**1. Purpose**

The purpose of this procedure is to ensure the secure and compliant destruction of all printed and written content, information technology assets, and peripheral units used in obtaining, processing, and storing information in accordance with the Law No. 6698 on the Protection of Personal Data.

**2. Scope**

The procedure covers all personal and commercial data records and all business processes.

**3. Definitions**

Law: Refers to the Law No. 6698 "Protection of Personal Data".

Personal Data: Refers to any information relating to an identified or identifiable natural person. Identifiability of a person means making that person identifiable by associating existing data with a natural person in any way.

Obfuscation: Refers to processes such as crossing out, painting, and blurring all personal data so that they cannot be associated with an identified or identifiable natural person.

Record Medium: Refers to any environment where personal data processed by automatic means or any part of a data recording system are stored.

Personal Data Retention and Disposal Policy: Refers to the policy on which data controllers base the determination of the maximum period necessary for the purpose for which personal data are processed, and the deletion, destruction, and anonymization processes.

Masking: Refers to processes such as deleting, crossing out, painting, and starring certain parts of personal data so that they cannot be associated with an identified or identifiable natural person.

Special Categories of Personal Data: Refers to data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and attire, association, foundation, or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Periodic Destruction: Refers to the deletion, destruction, or anonymization process to be carried out at recurring intervals and specified in the personal data retention and disposal policy if all the conditions for processing personal data in the law are no longer applicable.

**4. References**

Law No. 6698 on the Protection of Personal Data, Regulation on the Deletion, Destruction, or Anonymization of Personal Data dated 28.10.2018 and numbered 30224.

**5. Implementation**

**5.1. Disposal of Assets**

If the purpose for processing personal data ceases to exist, the explicit consent is withdrawn, or all conditions for processing personal data specified in Articles 5 and 6 of the Law are no longer applicable, or if none of the exceptions specified in these articles are applicable, personal data whose processing conditions are no longer valid are deleted, destroyed, or anonymized by the relevant business unit, taking into account business needs. The method used is explained, with justification, according to Articles 7, 8, 9, or 10 of the Regulation (the articles on Deletion, Destruction, or Anonymization of Personal Data). However, if there is a final court decision, the destruction method ruled by the court decision must be applied.

Information on any device with data recording capability is deleted to prevent unauthorized access, and the disk and recording mechanism on the device are physically destroyed. The Environment/Device Destruction Report is filled in and signed by the information systems operator. The destruction process is recorded by entering information such as date, device information, and reason for destruction.

**Methods of Deletion of Data**

  1. Personal Data in Paper Medium: They are destroyed with a paper shredder or, if necessary, deleted using the obfuscation method.
  2. Office Files on Central Servers: They are deleted with the delete command in the operating system.
  3. Data in Portable Media: They are deleted with the delete command in the operating system.
  4. Databases: The relevant rows where the data are located are deleted with database commands.

**Methods of Destruction of Assets and Data**

  1. In Local Systems: They are destroyed using appropriate methods such as demagnetization, physical destruction, or overwriting.
  2. Environmental Systems:
     • Network devices (switch, router, etc.): They are destroyed using the appropriate methods specified in item 1.
     • Flash-based media: They are destroyed using the methods recommended by the relevant manufacturer or the methods specified in item 1.
     • Magnetic tape: They are destroyed by demagnetizing or using physical methods such as burning or melting.
     • SIM cards and fixed memory cards: They are destroyed using the appropriate methods specified in item 1.
     • Optical disks: They are destroyed using physical methods such as burning, shredding, or melting.
     • Peripheral units with fixed data recording medium: They are destroyed using the appropriate methods specified in item 1.
  3. Printed Media: They are destroyed using paper shredders. Personal data in original paper format that is scanned and transferred to electronic media are destroyed using appropriate methods according to the media they are stored in.

**Methods of Anonymization of Personal Data**

In the anonymization of personal data, the appropriate methods specified in the Guideline on Deletion, Destruction, or Anonymization of Personal Data published by the Personal Data Protection Authority are used.

Periodic reviews or the detection that the data processing conditions are no longer applicable will lead the relevant user or data owner to decide to delete, destroy, or anonymize the relevant personal data according to this policy. In case of doubt, the relevant data owner business unit will be consulted for the appropriate action.

In the destruction of data, the retention periods specified in the regulations published by the State Archives General Directorate are taken into account. Data that have completed the retention periods in unit archives, institution archives, or State Archives are destroyed if there is no obstacle to their destruction.

**5.1.1. Destruction of Multi-Stakeholder Data**

If a decision is to be made on the destruction of personal data with multi-stakeholder ownership located in Central Information Systems, the opinion of the Data Controller Representative is sought, and the decision is made to retain, delete, destroy, or anonymize the relevant personal data according to this policy.

**5.1.2. Destruction of Personal Data Upon Request of Data Owner**

When the natural person who owns the personal data applies to the University with the "Personal Data Owner Application Form" in accordance with Article 13 of the Law and requests the deletion, destruction, or anonymization of their personal data, the request is concluded within a maximum of thirty days from the date of application. Requests for the deletion or destruction of personal data will only be evaluated if the identity of the requesting party has been verified. The personal data owner who applied will be informed through the methods specified in the application form. If the legal requirements for processing the data have not disappeared, the personal data owner will be informed that the requested personal data cannot be deleted. The relevant unit where the data is processed will examine whether all conditions for processing personal data have disappeared. If all processing conditions have disappeared, the requested personal data will be deleted, destroyed, or anonymized within a maximum of three months. If all processing conditions have disappeared and the requested personal data have been transferred to third parties, the relevant unit where the data is processed will immediately notify the third party to whom the data was transferred and ensure that the necessary actions are taken by the third party in accordance with the Regulation.

**5.2. Periodic Review of Personal Data**

All users and units processing or storing personal data will review whether the processing conditions have disappeared in their data recording environments at intervals not exceeding six months. Upon the application of the personal data owner or the notification of a court, relevant users and units will conduct this review in their data recording environments regardless of the periodic review period. All actions taken regarding the deletion, destruction, or anonymization of personal data are recorded, and these records are kept for at least three years, excluding other legal obligations.

In the deletion, destruction, or anonymization of personal data, general principles in Article 4 (Processing of Personal Data) and technical and administrative measures to be taken under Article 12 (Obligations Related to Data Security) of the law, relevant legislative provisions, Board decisions, and court decisions are adhered to.

**5.3. Retention of Personal Data**

The processing times of personal data are specified in the "Personal Data Processing Inventory".

In periodic destruction or upon request, the retention and destruction periods specified will be taken into account. Retention and destruction processes may vary upon the request of the data owner unless there is a legal obligation.

For the security of personal data, physical security measures such as keeping paper documents containing personal data, CDs, DVDs, and USBs locked when not in use, allowing access only to authorized personnel, and monitoring entries and exits with cameras are taken. Personal data stored in digital media are kept in the University's system room with necessary security measures in place.

The administrative and technical measures taken to ensure the security of personal data are detailed in the Personal Data Protection and Processing Policy.

**6. Control**

Documents are revised as needed and are periodically reviewed once a year.