Privacy policy

## 1. Introduction

### 1.1- Purpose

The Personal Data Retention and Destruction Policy ("Policy") has been prepared to determine the processes, procedures, and principles related to retention and destruction activities carried out by KAÇIK KEÇI GIDA SANAYI TICARET ANONIM SIRKETI (“Petra”).

Petra aims to ensure that the personal data of Petra employees, employee candidates, suppliers, and other third parties are processed in accordance with the Turkish Constitution, international agreements, the Personal Data Protection Law No. 6698 (“KVKK”), and other relevant legislation, and to enable the effective use of the rights of the concerned individuals.

The processes related to the retention and destruction of personal data are carried out in accordance with the Personal Data Retention and Destruction Policy (“Policy”) prepared by Petra.

### 1.2- Abbreviations and Definitions

**Recipient Group:** Real or legal persons to whom personal data is transferred by the data controller.
**Explicit Consent:** Consent based on information and expressed with free will regarding a specific subject.
**Anonymization:** Rendering personal data in such a way that it cannot be associated with an identified or identifiable real person, even if matched with other data.
**Employee:** Real persons employed by Petra based on a service contract.
**Employee Candidate:** Real persons who have applied to be employed by Petra.
**Electronic Environment:** Environments where personal data can be created, read, changed, and written with electronic devices.
**Non-Electronic Environment:** All written, printed, visual, and other environments outside of electronic environments.
**Supplier:** Real persons or ordinary partnerships providing goods and/or services to Petra under a specific contract.
**Concerned Person:** The real person whose personal data is processed.
**Destruction:** Deletion, destruction, or anonymization of personal data.
**KVKK:** Personal Data Protection Law No. 6698.
**Recording Environment:** Any environment where personal data processed by automated or non-automated means, provided that it is part of any data recording system, is located.
**Personal Data:** Any information relating to an identified or identifiable real person.
**Personal Data Processing Inventory:** The inventory detailing the processing activities carried out by data controllers in connection with their business processes, including the purposes and legal reasons for processing personal data, the data category, the recipient group to which the data is transferred, the group of data subjects, the maximum retention period required for the purposes for which the personal data are processed, the personal data to be transferred to foreign countries, and the measures taken regarding data security.
**Processing of Personal Data:** Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automated means or by non-automated means provided that it is part of any data recording system.
**Board:** Personal Data Protection Board.
**Special Categories of Personal Data:** Data related to a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, attire, association, foundation, or trade union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
**Periodic Destruction:** The process of deletion, destruction, or anonymization of personal data, which is to be carried out at regular intervals specified in the personal data retention and destruction policy in case all conditions for processing personal data in the law disappear.
**Policy:** Personal Data Retention and Destruction Policy.
**Data Processor:** A real or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
**Data Recording System:** The recording system in which personal data are processed by structuring them according to specific criteria.
**Data Controller:** The real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
**Data Controllers Registry Information System (VERBIS):** The information system created and managed by the Presidency, which data controllers will use in their applications to the Registry and other related procedures, accessible over the internet.
**Regulation:** The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.

### 1.3- Scope of the Policy and Personal Data Owners

This Policy has been prepared for persons whose personal data are processed by our Company, including but not limited to Petra Employees, Petra Board Members, Employee Candidates, Suppliers, Visitors, and Third Parties, whether through automated means or non-automated means provided that it is part of any data recording system. This Policy does not apply to legal persons and legal entity data.

Our Company informs the concerned Personal Data Owners about the Law by publishing this Policy on its website. For our Company employees, the Personal Data Processing Policy for Employees will apply. This Policy will not apply if the data is not within the scope of "Personal Data" or if the Personal Data processing activities carried out by our Company are not through the above-mentioned ways.

Within this scope, the personal data owners covered by this Policy are as follows:

**Petra Employees:** Real persons employed by Petra under a Service Agreement.
**Petra Board Members:** Real persons appointed as board members or representatives of legal entities of the Company.
**Employee Candidates:** Real persons who have applied for employment by any means or have opened their resume and related information to Petra's review.
**Suppliers:** Real persons providing goods and services to Petra.
**Third Party:** Other real persons who do not fall under any category of personal data owner as defined in the Personal Data Protection and Processing Policy prepared for Petra Employees.

## 2. Responsibilities and Duties

Petra and all units and employees of Petra who have access to the personal data of the concerned individuals are responsible for the proper implementation of technical and administrative measures taken within the scope of the Policy and relevant legislation, the training and raising awareness of unit employees, monitoring and continuous auditing, and preventing the unlawful processing of personal data.

Those involved in the processes of retention and destruction of personal data are as follows:

| Position | Unit | Duty |
|-------------------------|---------------------|------------------------------------------------------------------------------------------------|
| Human Resources Manager | Human Resources | Ensuring the retention and processing of personal data of Employees and Employee Candidates in accordance with the Policy. |
| Finance Manager | Finance | Ensuring the retention and processing of financial data of Employees and Employee Candidates in accordance with the Policy. |
| IT | IT | Ensuring the retention and processing of Petra’s data in the Soft environment in accordance with the Policy. |

## 3. Recording Environments

Personal data is securely stored by Petra in the environments listed in the table below in compliance with the law.

| Electronic Environments | Non-Electronic Environments |
|-------------------------|-----------------------------|
| Servers (Domain, backup, email, database, web, file sharing, etc.) | Paper |
| Software (office software, portal software) | Manual data recording systems (Data Information Forms) |
| Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.) | Printed Paper Filing Systems |
| Personal computers (Desktop, laptop) | |
| Mobile devices (Notebook) | |
| Removable media (USB, Memory Card, etc.) | |

## 4. Explanations on Retention and Destruction

Petra stores and destroys personal data related to Employees, Employee Candidates, and Suppliers in compliance with the provisions of KVKK and secondary legislation. Detailed explanations on retention and destruction are provided below.

### 4.1- Explanations on Retention

Petra retains personal data of Employees, Employee Candidates, and Suppliers for periods appropriate to the purposes of processing and limited to the periods stipulated by the relevant legislation to which the personal data is subject.

#### 4.1.1- Legal Reasons for Retention

Petra retains the personal data processed within the scope of its activities for the periods stipulated in the relevant legislation. In this context, personal data is retained within the limitation periods specified by the following laws and other secondary regulations in force under these laws:

- Personal Data Protection Law No. 6698
- Turkish Code of Obligations No. 6098
- Public Procurement Law No. 4734
- Labor Law No. 4857
- Occupational Health and Safety Law No. 6331
- Turkish Commercial Code No. 6102
- Income Tax Law No. 193
- Tax Procedure Law No. 213
- Social Insurance and General Health Insurance Law No. 5510
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Extensions

#### 4.1.2- Reasons for Retention Related to Processing Tools

Petra retains personal data related to the photo and health information of the concerned individuals based on explicit consent for the following purposes:
- Your photo for the use of an introduction card within the workplace, personnel file introduction, and for introduction purposes to security forces
- Health data to make assessments regarding the requirements of the job and to make business processes safer/more efficient

Petra retains personal data processed without the need for explicit consent within the scope of its activities for the following purposes:
- Conducting human resources processes
- Ensuring communication
- Executing business and transactions resulting from signed contracts and protocols
- Identifying and addressing the preferences and needs of employees, data controllers, contact persons, data controller representatives, and data processors within the scope of VERBIS
- Fulfilling legal obligations as required or mandated by legal regulations
- Fulfilling the burden of proof as evidence in potential legal disputes

### 4.2- Explanations on Destruction

#### 4.2.1- Reasons for Destruction

Personal data will be destroyed under the following circumstances:
- The cessation or removal of the reason that necessitated its processing
- The disappearance of the purpose requiring its processing or retention
- The withdrawal of explicit consent by the concerned person when the processing of personal data is based solely on explicit consent
- The acceptance of the concerned person’s request for deletion or destruction of personal data within the rights granted by Article 11 of KVKK
- A decision by the Board as a result of a complaint to the Board
- The expiration of the maximum retention period requiring the retention of personal data and the absence of conditions justifying a longer retention period

Upon the occurrence of the reason necessitating destruction, personal data will be deleted, destroyed, or anonymized during the first destruction period following the emergence of the destruction reason.

## 5. Technical and Administrative Measures

Petra takes the following technical and administrative measures to ensure the secure retention of personal data, prevent its unlawful processing and access, and lawfully destroy it, in compliance with Article 12 of KVKK and Article 6/4 regarding special categories of personal data.

### 5.1- Technical Measures

The technical measures taken by Petra for the personal data it processes are as follows:
- Access to information systems and user authorization is managed through an access and authorization matrix and corporate active directory security policies.
- Necessary measures are taken to ensure the physical security of Petra's information systems equipment, software, and data.
- User Account Management
- Network Security
- Application Security
- Encryption
- Attack Detection and Prevention Systems are implemented and used.
- Log Records as required by Law No. 5651
- Backup
- For the security of information systems against environmental threats, both hardware (access control system allowing only authorized personnel to enter the system room, 24/7 monitoring system, physical security of edge switches forming the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, attack prevention systems, network access control, malware prevention systems, etc.) measures are taken.
- The Company takes necessary measures to ensure that deleted personal data cannot be accessed and reused by related users.
- The Company has established a system and infrastructure to notify the concerned person and the Board if personal data is unlawfully obtained by others.
- Secure logging systems are used in electronic environments where personal data is processed.
- Access to personal data stored in electronic or non-electronic environments is restricted based on access principles.

### 5.2- Administrative Measures

The administrative measures taken by Petra for the personal data it processes are as follows:
- Employees are provided with training on preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring the security of personal data, communication techniques, and technical knowledge and skills.
- Confidentiality agreements are signed with employees regarding activities conducted by Petra.
- Disciplinary procedures to be applied to employees who do not comply with security policies and procedures have been prepared.
- The obligation to inform the concerned individuals before starting personal data processing is fulfilled by the Company.
- A personal data processing inventory has been prepared.
- Periodic and random audits are conducted within the Company.
- Information security training is provided to employees.

## 6. Techniques for the Destruction of Personal Data

Upon the emergence of the reasons for destruction specified in paragraph 4.2, personal data will be destroyed by Petra either ex officio or upon the request of the concerned person, using the techniques specified below in accordance with the provisions of the relevant legislation.

### 6.1- Deletion of Personal Data

Personal data will be deleted using the methods specified below.

| Data Recording Environment | Explanation |
|----------------------------|-----------------------------------------------------------------------------|
| Personal Data on Servers | For personal data on servers that have reached the end of the retention period, the system administrator will delete it by removing the access rights of the related users. |
| Personal Data in Electronic Environment | Personal data in the electronic environment that has reached the end of the retention period will be made inaccessible and unusable for other employees (related users) except for the database administrator. |
| Personal Data in Physical Environment | For personal data in physical environments that have reached the end of the retention period, it will be made inaccessible and unusable for other employees except for the unit manager responsible for the document archive. Additionally, blackening will be applied by marking, painting, or deleting in such a way that it cannot be read. |

### 6.2- Destruction of Personal Data

Personal data will be destroyed by Petra using the methods specified below.

| Data Recording Environment | Explanation |
|----------------------------|-----------------------------------------------------------------------------|
| Personal Data in Physical Environment | Personal data in paper form that has reached the end of the retention period will be destroyed in such a way that it cannot be retrieved by using paper shredders or burning methods. |

### 6.3- Anonymization of Personal Data

Anonymization of personal data involves rendering personal data in such a way that it cannot be associated with an identified or identifiable real person, even if matched with other data.

For personal data to be considered anonymized, it must be rendered non-associable with an identified or identifiable real person, even through the use of techniques appropriate to the recording environment and the related field of activity, such as reversing the personal data or matching it with other data.

Petra does not anonymize personal data.

## 7. Retention and Destruction Periods

Petra explains the retention periods for personal data processed within the scope of its activities in the Personal Data Processing Inventory on a data basis, in the VERBIS registration on a data category basis, and in the Personal Data Retention and Destruction Policy on a process basis.

These retention periods are updated by Petra if necessary.

Personal data with expired retention periods are ex officio deleted and/or destroyed by the Personal Data Protection Board and its members established within Petra.

| Process | Retention Period | Destruction Period |
|-----------------------------------|---------------------------------------------|--------------------------------------------------------|
| Human Resources Job Applications | In case of no employment, the first destruction period following the date of the job application | During the first periodic destruction period following the end of the retention period |
| Conducting Human Resources Processes | 10 years | During the first periodic destruction period following the end of the retention period |
| Preparation of Supply Contracts | 2 years | During the first periodic destruction period following the end of the retention period |
| Communication | During the working period | During the first periodic destruction period following the end of the retention period |
| Creation of Health Files | 10 years in addition to the employment period, unless otherwise stipulated by the relevant legislation | During the first periodic destruction period following the end of the retention period |
| Audit Processes (licenses and documents) | 2 years in addition to the employment period | During the first periodic destruction period following the end of the retention period |
| Camera Records | Within 60 days following the recording period | 60 days after the recording date |

## 8. Periodic Destruction Period

Petra's periodic destruction period is determined as 6 months. Accordingly, Petra carries out periodic destruction operations in March and October each year.

## 9. Publication and Storage of the Policy

The Policy is published in two different environments, wet-signed (printed paper) and electronic.

## 10. Policy Update Period

The Policy is reviewed as needed and the necessary sections are updated.

## 11. Enforcement and Abolition of the Policy

The Policy is considered to have entered into force after its publication within Petra. If it is decided to abolish the Policy, the old wet-signed copies of the Policy will be canceled (by stamping or writing "canceled" on them) and retained for at least 5 years.