1. OBJECTIVE and SCOPE

The purpose of this Policy is to stipulate the procedural rules and responsibilities applicable to the fulfillment of the obligations related to the Storage and Destruction of Personal Data and other obligations specified in the regulation pursuant to Articles 5 and 6 of the By-Law on Erasure, Destruction or Anonymization of Personal Data, promulgated in Official Gazette No. 30224 on 28.10.2017 and issued on the basis of Act No. 6698 on the Protection of Personal Data. This policy applies to all data, to university staff, to the university administration and to all third parties, external service providers and natural and legal persons with whom personal data is exchanged.

2. DEFINITIONS

Anonymization: “Anonymization” means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

Disposal: Erasure, destruction or anonymization of personal data.

Personal Data: Personal data means any information relating to an identified or identifiable natural person.

Data Controller: Data Controller means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

Personal Data Processing Inventory: “Personal data processing inventory” means the inventory in which data controllers detail the following: the personal data processing operations they perform according to their business processes; the purposes and legal basis of personal data processing; the data category; the recipient group; the maximum storage period, formed in relation to the group of data subjects, that is necessary for the purpose for which the personal data are processed; the personal data envisaged to be transferred to foreign countries; and the measures taken relating to data security.

Erasure of the Personal Data: Erasure of personal data is the process of rendering personal data inaccessible and non-reusable, in any way, for the users concerned.

Destruction of the Personal Data: Destruction is the process of rendering personal data inaccessible, irretrievable or non-reusable, in any way, by anyone.

Special Categories of Personal Data: Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership of associations, foundations or trade unions, data concerning health, sexual life, criminal convictions and security measures, and biometric and genetic data are deemed to be special categories of personal data.

Periodic Disposal: Periodic disposal means the ex officio erasure, destruction or anonymization of personal data, for the period laid down by the personal data storage and disposal policy, in cases where the reason for processing no longer exists.

Data Filing System: “Data filing system” means the system where personal data are processed by being structured according to specific criteria.

3. DUTIES AND POWERS OF THE PERSONAL DATA PROTECTION BOARD (KVK BOARD)

The duties and powers of the Personal Data Protection Board include announcing this policy to the relevant units, following up on proceedings that are deemed necessary and monitoring their implementation. The Personal Data Protection Board shall monitor any amendments to legislation, acts and decisions of the Board, court decisions or revisions of procedures, practices and systems in the field of data protection and notify the relevant units. Where deemed necessary, the Board ensures that the business processes of the relevant units are updated.

4. ACTIONS TO BE TAKEN IN CASE THE CONDITIONS FOR PROCESSING THE DATA DISAPPEAR

4.1. When all the conditions and purposes of the processing of personal data referred to in Articles 5 and 6 of the Act cease to exist, or explicit consent has been withdrawn, or there is a situation in which none of the exceptions provided for in the same Articles can be applied, the personal data shall be erased, destroyed or anonymized by the competent authority under Articles 7, 8, 9 or 10 of the Regulation, together with a justification of the method to be applied. In case there is a definitive ruling, the method of disposal prescribed in the ruling must be used.

4.2. All users who process or store data shall inspect the data storage devices they use, within six months at the latest, to determine whether the conditions for processing the data are still applicable. Upon request of the data subject or after being notified by the relevant body or court, the users and services concerned shall carry out this inspection on the data storage devices they use, irrespective of the deadline for periodic control.

4.3. Following regular checks, or at any time that it is determined that the conditions for processing the data no longer exist, the user or owner of the data concerned decides, entirely on his or her own responsibility and in accordance with this policy, to erase, destroy or anonymize the personal data in question from the data storage device. In cases where a decision has to be taken on the disposal of data kept by several parties in the central information systems, the Personal Data Protection Board shall be consulted and a decision shall be made on the storage or erasure, destruction or anonymization of the personal data concerned.

4.4. All operations in which personal data are erased, destroyed or anonymized shall be documented and these documents shall be kept for at least three years, except in the case of a legal obligation.

4.5. According to Article 7(4) of the Regulation, the data controller is obliged to specify in the relevant policies and procedures which rules he/she applies for the erasure, destruction and anonymization of personal data.

4.6. The data controller is bound by the general principles set out in Article 4 of the Law and the technical and administrative measures to be adopted under Article 12, the provisions of the legislation, the decisions of the bodies and judicial decisions.

4.7. Pursuant to Article 13 of the Law, in case the data subject requests his/her personal data to be erased, destroyed or anonymized, the relevant unit shall check whether all conditions to process the personal data still apply. If all conditions to process personal data no longer exist, the personal data shall be erased, destroyed or anonymized. Pursuant to the Personal Data Disposal Policy, the data subject’s request shall be finalized within 30 days at the latest from the application date and the relevant unit shall notify the data subject. Where all the preconditions for processing have ceased to exist and the data have been transferred to a third party, the competent authority shall immediately inform the third party and ensure that it takes the necessary measures in accordance with the regulation.

4.8. Pursuant to Article 13(3) of the Law, requests from data subjects for the erasure or destruction of their data may be rejected if the conditions for processing the data have not been completely terminated, with a statement of the reasons for such rejection. The rejection shall be communicated to the applicant in writing or electronically within 30 days at the latest.

4.9. The review of requests for erasure or destruction of personal data can only proceed if the identity of the data subject has been verified.

5. ENFORCEMENT OF THE POLICY, VIOLATIONS AND SANCTIONS

5.1. This policy is binding on all units, consultants, external service providers and all those who process personal data, as of the effective date of this policy.

5.2. It is the responsibility of Unit Directors to ensure that policy requirements are fulfilled. In the event of a policy violation, the employee's supervisor will immediately report the problem to a senior manager. In the event of a serious violation, the senior manager shall immediately inform the Data Protection Board.

5.3. Appropriate administrative action will be taken against any employee who violates the policy.

5.4. To comply with this policy, all security measures shall be taken, in particular the requirements stipulated by the YÖK and the PCI/DSS standards.

6. INDIVIDUALS AND THEIR RESPONSIBILITIES FOR THE STORAGE AND DISPOSAL OF PERSONAL DATA

All employees, academic consultants, external service providers and others who store and process personal data are responsible for compliance with the requirements of laws, regulations and this policy. Each unit/department is responsible for storing and protecting the data generated in its own business process. However, if the data are only available in information systems outside the control and authority of the business unit, the entities responsible for the information systems must store the data. Periodic disposals that affect business processes and result in data integrity violations, data loss and failure to comply with legal requirements shall be carried out by information systems managers, taking into account the nature of the data and the systems in which it is stored.

7. PERSONAL DATA STORAGE AND DISPOSAL PERIODS

Annex Table 1 below shows the Personal Data Storage and Disposal Periods. Storage and disposal periods are considered for the periodic disposal or the disposals upon request. The operations listed in the personal data inventory in the table are updated by seeking the opinion of the Personal Data Protection Board in case of any doubt.

8. PERIODIC DISPOSAL PERIODS

The time limit for the periodic disposal of personal data shall be determined and laid down by the competent authorities, but shall in no case exceed 6 (six) months.

9. ENFORCEMENT

9.1. The policy shall enter into force as of the release date.

9.2. The Personal Data Protection Board is responsible for the announcement of the policy and the necessary updates.

ANNEX TABLE 1: PERSONAL DATA STORAGE AND DISPOSAL PERIODS

In the absence of a final court decision or temporary injunction, personal data shall be kept for the periods indicated in the table and then disposed of pursuant to Article 4 of the policy.

Limitation period pursuant to Article 146 of the Turkish Code of Obligations: 10 years

As required by the regulations: Periods specified in the regulations

Pursuant to Articles 66 and 68 of the Turkish Criminal Law, in case the personal data constitutes a crime or is associated with a crime: Limitation period for the lawsuit and penalty