PERSONAL DATA RETENTION AND DISPOSAL POLICY (COMPLIANT WITH KVKK & GDPR)
1. INTRODUCTION AND PURPOSE OF THE POLICY
The Personal Data Retention and Disposal Policy (“Policy”) has been prepared by Kalif Mimarlık Mühendislik Proje Yapı Taahhüt Üretim İthalat İhracat ve San. Ltd. Şti. (“KALİF DESIGN” or the “COMPANY”) in order to determine the procedures and principles regarding the retention and disposal activities carried out.
The Company aims to ensure that the personal data of all relevant persons—including Company employees, customers, suppliers, job applicants, members, and visitors—are processed in compliance with the Law No. 6698 on the Protection of Personal Data (“KVKK”), the European Union General Data Protection Regulation (“GDPR”), and relevant legislation, and that data subjects can effectively exercise their rights.
All processes regarding the retention and disposal of personal data are carried out by the Company in accordance with this Policy.
2. SCOPE
This Policy covers the personal data of:
- Company employees
- Job applicants
- Customers
- Suppliers
- Members
- Visitors
- Persons involved in legal disputes
- Other third parties
This Policy applies to all recording environments owned or managed by the Company where personal data is processed, and to all personal data processing activities.
3. DEFINITIONS
Abbreviation — Definition
Explicit Consent: Consent given freely, based on being informed, and related to a specific subject.
Relevant User: Persons who process personal data within the data controller organization (or under the authority/instructions received from the data controller), excluding the person/unit responsible for technical storage, protection, and backup of data.
Disposal: Deletion, destruction, or anonymization of personal data.
Law / KVKK / GDPR: Law No. 6698 on the Protection of Personal Data and the EU General Data Protection Regulation.
Recording Environment: Any environment where personal data is processed fully or partially by automated means or by non-automated means provided that it is part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing its use, by fully or partially automated means or non-automated means as part of a data recording system.
Anonymization of Personal Data: Rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data.
Deletion of Personal Data: Making personal data inaccessible and unusable for Relevant Users in any way.
Destruction of Personal Data: Making personal data impossible for anyone to access, recover, or reuse in any way. This generally corresponds to the "Right to Erasure" under GDPR.
Board / Supervisory Authority: The Personal Data Protection Board (Turkey) and relevant Data Protection Authorities (EU).
Special Category Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion/sect/other beliefs, dress, association/foundation/union membership, health, sexual life, criminal convictions and security measures, biometric and genetic data.
Periodic Disposal: Recurring deletion, destruction, or anonymization carried out ex officio at the intervals specified in the retention and disposal policy when all conditions for processing personal data cease to exist.
VERBIS: The data recording system where personal data is processed in a structured manner according to certain criteria.
Data Subject / Relevant Person: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on 28 October 2017.
4. RECORDING ENVIRONMENTS
The personal data of relevant persons is stored securely by the Company in the environments listed below, primarily in accordance with KVKK and the relevant legislation, within the framework of international data security principles.
Electronic Environments:
Company computers
Email servers
Portable memory devices
Accounting software
Social media accounts
Telephone devices
Non-Electronic Environments:
Paper documents and files
Written, printed, and visual media
Locked cabinets
5. PRINCIPLES
The Company acts within the following principles in the retention and disposal of personal data:
For deletion, destruction, and anonymization of personal data, the Company acts in full compliance with the Law, relevant legislation, Board decisions, and this Policy.
While processing personal data, the Company protects the rights of data subjects. Personal data is collected and processed in accordance with the general principles set out in Article 4 of KVKK and Article 5 of GDPR (Principles relating to processing of personal data).
All disposal transactions are recorded by the Company, and these records are stored for 10 (ten) years, except for other legal obligations.
Unless otherwise decided by the Company, the Company selects the appropriate disposal method. However, if requested by the data subject, the selected method will be explained with justification.
If all conditions for processing personal data under Articles 5 and 6 of the Law cease to exist, personal data is disposed of ex officio by the Company or upon the request of the data subject. In case of an application by the data subject:
Requests are finalized within 30 (thirty) days at the latest and the data subject is informed.
If the relevant data has been transferred to third parties, the third party is notified and required actions are ensured on the third party side.
6. EXPLANATIONS REGARDING RETENTION AND DISPOSAL
Personal data processed by the Company is stored securely in electronic and/or non-electronic environments within the limits stipulated by KVKK and other relevant legislation, based on the legal grounds such as: explicit provision in laws, necessity for establishing/performing a contract, compliance with legal obligations of the data controller, necessity for the establishment/exercise/protection of a right, necessity for legitimate interests without harming fundamental rights and freedoms, and explicit consent.
6.1 EXPLANATIONS REGARDING RETENTION
The retention periods for personal data processed by the Company are determined by taking into account the principle in KVKK Article 4/2(d) and GDPR Article 5/1(e) (Storage Limitation): “being retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.”
Detailed explanations regarding retention and disposal are provided below.
6.1.1 LEGAL GROUNDS REQUIRING RETENTION
Personal data processed within the scope of the Company’s activities is retained for the periods stipulated in the relevant legislation. Accordingly, personal data is retained within the framework of the retention periods required under, including but not limited to:
EU General Data Protection Regulation (GDPR)
Law No. 6698 on the Protection of Personal Data
Turkish Code of Obligations No. 6098
Law No. 6563 on the Regulation of Electronic Commerce
Consumer Protection Law No. 6502
Tax Procedure Law No. 213
Turkish Commercial Code No. 6102
Income Tax Law No. 193
Labor Law No. 4857
Criminal Procedure Code No. 5271
Attorneyship Law No. 1136
Social Insurances and General Health Insurance Law No. 5510
Occupational Health and Safety Law No. 6331
Code of Civil Procedure No. 6100
Turkish Civil Code No. 4721
Law No. 5651 on Regulating Publications on the Internet and Combating Crimes Committed Through Such Publications
Regulation on Commercial Communication and Commercial Electronic Messages
Other secondary legislation currently in force
6.1.2 PROCESSING PURPOSES REQUIRING RETENTION
The Company retains personal data for the following purposes (including but not limited to):
Fulfillment of legal obligations under relevant legislation (e.g., e-commerce, consumer law, tax law, labor law, OHS law, social security, etc.)
Execution of shopping/order transactions
Execution of membership processes
Providing a service for viewing purchase history
Evaluation of requests
Management of contract processes
Sending e-invoice/e-archive invoice related to purchases
Issuing invoices and, in some cases, performing current account and reconciliation transactions
Fulfillment of obligations for products with specific legal thresholds or regulations
Performing operational after-sales processes
Providing after-sales support services
Delivering purchased products via cargo/shipping
Managing product return and refund processes
If commercial communication permission/explicit consent is given: conducting general or personalized campaigns, benefits, promotions, advertisements, information, marketing activities, and commercial communications (SMS, email, etc.)
Resolving issues/complaints/requests submitted via communication channels (call center, email, website, mobile app, social media, etc.) and contacting the customer when necessary
Exercising all rights (lawsuits, responses, objections) against official institutions (courts, enforcement offices, arbitration committees, etc.) in disputes; conducting negotiation and settlement processes
Tracking lawsuits and legal processes
Serving as evidence within the scope of security, review, investigation, and legal proceedings
Conducting activities in compliance with legislation
Fulfillment of obligations and processes arising from employment contracts
Creating personnel files
Tracking employees’ legal rights
Determining whether employees are medically fit (where applicable and lawful)
Conducting communication activities
Issuing payroll and paying salaries
Social security entry/exit notifications
Managing leave processes
Conducting employee training and information activities
Providing necessary support in case of blood donation needs
Conducting periodic medical examinations by workplace physician
Tracking working hours and timesheets
Managing and tracking projects
Managing assignment processes
Managing emergency processes
Receiving job applications for open positions
Reviewing and evaluating applicants’ professional qualifications
Managing evaluation processes for candidates
Contacting candidates
Managing procurement processes and follow-up
Accounting follow-up for supplier payments
Managing supplier relationships
Conducting communication with suppliers
Updating supplier information
Conducting payment processes
Providing information to authorized public institutions and organizations
6.2 REASONS REQUIRING DISPOSAL
Personal data shall be deleted, destroyed, or anonymized by the Company ex officio or upon the request of the data subject in cases such as:
Amendment or repeal of relevant legal provisions forming the basis for processing/retention
The purpose requiring processing/retention no longer exists
The conditions for processing under KVKK Articles 5 and 6 and GDPR Articles 6 and 9 cease to exist
Where processing relies solely on explicit consent and the data subject withdraws consent
Acceptance by the Company of an application for deletion/destruction under KVKK Article 11
Rejection of the data subject’s request by the data controller, insufficient response, or failure to respond within the legal period, followed by a complaint to the Board and the Board’s acceptance of the request
Expiration of the maximum retention period, with no condition justifying longer retention
7. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN
In order to ensure secure storage of personal data, prevent unlawful processing/access, and ensure lawful disposal, the Company takes technical and administrative measures in accordance with KVKK Article 12 and GDPR Article 32 (Security of processing) and, for special category data, within the framework of adequate measures announced by the Board under KVKK Article 6/4.
7.1 ADMINISTRATIVE MEASURES
Within the scope of administrative measures, the Company:
Fulfills its obligation to inform data subjects before starting to process personal data
Prepares personal data inventories and determines existing risks and threats
Limits internal access to stored personal data to personnel who need access based on job definition (considering whether the data is special category and its level of importance)
Has prepared a “Personal Data Breach Incident Response Policy and Plan” and notifies the data subject and the Board as soon as possible (within 72 hours) if data is obtained unlawfully by others
Signs agreements with third parties (real/legal persons) to whom personal data is transferred, or ensures data security through contractual clauses
Employs personnel knowledgeable and experienced in personal data processing and provides necessary training on data protection legislation and data security
If non-compliance is detected, the matter is immediately reported by the relevant employee’s manager; HR conducts evaluation and necessary action is taken
Establishes disciplinary arrangements containing data security provisions for employees
Conducts training and awareness activities on information and data security at certain intervals
Prepares and implements corporate policies on access, information security, use, retention, and disposal
Obtains confidentiality undertakings
Adds clauses regarding personal data security to contracts and employment contracts
Conducts periodic and random internal audits
Determines and implements policies and procedures for special category data security
Minimizes personal data as much as possible
Includes personal data protection clauses in employment contracts
Prepares a KVKK warning text for use in Company emails
7.2 TECHNICAL MEASURES
Within the scope of technical measures, the Company:
Revokes authorizations for employees whose duties change or who leave employment
Uses firewalls
Takes additional security measures for personal data transferred via paper and sends documents in confidentiality-graded format
Takes necessary security measures for entry/exit to physical environments containing personal data
Ensures protection of physical environments against external risks (fire, flood, etc.)
Ensures the security of environments containing personal data
Performs backups and ensures the security of backed-up personal data
Applies user account management and authorization control systems and monitors them
Enforces a password policy requiring strong/complex passwords of at least 8 characters including uppercase, lowercase, numbers, and special characters
8. DISPOSAL OF PERSONAL DATA
The Company retains personal data for the period stipulated in the relevant legislation or necessary for the purposes for which it is processed. In this context, it is first determined whether a retention period is prescribed in the relevant legislation. If a period is specified, that period is complied with. If not specified, data is retained for as long as necessary for the processing purpose.
When the period ends or the reasons requiring processing cease to exist—and if there is no legal ground allowing longer processing—personal data is deleted, destroyed, or anonymized by the Company in accordance with this Policy.
Where there is a contractual relationship, retention periods start after the parties’ contractual obligations end; in other activities, after the transaction is completed and a final outcome is obtained.
If there is a legal dispute or lawsuit process, personal data is retained until the legal process is completed.
Note for GDPR Context: While Turkish legislation specifically categorizes disposal as "deletion, destruction, or anonymization," for the purposes of GDPR, these actions collectively ensure the fulfillment of the obligation to "erase" personal data (Right to Erasure / Right to be Forgotten) when retention is no longer necessary.
9. DISPOSAL TECHNIQUES FOR PERSONAL DATA
At the end of the retention period, personal data is disposed of by the Company ex officio or upon the request of the data subject, in compliance with the relevant legislation, using the techniques below.
Unless otherwise decided by the Board, the Company selects the appropriate method of deletion, destruction, or anonymization ex officio. If requested by the data subject, the Company selects the appropriate method by explaining its justification.
All transactions regarding deletion, destruction, or anonymization are recorded, and these records are retained for 10 (ten) years, except for other legal obligations.
9.1 DELETION OF PERSONAL DATA
Deletion of personal data means making personal data inaccessible and unusable in any way for Relevant Users. The data controller is obliged to take all necessary technical and administrative measures to ensure this.
“Relevant User” is defined in the Regulation on Deletion, Destruction or Anonymization of Personal Data, Article 4(b) as: persons who process personal data within the data controller organization or under the authority/instructions received from the data controller, excluding the person/unit responsible for technical storage, protection, and backup.
Methods of deletion (summary):
Personal data on servers: For data whose retention period has expired, deletion is performed by removing access authorizations of relevant users by the system administrator.
Electronic environment data: For data whose retention period has expired, it is made inaccessible and unusable for all employees except the database administrator.
Physical environment data: For paper-based data whose retention period has expired, it is made inaccessible and unusable for employees other than the unit manager responsible for archives.
Personal data on portable media: Data stored on flash-based media whose retention period has expired is encrypted by the system administrator, access is limited only to the system administrator, and encryption keys are stored securely.
9.2 DESTRUCTION OF PERSONAL DATA
Destruction of personal data means making personal data impossible for anyone to access, recover, or reuse in any way. The data controller is obliged to take all necessary technical and administrative measures.
Methods of destruction (summary):
Physical environment data: Paper-based personal data whose retention period has expired is destroyed irreversibly using shredders.
Optical/magnetic media data: Data on optical and magnetic media whose retention period has expired is physically destroyed (e.g., melting, burning, pulverizing). Additionally, magnetic media is exposed to a high magnetic field using special devices to make the data unreadable.
9.3 ANONYMIZATION OF PERSONAL DATA
Anonymization means rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data.
For data to be considered anonymized, it must not be possible to re-identify a person even using techniques appropriate to the recording environment and activity area, such as reversing by the data controller or third parties and/or matching with other data.
The data controller is obliged to take all necessary technical and administrative measures regarding anonymization.
The Company also takes into account the “Guideline on Deletion, Destruction or Anonymization of Personal Data” published by the Authority and selects appropriate examples from this guideline.
10. RETENTION AND DISPOSAL PERIODS
Regarding personal data processed within the scope of the Company’s activities:
Personal data-based retention periods for all personal data within activities depending on processes are included in the Personal Data Processing Inventory.
Process-based retention periods are included in the Personal Data Retention and Disposal Policy.
Retention periods may be updated by the Company when necessary.
For personal data whose retention periods have expired, deletion, destruction, or anonymization is performed by the Company ex officio.
Process-Based Retention & Disposal Periods (summary):
Employee personnel files / salary payments: 10 years from end of contract/legal transaction → disposal in first periodic disposal after retention ends
Job applications via Kariyer.net: 1 year → disposal in first periodic disposal after retention ends
Customer data for incoming orders / invoices / receipts: 10 years from end of legal relationship → disposal in first periodic disposal after retention ends
OHS specialist & workplace physician data (service procurement): 10 years from end of legal relationship → disposal in first periodic disposal after retention ends
Periodic examinations by workplace physician / OHS activities: 15 years after termination of employment → disposal in first periodic disposal after retention ends
Individual suppliers & sole proprietorship suppliers / invoices: 10 years → disposal in first periodic disposal after retention ends
Litigation/enforcement/mediation case files: 10 years after finalization of the case → disposal in first periodic disposal after retention ends
CCTV recordings: 7 days → disposal in first periodic disposal after retention ends
Marketing emails: 2 years → disposal in first periodic disposal after retention ends
11. PERIODIC DISPOSAL PERIOD
Pursuant to Article 11 of the Regulation on Deletion, Destruction or Anonymization of Personal Data and to comply with the 'Storage Limitation' principle of GDPR, the Company has determined the periodic disposal period as 6 months. Accordingly, periodic disposal is carried out in June and December each year.
12. PUBLICATION AND STORAGE OF THE POLICY
The Policy is published in two formats: wet-signed (printed paper) and electronic. It is disclosed to the public on the Company’s website. The printed paper copy is also retained by the Company.
13. POLICY UPDATE FREQUENCY
The Policy is reviewed by the Company as needed, and necessary sections are updated.
14. EFFECTIVE DATE AND REPEAL
The Policy is deemed to have entered into force after being published on the Company’s website.
If it is decided to repeal the Policy, the old wet-signed copy is canceled by the Company (by stamping “canceled” or writing cancellation) and is signed and retained.