MARMARIS MACHINERY OIL INDUSTRY AND TRADE INC. (Tax No: 6121349345) (Fatih Sultan Neighborhood, 2700 Street, ARP Tower Block No: 3, Interior Door No: 35, Etimesgut/ANKARA) PERSONAL DATA DELETION, DESTRUCTION AND ANONYMIZATION POLICY
1. Purpose of the Deletion Policy
The purpose of this Policy (“Policy”) is, in accordance with the Law on the Protection of Personal Data No. 6698 (“Law”), to regulate the procedures for the deletion, destruction, or anonymization of personal data whose processing conditions under Articles 4, 5, and 6 of the Law have ceased to exist, in line with the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28/10/2017. It explains in detail how personal data processed by Marmaris Machinery Oil Industry and Trade Inc. (“Marmaris Machinery”) will be deleted, destroyed, or anonymized either ex officio or upon the request of the data subject.
2. Definitions
Recipient Group: Natural or legal persons to whom personal data are transferred by the data controller.
Explicit Consent: Consent based on information and freely given for a specific subject.
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person, even by matching with other data.
Employee: Natural persons employed under a contract by our company.
Electronic Environment: Environments where personal data can be created, read, modified, and written using electronic devices.
Non-Electronic Environment: All written, printed, visual, and similar environments outside electronic environments.
Service Provider: Natural or legal persons providing services to our Company under a contractual relationship.
Data Subject: The natural person whose personal data is processed.
Destruction: Deletion, destruction, or anonymization of personal data.
Law: Law on the Protection of Personal Data No. 6698.
Record Environment: Any environment in which personal data is processed fully or partially automatically or non-automatically as part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Inventory: An inventory created by data controllers that details their data processing activities in relation to business processes, including data categories, purposes, recipient groups, retention periods, transfers abroad, and security measures.
Processing of Personal Data: Any operation performed on personal data such as collection, recording, storage, retention, alteration, restructuring, disclosure, transfer, acquisition, making available, classification, or prevention of use.
Board: Personal Data Protection Board.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.
Periodic Destruction: The deletion, destruction, or anonymization process carried out at recurring intervals when all conditions for processing personal data cease to exist.
Policy: Personal Data Retention and Destruction Policy.
Data Processor: A natural or legal person processing personal data on behalf of the data controller based on authorization.
Data Recording System: A system in which personal data is structured and processed according to specific criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Controllers Registry Information System: The information system (VERBIS) created and managed by the Authority for registration and related processes of data controllers.
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
3. Record Environments
Personal data is securely stored in the record environments shown in the table below, in compliance with the law and with all necessary security measures:
| Electronic Environments | Physical Environments |
| Software (office software) VERBIS Email inboxes Servers Information security devices (firewall, antivirus, etc.) Company computers Company mobile devices Portable storage devices Optical disks Printers, scanners, photocopiers |
Paper Physical storage materials Manual data recording systems Printed publications |
4. Storage and Destruction Explanations
Personal data obtained from employees, job applicants, service providers, customers, visitors, and third parties is stored only for the legally required periods in accordance with the Law and is destroyed in compliance with the Law.
4.1. Legal Grounds for Storage:
- Direct necessity for establishing or performing contracts,
- Necessity for establishing, exercising, or protecting a legal right,
- Storage being within legitimate interest without harming fundamental rights and freedoms,
- Legal obligation compliance,
- Data being made public by the data subject,
- Explicit provision in law,
- Explicit consent of the data subject.
4.2. Legal Grounds for Destruction:
- Amendment or repeal of relevant legislation,
- Disappearance of the purpose requiring processing or storage,
- Withdrawal of explicit consent,
- Acceptance of deletion request by the Board,
- Expiration of maximum retention period without legal justification for further storage.
5. Measures Taken for Protection of Personal Data
Marmaris Machinery takes technical and administrative measures required under Article 12 and Article 6(4) of the Law to ensure lawful protection of personal data.
5.1. Technical Measures
- Appropriate technical security systems are implemented and updated regularly.
- Technical personnel support and training are provided.
- Security software is used and regularly updated.
- Access to personal data is restricted on a need-to-know basis.
- Security systems are regularly tested.
- Destruction is carried out in a non-recoverable manner.
5.2. Administrative Measures
- Personal data inventory has been prepared.
- Confidentiality agreements are signed.
- Data subjects are informed before processing.
- Explicit consent is obtained where required.
- Regular inspections are conducted.
- Training is provided to employees.
- Policies are publicly announced.
6. Measures for Data Destruction
When retention periods expire, personal data is deleted, destroyed, or anonymized using appropriate methods.
6.1. Deletion of Personal Data
| Data Environment | Description |
| Electronic systems | Access rights are removed and data is deleted |
| Portable media | Encrypted and securely stored or deleted |
| Physical documents | Made inaccessible and unreadable |
6.2. Destruction of Personal Data
| Data Environment | Description |
| Physical documents | Destroyed using shredding or similar methods |
| Optical/magnetic media | Destroyed by physical or magnetic degaussing methods |
6.3. Anonymization
Anonymization means making data impossible to associate with an identified or identifiable person, even when combined with other data.
7. Retention and Destruction Periods
| Process | Retention Period | Destruction Period |
| Internal company operations | 10 years | At the first periodic destruction period after expiration |
| Contracts | 10 years after termination | At the first periodic destruction period after expiration |
| HR records | 10 years after termination | At the first periodic destruction period after expiration |
| Communication activities | 10 years after termination | At the first periodic destruction period after expiration |
| Log records | 10 years | At the first periodic destruction period after expiration |
8. Periodic Destruction Period
The periodic destruction period is 6 months. Expired data is destroyed every 6 months in accordance with this Policy.
9. Publication and Storage
This Policy is published both in printed and electronic form and made available on the company website.
10. Updates
This Policy is reviewed when necessary and updated accordingly.
11. Effective Date
This Policy entered into force on 22.09.2021.
KVKK application form: click here.