use and purpose of Cookies, and the Company is entitled to make changes to the policy at any time.
The Company uses Cookies in order to improve our visitors’ experience securely, and to make use of the site efficient and easy. However, use of cookies can be blocked from browser settings if you wish, and data from previous use of cookies can be destroyed. Please note that blocking cookies may impact user experience with the web site and platforms.
What is Cookie?
Cookies are data files containing small pieces of information that are installed and stored on the device (or network server) through the browser or application by the relevant site or application when an internet site is visited or an application is installed on a mobile device. The data files contain data about your visit to the web site, and are unable to access data on your computer or mobile device.
Cookie Types and Purposes of Use
Primary reason for use of cookies is to personalize and improve the experience of our users and visitors with our web site. These data enable us to increase functionality of web/mobile site for visitors, assess ease of use and functionality of our internet site and make improvements to provide you a better service.
Technical Cookies / Mandatory Cookies
Technical cookies, which are also referred to as mandatory cookies, are the minimum information required for use of electronic service provided by the Company via [https://www.pernet.com.tr] internet site. Technical cookies are used for security and verification purposes, and they ensure sound operation of the internet site and identify non-functional pages and areas.
Functionality / Preference Cookies
Preference cookies offer practical and functional solutions such as recalling language preference, entry information, etc. previously entered by users on [https://www.pernet.com.tr/] internet site to enable automatic entry.
Statistical / Performance Cookies
Statistical cookies enable understanding of user actions on the internet site. Company processes statistical cookies in an anonymized manner via Google Analytics for a more accurate analysis.
Marketing Cookies
Marketing cookies are used to offer advertisements and promotions that fit visitor’s areas of interest on web sites and similar media.
Cookies used on the web site and their intended use are as follows:
Service Provider | Cookie | Intended Use
Cookie Use Policy
Visitors can manage and personalize their cookie preferences from browser settings, and limit information sharing. However, we would like to note that it may impact certain functionalities of the web site partially or completely. Visitors who blocked use of cookies are deemed to accept related performance issues.
You can restrict use of cookies by following instructions given in the links provided next to browser types.
Rights of visitors as “data owners” per article 11 of the Act or the rights that can be exercised by filing an application over web site are listed below:
Find out whether their personal data are processed or not,
Request information if their personal data are processed,
Find out purpose of processing personal data and if they are used for intended purpose,
Find out the third parties in and out of the country to whom their personal data is transferred,
Ask for correction if their personal data are processed inaccurately or incomplete, and request notification of the third parties to whom their personal data is transferred about any actions taken in that respect,
Ask for deletion or destruction of their personal data if reasons to process personal data no longer exist even if the same is processed in accordance with KVK Act and other applicable law provisions, and request notification of the third parties to whom their personal data is transferred about any actions taken in that respect,
Object to any consequences that may arise against them due to analysis of processed data exclusively by means of automated systems,
Assert claim for compensation of any damages incurred due to illegal processing of personal data.
PERSONAL DATA PROTECTION AND PROCESSING POLICY
1-INTRODUCTION
İnsan Kaynakları Yönetim Sistemleri ve Ticaret A.Ş (Herein shall be referred as “Data Officer”) pays utmost attention to the observance of legal regulations as a requisite of its ethical values supporting commercial assets and success of the corporate, facilitating any structuring necessary for compliance with personal data protection statutes.
Personal Data Protection and Processing Policy (Herein shall be referred as “Personal Data Protection and Processing Policy or Policy”) sets forth the principles and basis adopted in processing of personal data belonging to natural persons having employment or contractual relationship with the Data Officer, ensures transparency as well as legal security of data owners in personal data processing operations carried out by Data Officer in that frame.
Personal Data Protection and Processing Policy sets forth the fundamental principles and duties of Data Officer to ensure that operations carried out by the Data Officer in respect to all the personal data processed automatically or via non-automatic methods as part of a data recording system are in compliance with the provisions of Personal Data Protection Act No. 6698 (Herein shall be referred as “KVK Act”).
Contents of this Policy are in line with the related statutes, and in case of a contradiction between the Policy and the applicable legal statutes, provisions of the statutes shall prevail.
2- DATA OFFICER
Data Officer has the capacity of “data officer” in personal data processing activities, purpose and means of which are identified pursuant to KVK Act, and hereby announces his/her responsibilities adopted in his/her capacity as the data officer in this policy.
3- DEFINITIONS
Important terms contained in KVK Policy and the statutes are provided along with their definitions in the following table:
Personal Data: Any information pertaining to an identified or identifiable natural person
Personal Privacy Data: Data relating to race, ethnical origin, political view, philosophical beliefs, religion, religious cult or other beliefs, clothing, memberships in associations, foundations or unions, health, sexual orientation, criminal sentence, security measures as well as biometric and genetic data
Data Owner: Identified or identifiable person whose personal data is processed (Concerned person)
Explicit consent: Consent based on information in respect to a specific topic, given in free will
Anonymization: Presentation of personal data in a fashion that it cannot be related to an identified or identifiable natural person even if combined with other data
Personal Data Processing: Any action performed on personal data such as obtaining, recording, storage, maintaining, altering, re-organization, disclosure, transfer, taking over, making it obtainable, classification or preventing their use
Data Officer: Natural or legal person who determines purpose and means of personal data processing, and responsible for establishment and management of data recording system
Data Processor: External natural and legal person who carries out personal data processing operations based on the authorization given by the data officer
KVK Act (Act/Law): Personal Data Protection Act No. 6698, dated 24 March 2016, publicized on the Official Gazette dated 7 April 2016, No. 29677
KVK Board: Personal Data Protection Board
KVK Agency (Agency): Personal Data Protection Agency
VERBİS: Data Officers Register maintained publicly by the Chair of Personal Data Protection Agency under supervision of KVK Board
Data Officer (Company): İnsan Kaynakları Yönetim Sistemleri ve Ticaret A.Ş
Data Officer Business Partners: Persons who are in cooperation with the Data Officer per commercial relationships
Data Officer KVK Storage and Destruction Policy: Policy issued by the Data Officer to stipulate storage, deletion, destruction and anonymization processes of the maintained personal data
Data Officer Suppliers: Third parties providing services to Data Officer on contractual basis
Data Officer Data Owner Application Form: Application form to be used by data owners in exercising their rights stipulated in Article 11 of KVK Act
Data Officer KVK Policy: Data Officer Personal Data Processing and Protection Act
Group Companies: Group companies within the organization of Data Officer
Personal Data Processing Inventory: The inventory that describes and details personal data processing operations carried out by data officers based on their work processes; personal data processing purposes and legal grounds, data category, recipient group to whom data is transferred, maximum storage term determined in relation with the concerned persons and required for the purpose of processing, personal data anticipated for transfer to foreign countries and measures in place for the security of data
Regulation on Data Officers Registry: Regulation on Data Officers Registry effected on 1 January, 2018, and publicized in Official Gazette dated 30 December 2017, No. 30286
Data Security Board: The Board to ensure necessary coordination within the Company organization in order to facilitate, maintain and sustain compliance with personal data protection statutes by Data Officer
4- DATA SECURITY BOARD
Data Security Board is the unit responsible for protection of personal data processed by Data Officer as well as supervising compliance with personal data protection statutes. It is composed of Finance, IT and Legal Department representatives.
Meetings are held as deemed necessary by the Board or a request is made in that respect. Revisions and compliance of the policies with the statutes are checked by Data Security Board. To this end, following operations and compliance processes are carried out by Data Security Board:
Ensuring that the roles and appointments required in the field of personal data protection are fulfilled,
Preventing illegal transfer and disclosure of and access to personal data in accordance with the Act and Board decisions, taking and implementing measures in vulnerable areas,
Facilitating inspections on implementation of data security measures and administrative decisions,
Implementation of additional measures for storage of personal privacy data as needed,
Organizing trainings as needed in order for adoption of data protection culture within the company organization,
Ensuring implementation of relevant documents for compliance with the statutes and facilitating necessary inspections,
Supervising whether group companies fulfill their responsibilities arising from the statutes,
Supervising relationships with KVK Agency and KVK Board.
4.1. ROLES AND DUTIES
Replacement of the “Contact person” who will be performing VERBIS registration and information entry duties as well as communications with the Agency shall be made per Data Security Board and Board of Directors resolution.
Pursuant to “Personal Data Owner Relations Guideline”, “Esra Akça Şaşmazer” who will be performing the duties of ‘Data owner relations and control of functionality of relevant mechanisms’ is appointed by Data Security Board or Board of Directors resolution.
In addition to the aforementioned baseline duties, certain duties and responsibilities can be assigned to the officers that may be appointed to ensure compliance with personal data confidentiality.
4.2. PREPARATION OF POLICY, PROCEDURE, GUIDELINES AND CODES
Data Security Board ensures revision of the following documents for compliance with personal data protection statutes on behalf of the Data Officer within capacity of data officer.
Personal Data Protection Policy
Personal Data Storage and Destruction Policy
Personal Data Breach Procedure
Other texts that are required under the Act
5-POLICY PRINCIPLES
5.1. BASIC PRINCIPLES
Following basic principles are adopted by Data Officer in respect to processing of personal data.
5.1.1. Processing personal data in accordance with law and ethical codes
Data Officer conducts personal data processing operations primarily in accordance with Republic of Turkey Constitution and KVK Act as well as data confidentiality statutes and codes of honesty.
5.1.2. Ensuring that the processed personal data are accurate and current
Data Officer ensures that the personal data being processed are accurate and current, takes necessary administrative and technical measures in that respect, and supervises the process.
5.1.3. Processing personal data in connection with the purpose, in a limited and reasonable manner
Data Officer shall process personal data in connection with the purpose to the reasonable extent required for performance of those services. To this end; purpose of processing personal data is identified before starting personal data processing operations. In other words, personal data cannot be processed merely assuming that they might be used in the future (storage of personal data is also considered as data processing operation). Accordingly, Data Officer considers fundamental rights of data owners and its own legitimate interests.
5.1.4. Storing personal data for the term anticipated in the relevant statutes or the term needed for the purpose of processing
Data Officer shall process personal data for the term stipulated in the relevant statutes if any. In case there is no such term specified in the statutes, such data are stored for a limited term required for the purpose of processing. Data Officer shall destroy personal data by erasing, destruction or anonymization at the end of the term stipulated under statutes or when the reasons for processing such data no longer exist. To this end, established Data Officer Personal Data Storage and Destruction Policy shall be observed.
5.2. LEGAL PROCESSING OPERATIONS
Data Officer shall observe data processing conditions stipulated in articles 5 and 6 of KVK Act along with the fundamental principles in personal data processing operations.
Data Officer shall configure necessary mechanisms within internal systems to ensure processing of personal data in accordance with laws. Additionally, Data Officer shall carefully execute the process by ensuring personnel awareness on confidentiality via in-house trainings.
Data Officer shall operate in line with Republic of Turkey Constitution in particular as well as Turkish Criminal Code No. 5237, KVK Act, similar applicable laws and rules stipulated in Data Officer KVK Policy in processing personal data.
5.2.1. Data Processing Conditions
Personal data are processed in accordance with the Board resolutions provided that explicit consent is obtained from the Data Owner. Data processing operations can be carried out without seeking explicit consent when at least one of the following conditions is met:
Explicit consent: Processing of data after obtaining consent of personal data owner legally and in their free will for a specific topic upon providing information.
Anticipation/requirement under laws: Processing of data if there is a clear provision in statutes about processing of personal data or if it is required for performance of legal obligations of Data Processor.
Inability to obtain explicit consent due to physical reasons: Processing of data if the data owner is in a state that prevents giving an explicit consent due to physical reasons or his/her consent cannot be recognized as valid, if it is required to protect the life or physical integrity of data owner or a third person.
In connection with an agreement: Processing of personal data belonging to the parties if it is directly connected with the establishment or performance of an agreement.
Publicizing of personal data by data owner: Processing of data limited to scope of publicizing when the data is directly publicized by the Data Owner.
Processing of data when it is required for claiming, exercising or protecting a right.
Legitimate operations of data officer: Processing of data as required for legitimate interests of Data Officer, provided that fundamental rights and freedom of the Data Owner are ensured.
5.2.2. Conditions for Processing Personal Privacy Data
Personal Privacy Data can be processed in accordance with applicable statutes, Board resolutions, policies implemented by Data Officer and explicit consent pursuant to article 6 of the Act if following conditions are present.
5.2.3 Special Conditions Pertaining to Data Processing Operations
Ensuring supplemental rights and interests arising from Labor Law,
Ensuring equal opportunity,
Preventing any conflicts with the law,
Providing references,
Processing in company merge and transfer as well as other actions that change company structure,
Processing of your personal data in disciplinary investigations and inspection processes,
Maintaining health data separately, and persons authorized to process health data
Alcohol and drug tests
Processing of personal data related to use of electronic communication means
Processing of personal data related to security camera applications
Processing of personal data related to internet use
Processing of personal data related to equipment provided by the company
Processing of personal data related to requesting information on employees from third persons
5.3. LEGAL DATA TRANSFER
Personal data transfer conditions stipulated in Articles 8 and 9 of KVK Act are observed by Data Officer in sharing of personal data with group companies and 3rd parties or providing access to personal data by 3rd parties. The 3rd parties to whom data are transferred shall be subject to all necessary measures and inspections to ensure security of the said personal data.
5.3.1. Personal Data Transfer
Personal Data can be transferred upon explicit consent of the Data Owner as well as under presence of the following conditions without explicit consent, provided that necessary protective measures are in place and statutes as well as Data Officer policies are observed:
Explicit consent: Transfer of data after obtaining consent of personal data owner legally and in their free will for a specific topic upon providing information.
Anticipation/requirement under laws: Transfer of data if there is a clear provision in statutes about processing of personal data or if it is required as part of performance of legal obligations of Data Processor.
Inability to obtain explicit consent due to physical reasons: Transfer of data if the data owner is in a state that prevents giving an explicit consent due to physical reasons or his/her consent cannot be recognized as valid, if it is required to protect the life or physical integrity of data owner or a third person.
In connection with an agreement: Transfer of personal data belonging to the parties if it is directly connected with the establishment or performance of an agreement.
Publicizing of personal data by data owner: Transfer of data limited to scope of publicizing when the data is directly publicized by the Data Owner.
Transfer data when it is required for claiming, exercising or protecting a right,
Legitimate operations of data officer: Transfer of data as required for legitimate interests of Data Officer, provided that fundamental rights and freedom of the Data Owner are ensured.
5.3.2. Transfer of Personal Privacy Data
Personal privacy data can be transferred provided that sufficient technical and administrative measures are ensured, and following conditions are present:
Personal privacy data other than those related to health and sexual life can be transferred without explicit consent of the Data Owner if explicitly regulated under laws. In case of lack of such regulation under laws, data can be transferred per explicit consent of the concerned person.
If the specified data transfer conditions are present, personal data can be transferred to the foreign countries that are safe/having adequate protection determined and announced by the Board, or in the absence of adequate protection, to the foreign countries permitted by the Board provided that data officers in Turkey and the foreign country can execute a written undertaking for ensuring adequate protection measures for data transfer stipulated in statutes and by the Board; also if Binding Company Codes are applied provided that restrictions and conditions stipulated by the Board are observed.
6-OBLIGATIONS
Data owners shall be informed about the purpose of processing personal data, to whom data can be transferred, for which purposes can the data be processed or transferred and data collection methods by the Company. Data owners shall also be informed about their rights pertaining to personal data and how to exercise such rights as part of the informing process.
Data Officer shall comply with the obligations stipulated in KVK Act for data officers. To this end, primary obligations of Data Officer are listed below as part of this policy:
6.1. Obligation to Fulfill KVK Board Resolutions
Data Officer shall immediately fulfill resolutions notified by KVK Board, executive organ of KVK Agency which regulates personal data protection operations and is administrative authority of our country in this field, due to a complaint or as a result of an investigation conducted ex officio. Furthermore, Data Officer shall also adopt principle resolutions established by KVK Board as a data privacy code.
6.2. Data Owner Relations Obligation
Data Officer shall conclude requests by data owners about their personal data as soon as possible and maximum within thirty (30) days depending on the nature of request pursuant to article 13 of KVK Act in its capacity as data officer.
Data Owners can exercise the following rights by filing application over web site of the Data Officer pursuant to Article 11 of KVK Act:
Find out whether their personal data are processed or not,
Request information if their personal data are processed,
Find out purpose of processing personal data and if they are used for intended purpose,
Find out the third parties in and out of the country to whom their personal data is transferred,
Ask for correction if their personal data are processed inaccurately or incomplete, and request notification of the third parties to whom their personal data is transferred about any actions taken in that respect,
Ask for deletion or destruction of their personal data if reasons to process personal data no longer exist even if the same is processed in accordance with KVK Act and other applicable law provisions, and request notification of the third parties to whom their personal data is transferred about any actions taken in that respect,
Object to any consequences that may arise against them due to analysis of processed data exclusively by means of automated systems,
Assert claim for compensation of any damages incurred due to illegal processing of personal data.
6.3. Obligation of Registration to Data Officers Register and Notification
Data Officer shall be registered to Data Officers Register in accordance with article 16 of KVK Act as well as principles and basis stipulated by regulations if the criteria provided in Regulation on Data Officers Register are met.
6.4. Obligation to Inform Data Owner
Data Officer manages processes required to ensure informing of data owners by authorized persons during obtaining personal data in accordance with Article 10 of KVK Act and Communiqué on Principles and Basis to be Observed in Fulfilling Information Obligation. You may view KVK Information Statement publicized on web site to fulfill information obligation.
6.5. Obligation to Ensure Security of Personal Data
Data Officer shall take any and all technical and administrative measures to ensure sufficient level of security in order to;
Prevent illegal processing of personal data,
Prevent illegal access to personal data, and
Ensure protection of personal data
with awareness on importance of ensuring security of personal data and paying regard to fundamental rights and freedoms of data owners in accordance with article 12 of KVK Act. Additionally, necessary inspections shall be conducted to ensure functioning of mechanisms for data security.
7-ENSURING SECURITY OF PERSONAL DATA
Data Officer shall, depending on the nature of data to be protected, take all necessary measures to prevent illegal processing of personal data, illegal access to personal data or to avoid security vulnerabilities that may arise in any other means as well as to ensure secure storage of personal data.
7.1. ADMINISTRATIVE MEASURES
Data Officer shall establish Personal Data Processing Inventory containing personal data categories, data owners, processing purposes and security measures in place.
Organizational policies and procedures on protection of personal data shall be established, and their functionality and continuity shall be ensured.
Confidentiality agreements shall be entered with employees.
In-house protection awareness is raised through awareness trainings and meetings.
In case personal data are subject to transfer, necessary measures shall be ensured by group companies or 3rd party companies.
Provisions in compliance with the laws shall be included in employment contracts and discipline codes.
Registration and information entry to Data Officers Register Information System VERBİS procedures shall be completed if the criteria are met.
Data Security provisions shall be included in agreements entered with data processors.
7.2. TECHNICAL MEASURES
Data Officer shall ensure security of physical and electronic media containing personal data.
Personal data back-up copies shall be taken on regular basis against malware, and security of back-up copies shall be ensured.
Preventive systems and software shall be installed on information network to ensure cyber security.
Access authorization of Data Officer employees shall be established by continuously ensuring their duties and authorization controls.
Data security trainings shall be planned.
Data leakage test standards shall be identified.
7.3. PERSONAL DATA BREACH
Data Officer shall inform KVK Board and concerned data owners within 72 hours in case processed personal data are illegally accessed by unauthorized persons. Data Officer Data Breach Procedure is established for that purpose; and all breach exercises within the organization of Data Officer are set by Data Security Board under this procedure.
8-DESTRUCTION OF PERSONAL DATA
Data Officer shall have all internal systems established for destruction of personal data in accordance with Personal Data Storage and Destruction Policy developed for deletion, anonymization or destruction of personal data when the reasons for processing data no longer exist even though they are legally processed pursuant to article 7 of KVK Act.
9-REVISION
This Policy shall become effective upon its approval by Data Security Board. Data Security Board shall govern any changes to be made on this Policy except for abolition of this Policy, as well as how this policy will be put in effect.
KVK Act shall be published on internet site by Data Officer, and presented to public access. This Policy shall be reviewed on annual basis under any circumstances, and if changes are necessary, it shall be submitted to Data Security Board approval, and updated. In case of a contradiction between this policy and the applicable statutes, KVK Act in particular, provisions of statutes shall prevail.
Data Officer reserves the right to make changes to KVK Policy in line with the legal arrangements by KVK Agency, the administrative authority.
Any revisions to this policy and the statutes shall be included in the policy accompanied with the date and topic, and shall become integral part of the policy after necessary announcements are made. Current version of KVK Policy shall be published on Data Officer’s internet site.
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. OBJECTIVE AND SCOPE
İnsan Kaynakları Yönetim Sistemleri ve Ticaret A.Ş (hereinafter referred to as “Data Officer”) pays utmost attention to the observance of legal regulations as a requisite of its ethical values supporting commercial assets and success of the corporate, facilitating any structuring necessary for compliance with personal data protection statutes.
Personal Data Storage and Destruction Policy sets forth principles and basis for storage and destruction of personal data processed by Data Officer within the company organization.
Provisions of this Policy shall apply when the reasons for processing the personal data legally processed by Data Officer no longer exists or a request is made by data owner for destruction of personal data.
2. BASIS
Personal Data Destruction Policy is issued pursuant to KVK Act and Regulation on Deletion, Destruction or Anonymization of Personal Data; and prepared in compliance with Personal Data Protection and Processing Policy as well as publications and guidelines published by Personal Data Protection Agency.
3. DATA OFFICER
Data Officer identifies purpose and means of personal data processing within its corporate structure, and is responsible for personal data processing activities; and is the data officer pursuant to KVK Act.
In accordance with this Policy; Data Security Board governs destruction processes of the personal data processed within the organization of Data Officer.
4. DEFINITIONS
Important terms contained in Data Officer Personal Data Storage and Destruction Policy and the statutes are provided along with their definitions in the following table:
| Term | Definition |
| --- | --- |
| Personal Data | Any information pertaining to an identified or identifiable natural person |
| Personal Privacy Data | Data relating to race, ethnical origin, political view, philosophical beliefs, religion, religious cult or other beliefs, clothing, memberships in associations, foundations or unions, health, sexual orientation, criminal sentence, security measures as well as biometric and genetic data |
| Data Owner | Identified or identifiable person whose personal data is processed (Concerned person) |
| Destruction of Personal Data | Deletion, destruction or anonymization of personal data |
| Personal Data Processing | Any action performed on personal data such as obtaining, recording, storage, maintaining, altering, re-organization, disclosure, transfer, taking over, making it obtainable, classification or preventing their use |
| Data Officer | Natural or legal person who determines purpose and means of personal data processing, and responsible for establishment and management of data recording system |
| Periodic Destruction | Destruction procedure carried out on periodic intervals and ex officio by Data Officer at the end of personal data processing and storage term |
| KVK Act (Act/Law) | Personal Data Protection Act No. 6698, dated 24 March 2016, publicized on the Official Gazette dated 7 April 2016, No. 29677 |
| Data Security Board | The Board to ensure necessary coordination within the Company organization in order to facilitate, maintain and sustain compliance with personal data protection statutes by Data Officer |
| KVK Agency (Agency) | Personal Data Protection Agency |
| Data Breach | In Personal data protection law; illegal access to processed personal data by third parties |
5. PERSONAL DATA STORAGE
Personal data stored by Data Officer are maintained on a recording media suitable to the nature of such data as well as to our legal obligations. Data Officer shall take necessary administrative and technical measures in place for storage of personal data securely and prevention against illegal attempts. Personal Data Protection and Processing Policy shall apply to the matters relating to measures taken for data security and data storage purposes.
Generic media for personal data storage are listed below. However, certain data can be stored on a media other than those listed below due to their diverse nature or Data Officer’s legal obligations.
| Media | Description |
| --- | --- |
| Physical Media | Personal data stored on paper and similar physical methods |
| Electronic Media | Personal data stored on servers and external hard disks that are located within Data Officer’s organization and can only be accessed by authorized Data Officer |
| Cloud Media | Personal data stored on internet based systems, protected with encryption methods |
6. DESTRUCTION OF PERSONAL DATA
Destruction of personal data means the process of deleting, destroying or anonymization of personal data of which reason to process no longer exists or upon request of data owner. If the personal data is maintained due to contractual, commercial, legal, administrative actions against possible claims of right, data are stored for prescribed time-out period.
Personal data processed by Data Officer shall be deleted, destroyed or anonymized ex officio per this Policy upon request of the concerned person or when the reasons for processing personal data listed in articles 5 and 6 of KVK Act and the Data Officer Personal Data Protection and Processing Policy no longer exist.
Data Security Board performs periodic destruction on 6 months intervals for all personal data being processed by Data Officer.
7. DELETION OF PERSONAL DATA
Deletion of personal data is the process of making personal data inaccessible and unusable for relevant users. Users other than the data officer cannot access deleted data.
In case of a conflict between the request and company policy, an application shall be filed to Personal Data Protection Agency in writing, and action shall be taken in accordance with the principle decision to resolve the conflict.
Relevant users shall be identified for each personal data using access authorization and control matrix or a similar system, and user authorizations and methods such as access, retrieval, re-use are determined, then operations relating to closure and cancellation of access, retrieval, re-use authorizations and methods of relevant users for personal data shall be performed.
7.1 DELETION METHODS
7.1.1 BLACK-OUT
It is the method of making personal data stored on paper media invisible to users by cutting it out if possible or otherwise using ink.
7.1.2 SECURE DELETION FROM DIGITAL MEDIA
Personal data stored on central servers and cloud are securely deleted using deletion command provided in the operating system.
8. DESTRUCTION OF PERSONAL DATA
Destruction of personal data is the process of making personal data inaccessible, non-retrievable and non-reusable by anyone. Destruction of personal data means, unlike deletion, making such data inaccessible by anyone, including Data Officer.
8.1 DESTRUCTION METHODS
8.1.1 DE-MAGNETIZATION
Magnetic media is passed through a device capable of de-magnetizing to corrupt the data, making it non-readable. De-magnetizing device shall be supplied by Data Officer if needed.
8.1.2 PHYSICAL DESTRUCTION
Optical media or magnetic media is physically destroyed by melting, incineration or crushing.
8.1.3 OVER-WRITING
Random data constituted of 0s and 1s are overwritten on magnetic media and re-writable optical media to prevent recovery of actual data. Company shall procure a software for that purpose if needed.
8.1.4 SECURE DESTRUCTION FROM DIGITAL MEDIA
Personal data stored on central servers are destroyed in a non-retrievable manner via destruction command on the operating system.
9. ANONYMIZATION OF PERSONAL DATA
Anonymization of personal data is the process of making personal data non-linkable to an identified or identifiable natural person even if combined with other data. Data Officer shall take all security measures for anonymization of personal data.
9.1 ANONYMIZATION METHODS
There are methods available for anonymization of personal data such as grouping, masking, derivation, generalization and randomization. When selecting an anonymization method, Data Officer considers the nature and size of personal data, presence structure and variety of personal data on physical media, benefit intended from personal data / purpose of processing, data processing frequency, reliability of 3rd persons to whom the data will be transferred, meaningfulness of the efforts required for anonymization, magnitude and impact area of the damage that may incur if data anonymization is lost, distributed/centralized data ratio, user access authorization control for the relevant data, and potential attacks that may disrupt anonymization.
Storage reasons and terms for the personal data processed by Data Officer are given in the following table. Each data with expired storage term shall be destroyed in the first subsequent periodic destruction process. Such term may vary depending on fulfillment of legal and contractual obligations, and the data shall be destroyed in the first subsequent periodic destruction process after expiry of such obligation.
| Data Category | Storage Term | Storage Reason |
| --- | --- | --- |
| Personnel Data | Document storage period is 10 years starting from the first day of subsequent year after creation of the document per Law No. 5510 | Employment contract and fulfillment of obligations arising from statutes for the employees |
| Health Information | Personnel health files are maintained for 10 years pursuant to the provisions of Occupational Health and Safety | Fulfillment of occupational health and safety obligations |
| Occupational Experience | CV information of candidate employees are maintained for 3 months. | Facilitation of employee candidate application process |
| Identification and Contact Information | Contact information of customers and potential customers are maintained for 10 years. | Facilitation of communication |
| Legal Actions | Maintained for 10 years following the date of action. | Responding to claims submitted by authorized jurisdiction / administrative organizations and bodies |
| Customer Transaction | Maintained for 10 years per provisions of Turkish Obligations Law. | Execution of good / service purchase and sales processes, and ensuring customer satisfaction |
| Finance and Accounting Data | Maintained for 10 years per provisions of Turkish Trade Act, Article 82. | Execution of finance and accounting processes |
| Marketing Data | Maintained for 10 years after acquisition. | Execution of marketing operations and works |
| Criminal Sentence and Security Measures | Maintained for 10 years per provisions of occupational health and safety. | Supervision of Occupational Health / Safety and Legal Affairs |
| Physical Premise Security | Security camera records are maintained for 3 months. | Ensuring security of physical premises |
| Transaction Security | Maintained for 10 years. | Execution of information security processes |
| Other | Maintained for 10 years. | Continuity of company operations |
10. DESTRUCTION REQUESTS BY DATA OWNERS
In case Data Owner submits a request for destruction to Data Officer, it shall be notified to Data Security Board within 24 hours. Data Officer Data Owner Relations Guideline shall apply in request response process.
In case that data owner application submitted to Data Officer contains findings of a data breach, Data Officer Data Breach Procedure shall apply. Breach potential shall be informed to Data Security Board immediately and latest within 24 hours.
11. VIOLATION AND SANCTIONS
In case the policies and procedures for personal data issued by Data Officer are violated by employees, employee’s defense shall be taken pursuant to Employment Contract and Labor Law No. 4857 and appropriate disciplinary measure shall be taken. In case the act is also considered as a criminal act under Turkish Criminal Code No. 5237 or other laws, relevant judicial authorities shall be notified.
12. REVISION
This Policy shall become effective upon its approval by Data Security Board. Data Security Board shall govern any changes to be made on this Policy except for abolition of this Policy, as well as how this policy will be put in effect.
Data Officer Personal Data Storage and Destruction Policy shall be reviewed on annual basis under any circumstances, and if changes are necessary, it shall be submitted to Data Security Board approval, and updated. In case of a contradiction between this policy and the applicable statutes, KVK Act in particular, provisions of statutes shall prevail.
Data Officer reserves the right to make changes to Data Officer Personal Data Storage and Destruction Policy in line with the legal arrangements by KVK Agency, the administrative authority.
Any revisions to this policy and the statutes shall be included in the policy accompanied with the date and topic, and shall become integral part of the policy after necessary announcements are made.