
Data Retention, Anonymization and Destruction Policy

1. Purpose

The purpose of this procedure is to ensure that all printed and written content, information technology assets, and peripheral devices used for obtaining, processing, and storing information are securely destroyed when necessary and in accordance with the Law on the Protection of Personal Data No. 6698.

2. Scope

This procedure covers all personal and commercial data records and business processes.

3. Definitions

Law: Refers to Law No. 6698 on the Protection of Personal Data.
Personal Data: Any information relating to an identified or identifiable natural person. A person is considered identifiable if their identity can be determined by associating existing data with a real person in any way.
Redaction: The process of completely preventing personal data from being associated with an identified or identifiable natural person by drawing over, painting, or blurring such data.
Recording Environment: Any environment in which personal data is processed, whether fully or partially automated, or non-automated provided that it is part of a data recording system.
Personal Data Retention and Destruction Policy: The policy used by data controllers as a basis for determining the maximum retention period required for the purpose of processing personal data and for deleting, destroying, or anonymizing such data.
Masking: The process of deleting, drawing over, painting, or replacing certain fields of personal data with symbols (such as asterisks) to prevent association with an identified or identifiable person.
Special Categories of Personal Data: Data relating to racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, association/foundation/union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction: The process of deleting, destroying, or anonymizing personal data at recurring intervals specified in the personal data retention and destruction policy when the conditions for processing as per the Law cease to exist.

4. References

  • Law No. 6698 on the Protection of Personal Data

  • Regulation on Deletion, Destruction or Anonymization of Personal Data (Official Gazette No. 30224 dated 28.10.2017)

5. Implementation

5.1. Destruction of Assets

If the purpose for processing personal data ceases to exist, explicit consent is withdrawn, or all conditions for data processing specified in Articles 5 and 6 of the Law cease to exist—or if none of the exceptions apply—personal data whose processing conditions are eliminated shall be deleted, destroyed, or anonymized by the relevant unit in accordance with Articles 7, 8, 9, and 10 of the Regulation, with the justification for the chosen method duly stated.

However, if there is a finalized court decision, the destruction method determined by the court must be applied.

All information stored on any device that has data storage capability shall be deleted to prevent unauthorized access, and the disk or recording mechanism shall be physically destroyed. A Media/Device Destruction Report shall be completed and signed by the IT operator, including date, device information, reason for destruction, etc.

Methods for Deletion of Data

a. Personal Data in Paper Format: Destroyed using a paper shredder or redacted when necessary.
b. Office Files Stored on Central Servers: Deleted using the operating system’s delete command.
c. Data on Portable Media: Deleted using the operating system’s delete command.
d. Databases: Relevant rows are deleted using database commands.

Methods for Destruction of Assets and Data

a. Local Systems: Demagnetization, physical destruction, or overwriting methods are used.
b. Peripheral Systems:

  • Network devices (switch, router, etc.): Destroyed using appropriate methods listed in item (a).

  • Flash-based media: Destroyed using manufacturer-recommended methods or the methods described under item (a).

  • Magnetic tapes: Destroyed by demagnetization or through physical destruction such as burning or melting.

  • SIM cards and fixed memory cards: Destroyed using appropriate methods as in item (a).

  • Optical discs: Destroyed by burning, shredding, or melting.

  • Peripherals with built-in storage: Destroyed using appropriate methods as in item (a).

c. Printed Media: Destroyed using paper shredders. Personal data converted to digital format by scanning will be destroyed using appropriate methods based on the environment in which they are stored.

Anonymization Methods for Personal Data

During the anonymization process, suitable methods described in the “Guideline on Deletion, Destruction, or Anonymization of Personal Data” published by the Personal Data Protection Authority are applied.

When it is determined through periodic reviews or at any other time that data processing conditions no longer exist, the relevant user or data owner shall delete, destroy, or anonymize the personal data in accordance with this policy. In ambiguous situations, the relevant business unit shall be consulted.

Retention periods defined by the State Archives Directorate are observed. Data that has exceeded the required retention period in unit archives, institutional archives, or State Archives shall be destroyed.

5.1.1. Destruction of Multi-Stakeholder Data

When destruction of personal data stored in Central Information Systems and containing shared data ownership is required, the view of the Data Controller Representative shall be obtained, and a decision will be made based on this policy on whether to retain, delete, destroy, or anonymize the data.

5.1.2. Destruction Upon Request of the Data Subject

Data subjects may submit requests to have their personal data deleted, destroyed, or anonymized by applying to the institution with a “Personal Data Subject Application Form” pursuant to Article 13 of the Law. Such requests shall be finalized within 30 days.

Requests are evaluated only after identity verification. The data subject shall be informed via the method specified in the application form.

If legal requirements prevent deletion, the data subject shall be notified.

If processing conditions have ceased, the relevant unit will delete, destroy, or anonymize the requested data within three months. If the data has been transferred to third parties, the relevant unit shall immediately notify the third party and request destruction in accordance with the Regulation.

5.2. Periodic Review of Personal Data

All users and data-owning units that process or store personal data shall review whether processing conditions continue at intervals not exceeding six months.

In case of a data subject application or court notification, this review must be performed immediately, regardless of the periodic review schedule.

All actions regarding deletion, destruction, or anonymization are logged and retained for at least three years unless other legal obligations require longer retention.

All operations must comply with Article 4 (General Principles of Data Processing), Article 12 (Data Security Obligations), relevant regulations, Board decisions, and court orders.

5.3. Retention of Personal Data

Processing periods of personal data are specified within the “Personal Data Processing Inventory.”

Retention and destruction periods shall be considered during periodic or request-based destruction processes.

Unless legally required otherwise, retention and destruction processes may vary depending on the data subject’s request.

Physical security measures for personal data include storing documents, CDs, DVDs, and USB devices containing personal data in locked areas, limiting access to authorized personnel only, and monitoring entry/exit with cameras. Digital data is stored in the institution’s server room with appropriate security measures.

Administrative and technical measures for ensuring personal data security are detailed in the Personal Data Protection and Processing Policy.

6. Control

Documents are revised when necessary and reviewed annually.
