This Personal Data Storage and Destruction Policy (“Policy”) has been prepared by Lazzoni Mobilya Sanayi Turizm ve İnşaat Anonim Şirketi (“Company”) as the data controller as per the Law on Protection of Personal Data no 6698 (“Law”) and Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which constitutes a secondary regulation of the Law. The policy informs the Persons about the principles for determining the maximum storage period required for the purpose for which their data is processed, as well as the deletion, destruction and anonymization processes.

Definitions and Abbreviations

Express Consent : Consent about a specific subject based on information and expressed in free will,

Destruction : Deletion, destruction or anonymization of personal data,

Registration Environment : Any environment in which personal data are processed, which are fully or partially automated or processed in non-automated ways, provided that they are part of any data recording system,

Personal Data : Any kind of information related to the identified or identifiable real person,

Processing Personal Data : All kinds of processes performed on personal data including obtaining, recording, storing, keeping, changing, re-arranging, disclosure, transmission, acquisition, making available, classification or prevention of use in whole or in part, automatically or in non-automatic ways, being part of any data recording system,

Anonymization of Personal Data : Transforming personal data into a state that is non-attributable to an identified or identifiable natural person under any circumstances, even by matching with other data,

Deleting Personal Data : Deletion of personal data; making personal data inaccessible and unusable for Related Users,

Destruction of Personal Data : Process of making personal data inaccessible, irrecoverable and unusable by anyone,

Board : Personal Data Protection Board,

Periodic Destruction : A process of erasing, destroying or anonymizing the personal data stored in the personal data storage and destruction policy in the event that all of the processing conditions of the personal data in the law are removed,

Data Owner / Related Person : Real persons whose personal data are processed,

Data Processor : Except for the person or unit who is responsible for the technical storage, protection and back-up of the data, the persons who process personal data within the data controller organization or with the authorization and instruction that they received from the data controller,

Regulation : Regulation on the Deletion, Destruction or Anonymization of Personal Data.

  1. Policy Principles

Lazzoni Hotel acts in accordance with the following principles during the stages of storing and destroying personal data:

  1. In the deletion, destruction and anonymization of personal data, the Law and relevant legislation provisions, Board decisions and this Policy are fully complied with.
  2. All transactions realized with regard to the deletion, destruction and anonymization of personal data are recorded by the Company and such records are retained at least for years,  apart from the other legal obligations.
  3. We choose the best method to delete, destroy or anonymize personal data unless otherwise agreed by the Board. However, deletion, eradication and destruction processes at the request of the Related Person will be carried out in accordance with the request.
  4. In the event that all the conditions for the processing of personal data in Articles 5 and 6 of the Law are completely eliminated, the personal data are deleted, destroyed or anonymized by the Company ex officio or upon the request of the Related Person. In case the Related Person applies to the Company in this respect, the requests that are forwarded to the Company are responded to within 30 (thirty) days at the latest. In case the data that are the subject of the request have been transferred to third parties, the third parties to which the data were transferred are notified of this situation and it is ensured that they perform the necessary processes.

  2. Explanations Regarding the Reasons Requiring Storage and Destruction

    1. The personal data of the data owners are stored by the Company within the limits stated in the Law and other relevant legislation, especially for (i) continuing commercial activities, (ii) performing legal obligations, (iii) planning and performing employee rights and side benefits and (iv) the legitimate interests of the Company. The reasons that require the processing of personal data are as follows:
      1. Storing the personal data because it is directly related with establishing and performance of agreements
      2. Storing personal data for the establishment, use or protection of a right,
      3. When it is mandatory to keep the personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the persons,
      4. Storing personal data in order to fulfill any legal obligation of the Company,
      5. Clear statement of the storage of personal data in the legislation,
      6. The explicit consent of data owners being present for storage activities that require the explicit consent of data owners.
    2. Pursuant to the Regulation, in the following cases, personal data of the data owners are deleted, destroyed or anonymized by the Company ex officio or upon request:
      1. Amendment or abolishment of the relevant legislation provisions that constitute the basis for the processing or storage of personal data,
      2. Elimination of the purpose of processing or storing personal data,
      3. The removal of the conditions that require the processing of personal data in Articles 5 and 6 of the Law,
      4. In cases where the processing of personal data only occurs as per the explicit consent condition, the relevant person withdrawing his/her consent,
      5. Acceptance by the data controller of the application of the related person regarding the deletion, destruction or anonymization of his/her personal data within the framework of his/her rights in Article 11 of the Law,
      6. In case the data controller rejects the application made to it by the person concerned requesting the deletion, destruction or anonymization of personal data, or its response is found to be unsatisfactory or is not given within the period prescribed by Law, a complaint being filed with the Board and the request being approved by the Board,
      7. The maximum period for retaining personal data having elapsed while there is no condition to justify retaining the personal data for a longer period of time.

    3. Storage and Destruction Periods

The following criteria are used in determining the storage and destruction periods of your personal data obtained by Lazzoni Hotel in accordance with the provisions of the Law and other relevant legislation:

  1. If a period is foreseen in the legislation regarding the storage of the said personal data, this period is complied with. Following the expiration of the aforementioned period, the data is processed under the following article.
  2. In the event that the period stipulated in the legislation with regards to the storage of the personal data in question expires, or no period has been stipulated in the relevant legislation for the storage of such data, the following are applied respectively:
     1. Personal data shall be classified as personal data and sensitive personal data based on the definition in Article 6 of the Law. All personal data determined as sensitive are destroyed. The method to be applied in the destruction of the said data is determined according to the level of importance within the Company in accordance with the nature of the relevant personal data.
     2. The compliance of the storage of the relevant Personal Data with the principles set out in Article 4 of the Law is questioned. Data whose storage is determined to possibly constitute a violation of the principles set out in Article 4 of the Law are deleted, destroyed or anonymized.
     3. It is determined which of the exceptions provided for in Articles 5 and 6 of the Law can be evaluated within the scope of storing the relevant Personal Data. In the framework of the exceptions determined, reasonable periods are determined for which the data should be kept. When these periods expire, the data is deleted, destroyed or anonymized.

The storage, destruction and periodic destruction periods determined by the Company can be found in the annex of this Policy. Personal data whose storage period has expired are anonymized or destroyed in accordance with the procedures herein in 6 (six) month periods, within the framework of the destruction periods stated in the annex of this Policy.

All transactions realized with regard to the deletion, destruction and anonymization of personal data are recorded and such records are stored for at least 3 (three) years, apart from the other legal obligations.

  3. Recording Media

Lazzoni Hotel agrees to include within the scope of the Policy the media listed below that contain personal data, as well as the personal data in any media that may emerge in addition to these.

  1. Computers and servers and network devices registered on behalf of our company
  2. Shared / non-shared disk drives used for storing data on the network
  3. Cloud systems
  4. Mobile phones and all storage areas therein
  5. Paper
  6. Microfiche
  7. Peripherals such as printer, fingerprint reader, biometric eye reading devices
  8. Magnetic tapes
  9. Optical discs
  10. Flash memories

  4. Procedures, Technical and Administrative Precautions Regarding Storage and Destruction of Personal Data

Personal data that will be collected during the employment processes of our Company and/or for the performance of the obligations that arise when an agreement is established; data that must be processed to allocate a right, for you to benefit from customer services, consumer rights and other opportunities, and/or to perform the related commercial, financial and legal responsibilities and obligations; and data that must be processed to ensure the safety of our Company or for the legitimate purposes of our Company, are processed into [] system. In addition, all data stored as digital copies are saved on the Company’s [] server.

Personnel titles, units and job descriptions involved in the process of storing and destroying personal data are included in the Policy annex. 

All administrative and technical measures taken by the Company within the framework of the principles of article 12 of the Law in order to store your personal data safely, to prevent illegal access, to prevent access and to dispose of the data in accordance with the law are listed below:

    4.1. Administrative Measures:

Lazzoni Hotel performs the following within the scope of administrative measures:

  1. It shall limit access to the stored personal data within the company to the personnel who require access due to their job description. In limiting access, whether the data is sensitive and its level of importance are also considered.
  2. In the event that the processed personal data is obtained by others unlawfully, it shall notify the relevant person and the Board of this situation as soon as possible.
  3. With regards to the sharing of personal data, it shall sign framework agreements related to the protection of personal data and data security with the persons with whom personal data are shared, or ensure data security with provisions added to the current agreement.
  4. It shall employ staff who are knowledgeable and experienced in the processing of personal data and shall provide necessary training to its personnel within the scope of personal data protection legislation and data security.
  5. It shall carry out, or have carried out, the necessary inspections within its own legal entity to ensure the enforcement of the provisions of the Law. It shall eliminate the confidentiality and security weaknesses seen in the results of the inspections.
  6. It shall ensure the provision of adequate security measures (against electricity leakage, fire, flood, theft, etc.) according to the environment in which the personal data is available and shall prevent unauthorized entry and exit to these environments.

    4.2. Technical Measures:

Lazzoni Hotel performs the following within the scope of technical measures:

  1. It shall perform the necessary internal controls within the scope of the established systems.
  2. It shall carry out information technology risk assessment and business impact analysis processes within the scope of established systems.
  3. It shall ensure the provision of technical infrastructure and the creation of relevant matrices to prevent data from leaking out of the institution or to monitor such leakage.
  4. It shall provide control of system weaknesses by taking penetration test services regularly and when the need arises.
  5. It shall ensure that employees in information technology units are kept under control with regards to their access to personal data.
  6. It shall ensure that personal data is destroyed irreversibly and without leaving an audit trail.
  7. In accordance with Article 12 of the Law, it shall protect any digital medium where personal data is stored, using encrypted or cryptographic methods to meet information security requirements.
  8. It shall provide secure logging of the transaction records of all the movements that take place on sensitive personal data.
  9. It shall ensure that the necessary security tests are regularly performed by constantly monitoring the security updates of the environments where the data are available.
  10. In cases where sensitive personal data are accessed through software, it shall provide the user authorizations of this software and shall ensure that this software is regularly tested.
  11. It shall provide an authentication system with at least two levels when remote access to sensitive personal data is required.

    4.3. In cases where sensitive personal data are transferred, it shall ensure the following:

  1. If the data needs to be transferred by e-mail, it is transferred with an encrypted corporate e-mail address or using a KEP account,
  2. If the data needs to be transferred through media such as portable memory, CD, DVD, it is encrypted with cryptographic methods,
  3. If the transfer takes place between servers in different physical environments, the data is transferred between the servers by installing a VPN or by using the sFTP method,
  4. If the data needs to be transferred on paper, it ensures that the documents are sent in “confidential documents” format.

  5. Policy Enforcement, Violations and Sanctions

  1. This Policy will enter into force after being published by announcement to all employees and will be binding on all business units, consultants, external service providers and anyone who processes personal data as of the enforcement date.
  2. It will be the responsibility of the supervisors of the relevant employees to monitor whether the employees meet the policy requirements. When a policy violation is detected, the matter will be immediately reported to the superior to whom the supervisor of the relevant employee reports.
  3. In case the violation is significant, the superior will inform the Lazzoni Hotel General Director.
  4. Necessary action will be taken within the scope of the Labor Law No. 4857, after the evaluation to be made by Human Resources about the employee who acts against the policy.

The personal data will be stored for the periods stated below, taking into account the 2nd and 3rd articles of this Policy, and will be anonymized or destroyed at the end of this period:

| Procedure | Storage Period | Destruction Period |
|---|---|---|
| Data stored under the Labor Law (e.g. performance records, etc.) | 10 years after the end of the business relationship | Within 6 months after the end of the storage period |
| Data collected within the scope of occupational health and safety legislation (health reports etc.) | 15 years after the end of the business relationship | Within 6 months after the end of the storage period |
| Data kept within the scope of SSI legislation | 10 years after the end of the business relationship | Within 6 months after the end of the storage period |
| Documents that can be used in a claim / case related to work accident / occupational disease | 10 years after the end of the business relationship | Within 6 months after the end of the storage period |
| Data collected in accordance with other relevant legislation | During the period stipulated in the relevant legislation | Within 6 months after the end of the storage period |
| In case the relevant personal data is subject to a crime within the scope of the Turkish Criminal Code or other legislation that regulates a criminal provision | During the statute of limitations | Within 6 months after the end of the storage period |
| Customer Personal Data | 10 years after its recording | Within 6 months after the end of the storage period |

If the Company's purpose for using the relevant personal data has not been eliminated, if the storage period envisaged for the relevant personal data is longer than the periods in the table, or if the litigation expiration period related to the subject requires the personal data to be stored longer than the periods in the table, the periods stated in the table above may not be applied. In this case, whichever of the period of use, the period under special legislation or the case expiry period expires later will be taken into consideration.