PERSONAL DATA PROTECTION AND DESTRUCTION POLICY

1. Objective

This policy aims to describe the methods adopted for the processing, protection, storage and destruction of personal data processed in all kinds of activities carried out by ZZGTECH LTD (ZZGTECH) in the capacity of data controller and to fulfil the obligation of disclosure in accordance with Article 13-14 of the European Union General Data Protection Regulation and UK Data Protection Regulation (EU GDPR and UK GDPR hereinafter referred to as GDPR). This policy includes the principles applied in the collection, use, sharing, storage and destruction of personal data by ZZGTECH. It aims to inform the relevant persons about the personal data of employees, candidate employees, relatives of employees, references, supplier employees, company partners, suppliers and candidate suppliers, prospective suppliers, prospective customers, online visitors, outsource employees, partner employees, partner company officials, customers and related persons of customers processed by ZZGTECH.

2. Scope

This policy; It covers all recording media and activities for personal data processing where personal data belonging to employees, candidate employees, employee relatives, references, supplier employees, company partners, suppliers and candidate suppliers, customer candidates, online visitors, outsource employees, partner employees, partner company officials, customers and customers' related persons owned by ZZGTECH or managed by ZZGTECH are processed.

3. Authorisations and Responsibilities

All employees, external service providers and anyone else who stores and processes personal data within the organisation are responsible for fulfilling the requirements for the storage and destruction of personal data processed within the organisation. Each business unit is obliged to store and protect the data produced in its own business processes.

The Data Protection Officer (DPO) is responsible for notifying or accepting notifications or correspondence with the ICO Authority on behalf of the data controller and for registration in the register.

The distribution of the titles, units and job descriptions of those involved in the storage and destruction of personal data is detailed below;

Data Protection Officer (DPO): On behalf of the Data Controller, to design, plan, perform the works and transactions to be carried out within the framework of the procedures and principles set out in the Law, to organise the relevant actions and to ensure audits.

Archive Officer To carry out the processes of processing, storage, deletion, editing, destruction and anonymisation of personal data stored in the archive.

Information Security Committee Member: Assists the DPO to design, plan, realise the works and transactions to be carried out within the framework of the procedures and principles set out in the Law on behalf of the Data Controller and to ensure the relevant audits and helps to maintain the processes related to personal data security by supporting the DPO. It takes part in the evaluation and response stages of personal data requests from data subjects. In addition, the Information Security Committee Member takes part in ISO 27001 Information Security Management System, ISO 27701 Personal Data Management System and ISO 9001 Quality Management System standard studies.

4. Definitions and Abbreviations

Definition / Abbreviation Description
Open Consent Consent on a specific subject, based on information and expressed with free will.
Related User Persons who process personal data within the organisation of the data controller or in accordance with the authority and instructions received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Data Owner/Related Person The natural person whose personal data is processed.
Data Controller The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Processor A natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller.
Destruction Deletion, destruction or anonymisation of personal data.
Periodic Disposal In the event that all of the conditions for the processing of personal data specified in the Law disappear, the deletion, destruction or anonymisation process to be carried out ex officio at recurring intervals specified in this policy.
Law UK Data Protection Regulation
EU GDPR European Union Data Protection Regulation
UK GDPR UK Data Protection Regulation
Anonymisation Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Recording Media All kinds of media containing personal data that are fully or partially automated or processed by non-automated means, provided that they are part of any data recording system.
Personal Data Any information relating to an identified or identifiable natural person.
Personal Data Inventory Inventory in which data controllers elaborate the personal data processing activities they carry out depending on their business processes by associating them with the purposes of processing personal data, data category, transferred recipient group and data subject group and by explaining the maximum period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and measures taken regarding data security.
Processing of Personal Data Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Anonymisation of Personal Data Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion of Personal Data Deletion of personal data; making personal data inaccessible and non-reusable in any way for the Relevant Users.
Destruction of Personal Data The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.
Board European and UK Data Protection Authority (ICO) supervisory authorities
ICO UK Data Protection Authority
Electronic Media Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media All written, printed, visual, etc. other media other than electronic media.
Sensitive Personal Data (Intimate Data) Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Data Recording System Recording system in which personal data are structured and processed according to certain criteria.
Employee ZZGTECH staff.
Service Provider A natural or legal person who provides services under a specific contract with ZZGTECH.
Online Visitor Site visitors who visit ZZGTECH's website and whose cookie information is obtained
Customer Legal and natural persons with whom ZZGTECH has an agreement and who benefit from ZZGTECH's services
Customer Contact Person In cases where ZZGTECH is a data processor, natural persons who are the data controller of the Customer with whom ZZGTECH has an agreement and who are under the responsibility of ZZGTECH
SSL VPN It is a virtual private network technology that provides secure access.

5. Personal Data Processing and Protection Policy

ZZGTECH sets out the necessary measures and the process applied for the protection and processing of personal data in a concrete manner with this policy. In cases where this policy is incompatible with the relevant laws and regulations or if the policy is outdated in line with the updated legislation, ZZGTECH agrees to comply with the applicable legislation. According to the changes in laws, regulations and legislation, this policy is updated and revised in order for ZZGTECH to fulfil the legal requirements.

5.1 Personal Data Owners and Processed Personal Data

ZZGTECH processes the following personal data:

Data Owner Data Categories
Employees Criminal records, bank and salary information, audio-visual records, legal files, contact information, identity information, log records, professional information, personal and health information
Employee Candidates Photograph, credentials, contact details, professional and personal information
Employee Relatives Name, surname and telephone number
Online Visitor IP address, browser information, website logs (anonymised) and cookie information
Customers Bank and financial information, legal documents, identity information, contact information, log records, complaint and support records, company and tax office information, service and offer information
Contact Person for Customers Finance, visual and audio recordings, communication, transaction security, identity, location, customer transaction, personal data, cookie information
Partners Bank and financial information, identity information, contact information, signature circular and power of attorney
Outsourced Employees Bank and financial information, contact, log records, identity, personal and embezzlement information
Partner Employee Identity, communication
Partner Officer Identity, communication
Potential Customers Identity, contact, log records, service content and offer information, company information
Potential Suppliers Name, surname, title, contact and offer information
References Name, surname, title, contact and company information
Supplier Employee Name, surname, contact information
Supplier Authorised Identity information, contact information, log records, bank and financial information, legal files, tax office information

5.2 Purposes of Processing Personal Data

ZZGTECH processes personal data for the following purposes;

Purpose of Data Processing Data Subjects
Execution of Emergency Management Processes Employee Relatives
Execution of Information Security Processes Employees, Outsourced Employees
Execution of Application Processes of Employee Candidates Employee Candidates, References
Fulfilment of Labour Contract and Legislative Obligations for Employees Employees
Management of Disciplinary Processes Employees
Execution of Training Activities Employees, Outsourced Employees
Execution of Access Authorisations Employees, Customers, Outsource Employees, Supplier Authorised
Execution of Activities in Accordance with the Legislation Employees, Online Visitors, Customers, Outsource Employees
Execution of Finance and Accounting Affairs Employees, Customers, Partners, Supplier Authorised
Ensuring Physical Space Security Employees
Execution of Assignment Processes Employees
Follow-up and Execution of Legal Affairs Employees, Customers, Supplier Authorised
Execution of Communication Activities Employees, Employee Candidates, Outsource Employees, Supplier Employees
Planning Human Resources Processes Employees, Relatives of Employees, Outsourced Employees
Execution / Supervision of Business Activities Employees, Partners, Outsource Employees, Partner Employee, Partner Officer
Execution of Occupational Health / Safety Activities Employees
Receiving and Evaluating Suggestions for Improvement of Business Processes Partner Employee, Partner Officer
Execution of Business Continuity Ensuring Activities Employees, Outsourced Employees
Execution of Goods / Service Procurement Processes Supplier Employee, Supplier Authorised
Execution of Goods / Services After Sales Support Services Customers
Execution of Goods / Service Sales Processes Customers, Partner Employee, Partner Officer
Execution of Goods / Service Production and Operation Processes Customers, Customer Contact Person
Conducting Marketing Analysis Studies Online Visitor
Execution of Contract Processes Employees, Outsourced Employees
Follow-up of Requests / Complaints Customers, Potential Customers
Ensuring the Security of Movable Property and Resources Employees, Outsourced Employees
Execution of Supply Chain Management Processes Potential Suppliers
Execution of Wage Policy Employees
Execution of Marketing Processes of Products / Services Customers, Potential Customers
Ensuring the Security of Data Controller Operations Employees
Providing Information to Authorised Persons, Institutions and Organisations Employees

5.3 Process Based Processed Personal Data

ZZGTECH processes personal data according to the following sub-processes;

Unit Process Data Categories
IT Operations and Infrastructure Access Authorisation Controls Communication, Identity
User Support Identity
Mail Service Communication, Identity
Application Log Management Communications, Log Records, Identity
Remote Working Communications, Log Records, Identity
Obtaining Cookie Information IP address, Browser information, Website logs (anonymised)
Customer Accounts Management Process Communication, Log Records, Identity
Application Activation Process Communication, Identity, Personality
Software Deployment Process Finance, Audiovisual records, Communication, Log Records, Identity, Location, Customer transaction, Personnel, Marketing
Software Support Process Contact, Identity, Customer Transaction, Personnel,
Human Resources Payroll Process Finance, Contact, Identity, Personal, Health Information
Personnel File Creation Process Criminal Record Information, Finance, Audio-visual records, Identity, Contact, Professional experience, Personal, Health information
Disciplinary Process Identity, Personal
Education Process Finance, Identity
Legal Processes Finance, Legal action, Communication, Identity, Personnel
Recruitment Candidate Selection Audiovisual records, Communication, Identity, Professional experience, Personnel
Signature of Dismissal Documents Finance, Communication, Identity, Personnel
Consent Form Process Identity
Outsourced Employees Finance, Communication, Identity
Contract Process Finance, Communication, Identity
Receiving Commitments Identity, Personal
Embezzlement Processes Identity, Personal
Human Resources / Administrative Affairs Purchasing Processes Finance, Communication, Identity, Personnel
Business Development Business Development Process Communication, Identity
Financial Affairs Finance Process Finance, Communication, Identity, Personnel
Customer Operations Finance, Communication, Identity, Personnel
Supplier Operations Finance, Communication, Identity, Personnel
Sales Marketing Sales Marketing Process Contact, Log Record, Identity, Personality, cookie information
Obtaining Cookie Information IP address, browser information, cookie information (anonymised)
Senior Management Execution of Legal Processes Finance, Legal action, Communication, Identity
Software Development and R&D Development of Artificial Intelligence Models Audiovisual Records, Customer Processing, Marketing
Software Analysis Process Communication, Identity
Software Development Process Log Records, Identity
Software Testing Process Communication, Identity

5.4 Data Collection Methods

ZZGTECH methods of obtaining personal data are set out below:

Data Categories Method of Obtaining
Criminal Records Hand delivery, paper media
Finance Knowledge Electronic records and paper forms, customer and supplier current cards, mail, hand delivery, invoice, stamp information, accounting programme, executive declarations, verbal declaration, payroll, personnel files, personnel employment contract, purchasing contracts, customer contracts, written declaration, software database
Audio and Visual Recordings Hand delivery, job application site interface, mail, customer data sources, software database, HR Company
Legal Action Enforcement correspondence, customer and supplier current cards, contracts, personal files
Contact Details Electronic records and paper forms, visual, verbal declaration, IT application, customer and supplier current cards, support panel, mail, hand delivery, invoice, job application site interface, stamp information, accounting programme, release document, executive correspondence, employment document list form, customer and supplier contracts, written declaration, application panel, personnel files, personnel employment contract, project management application, social media platforms, software database, HR Company
Transaction Security Information IT application, mail, application panel, project management application, oral statement, software database, website
Credentials Electronic records and paper forms, visual, verbal declaration, IT application, mail, support panel, HR documents (disciplinary documents, defence letters, minutes, disclosure and explicit consents, embezzlement forms, release, consent and agreements, expense form, personnel leave form, executive paper, resignation letter), hand delivery, invoice, training attendance forms, job application site interface, stamps, accounting programme, recruitment document list form, paper media, business cards, customer and supplier contracts, application panel, customer and supplier current cards, personnel files, policy document, project management application, social media platforms, software database, HR Company
Location Information Software database
Occupational Information Hand delivery, job application site interface, mail, HR Company
Customer Transaction Information Support panel, mail, customer data sources, software database
Personal Information Electronic records and paper forms, visual, verbal declaration, current card, mail, contract, support panel, HR documents (disciplinary documents, defence letters, minutes, release document, resignation letter, notice of dismissal, personnel leave form, embezzlement forms), hand delivery, invoice, job application site interface, stamps, accounting program, application panel, personnel files, purchase contracts, written declaration, software database, HR Company
Marketing Information Mail, customer data sources, software database, website, electronic registration forms
Health Information Hand delivery

5.5 Legal Reasons for Data Processing

ZZGTECH processes personal data due to legal obligations and to ensure business continuity. Your personal data; In the light of the principles stipulated in Article 5 of the GDPR, it is processed by obtaining explicit consent or in the cases specified in Article 5 of the GDPR. In data processing, it is essential to obtain explicit consent in case the requirements of the Law are not met.

5.5.1 Reason for Processing Personal Data

  1. Explicitly stipulated in the laws,
  2. It is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
  3. Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract,
  4. It is mandatory for the data controller to fulfil its legal obligation,
  5. It has been made public by the data subject himself/herself,
  6. Data processing is mandatory for the establishment, exercise or protection of a right,
  7. Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

The relevant laws regarding foreseen in the law are detailed in this policy.

5.5.2 Justification for Processing Sensitive (Private) Personal Data

Provided that adequate measures are taken; it is stipulated in the laws in terms of personal data of special nature other than health and sexual life, and in terms of personal data of special nature related to health and sexual life;

  1. Protection of public health,
  2. Preventive medicine,
  3. Medical diagnosis,
  4. Carrying out treatment and care services,
  5. Your personal data may be transferred without obtaining explicit consent for purposes such as planning and management of health services and financing.

The legal grounds used by ZZGTECH to process data are detailed in the "Personal Data Inventory" document.

5.6 Principles for Processing Personal Data

The GDPR regulations set out principles for the processing of personal data. ZZGTECH processes personal data in accordance with the determined principles.

The processing of personal data is carried out in accordance with the following principles;

Transfer of Personal Data

Personal data of customers, suppliers and employees are processed in accordance with the basic principles stipulated in the GDPR, provided that public interest is observed. Within the scope of the personal data processing conditions and purposes specified in Section V of the GDPR, it may be shared with the following domestic and/or foreign related parties.

5.7.1 Transfer of Personal Data to Domestic Persons

ZZGTECH carefully complies with the conditions regulated in the Law regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. Within this framework, personal data are not transferred to third parties without the explicit consent of the data subject. However, in the presence of one of the following conditions specified in the Law, personal data may be transferred without obtaining the explicit consent of the data subject:

Provided that adequate measures are taken; it is stipulated in the laws in terms of personal data of special nature other than health and sexual life, and in terms of personal data of special nature related to health and sexual life;

In the transfer of special categories of personal data, the conditions specified in the terms of processing of such data are complied with.

Domestic parties to whom personal data are transferred are detailed below;

Related Party Reason for Transfer Transfer Method Legal Basis
Contracted Banks To be able to make profit distributions, to carry out the financial processes of partners and stakeholders, to deposit personnel salaries, By mail, hand delivery, by mail using bulk instruction Foreseen in the Law
Contracted Law Offices User access logs can be shared with the contracted lawyer for contract control, resolution of possible disputes, execution of lawsuits related to the employee and employer, and in case of a legal request. In case of termination of the employment contract before the end of the advance repayment, the corporate lawyer can be informed. Execution of enforcement processes are shared with the enforcement office through contracted law offices. It is shared so that employees' legal objections or complaints can be evaluated. Cargo, mail, media device Foreseen in the Law
Legitimate Interest
Performance of Contract
Fulfilment of Legal Obligation
Contracted Customers Personal data obtained within the scope of the contract with the Contracted Customer, which is the Data Controller, must be visible to the customer Software Offered to the Customer Explicit consent obtained by the customer who is the Data Controller
Performance of Contract
Contracted Suppliers Shared in order to fulfil the terms of the agreement Mail, Written Declaration Open Consent
Performance of Contract
Legitimate Interest
Contracted HR Companies Personal data can be shared in order to carry out outsourced employee employment processes Mail Open Consent
Publicisation
Performance of Contract
Legitimate Interest
Authorised Courts In case of a legal problem related to employees and in case of a legal request, user access logs are shared through the Contracted Law Office to be submitted to the court. In case of possible disputes with customers, employees and suppliers, they are shared with the competent courts through the corporate lawyer By hand delivery through a contracted law firm or by media device Foreseen in the Law
Legitimate Interest
Performance of Contract
Fulfilment of Legal Obligation
Authorised Public Institutions and Organisations It can be shared with the persons / institutions requesting for the continuity of the activities and operations of the institution. Hand Delivery Photocopy,
Mail,
Foreseen in the Law
Advertising Publishers On behalf of ZZGTECH and the Contracted Customer, cookie information and, where necessary, the relevant personal data of the Customer Contact Person are shared with the advertisement publisher for the promotion of products or services. Cookie Forwarding,
Client software,
Ad Publisher API
Open Consent
Performance of Contract

5.7.2 Transfer of Personal Data to Persons Abroad

ZZGTECH can process personal data on foreign servers based on the agreement made with its customers who are Data Controllers, and data transfers can be made to Advertisement Publishers.

ZZGTECH is able to carry out its operations on overseas cloud systems while managing customer accounts, application activation processes and software distribution, development and testing processes.

In cases where foreign cloud use is required; security measures determined by the cloud service provider are applied. In addition, ZZGTECH has taken all technical measures that may be needed, especially data masking, hashing and authorisation limitations. The measures taken are detailed under the heading "Technical Measures".

5.8 Personal Data of Website Visitors and Personal Data Received for Internet Access Point Service

Cookie information is received on the websites owned by ZZGTECH. Detailed information can be found in the Cookie Policy document on the website. The obligation to inform and the purposes of processing the personal data received are detailed in the Cookie Policy.

ZZGTECH uses mobile internet for internet access. ZZGTECH therefore does not process internet access logs.

System and application access logs of customers, suppliers and employees can be processed during the management of customer accounts, software distribution, application log management, remote working and software development processes. Authorisation restrictions have been made to prevent unauthorised access to logs. There is also a time stamp on the logs. In order to ensure remote access security, access is provided with VPN. In addition, static ip and mac addresses are checked. Detailed information can be found under the heading "Technical Measures".

5.9 Rights of the Personal Data Owner

The rights of personal data subjects specified in Part III of the GDPR are detailed below:

6. Storage and Destruction of Personal Data

6.1 Data Controller Organisation and Data Environments

All employees of ZZGTECH take an active role in the implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy. Measures are taken to ensure data security in all environments where personal data is processed in order to prevent unlawful processing and access of personal data by training and raising awareness of unit employees, monitoring and continuous supervision.

Personal data are securely stored by ZZGTECH in accordance with the law in the following environments;

Electronic Media Non-Electronic Media
Servers (Domain, application servers, database)
Office applications
Accounting practice
Cloud system
IT applications
Telephone directories
Information security devices (firewall, log file)
Personal computers (desktop, laptop)
Mobile devices (phone, tablet, etc.)
Portable media (Usb, portable disc)
Cookie information
Mail
Paper
Written, printed, visual media
Folders
Personal files
Lockers of the units
Job Application Forms

ZZGTECH stores and destroys personal data belonging to Data Subject Main Category, employee, candidate employee, employee relative, reference, supplier employees, company partners, supplier and candidate supplier, customer candidate, online visitor, outsource employee, partner employee, partner company official, customer and customers' related persons in accordance with the Law.

Article 3 of the Law defines the concept of processing personal data. It is addressed in the GDPR that personal data should be linked, limited and proportionate to the purpose for which they are processed and should be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed. Accordingly, ZZGTECH stores personal data within the framework of its activities for the period stipulated in the relevant legislation or in accordance with our processing purposes.

6.2 Legal Grounds Requiring Retention

Your personal data are processed without the requirement of explicit consent based on the stipulation of the provisions of the law in force in the UK, legitimate interest, fulfilment of ZZGTECH's legal obligation, establishment of a right, publicisation and/or performance of the contract.

6.2.1 Reasons for Destruction

Personal data;

6.3 Ensuring the Security of Personal Data

ZZGTECH takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data.

The measures taken by ZZGTECH to ensure the security of personal data are detailed in the sub-articles:

6.3.1 Technical Measures

6.3.2 Administrative Measures

6.3.3 Audits for the Sustainability of Personal Data Protection

ZZGTECH carries out or has the necessary audits carried out to ensure personal data security. It ensures that internal audits are carried out to ensure the sustainability of personal data security. ZZGTECH provides controls according to ISO 27001 Information Security Management System and ISO 27701 Personal Data Management System standards to increase the efficiency of internal audits. It regularly performs penetration tests for technical vulnerabilities that may occur in the systems. The systems are regularly monitored by IT. When unlawful access or processing of personal data is detected in the audits, the DPO is informed.

6.3.4 Measures Implemented to Ensure Protection of Personal Data by Third Parties

ZZGTECH, in its contracts with third parties; It includes the necessary sanction clauses to prevent unlawful processing of personal data, to prevent unlawful access to data and to ensure the preservation of data. Confidentiality agreements are signed before sharing information with third parties. Necessary information is provided to third parties to raise awareness. In cases where third parties need to access the systems, audit trails related to access are kept.

6.3.5 Measures Implemented for the Protection of Sensitive Personal Data

Adequate measures must be taken for personal data of special nature both due to their nature and because they may lead to victimisation or discrimination. In Article 6 of the Law, personal data that have the risk of causing victimisation or discrimination when processed unlawfully are defined as "Special Categories".

These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

ZZGTECH takes the necessary measures to protect personal data of special nature, which are determined as "special quality" by the Law and processed in accordance with the law. Sensitivity is shown for special quality personal data in technical and administrative measures taken to protect personal data.

Employees are informed about the use of special categories of personal data through policies and procedures. Sensitive personal data are not processed in the absence of the consent of the person. In cases where sensitive personal data may be processed, it is not shared with anyone other than 3rd party persons / organisations that have been informed and whose explicit consent has been obtained.

6.3.6 Raising Awareness to Ensure Protection of Personal Data

Necessary information is provided to employees in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the preservation of data. Trainings are organised and their effectiveness is measured.

In case of changes in the relevant laws, regulations or legislation, the policies are revised and the relevant changes are re-announced to the personnel.

6.4 Personal Data Destruction Techniques

ZZGTECH destroys the personal data it obtains in line with the request of the personal data owners, if it is not mandatory to use it due to legal obligations, due to legal obligations or for the protection of public order and provided that it does not affect business processes. Personal data belonging to data owners are destroyed based on the decision to be taken by the organisation when the retention periods determined by the relevant laws expire or when the requirements for planning disappear in the event that the condition for the use of the relevant data disappears. Personal data that do not need to be stored on the dates determined by the DPO every year are destroyed by the following techniques in accordance with the legislation. Destruction operations are carried out in three different methods as deletion, destruction and anonymisation.

6.4.1 Deletion of Personal Data

The methods of deletion of personal data are specified in the table below;

Data Recording Environment Description
Personal Data on Servers For the personal data on the servers, deletion is made by the system administrator by removing the access authorisation of the relevant users for those whose retention period has expired.
Personal Data in Electronic Media Personal data in the electronic environment, which expires from the personal data requiring storage, is rendered inaccessible and non-reusable in any way for other employees (relevant users) except the database administrator. In operational processes, personal data environments whose file has been finalised and completed are deleted in such a way that only the authorised administrator can access them.
Personal Data in Physical Environment For personal data that expires from the personal data kept in the physical environment, it is made inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, the blackout process is also applied by scratching/painting/erasing in such a way that it cannot be read.
Personal Data on Portable Media The personal data kept in Flash-based storage media and those whose period of retention has expired are encrypted by the system administrator and access authorisation is given only to the system administrator and stored in secure environments with encryption keys.

6.4.2 Destruction of Personal Data

Destruction of personal data is specified in the table below;

Data Recording Environment Description
Personal Data in Physical Environment Those of the personal data in paper media, whose retention period has expired, are irreversibly destroyed in paper shredding machines.
Personal Data in Optical / Magnetic Media Personal data contained in optical media and magnetic media that expire after the expiry of the period for which they are required to be retained shall be rendered physically unreadable in an irreversible manner. Destruction is carried out using the Destruction Record Form.

6.4.3 Anonymisation of Personal Data

Anonymisation of personal data means making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data.

In order for personal data to be anonymised; personal data must be rendered unassociable with an identified or identifiable natural person, even through the use of appropriate techniques for the recording medium and the relevant field of activity, such as the return of personal data by the data controller or third parties and / or matching the data with other data.

6.5 Storage and Destruction Periods

The retention periods for personal data processed by ZZGTECH within the scope of its activities, all personal data within the scope of the activities carried out depending on the processes are detailed in the Data Inventory document.

Retention periods have been determined by taking into account the laws to which ZZGTECH is subject, the provisions of the contract with the relevant parties and the periods required for ZZGTECH's operational activities.

Such retention periods are updated by the Personal Data Contact Person if necessary.

Personal data whose retention periods have expired are destroyed ex officio. The category-based maximum retention periods of personal data are as follows;

Data Data Owner Storage Periods
Criminal Records Employees 10 years from the end of the employment contract
Finance Knowledge Employees 10 years from the end of the employment contract
Customers 10 Years
Customer Contact Person 2 Years
Partners 10 Years
Outsourced Employees 10 years from the end of the employment contract
Potential Supplier 10 Years
Supplier Authorised 10 Years
Audio and Visual Recordings Employees 10 years from the end of the employment contract
Employee Candidates 1 Year
Customer Contact Person 10 Years
Legal Action Employee 10 Years
Customers 10 Years
Supplier Authorised 10 Years
Contact Details Employees 10 years from the end of the employment contract
Employee Candidates 1 Year
Employee Relative 10 years from the end of the employment contract
Customers 10 Years
Customer Contact Person 2 Years
Partners 10 Years
Outsourced Employees 10 years from the end of the employment contract
Partner Employee 10 Years
Partner Officer 10 Years
Potential Customer 5 Years
Potential Supplier 10 Years
References 1 Year
Supplier Employee 10 Years
Supplier Authorised 10 Years
Transaction Security Information Employees 10 Years
Online Visitors 2 Years
Customers 10 Years
Customer Contact Person 2 years from the end of the service contract
Outsourced Employees 2 Years
Potential Customer 5 Years
Supplier Authorised 2 Years
Credentials Employees 10 years from the end of the employment contract
Employee Candidates 1 Year
Employee Relative 10 years from the end of the employment contract
Customers 10 Years
Customer Contact Person 2 Years
Partners 10 Years
Outsourced Employees 10 Years
Partner Employee 10 Years
Partner Officer 10 Years
Potential Customer 5 Years
Potential Supplier 10 Years
References 1 Year
Supplier Employee 10 Years
Supplier Authorised 10 Years
Location Information Customer Contact Person 2 years from the end of the service contract
Occupational Information Employees 10 years from the end of the employment contract
Employee Candidates 1 Year
Customer Transaction Information Customers 2 years from the end of the service contract
Customer Contact Person 10 Years
Personal Information Employees 10 years from the end of the employment contract
Employee Candidates 1 Year
Customers 10 Years
Customer Contact Person 2 years from the end of the service contract
Partners 10 Years
Outsourced Employees 10 Years
Potential Customer 5 Years
References 1 Year
Supplier Authorised 10 Years
Marketing Information Customer Contact Person 10 Years
Customer 5 Years
Potential Customer 5 Years
Online Visitors 2 Years
Health Information Employees 10 years from the end of the employment contract

7. Application Methods

You can realise your rights regarding your personal data within the scope of GDPR by using the following methods;

Data Controller: ZZGTECH LTD

Data Protection Officer (DPO): Rugül ÇINAR- [email protected]

You can make your personal data applications by filling out the Personal Data Application Form document. Clarification application methods are as follows;

Method Contact Details Description
Hand Delivery 124 City Road, London, United Kingdom, EC1V 2NX During the hand delivery of the Personal Data Application Form, please have one of the documents indicating your identity such as driving licence, identity card, passport, etc. with you.
Mail [email protected] After the Personal Data Application Form is sent to us by e-mail, identity verification can be made by checking the systems or by contacting us to confirm your identity information.

Personal data applications will be accepted following the identity verification to be made by us, and the relevant persons will be answered in writing or electronically within the legal periods.

About SignalSight

SignalSight is an experienced tech solution who strives to connect brands with their customers like never before.

About SignalSight Server-side Signal Success Stories Pricing Docs Contact Us

Privacy Policy | Terms & Conditions