1. INTRODUCTION
1.1 Introduction
The protection of personal data is of the utmost importance for TÜRKİYE NÜKLEER ENERJİ ANONİM ŞİRKETİ ("TÜNAŞ" or the "Company"), and the greatest care is taken in this regard. Accordingly, it is one of the Company's fundamental policies to process personal data in a manner consistent with the expectations of individuals and in compliance with the law.
According to the Constitution of the Republic of Türkiye, everyone has the right to request the protection of personal data concerning him/her. Because the protection of personal data is a constitutional right, the Company gives it due attention, governs it through this Personal Data Processing and Disposal Policy ("Policy") and adopts it as Company policy.
1.2 Updateability
This Policy may be updated from time to time in order to adapt to changing conditions and legislation.
Updates will be announced on the Company's website or through other channels.
2. PURPOSE AND SCOPE OF THE POLICY
The purpose of this Policy is to determine the procedures and principles for the processing and protection of personal data carried out by the Company in accordance with the Constitution, which is the basis of this Policy, International Conventions, Personal Data Protection Law No. 6698 ("Law"), European Union Regulation No. 2016/679 (General Data Protection Regulation) ("GDPR"), the By-Law on Erasure, Destruction or Anonymization of Personal Data ("By-Law") and other relevant legislation.
The Policy relates to the data of the members of the Company's board of directors, Company employees, employee candidates, Company visitors, candidates and/or students of overseas postgraduate education programs, suppliers/service providers and other third parties whose data are processed by fully or partially automated or non-automated means provided that they are part of any data recording system.
The primary addressee of this Policy is the Company. However, the implementation of this Policy and the rules it contains concern the members of the Board of Directors, Company employees, employee candidates, candidates and/or students of overseas graduate education programs, suppliers/service providers, visitors and other third parties whose data are processed. Employees currently employed by the Company as well as former employees whose personal data are still being processed are covered by this Policy. The term "Employee" in this Policy includes, to the extent appropriate, employees, former employees, directors and former directors of the Company.
This Policy applies to the activities carried out for the processing, storage and destruction of all personal data owned or managed by the Company. This Policy defines the basic control measures that the members of the Company's board of directors, all employees, employee candidates, candidates and/or students of overseas postgraduate study programs, suppliers and service providers, visitors and employees of all institutions and organizations with which the Company cooperates are expected to know and continuously comply with.
Another purpose of this Policy is to inform natural persons who are subject to personal data processing activities about the processing of their personal data and to ensure transparency towards them.
The scope of application of this Policy regarding the groups of Personal Data Owners in the categories mentioned above may be the entire Policy or only some of its provisions.
3. DEFINITIONS and PERSONAL DATA OWNERS
In this Policy, unless the context requires otherwise, legal and technical terms have the following meanings:
| Term | Definition |
| --- | --- |
| Explicit Consent | Consent on a specific issue, based on information and freely given |
| Recipient Group | The category of natural or legal person to whom personal data is transferred by the data controller |
| Constitution | Constitution of the Republic of Türkiye |
| CCTV | Closed Circuit Television |
| Cookie | Small text files stored on your device or network server via browsers by visited websites |
| eDMS | Electronic Document Management System |
| Electronic Media | Media where personal data can be created, read, changed and written with electronic devices |
| Non-Electronic Media | All written, printed, visual, etc. media other than electronic media |
| Related User | Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or department responsible for the technical storage, protection and backup of the data |
| Workplace | The Company's premises at İşçi Blokları Mah. Mevlana Bulv. No: 162/3 Çankaya/ANKARA |
| Disposal | Erasure, destruction or anonymization of personal data |
| Website | www.tunas.gov.tr |
| Law | Personal Data Protection Law No. 6698 |
| Recording Media | Any medium containing personal data that is processed by fully or partially automated means, or by non-automated means provided that it is part of any data recording system |
| Personal Data | Any information relating to an identified or identifiable natural person (e.g. name, surname, Turkish ID number, e-mail, address, date of birth, credit card number, bank account number) |
| Personal Data Owner (Data Subject) | The natural person whose personal data is processed |
| Personal Data Processing Inventory | The inventory that data controllers create by associating the personal data processing activities they carry out, depending on their business processes, with the purposes and legal reason for processing, the data category, the recipient group and the data subject group, and in which they detail the maximum retention period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security |
| Processing of Personal Data | All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automated means or by non-automated means provided that they are part of any data recording system |
| Authority | Personal Data Protection Authority |
| Special Categories of Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data |
| Periodic Disposal | In the event that all of the conditions for the processing of personal data specified in the Law cease to exist, the erasure, destruction or anonymization process carried out ex officio at the recurring intervals specified in this Policy |
| Policy | This Personal Data Processing, Storage and Disposal Policy |
| Company/TÜNAŞ | TÜRKİYE NÜKLEER ENERJİ ANONİM ŞİRKETİ, located at İşçi Blokları Mah. Mevlana Bulv. No: 162/3 Çankaya/Ankara |
| Data Processor | Natural or legal persons outside the organization of the data controller who process personal data on behalf of the data controller based on the authority granted by the data controller |
| Data Recording System | A recording system in which personal data is structured and processed according to certain criteria |
| Data Controller | The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system) |
| Data Controllers' Registry Information System (VERBIS) | The information system created and managed by the Authority, accessible over the internet, which data controllers use when applying to the Registry and for other transactions related to the Registry |
| By-Law | By-Law on Erasure, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017 |
Unless the content of this Policy requires otherwise, Personal Data Owners refers to the following:
| Personal Data Owner | Description |
| --- | --- |
| Employee | A natural person who has an employment contract with the Company or whose employment contract has been terminated in the past (this includes Company executives) |
| Employee Candidate | A natural person who is included in the selection and placement process by the Company in order to establish an employment contract with the Company |
| Service Provider | A natural or legal person who provides services under a specific contract with the Company |
| Supplier | Third-party suppliers and supplier employees, consultants/managers and service providers from whom the Company receives services |
| Board Member(s) | Members of the Board of Directors of TÜNAŞ |
| Candidates for Graduate Study Abroad Programs | A person who applies to TUNEM, YLSY, AESC and similar programs carried out by the Ministry of Energy and Natural Resources and related institutions and organizations, and who participates in the candidate selection and placement process coordinated by the Company |
| Students of Graduate Study Abroad Programs | A person who is accepted within the scope of TUNEM, YLSY, AESC and similar programs carried out in affiliation with the Ministry of Energy and Natural Resources and related institutions and organizations, and who benefits from academic consultancy and/or sponsorship services coordinated by the Company |
| Visitor | A person who visits TÜNAŞ at İşçi Blokları Mah. Mevlana Blv. No: 162/3 Çankaya/Ankara, who visits the website of TÜNAŞ and/or who contacts TÜNAŞ through the call center |
4. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
4.1 Processing in accordance with the Law and Good Faith
In the Processing of Personal Data, we act in accordance with the good faith and general principles brought by legal regulations. In this context, Personal Data are processed proportionally and limited to the purpose for which they are processed.
4.2 Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Taking into account the legitimate interests of the members of the Board of Directors, Employees, Employee Candidates, Candidates for Graduate Education Programs Abroad, Suppliers and Service Providers, Visitors and other third parties whose data are processed, periodic checks and updates are made to ensure that the processed data are accurate and up-to-date and necessary measures are taken in this direction. In this context, systems for checking the accuracy of Personal Data and making necessary corrections are established within the Company.
4.3 Processing for Specific, Explicit and Legitimate Purposes
Within the framework of data minimization by the Company, Personal Data is processed based on clear and precise data processing purposes and as much as necessary for this purpose. The purpose for which the data will be processed is determined before the Personal Data Processing activity begins.
4.4 Being Relevant, Limited and Proportionate to the Purpose for Which They are Processed
Personal Data is processed in a manner that is conducive to the realization of the specified purposes and the Processing of Personal Data that is not related to the realization of the purpose or is not needed is avoided.
4.5 Preservation for the Period Stipulated in the Legislation or Required for the Purpose for which they are Processed
The Company retains Personal Data only for the periods specified in the relevant legislation or required for the purpose for which they are processed. In this context, it is first determined whether the relevant legislation stipulates a storage period for the Personal Data; if so, that period is complied with, and if not, Personal Data is stored for the period required for the purpose for which they are processed. When the period expires or the reasons requiring processing cease to exist, Personal Data are deleted, destroyed or anonymized according to the principles of the policy applied by the Company for this purpose, unless there is a legal reason that allows them to be processed for a longer period.
5. CONDITIONS FOR PROCESSING PERSONAL DATA
Explicit Consent of the Personal Data owner is one of the legal grounds that make it possible to process Personal Data in accordance with the law. Apart from Explicit Consent, Personal Data may also be processed in the presence of one of the other conditions listed below. The basis of the Personal Data Processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same Personal Data Processing activity.
5.1 Processing of Personal Data of the Personal Data Owner Based on Explicit Consent
Personal Data of the Personal Data Owner is processed based on Explicit Consent, unless it is processed based on a different condition. Personal Data owners are informed about which Personal Data is processed, for what purposes and for what reasons their Personal Data is processed, from which sources their Personal Data is collected, with whom this Personal Data will be shared and how it will be used, and their Explicit Consent is obtained in this way.
5.2. Explicitly Stipulated in Laws
In cases where Personal Data Processing is explicitly stipulated in the Law, the Company processes Personal Data without obtaining the explicit consent of the Personal Data Owner whose data will be processed.
5.3. Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility
Where it is mandatory to process the Personal Data of a Personal Data Owner who is unable to give Explicit Consent due to actual impossibility, or whose Explicit Consent cannot be legally validated, in order to protect the life or physical integrity of that person or of another person, the data is processed without obtaining the Explicit Consent of the Personal Data Owner.
5.4. Being Directly Related to the Establishment or Performance of the Contract
Provided that it is directly related to the establishment or performance of a contract, Personal Data is processed if it is necessary to Process Personal Data of the parties to the contract.
5.5. Fulfillment of the Company's Legal Obligation
In the event that data processing is mandatory in order to fulfill legal obligations as a Data Controller, the data of the Personal Data Owner is processed without obtaining Explicit Consent.
5.6. Publicization of Personal Data by the Personal Data Owner
In the event that the Personal Data is made public by the Personal Data Owner, Personal Data is processed without the need for Explicit Consent.
5.7. Mandatory Data Processing for the Establishment, Exercise or Protection of a Right
In the event that data processing is mandatory for the establishment, exercise or protection of a right, the data is processed without the explicit consent of the Personal Data Owner.
5.8. Data Processing Based on Legitimate Interest
In the event that data processing is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data Owner, the data is processed without obtaining the Explicit Consent of the Personal Data Owner.
6. EXPLANATIONS ON PROCESSED PERSONAL DATA
In accordance with Article 10 of the Law and secondary legislation, the Company fulfills its obligation to inform and processes the Personal Data of Personal Data Owners in line with the Company's personal data processing purposes, including but not limited to the purposes set out in the second title of this Policy; based on, and limited to, at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law; and in accordance with the general principles specified in the Legislation, primarily the principles specified in Article 4 of the Law.
Within the scope of the above-mentioned purposes and in accordance with the principles set out in this Policy in line with the provisions of the Legislation, the Company stores, shares with third parties and destroys the Personal Data of Personal Data Owners in accordance with the procedures set out in this Policy, limited to the purpose of data processing in domestic systems.
Although the types and amount of Personal Data processed will vary depending on the relationship between the Company and the Personal Data Owner and on the reason for processing, the Personal Data shared by the Personal Data Owner with the Company or obtained by the Company from third parties are categorized below:
| Personal Data Categories | The Personal Data We Collect |
| --- | --- |
| Identity Data | Name, surname, Turkish Republic Identification Number, gender, country, date and place of birth, military service status, nationality, marital status, volume/family sequence number, identity card serial number, spouse's and dependents' name and surname, date of birth, identity number, volume/family sequence number and identity card serial number, passport information, driver's license, biography, other identity information |
| Visual Data | Photographic, audio and video recordings (except CCTV). |
| Contact Data | Corporate and personal e-mail, corporate and personal telephone, address and telephone information of relatives to be contacted in case of emergency, etc. |
| Location Data | Residence address, work address. |
| Network Traffic and Other Related Data | IP address, cookies, device identification number, websites visited. |
| Account Login Information | Username and password, other information used to access and/or secure Company systems and applications. |
| Background Information | Name and surname of spouse and children, Turkish Republic Identity Number, date of birth and occupation data, military service status, department, authorities, office address, date of employment, title, position/grade, work unit, part-time or full-time position, vacation entitlements, work history, date(s) and reasons for employment/re-employment and termination of employment, retirement status, promotions and disciplinary records, date of transfers, the manager(s) to whom he/she reports, other details of the employment contract, a copy of the birth certificate, the number of days of SSI premiums, the service breakdown showing that the spouse is not working, the number of children and the student certificates of the children, death leave and death certificate of the relative of the employee receiving the benefit, private security card information. |
| Professional Experience | Personnel evaluation form, occupational code, work experience, starting and leaving dates, reasons for leaving, wages and fringe benefits, educational information, foreign language score, professional skills, certificates and course information, institution, position held. |
| Financial Data | Salary information, social benefits and fringe benefits other than salary, income information, bank account information, BES (Individual Pension Insurance) deduction amount, execution debt information, advance payment information, receivables and payables information, attendance fee information. |
| Legal Process Data | Data such as payroll records, work permit, SSI number, type of insurance. |
| Social Data | Smoking status, alcohol use, hobbies and activities. |
| Absenteeism Data | Participation in work-related organizations, vacation, sick leave, long-term leave, etc., addresses where leave is spent. |
| Criminal Conviction Data | Data on criminal behavior, criminal records, or prosecutions and proceedings relating to criminal or other unlawful behavior. |
| Health Data | Health report, incapacity report, disability report. |
| Education Data | Education and diploma data, foreign language skills, computer skills, training and certification information. |
| Data on Career Development | Details presented in application letters and CVs, special expertise, competency assessments, personality inventory. |
| Information Collected by CCTV and Security Systems | CCTV footage. |
| Information in the Company's Property and Entrusted to the Personnel | Company laptop, Company car, information contained in the Company's cell phone, USB memory stick. |
| Data on Travel and Expenses | Passport data, visa, information on travel vehicles used, registration information, expense report data, advance payment request form, foreign travel approval form, citizenship, residence and work permit details, reference number given by the consulate regarding visa acceptance procedures. |
| Institutional Memory Information | Memories, interviews, etc. processed within the scope of the activities carried out by TÜNAŞ in order to create the corporate memory of TÜNAŞ. |
| Other Data | Names, surnames, e-mail addresses and contact numbers of reference persons, number of children, hobbies, names, surnames and contact numbers of family members, smoking, personality inventory (for candidates who pass the interview positively), exam results (for candidates who qualify for the interview), job offer form (for candidates who qualify for employment). |
The visible security cameras in the workplace record persons from the moment they enter the data center and archive room, and these records are kept for security purposes. Areas that go beyond security purposes and where monitoring could interfere with a person's privacy are not monitored. The number of cameras in the workplace is that necessary to ensure data security and is limited to this purpose.
Authorized persons have access to the records recorded and maintained in digital media. Live camera images can be viewed by authorized persons affiliated with the company's Information Technologies Department.
In addition, Personal Data may be used by the Company for security purposes and/or to protect the Company's legitimate interests or to prevent or investigate suspected or actual violations of law, violations of working conditions or non-compliance with the Company's business principles or Company policies. For these purposes, and to the extent permitted by applicable law, the following measures may be taken where information is obtained that supports suspicions of violations of the Company's general business principles or policies or other applicable laws:
- Accessing, investigating, monitoring and archiving data sent, accessed, displayed or stored,
- Conducting video surveillance,
- Disclosing information obtained during searches that indicates possible illegal behavior to law enforcement authorities.
The Company stores, shares with third parties and destroys the Personal Data of the natural person obtained in accordance with the principles set out in this Policy within the scope of the above-mentioned purposes and in line with the provisions of the Legislation, in accordance with the procedures set out in this Policy, limited to the purpose of data processing in domestic systems.
7. METHODS AND LEGAL REASONS FOR COLLECTING PERSONAL DATA
Personal Data belonging to Personal Data Owners may be collected by the Company in the following ways:
- Parties submitting applications by digital means,
- Parties submitting applications by physical means,
- Receipt of applications through a consulting company,
- Sharing of personal data by the supplier/service provider through physical or digital means due to the commercial relationship between the parties,
- Surveillance activity with security cameras,
- Parties visiting the Company website,
- Parties contacting the Company through the call center,
- Delivery of personal data to the Company by physical or digital means by the parties.
In accordance with the basic principles stipulated by the KVKK (PDPL), personal data may be collected, processed and transferred for the purposes specified in this Policy within the scope of the personal data processing conditions specified in Articles 5 and 6 of the KVKK (PDPL).
8. TRANSFER OF PERSONAL DATA
The Company acts in accordance and in compliance with the relevant legislation in terms of transferring the Personal Data processed within the scope of its activities domestically and/or abroad.
Pursuant to the relevant legislation, personal data cannot be transferred without the explicit consent of the data subject. As an exception, if the processing of personal data falls within the scope of one of the following situations, personal data may be transferred without seeking the Explicit Consent of the person concerned:
- Explicitly stipulated in the law.
- It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
- Provided that it is directly related to the establishment or performance of a contract, it is necessary to Process Personal Data of the parties to the contract.
- It is mandatory for the Data Controller to fulfill its legal obligation.
- It has been made public by the person concerned.
- Data processing is mandatory for the establishment, exercise or protection of a right.
- Data processing is mandatory for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Explicit Consent of the data subject is also required for the transfer of Personal Data abroad. However, it may be possible to transfer Personal Data abroad if one of the exceptional circumstances listed above exists and in addition to the existence of this situation, the following conditions are met in the foreign country to which the Personal Data will be transferred:
- The availability of adequate protection,
- In the absence of adequate protection, the data may be transferred abroad without seeking the explicit consent of the data subject, provided that the data controllers in Türkiye and in the relevant foreign country undertake adequate protection in writing and the Authority has the permission. (Countries with adequate protection will be determined and announced by the Authority.)
If the legislation stipulates a period for the storage and destruction of Personal Data obtained by the Company in accordance with the legislation, that period is complied with and the Personal Data are stored for its duration. If no period is stipulated in the legislation, Personal Data are stored for the period required for processing in accordance with the practices of TÜNAŞ and the customs of commercial life.
Although the types and amount of Personal Data processed will vary depending on the relationship with the Company and the reason for processing, the institutions to which Personal Data shared with the Company or obtained by the Company from third parties are transferred, the purposes of transfer and the storage periods are categorized below. The institutions, purposes and periods listed apply to all of the Personal Data categories in the first column:
| Personal Data Categories | Transferred Institutions | Transfer Purposes | Storage and Disposal Periods |
| --- | --- | --- | --- |
| Identity Data; Visual Data; Contact Data; Location Data; Network Traffic and Other Related Data; Account Login Information; Background Information; Professional Experience; Financial Data; Legal Process Data; Social Data; Absenteeism Data; Health Data; Education Data; Data on Career Development; Information Collected by CCTV and Security Systems; Information in the Company's Property and Entrusted to the Personnel; Data on Travel and Expenses | Relevant Ministries, relevant institutions, organizations, companies, universities, SSI, İŞKUR, Police Station, District Governor's Office, the bank from which Private Pension Service is received and other contracted banks, companies from which Insurance Service is received, institutions and companies from which Training Service is received, suppliers from which goods and services are procured, TENMAK, consultancy companies abroad, organizations abroad and other organizations of which TÜNAŞ is a member, contracted travel agencies, persons and institutions providing consultancy to contribute to the development of employees within the scope of Career and Talent Management systems, public institutions and organizations assigned and authorized by law, judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures, Chambers of Commerce, relevant Notaries | For the purposes of overseas education, conducting official visit processes, preparing greeting cards for special occasions, fulfilling legal obligations, completing visa procedures, enabling employees to benefit from in-house facilities, minimizing security vulnerabilities, carrying out management and representation activities, conducting due diligence processes and fulfilling contractual obligations; for the purposes of fulfilling legal obligations, carrying out management and representation activities, creating internal user accounts and carrying out application processes for seminars and conferences abroad; for the purpose of preparing greeting cards for special occasions with the name and surname of the employee and the employee's relatives; for the purpose of executing execution proceedings and making salary payments; for the purpose of carrying out the relevant processes related to overseas education and travel; for the purpose of providing input to TÜNAŞ's career management and talent management systems, to have an idea about the talents, predispositions and competencies of the Personal Data Owner and to support them on their career paths in line with these characteristics; to ensure the physical and legal security of TÜNAŞ, to ensure general workplace safety, to increase the quality of the services provided, and to fulfill the obligations arising from the legislation; for the purposes of visa procedures and travel health insurance; for the purpose of conducting due diligence processes | The Company retains Personal Data for the period required for the purpose for which they are processed and for the minimum period stipulated in the legislation to which the relevant activity is subject. In this context, the Company first determines whether the relevant legislation stipulates a storage period and, if so, acts in accordance with it. If there is no legal period, Personal Data are stored for the period required for the purpose for which they are processed. |
9. POLICY-REGULATED RECORDING MEDIA
All Personal Data subject to data processing activities within the scope of the Law are stored by the Company in electronic media and physical media by fully or partially automated or non-automated means, provided that they are part of any data recording system.
The electronic and physical storage media where Personal Data are stored are specified in the table below. These are the storage media used by the Company as of the date of preparation of this Policy, and they may change from time to time.
| Electronic Storage Media | Non-Electronic Media |
| --- | --- |
| Servers (ERP servers, domain, backup, e-mail/exchange, database, web, file sharing, etc.) | Paper |
| Software (Office software, EBYS) | Manual data recording systems (survey forms, visitor logbook) |
| Information security devices (firewall, intrusion detection and prevention, log file, anti-virus, etc.) | Written, printed, visual media |
| Personal computers (desktop, laptop) | |
| Mobile devices (phones, tablets, etc.) | |
| Optical disks (CD, DVD, etc.), removable memory sticks (USB, memory card, etc.) | |
| Departments' files on the file server | |
| Printer, scanner, copier | |
10. EXPLANATIONS ON STORAGE AND DISPOSAL OF PERSONAL DATA
The personal data of employees, employee candidates, candidates for graduate education programs abroad, suppliers and service providers and employees of other third parties, institutions or organizations whose data are processed by the Company are stored and destroyed in accordance with the Law. In this context, detailed explanations on retention and destruction are given below respectively.
10.1 Legal Grounds for Retention
Personal Data processed within the framework of the Company's activities are retained for the period stipulated in the relevant legislation. In this context, Personal Data are kept for the retention periods prescribed in:
- Personal Data Protection Law No. 6698,
- Turkish Code of Obligations No. 6098,
- Law No. 5510 on Social Security and General Health Insurance,
- Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through These Publications,
- Law No. 6331 on Occupational Health and Safety,
- Law No. 4982 on the Right to Information,
- Law No. 3071 on the Exercise of the Right to Petition,
- Labor Law No. 4857,
- Tax Procedure Law No. 213,
- The Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes, and other secondary regulations in force.
10.2 Processing Purposes Requiring Retention
The Company stores the personal data that it processes within the framework of its activities for the purposes set out in sections 6.1, 6.2, 6.3, 6.4, 6.5 and 6.6 of this Policy.
10.3 Reasons for Disposal
Personal Data are deleted, destroyed or anonymized by the Company, upon the request of the relevant person or ex officio, in the following cases:
- Amendment or abolition of the provisions of the relevant legislation that constitute the basis for processing,
- Disappearance of the purpose requiring processing or storage,
- Withdrawal of Explicit Consent by the relevant person, in cases where Personal Data Processing takes place only on the basis of explicit consent,
- Acceptance by the Company or the Authority of the application made by the relevant person for the erasure and destruction of Personal Data within the framework of the rights of the relevant person pursuant to Article 11 of the Law,
- Approval by the Authority of the complaint filed by the relevant person, in cases where the Company rejects the application for erasure, destruction or anonymization of his/her Personal Data, the relevant person finds the answer insufficient, or the Company does not respond within the period stipulated in the Law,
- Expiry of the maximum period required for the storage of Personal Data, where there is no condition that would justify storing the Personal Data for a longer period.
11. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SECURE STORAGE OF PERSONAL DATA AND THE PREVENTION OF UNLAWFUL PROCESSING AND ACCESS
11.1 Technical Measures
The Company shows the utmost care and diligence in the safe storage of Personal Data and the prevention of unlawful processing and access, and takes the necessary technical and administrative measures according to the technological possibilities and implementation cost regarding the following issues in accordance with Article 12 of the Law and the provisions of the By-Law, the general principles mentioned above, this Policy and the Authority decisions.
The main technical measures taken by the Company to store Personal Data in secure environments are listed below:
- Systems in accordance with technological developments are used to store Personal Data in secure environments.
- Personnel specialized in technical issues are employed.
- Technical security systems are established for storage areas, technical measures taken are reported to the relevant person as required by internal audit, and necessary technological solutions are produced by re-evaluating the issues that pose a risk.
- Backup programs are used in accordance with the law to ensure that Personal Data is stored securely.
- Firewalls are used.
- Up-to-date anti-virus systems are used.
- Personal Data is minimized as much as possible.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Access to data storage areas where Personal Data is stored is logged and inappropriate access or access attempts are monitored.
- Through penetration tests, risks, threats and vulnerabilities, if any, affecting the Company's information systems are revealed and the necessary measures are taken.
- Risks and threats to the continuity of information systems are continuously monitored through real-time analysis within information security incident management.
- Intrusion detection and prevention systems are used.
- Access to information systems and authorization of users are carried out through an access and authorization matrix and security policies enforced via the corporate Active Directory.
- Necessary measures are taken for the physical security of the Company's information systems equipment, software and data.
- In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, ensuring the physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, intrusion prevention systems, network access control, malware prevention systems, etc.) measures are taken.
- Access procedures are established within the organization and reporting and analysis studies on access to personal data are carried out.
- Access to the storage areas where Personal Data is stored is recorded and inappropriate access or access attempts are kept under control.
- The Company takes necessary measures to ensure that deleted Personal Data is inaccessible and non-reusable for the relevant users.
- In the event that Personal Data is unlawfully obtained by others, a suitable system and infrastructure has been established by the Company to notify the relevant person and the Authority.
- Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up-to-date.
- Strong passwords are used in electronic environments where Personal Data is processed.
- Secure record logging systems are used in electronic environments where Personal Data is processed.
- Data backup programs are used to ensure that Personal Data is stored securely.
- Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
- Access authorizations of employees who are reassigned or leave the Company are revoked.
- Trainings have been provided for employees involved in the processing of Sensitive Personal Data on the security of Sensitive Personal Data, confidentiality agreements have been made, and the authorizations of users authorized to access the data have been defined.
- Electronic media in which Sensitive Personal Data are processed, stored and/or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, necessary security tests are regularly performed, and test results are recorded.
- Adequate security measures are taken for the physical environments where Special Categories of Personal Data are processed, stored and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
- If Sensitive Personal Data is required to be transferred via e-mail, it is transferred encrypted with a corporate e-mail address or using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept on different media. If transferring between servers in different physical environments, data transfer is performed by establishing a VPN between the servers or by SFTP method. If the document must be transferred via paper media, necessary precautions are taken against risks such as theft, loss or unauthorized viewing of the document and the document is sent in "confidential" format.
11.2 Administrative Measures
The main administrative measures taken by the Company to store personal data in secure environments are listed below:
- For the improvement of the quality of employees, trainings are provided on the prevention of unlawful processing of personal data, prevention of unlawful access to personal data, ensuring the protection of personal data, communication techniques, technical knowledge skills, and other relevant legislation.
- In case an external service is obtained by the Company due to technical requirements for the storage and processing of personal data, the contracts concluded with the relevant companies to which personal data are transferred in accordance with the law include provisions stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
- Confidentiality agreements are signed by employees regarding the activities carried out by the Company.
- Before starting Personal Data Processing, the Company fulfills its obligation to inform the relevant persons.
- Personal Data Processing inventory has been prepared.
- Internal periodic and random audits are conducted.
- Information security trainings are provided for employees.
- All activities carried out by the Company are analyzed in detail specific to all business units, and as a result of this analysis, personal data processing activities specific to the company activities carried out by the relevant business units are revealed.
- For the Personal Data Processing activities carried out by the Company's departments, the requirements to be fulfilled in order for these activities to comply with the Personal Data Processing requirements sought by the Law are determined specifically for each business unit and the detailed activity it carries out.
- In order to ensure the legal compliance requirements determined on a departmental basis, awareness is raised and implementation rules are determined for the relevant business units; the necessary administrative measures are implemented through internal policies and trainings to ensure the supervision of these issues and the continuity of implementation.
- In the contracts and documents governing the legal relationship between the Company and the Employees, records that impose the obligation not to process, disclose and use Personal Data, except for the Company's policies, procedures, work instructions and the exceptions imposed by the Law, are included and employee awareness is raised and audits are carried out.
12. METHODS APPLIED FOR THE DISPOSAL OF PERSONAL DATA AND TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE LAWFUL DISPOSAL OF PERSONAL DATA
The Company deletes, destroys or anonymizes personal data by the following methods in the event that all of the conditions for processing personal data specified in Articles 5 and 6 of the Law disappear.
All transactions carried out within the scope of disposal are recorded by the Company and these records are kept for at least three years, without prejudice to other legal obligations.
Unless otherwise decided by the Authority, the Company chooses the appropriate method of erasure, destruction or anonymization of personal data according to technological possibilities and implementation cost, and explains the reason for the appropriate method upon request of the personal data owner.
The main technical measures taken by the Company to ensure the destruction of Personal Data in accordance with the law are listed below:
- Personnel specialized in technical issues are employed.
- If devices that carry personal data within the Company are no longer usable and will be sold or disposed of, the data on the device is destroyed, or if this is not possible, the device itself is destroyed.
- Personal data contained in CCTV (Closed Circuit Television) is automatically deleted by the system after 90 days.
The main administrative measures taken by the Company to ensure the destruction of personal data in accordance with the law are listed below:
- All activities carried out within the Company are analyzed in detail for all departments, and as a result of this analysis, the Personal Data destruction activities for the company activities carried out by the relevant departments are identified.
- For the Personal Data destruction activities carried out by the departments, the requirements to be fulfilled in order for these activities to comply with the personal data destruction requirements sought by the Law and the By-Law are determined specifically for each department and the detailed activity it carries out.
- Awareness is raised and destruction practice rules are determined for the relevant department in order to ensure the legal compliance requirements determined on a departmental basis; the necessary administrative measures are implemented through internal policies and trainings to ensure the supervision of these issues and the continuity of the implementation.
- Articles on the processing, protection and destruction of personal data are included in the contracts and undertakings governing the legal relationship between the Company and employees, and employee awareness is raised on this issue.
a) Methods of Erasure of Personal Data
Erasure of Personal Data is the process of making Personal Data inaccessible and non-reusable in any way for the relevant users. The Company takes all necessary technical and administrative measures according to the technological possibilities and implementation cost in order to make the deleted Personal Data inaccessible and non-reusable for the relevant users.
In this context, the Company applies the following methods for the deletion of Personal Data:
| Data Recording Media | Description |
| Personal Data on Servers | For the Personal Data on the servers, erasure is made by the system administrator by removing the access authorization of the relevant users for those whose period of storage has expired. |
| Personal Data in Electronic Media | Personal Data in the electronic environment whose retention period has expired are made inaccessible and non-reusable in any way for other employees (relevant users) except the Information Systems Manager. |
| Personal Data in the Physical Media | For personal data kept in physical media whose retention period has expired, the documents are made inaccessible and unusable in any way for the relevant users. They are also blacked out by scratching/painting/erasing so that they cannot be read. |
| Personal Data on Portable Media | Personal Data kept on flash-based storage media whose retention period has expired are encrypted by the system administrator; access authorization is granted only to the system administrator, and the encryption keys are stored in secure media. |
b) Methods of Destruction of Personal Data
Destruction of Personal Data is the process of making Personal Data inaccessible, irretrievable and non-reusable by anyone in any way. The Company takes all necessary technical and administrative measures for the destruction of Personal Data according to the technological possibilities and the cost of implementation.
In this context, the Company applies the following methods for the disposal of Personal Data:
| Data Recording Media | Description |
| Personal Data in Physical Media | Personal Data in paper media whose retention period has expired are irreversibly destroyed in paper shredding machines. |
| Personal Data in Optical / Magnetic Media | It is physically disposed of using various technological methods. |
c) Methods of Anonymization of Personal Data
Anonymization of Personal Data means that Personal Data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.
In order for Personal Data to be anonymized, Personal Data must be rendered unassociable with an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as retrieval and matching of data with other data by the Company, recipients or groups of recipients. The Company takes all necessary technical and administrative measures for the anonymization of Personal Data according to the technological possibilities and the cost of implementation.
13. STORAGE AND DISPOSAL PERIODS
The Company disposes of Personal Data only after keeping it for the period specified in the relevant legislation that it is obliged to comply with, or for the period required for the purpose for which it is processed.
In this context, the Company stores the Personal Data processed within the framework of its activities for the periods specified in Article 8 of this Policy and disposes of it in the first periodic destruction period following the end of the retention period.
If the Personal Data owner requests the destruction of his/her Personal Data by applying to the Company, the Company:
a) If all the conditions for processing Personal Data have been eliminated:
- It finalizes the request of the Personal Data Owner within thirty days at the latest and informs the personal data owner.
- If the Personal Data subject to the request has been transferred to third parties, it notifies this situation to the third party; ensures that the necessary actions are taken before the third party.
b) If all of the conditions for processing personal data have not been eliminated, the Company may reject the request of the Personal Data Owner by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and notifies the Personal Data Owner in writing or electronically within thirty days at the latest.
14. PERIODIC DISPOSAL PERIOD
The Company disposes of Personal Data in the first periodic disposal following the date on which the obligation to dispose of Personal Data arises. In this context, in the event that the obligation to dispose of Personal Data arises, the Company subjects personal data to destruction in the maximum periods written in the Legislation. This period does not exceed the maximum periodic destruction period specified in Article 11 of the By-Law in any case and under any circumstances.
15. RIGHTS AND OBLIGATIONS OF THE PERSONAL DATA OWNER
15.1 Obligations
Data owners are responsible for ensuring that the Personal Data they have shared with the Company are accurate, complete and up-to-date, and if personal data belonging to other persons are shared, that such data are collected in accordance with the applicable legislation. The person whose data is processed is obliged to inform other persons to whom the Company provides Personal Data about the content of this notice and to obtain their consent for the use of their Personal Data by the Company as specified in this notice (including transfer and disclosure).
15.2 Rights
Within the scope of the KVKK (PDPL) and related legislation, Personal Data Owners have the following rights:
- To learn whether their personal data is being processed,
- To request information if their personal data has been processed,
- To learn the purpose of processing personal data and whether it is used for its intended purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing, and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- To request the erasure or destruction of personal data in the event that the reasons requiring its processing disappear, even though it has been processed in accordance with the provisions of the Law and other relevant laws, and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- To object to the emergence of a result to the detriment of the person himself/herself through the analysis of the processed data exclusively by automated systems,
- To demand compensation for damage in case of damage due to the processing of Personal Data in violation of the Law.
Personal Data Owners may submit their applications, including their requests regarding their rights, in a clear, understandable manner and by attaching documents identifying their identity and address information; in writing and with wet signature, by hand, by mail or through a notary public to the address of the Data Controller Company "İşçi Blokları Mahallesi Mevlana Bulvarı No: 162/3 Çankaya-Ankara" or [email protected] PTT KEP address.
Although the Company has the right to verify the identity before responding, the application must include:
- The name, surname and, if the application is in writing, the signature,
- The Republic of Türkiye identification number for citizens of the Republic of Türkiye; if the applicant is a foreigner, the nationality, passport number or identification number, if any,
- The residential or workplace address for notification,
- The e-mail address, telephone and fax number, if any, for notification,
- The subject of the request,
- Information and documents related to the subject, if any.
If requests are submitted to the Company as stated above, the Company will finalize the request as soon as possible and within thirty days at the latest, depending on the nature of the request.
15.3 Principles on the Exercise of Legal Rights Regarding Personal Data
Relevant persons may submit their requests regarding their rights listed in Article 15 of this Policy ("Rights and Obligations of the Personal Data Owner") to our Company by the methods determined by the Authority. In this direction, they can benefit from the "TÜNAŞ Data Owner Application Form" which can be accessed at www.tunas.gov.tr.
16. ENFORCEMENT
This Policy, which was issued by the Company and entered into force on the date of approval, may be updated from time to time in order to adapt to changing conditions and legislation. The Policy is published on the Company's website (www.tunas.gov.tr) and is also communicated to the relevant persons upon the request of the Personal Data Owners.
In case of any conflict between this Policy and the provisions of the Law and By-Law, the provisions of the applicable legislation shall prevail.
| COMPANY CONTACT INFORMATION: | İşçi Blokları Mahallesi Mevlana Bulvarı No: 162/3 Çankaya-Ankara |
| Tel: | 0 (312) 285 00 21 |
| Website: | www.tunas.gov.tr |
| PTT KEP: | [email protected] |
Annex-1 Personnel Title, Unit and Position List
The list containing the titles, units and job descriptions of those involved in the processes of storing and destroying personal data is kept confidential by TÜNAŞ.