Privacy and Security
1. Purpose
The purpose of this procedure, in terms of Privacy and Security, is to ensure that all printed and written content, information technology assets and peripheral units used in obtaining, processing and storing information are destroyed, when necessary, securely and in accordance with the Law on the Protection of Personal Data No. 6698.
2. Scope
The procedure covers all personal, business data records and business processes.
3. Definitions
Law: 6698 refers to the "Protection of personal data" law.
Personal Data : Personal data refers to any information regarding an identified or identifiable natural person. Making a person specific or identifiable means making that person identifiable by associating existing data with a real person in any way.
Blackening : Processes such as scratching, painting and icing all personal data in a way that cannot be associated with an identified or identifiable natural person,
Recording medium : Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system,
Personal data storage and destruction policy : The policy on which data controllers base their deletion, destruction and anonymization, as well as the process of determining the maximum period required for the purpose for which personal data are processed.
Masking : Processes such as deleting, crossing out, painting and starring certain areas of personal data in a way that cannot be associated with an identified or identifiable natural person,
Personal Data of Special Qualification : Data regarding individuals' race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric data and genetic data.
Periodic destruction : It is the process of deleting, destroying or anonymizing personal data, which is specified in the personal data storage and destruction policy and will be carried out ex officio at recurring intervals, in case all the processing conditions of personal data specified in the law are eliminated.
4. References
Regulation on the Deletion, Destruction or Anonymization of Personal Data No. 30224 of the Law No. 6698 on the Protection of Personal Data, dated 28.10.2018
5. Application
5.1. Destruction of Assets
If the purpose for processing personal data disappears, explicit consent is withdrawn, or all of the conditions for processing personal data set out in Articles 5 and 6 of the Law disappear, or if there is a situation where none of the exceptions in the mentioned articles apply, the processing conditions are no longer valid. personal data is deleted by the relevant business unit, taking into account business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation (Deletion, Destruction or Anonymization of Personal Data articles), by explaining the justification of the method applied, is destroyed or made anonymous. However, in case of a final court decision, the destruction method ordered by the court decision must be applied.
Information on any device with information recording feature is deleted against unauthorized access, and the disk and recording mechanism on the device are physically destroyed. The Environment/Device Disposal Report is filled out and signed by the information systems operator. Date, device information, reason for destruction, etc. The destruction process is recorded by entering the information.
Data Deletion Methods
a. Personal Data on Paper : It is deleted by destroying it with a paper shredder or, when necessary, by using the blackout method.
b. Office Files on the Central Server : They are deleted with the delete command in the operating system.
c. Data on Removable Media : It is deleted with the delete command in the operating system.
D. Databases : The relevant rows containing the data are deleted with database commands.
Methods for Destruction of Assets and Data
a. In Local Systems : It is destroyed using the appropriate methods such as de-magnetization, physical destruction, and overwriting.
b. Environmental Systems:
• Network devices (switch, router, etc.): Destroyed using appropriate methods specified in a.
• Flash-based media: They are destroyed by the methods recommended by the relevant manufacturer or by the methods specified in article a.
• Magnetic tape: It is destroyed by de-magnetization or by physical methods such as burning or melting.
• Sim Cards and hard memory cards: Destroyed by appropriate methods specified in article a.
• Optical discs: are destroyed by physical methods such as burning, breaking into small pieces, and melting.
• Peripheral units with fixed Data Recording Medium: Destroyed by appropriate methods specified in article a.
c. Printed Media : Destroyed using paper shredders. Personal data transferred from the original paper format to electronic media by scanning are destroyed by appropriate methods according to the environment in which they are located.
Methods of Anonymization of Personal Data:
During the anonymization of personal data, the appropriate one of the Anonymization methods of Personal Data shown in the Guide on Deletion, Destruction or Anonymization of Personal Data published by the Personal Data Protection Authority is used.
As a result of periodic reviews or if it is determined that the data processing conditions have been eliminated at any time, the relevant user or data owner will decide to delete, destroy or anonymise the relevant personal data from its own recording environment in accordance with this policy. In cases of doubt, action will be taken by obtaining the opinion of the relevant data owner business unit.
When destroying data, the regulations stating the retention periods published by the General Directorate of State Archives are taken into consideration. Data that are safe to be destroyed in the Unit archive, Institution archive or State Archives are destroyed after the required period has expired.
5.1.1. Destruction of Multi-Stakeholder Data
When it is necessary to make a decision regarding the destruction of personal data with multi-stakeholder data ownership in the Central Information Systems, the opinion of the Data Controller Representative is taken and a decision is made to store or delete, destroy or anonymise the personal data in question in accordance with this policy.
5.1.2. Destruction of Personal Data Upon Data Owner's Request
When the natural person who owns the personal data applies to the University with the "Personal Data Owner Application Form" pursuant to Article 13 of the Law and requests the deletion, destruction or anonymization of his or her personal data, it is finalized within thirty days at the latest from the date of application. Requests for deletion or destruction of personal data will only be evaluated provided that the identity of the person concerned has been identified. The applicant personal data owner is informed through the methods specified in the application form. If the processing conditions are not lifted due to legal requirements; It is declared to the data owner that the personal data subject to the request cannot be deleted. The unit where the relevant data is processed examines whether all the conditions for processing personal data are eliminated. If all processing conditions are eliminated; deletes, destroys or anonymizes the personal data subject to the request within three months at the latest. If all the conditions for processing personal data are eliminated and the personal data subject to the request is transferred to third parties, the unit where the relevant data is processed immediately notifies the third party to whom the relevant data was transferred and ensures that the necessary actions are taken within the scope of the Regulation before the third party.
5.2. Periodic Review of Personal Data
All users and data owner units that process or store personal data will review the data recording environments they use within six-month periods at the latest whether the conditions for processing have been eliminated. Upon the application of the personal data owner or the notification of a court, the relevant users and units will conduct this review of the data recording environments they use, regardless of the periodic audit period. All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
In deleting, destroying or anonymizing personal data, acting in accordance with the general principles in Article 4 (Processing of Personal Data) of the law and the technical and administrative measures to be taken within the scope of Article 12 (Obligations Regarding Data Security), relevant legislative provisions, Board decisions and court decisions. is done.
5.3. Storage of Personal Data
The processing times of personal data are stated in the "Personal Data Processing Inventory".
These storage and destruction periods will be taken into account in periodic destruction or destruction upon request. Storage and destruction processes may vary upon the request of the data owner, unless there is a legal obligation.
To ensure personal data security, physical security measures have been taken, such as keeping paper documents containing personal data and devices such as CDs, DVDs and USBs locked when not in use, allowing access only by authorized personnel, and monitoring entrances and exits with cameras. Servers containing personal data held digitally are stored in the University system room, with the necessary security measures taken.
Administrative and technical measures taken to ensure the security of personal data are detailed in the Personal Data Protection and Processing Policy.
6. Control
Documents are revised as needed and checked periodically once a year.
By filling out various forms and surveys on our membership or store, some personal information about the members (such as name-surname, company information, telephone, address or e-mail addresses) is collected by our store due to the nature of the business.
Our company may sometimes send campaign information, information about new products, and promotional offers to its customers and members. Our members can make any choice about whether or not to receive such information while becoming a member, and then after logging in, they can change the selection in the account information section or make a notification via the link in the information message they receive.
During the approval process carried out through our store or by e-mail, personal information transmitted electronically to our store by our members will not be disclosed to third parties except for the purposes and scope determined by the 'User Agreement' we have made with our members.
Our company records and uses the IP addresses of its members in order to identify system-related problems and to quickly resolve any problems or disputes that may arise regarding the service provided. IP addresses may also be used to generally identify users and gather broad demographic information.
Our company may use the requested information for direct marketing purposes by itself or its collaborators, beyond the purposes and scope specified in the Membership Agreement. Personal information may also be used to contact the user when necessary. Information requested by our company and information provided by the user or information regarding transactions made through our store; It can be used by our company and its collaborators for various statistical evaluations, database creation and market research, without disclosing the identity of our members, outside the purposes and scope determined by the 'Membership Agreement'.
Our company strives to keep confidential information strictly private and confidential, to consider this as a confidentiality obligation, and to take all necessary precautions and take due care to ensure and maintain confidentiality and to prevent all or any part of the confidential information from entering the public domain or unauthorized use or disclosure to a third party. promises to show.
CREDIT CARD SECURITY
Our company prioritizes the security of credit card holders who shop from our shopping sites. Your credit card information is not stored in any way our system.
When you enter the transaction process, there are two things you need to pay attention to in order to understand that you are on a secure site. One of these is a key or lock icon at the bottom line of your browser. This shows that you are on a secure website and all your information is encrypted and protected. This information is only used depending on the sales transaction process and in accordance with the instructions you give. Information about the credit card used during shopping is encrypted with 128 bit SSL (Secure Sockets Layer) protocol, independent of our shopping sites, and sent to the relevant bank for inquiry. If the card availability is approved can be sustained for shopping. Since no information about the card can be viewed or recorded by us, third parties are prevented from passing this information under any circumstances.
The reliability of payment/invoice/delivery address information of orders placed online by credit card is audited by our company against Credit Card Fraud. Therefore, customers who order from our shopping site for the first time must first confirm the accuracy of their financial and address/phone information in order for their orders to reach the supply and delivery stage. If necessary, the credit card holder customer or the relevant bank is contacted to check this information.
Only you can access and change all the information you provide when becoming a member. If you keep your member login information secure, it is not possible for others to access or change information about you. For this purpose, 128 bit SSL security area is used during membership transactions. This system is an international encryption standard that is impossible to break.
Internet shopping sites that have an information line or customer service service and full address and telephone information are more preferred today. In this way, you can get detailed information about all the issues that come to your mind and get better information about the reliability of the company that provides online shopping service.
Link(s): Link(s) that enable access to another website, files, content via the Website or to the Website, files and content from another website.
THIRD PARTY WEBSITES AND APPLICATIONS
Our store may provide links to other sites within its website. Our company does not bear any responsibility for the privacy practices and content of the sites accessed through these links. Advertisements published on our company's site are distributed to our users through our advertising business partners. The Privacy Policy Principles in this agreement apply only to the use of our Store and do not cover third party websites.
EXCEPTIONAL CASES
In the limited cases specified below, our company may disclose user information to third parties outside the provisions of this 'Privacy Policy'. These situations are limited in number;
1. To comply with the obligations imposed by the legal rules in force and issued by the competent legal authority, such as the Law, Decree Law, Regulation, etc.;
2. In order to fulfill the requirements of the 'Membership Agreement' and other agreements concluded by our store with the users and to put them into practice;
3. Requesting information about users for the purpose of conducting a research and investigation duly carried out by the competent administrative and judicial authority;
4. In cases where it is necessary to provide information to protect the rights or security of users.
EMAIL SECURITY
Never include your credit card number or password in the e-mails you send to our store's Customer Services regarding any of your orders. The information contained in e-mails may be viewed by third parties. Our company cannot guarantee the security of the information transferred from your e-mails under any circumstances.
For any questions and suggestions regarding our privacy policy, you can send an e-mail to marblearth@gmail.com. You can reach our company from the contact information below.
Company Name : MermARTh
Address : Center, Karakaya Village Internal Road, Karakaya
Tel : +905516828135