POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

 

 

1.  INTRODUCTION

 

In 2010, Law No. 5982 amended Article 20 of the Constitution of the Republic of Turkey, effectively recognizing the right to protect personal data among other constitutional rights.

According to the added paragraph, “Everyone has the right to demand the protection of their personal data. This right also includes being informed about the data related to the person, accessing these data, requesting their correction or deletion, and learning whether they are used for their intended purposes. Personal data can only be processed in cases as put forth by the law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data are regulated by law.”

 

The scope of this constitutional right was later expanded in the Law on Personal Data Protection No. 6698 which entered into force following its publication in the Official Gazette dated April 7, 2016 and numbered 29677. It currently governs and regulates matters related to personal data protection.

 

Law No. 6698 is considered to be a legal protection device that upholds the principle of privacy and regulates personal data processing activities in accordance with international standards. It stresses that the fundamental rights and freedoms of the individual should be respected above all else during the processing of personal data. The Law also establishes the procedures and principles related to personal data processing.

 

2.  SCOPE AND PURPOSE

 

As YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi, we’d like to stress that within the Gamercard Project (“the Project,” developed to help children acquire positive habits and useful information, to teach them money management, and to nurture an understanding of charity and kindness), all personal data will be handled with utmost care so that they will be processed in full compliance with the Law on Personal Data Protection No. 6698 (hereafter referred to as “The Law” or “KVKK”).

 

For this purpose, we have created this Policy on the Protection and Processing of Personal Data (“the Policy”) in order to act in compliance with the legislation in matters related to personal data provided by parents and children.

 

3.  DEFINITIONS

 

Personal Data is any information relating to an identified or identifiable natural person.

 

Processing of Personal Data is any kind of operation on personal data, such as obtaining, recording, storing, protecting, altering, rearranging, disclosing, transferring the data; taking them over; and making them available fully or partially, by automatic or non-automatic means, to make them parts of a data filing system. This also includes operations such as classification of data or prevention of its use.


Data Subject is the natural person whose personal data is processed.

 

Explicit Consent is consent related to a specific issue, based on information and expressed with free will.

 

Data Controller is the natural person or legal entity determining the purposes and means of processing personal data. They are responsible for the setup/creation and management of the data filing system.

 

Data Processor is a natural person or legal entity processing personal data on behalf of, and with the authorization given by, the Data Controller.

 

Data Filing System is the system in which personal data is processed and structured according to certain criteria.

 

Receiving Party is the category of natural persons or legal entities to whom personal data is transferred by the data controller.

 

4.  DATA CONTROLLER AND ITS OBLIGATIONS

 

 

 

This Policy on the Protection and Processing of Personal Data is prepared in order to apply the provisions as set forth in Article 10 of the Law on Personal Data Protection (“KVKK”) titled “Obligation of the Data Controller to Inform” and Article 12 titled “Obligations Concerning Data Security.”

 

YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi will be the “Data Controller” for all personal data processing for the Gamercard mobile application. Its function in this capacity includes determining the categories of personal data to be processed, the purposes of processing the data, the means and methods of collection and the creation of the data filing system, and the recipient of the data transfer and the retention periods, all within the scope of relevant laws.

 

The Data Controller takes all necessary technical and administrative measures to ensure the required level of security in order to prevent unlawful processing of, and access to, personal data and to ensure the protection of personal data.

 

In case there are third parties authorized by the Data Controller to process data, the Data Controller will be jointly liable with said third parties in matters regarding the measures set forth above. In this context, the Data Controller meticulously takes all steps to ensure the privacy of personal data, to bring into force Confidentiality Commitments for the said third parties and take all necessary administrative and technical measures.

 

The Data Controller, within itself, does not hesitate to make, or have another entity make, the necessary inspections in order to ensure the implementation of the Law.


The Data Controller cannot unlawfully disclose the personal data it processes and will not use it outside the established processing purposes. This obligation persists even after the application is discontinued.

 

In case the processed personal data is obtained by others in unlawful ways, the Data Controller will notify the Data Subject and the Personal Data Protection Authority Board as soon as possible.

 

5.  METHOD AND MANNER OF PERSONAL DATA COLLECTION AND LEGAL GROUNDS FOR THE COLLECTION OF SUCH DATA

 

Personal data processed in the Gamercard application are collected by the Data Controller through the Gamercard application itself, in compliance with the data processing provisions of the Law.

 

Necessity of, and legal grounds for, the collection of data are:

 

      It is necessary to process personal data in case there is a contractual relationship between the application and the user. The use of data is directly related to the performance of the contract.

      The Data Subjects have made the data public themselves.

      Data processing is a necessity for the establishment, exercise or protection of a right.

      Provided that it does not harm the fundamental rights and freedoms of the Data Subject, data processing is imperative for the legitimate interests of the Data Controller.

 

6.  COOKIE POLICY

 

Cookies are small packets of data sent from website platforms and saved in the user’s web browser. When the user visits the same platform in the future, the cookie provides information about the user’s previous activity. Thus, it serves to improve the user's browsing experience on the platform by personalizing the websites.

 

For example, the information saved by the user who selects the "Remember Me" option while logging in to any platform becomes a cookie saved in the browser.

 

In the Gamercard app, cookie information is stored only to allow you easier access (login) to the system.

 

Users reserve the right to change their cookie preferences for websites where cookies are registered. They can do so by changing the settings of the browser they use on the platform--they can choose to receive a warning before the cookies are used, prevent the use of cookies altogether, or disable or delete only some cookies. However, it should be kept in mind that blocked cookies may cause some disruptions in the browsing experience. Although the preferences on this subject vary according to the browser used, you can find some useful general explanations at https://www.aboutcookies.org/.

 

To turn off cookies managed by Google Analytics: https://tools.google.com/dlpage/gaoptout

To manage the personalized advertising experience provided by Google: https://adssettings.google.com/authenticated

Preferences for cookies used by companies for advertising purposes: https://www.youronlinechoices.com/en/ad-options (Your Online Choices).

With this Policy, we aim to provide a detailed explanation about cookies and cookie preferences. In this respect, if the Gamercard application changes and starts storing other cookies related to the service, the provisions of this Policy may be subject to change, too. Any version of the Policy becomes effective on the date it is published on our website.

 

7.  THE PURPOSES OF PROCESSING PERSONAL DATA

 

      User registration

      Registration verification

      Communication with the user

      Secure access to the application

      Purchasing and money loading transactions

      Connecting and pairing parent and child accounts

      Providing means to parents to check whether assigned tasks have been completed

 

8.  THE PURPOSE OF TRANSFERRING PERSONAL DATA AND THE RECEIVING PARTIES OF SAID DATA

 

Your personal data is transferred to service providers for purposes limited to software development and software maintenance.

 

In addition, your data is indirectly transferred abroad as the Gamercard servers are located in Ireland.

 

9.  BASIC PRINCIPLES OF PROCESSING PERSONAL DATA

 

Some basic principles are adopted by the Data Controller to ensure compliance with the legislation.

 

There are basic principles regarding the processing of personal data that have been put forth in international studies and adopted in practice in many countries. Also, the Procedures and Principles Concerning the Processing of Personal Data in Article 4 of the Law No. 6698 are determined in accordance with Convention No.108 and the European Union Directive No. 95/46/EC.

 

The basic principles of the Law for the processing of personal data by Data Controllers are as follows:


      Compliance with the law and the rules of integrity,

      Being accurate and up-to-date,

      Processing for specific, explicit and legitimate purposes,

      Keeping data relevant and limited to, and adequate for, the purpose for which they are processed,

      Retaining data only for the period allowed by the Law or required by the purpose for which they are processed.

 

A)  Principle of Compliance with the Law and Integrity

Pursuant to the principle of compliance with the law and the rule of integrity and good faith, the Data Controller carries out its operations under the obligation to act in compliance with the principles set by the legislation and other regulations for the processing of personal data.

 

In accordance with the principle of compliance with the rule of integrity, the Data Controller always considers the reasonable expectations and interests of the Data Subjects, while trying to meet the standards in personal data processing. At this point, in principle, the Data Controller takes all measures necessary to prevent all kinds of results that are unexpected to the Data Subject from arising. In case the said results nevertheless arise, all necessary information will be provided to the Data Subject without delay.

 

a)  The Principle of Being Accurate and Up-to-Date

 

The Data Controller is responsible for active care in checking and examining personal data collected through the application in order to ensure that they are accurate and up-to-date.

 

b)  Principle of Processing for Specific, Explicit and Legitimate Purposes

 

The Data Controller meticulously observes the principle that the purposes of processing personal data are specific, legitimate and clear. The relevant terms of use and policies were created by the Data Controller as an extension of this principle. In these texts legal terminology is avoided as much as possible in order for everyone to clearly understand the personal data processing activities so that it is easier for all to determine the legal bases on which said activity is performed.

 

c)  The Principle of Keeping Data Relevant and Limited to, and Adequate for, the Purpose for which They Are Processed

 

The Data Controller collects personal data that are processed only for the purposes of the Project. The "data minimization policy," by which the Data Controllers are bound following the decision of the Personal Data Protection Authority, is of great importance to the Data Controller and is readily adopted.

 

d)  The Principle of Retaining Data Only for the Period Allowed by the Law or Required by the Purpose for which They Are Processed


The Data Controller determines for how long the data are to be retained according to the Law. All necessary administrative and technical measures are taken for the proper storage and retention of the data.

 

10.   THE RIGHTS OF THE DATA SUBJECT AND APPLICATIONS TO THE DATA CONTROLLER

Another obligation of Data Controllers arising from the Law is to inform the Data Subjects about their rights. In this context, according to Article 11 of the Law, the Data Subjects can make a formal application to the Data Controller to:

 

      Request information on whether their personal data are processed or not,

      Request information on what kinds of personal data were processed and how,

      Request information on the purpose of the processed data and whether they are actually used for that purpose,

      Request information on the third parties to whom personal data is transferred (within the country or abroad),

      Request correction of personal data in case they are incomplete or processed incorrectly,

      Request the deletion or destruction of personal data under Article 7,

      Request reporting of the operations carried out by third parties to whom personal data have been transferred, pursuant to sub-paragraphs (d) and (e)

      Make a complaint or an objection regarding a negative circumstance that came into being due to data processed solely through automated systems,

      Demand compensation in case of damages due to the unlawful processing of personal data

 

In accordance with the Communiqué on the Procedures and Principles for Application to the Data Controller, Data Subjects desiring to exercise their rights or to demand compensation as stipulated in Article 11 can fill the Application Form on the website www.gamercard.com and send it to Akat Mahallesi Uğur Mumcu Caddesi Mustafa Kemal Kültür Merkezi No:8 Beşiktaş/İstanbul by mail or to info@gamercard.com by e-mail.

 

11.  PROCEDURE FOR THE PROCESSING OF KVKK-RELATED APPLICATIONS

In the event that the applicant submits a request exercising the rights set forth in Section 10 of this Policy, “THE RIGHTS OF THE DATA SUBJECT AND APPLICATIONS TO THE DATA CONTROLLER”, the Data Controller will handle and process the request or complaint as soon as practically possible, and in 30 (thirty) days at most, depending on the nature of the request. However, if this requires an additional expense in accordance with the second paragraph of Article 13 of the Law, a fee may be charged on the tariff determined by the Board.


POLICY ON PERSONAL DATA RETENTION AND DISPOSAL

 

1.  INTRODUCTION AND THE PURPOSE AND SCOPE OF THE POLICY

 

Law on Personal Data Protection No. 6698 (“The Law”) entered into force in 2016, after the protection of personal data became a constitutional right in 2010. The Law upholds the principle of privacy during the processing of personal data and protects fundamental rights and freedoms. It is a legal protection device that establishes the procedures and principles regarding the protection of personal data.

 

This Policy on Personal Data Retention and Disposal is prepared by YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi for the Gamercard mobile application.

 

The purpose of preparing the Policy on Personal Data Retention and Disposal is to establish procedures for the deletion, destruction or anonymization of personal data in accordance with Law No. 6698 and other regulations.

 

This policy applies to all operations concerning the storage media of personal data, as well as the processing, retention, disposal and anonymization of personal data.

 

2.  DEFINITIONS

 

The Law/KVKK is the Law on Protection of Personal Data No. 6698, which entered into force on 07/04/2016 following its publication in the Official Gazette;

 

By-Law is the By-Law on Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette on 28/10/2017.

 

The Board, the Personal Data Protection Board,

 

Data Controllers Registry Information System (VERBIS), the information system created and managed by the KVKK authority, accessible online, that data controllers will use in their application to the Registry and other operations related to the Registry,

 

Explicit Consent is the freely expressed consent based on information and concerning a certain subject,

 

Personal Data, any information relating to an identified or identifiable natural person,

 

Sensitive Personal Data or Special Categories of Personal Data is data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and raiment, membership to associations, foundations or trade unions, health, sexual life, criminal convictions, restraining orders, and biometric and genetic data,

 

Processing of Personal Data is any kind of operation on personal data, such as obtaining, recording, storing, protecting, altering, rearranging, disclosing, transferring the data; taking them over; and making them available fully or partially, by automatic or non-automatic means, to make them parts of a data filing system. This also includes operations such as classification of data or prevention of its use.

 

Disposal is the deletion, destruction or anonymization of personal data.

 

-        The process of deleting personal data is rendering the data unusable in any way

 

-        The process of destroying personal data is making the data inaccessible, unrecoverable and unusable by anyone in any way.

 

-        Making it anonymous is making it impossible to associate with an identified or identifiable natural person, even by matching it with other data.

 

Recording Medium/Media is any medium/media in which personal data are processed wholly or partially, automatically or non-automatically, to make them part of a data filing system,

 

Electronic Recording Medium/Media is the medium/media where personal data can be created, read, changed and written with electronic devices,

 

Non-Electronic Recording Medium/Media is all written, printed, visual etc. media other than electronic media

 

Personal data processing inventory is the inventory in which the data controllers log their personal data processing activities. They detail the personal data processing purposes and legal reasons, the data category, the receiving party, and the data subject group. They also detail the maximum retention period, the data to be transferred abroad and the measures taken regarding data security,

 

Policy on Personal Data Retention and Disposal is the policy that Data Controllers use to determine the maximum retention period required for the purpose for which personal data is processed, and also to establish the procedures for the deletion, destruction and anonymization of personal data,

 

Periodic disposal is the deletion, destruction or anonymization operations at certain intervals specified in the Policy on Personal Data Retention and Disposal, carried out ex-officio when no valid legal and contractual grounds remain for personal data to be collected, processed, and retained,

 

Data filing system refers to the system in which personal data is processed and structured according to certain criteria.

 

Data Controller is the natural person or legal entity determining the purposes and means of processing personal data. They are responsible for the setup/creation and management of the data filing system.

 

Data Processor is a natural person or legal entity processing personal data on behalf of, and with the authorization given by, the Data Controller.


Relevant User is the person who processes personal data within the organization of the data controller or with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

 

Receiving Party is the category of natural persons or legal entities to whom personal data is transferred by the data controller.

 

Data Subject is the natural person whose personal data is processed.

 

Direct identifiers are identifiers that, by themselves, directly reveal, disclose and make distinguishable a natural person.

 

Indirect identifiers are identifiers that come together with other identifiers to reveal, disclose and make distinguishable a natural person.

 

Anonymization of data is rendering data impossible to be associated with an identified or identifiable person, even when matched with other data.

 

3.  GENERAL INFORMATION AND BASIC PRINCIPLES

 

i.  In the event that no contractual relationship remains that apply to Articles 5 and 6, personal data is deleted, destroyed or anonymized ex officio or upon the request of the Data Subject, by YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi, acting as the Data Controller.

 

ii.  Requests by the Data Subjects to exercise their rights in Article 11 of the Law are processed within 30 (thirty) days at the latest and the Data Subjects are informed about the result.

 

iii.  Gamercard mobile application is in compliance with the general principles in Article 4 of the Law, the technical and administrative measures within the scope of Article 12, the provisions of the relevant legislation, the Board decisions and the Policy on Personal Data Retention and Disposal for the deletion, destruction or anonymization operations of personal data.

 

 

iv. Unless there is a decision by the Board to the contrary, YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi, acting in the Data Controller capacity, chooses the appropriate method of ex-officio deletion, destruction or anonymization of personal data. However, the Data Subject may demand a certain method and have the Data Controller employ it, provided that they give reasons for demanding that particular method.

 

v. With respect to the data processed through the Gamercard mobile application, all units and employees of YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi work responsibly in order to put in effect all administrative and technical measures to protect personal data, to prevent the data from being processed unlawfully, and to keep all activities and operations in compliance with the Law.


4.  RECORDING MEDIA

 

Personal data of the Data Subjects are securely stored in the media listed below, in compliance with the relevant legislation, especially the provisions of the KVKK, and in accordance with international data security principles:

 

A.    ELECTRONIC MEDIA

 

i.                 Servers (Domain, backup, email, database, web, file sharing, etc.)

 

ii.               Software (office software, accounting software)

 

iii.             Data security devices (firewall, attack detection and prevention, log file, antivirus, etc.)

 

iv.             Personal computers (Desktop, laptop)

 

v.               Mobile devices (phone, tablet, etc.)

 

vi.             Optical discs (CD, DVD, etc.)

 

vii.            Removable media (USB, Memory Card etc.)

 

viii.          Printer, scanner, copier

 

ix.             License Plate Recognition Systems

 

B.    NON-ELECTRONIC MEDIA

 

i.                 Paper

 

ii.               Manual data filing systems (questionnaire sheets, visitor logbooks)

 

iii.             Written, printed, visual media

 

5.  REASONS FOR THE RETENTION AND DISPOSAL OF PERSONAL DATA

 

Personal data belonging to Data Subjects are stored securely in physical and/or electronic media and as specified in the KVKK and other relevant legislation by the YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi as the Data Controller for accessibility and continuity of the mobile application. More clearly, the purposes and reasons for data retention are as follows:

Purposes

 

      User registration

      Registration verification

      Communication with the user

      Secure access to the application

      Purchasing and money loading transactions

      Connecting and pairing parent and child accounts

      Providing means to parents to check whether assigned tasks have been completed

 

Legal Basis

 

      Law No. 6698 for the Protection of Personal Data,

      Other relevant laws and regulations

 

Data Subjects can choose to exercise their rights mentioned in Article 11 of the Law¹ and request the deletion, destruction or anonymization of their data from the Data Controller.

YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi, acting in the Data Controller capacity, will delete, destroy or anonymize the data ex-officio or upon request in the following conditions:

 

i.                 The Data Subject, in accordance with the rights in Article 11, makes a formal application to the Data Controller but the Data Controller doesn’t respond to or process the request, rejects the application, or provides insufficient response, whereupon the Data Subject makes a formal complaint to the Board and the Board approves the request by the Data Subject,

ii.               Even though personal data was processed with explicit consent, the Data Subject now withdraws this explicit consent,

iii.             The maximum period for keeping personal data has expired and there are no circumstances to justify the further retention of personal data,

iv.             The provisions of relevant legislation that are the basis of the operations concerning the processing and retention of personal data are amended or revoked,

v.               The purpose that required the processing or retention of personal data no longer exists,

vi.             The conditions put forth in Articles 5 and 6 of the Law that require the processing of data no longer apply.

 

6.  TECHNICAL AND ADMINISTRATIVE MEASURES

 

 



1 Rights of the Data Subjects

 

Everyone can make a formal application to the Data Controller to;

 

        Request information on whether their personal data are processed or not,

        Request information on what kinds of personal data were processed and how,

        Request information on the purpose of the processed data and whether they are actually used in accordance with that purpose,

        Request information on the third parties to whom personal data is transferred (within the country or abroad),

        Request correction of personal data in case they are incomplete or processed incorrectly,

        Request the deletion or destruction of personal data under Article 7,

        Request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,

        Make a complaint or an objection regarding a negative circumstance that came into being due to data processed solely through automated systems,

       Demand compensation in case of damages due to the unlawful processing of personal data


Administrative and technical measures taken by the Data Controller for the safe retention and lawful disposal of personal data, and the prevention of unlawful processing and access, are as follows.

 

As administrative and technical measures for the protection of personal data collected through, and for use by, the Gamercard mobile application, we:

 

      Identified the risks and determined the necessary measures.

      Trained our employees and created an awareness of the obligations involved.

      Established personal data security policies and procedures.

      Minimized the amount of personal data to be processed.

      Meet at least the minimum required level of security in all Data Processor activities.

      Sign data protection agreements and confidentiality commitments (between Data Controller-Data Controller and Data Controller-Data Processor).

      Perform in-house periodic and/or random audits.

      Engage in organizational communication (crisis management; reputation management; informing the Board and Data Subjects)

      Created an authorization matrix.

      Provide network security.

      Provide software security.

      Use encryption.

      Perform network penetration tests.

      Use attack detection and prevention systems.

      Keep logs.

      Use data masking.

      Use data loss prevention software.

      Back up personal data and apply security measures to backups.

      Use firewalls.

      Use up-to-date antivirus systems.

      Use key management systems.

      Provide cyber security.

      Monitor the security of personal data.

      Ensure security of the media that contain personal data.

      Ensure security of the data stored in the cloud.

      Procure, develop and maintain IT systems.

 

7.  RETENTION PERIODS AND DISPOSAL

 

YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi, as the Data Controller, uses the following criteria to determine the retention periods and disposal times of your personal data obtained in compliance with the provisions of the Law and all other relevant regulations:

 

1.     We comply with the time periods determined by the law or regulations regarding the retention and disposal of personal data. Following the expiry of the said period, the data is processed pursuant to the second paragraph.

2.     In the event that the period determined by the law or regulations regarding the retention of the said personal data expires, or if no period has been determined for the retention of the said personal data, the following steps are taken:


i.       All personal data determined to be of the special category as set by Article 6 of the Law will be destroyed. The method of destruction of the said data is determined according to the nature of the data and the importance of its retention to the Gamercard mobile app.

ii.     Retention of the data will be considered according to the principles specified in Article 4 of the Law. Data whose retention violates the law will be deleted, destroyed or anonymized.

iii.   Retention of the data will be considered in light of the exceptions set in Articles 5 and 6 of the Law. Within the context of identified exceptions, the Data Controller will determine reasonable periods to retain the data. Following the expiration of said periods, the data will be deleted or destroyed.

 

8.  MANNERS AND METHODS OF THE DISPOSAL OF PERSONAL DATA

 

1.     Deletion of Personal Data

 

Deletion of personal data is the process of making personal data inaccessible and non-reusable by Relevant Users. YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi, as the Data Controller, takes all necessary technical and administrative measures to ensure that deleted personal data is inaccessible and non-reusable by the relevant users.

 

Since personal data can be stored on various recording media, the methods of disposal need to be appropriate for each recording medium. The methods we employ are detailed below:

 

1.1.  Cloud Software Solutions as Services

 

In the cloud system, data is deleted by an explicit delete command. The relevant user does not have the authorization to restore the deleted data on the cloud system.

 

1.2.  Personal Data on Paper Media

 

Blacking out is performed in the form of cutting out the personal data on the documents when possible, and in cases where not possible, making it unintelligible to the relevant users by using marking ink, rendering it unreadable even by technological processing.

 

1.3.  Data on the Central Server

 

Either the data are deleted with the delete command in the operating system or the authorization of the relevant user to access the file or the directory is removed. The said relevant user is not the system administrator.

 

1.4.  Personal Data in Flash Storage

 

Personal data in flash storage media are encrypted, and they are deleted using software specific to these media.

 

1.5.  Databases


Relevant lines containing personal data are deleted with database commands (DELETE etc.). The relevant user performing the deletion is not the system administrator.

 

2.  Disposal of Personal Data

 

Disposal of personal data means rendering personal data inaccessible, unrecoverable and non-reusable by anyone. The Data Controller takes all necessary technical and administrative measures to ensure that the personal data is properly disposed of.

 

For the disposal, first, all media that contain the personal data are identified. Afterwards, depending on the type of the system involved, the following methods are employed.

 

2.1.  Local Systems

 

One or more of the following methods are used to destroy the data on local systems.

 

2.1.1.  Demagnetizing

 

The magnetic media is passed through a special device and exposed to a strong magnetic field, which corrupts the data on it so that it becomes unreadable.

 

2.1.2.  Physical Destruction

 

Optical and magnetic media are physically destroyed by melting, incinerating or pulverizing them, or by destroying them in a metal grinder, which renders the data inaccessible.

 

If overwriting or demagnetization of solid-state discs is not successful, they are physically destroyed as well.

 

2.1.3.  Overwriting

 

It is the process of making former data unrecoverable by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media. This is done using special software.

 

2.2.  Peripheral Devices and Systems

 

Depending on the media type, the disposal methods used are as follows:

 

2.2.1.  Network devices (switches, routers, etc.)

 

The storage media inside these devices are fixed. Products often have a delete command but no destroy feature. They are destroyed by using one or more of the methods specified under local systems.

 

2.2.2.  Flash storage media


Flash-based hard drives with ATA (SATA, PATA, etc.) or SCSI (SCSI Express, etc.) interfaces can be wiped by using the 'block erase' command, if supported. If not, the manufacturer's recommended destruction method or a local system destruction method is employed.

 

2.2.3.  Magnetic tape

 

Magnetic tape stores data on micro magnet pieces on a flexible band. It is destroyed by demagnetization in a very strong magnetic field or by physical destruction methods such as burning and melting.

 

2.2.4.  Units such as magnetic discs

 

These store data on micro magnet pieces on flexible (plate) or fixed media. They are destroyed by demagnetization in a very strong magnetic field or by physical destruction methods such as burning and melting.

 

2.2.5.  Mobile phones (Sim cards and fixed memory)

 

The fixed memory in portable smartphones has a delete command, but most do not have a destroy command. It is destroyed by one or more of the local system destruction methods.

 

2.2.6.  Optical discs

 

These are data storage media such as CDs and DVDs. They are destroyed by physical destruction methods such as burning, breaking or melting.

 

2.2.7.  Peripheral devices with removable data recording media, such as printers and fingerprint door access control systems

 

All data recording media are removed and destroyed by one or more of the local system destruction methods, depending on their properties.

 

2.2.8.  Peripheral devices with fixed data recording media, such as printers and fingerprint door access control systems

 

Most of these systems have a delete command, but no destroy command. They are destroyed by one or more of the local system destruction methods.

 

2.3.  Paper and Microfiche Media

 

Since data is permanently and physically written on these media, they are physically destroyed. For this operation the medium is torn into very small pieces using paper shredders or clipping machines to prevent restoration.

 

Personal data transferred from the original paper format to the electronic environment by scanning are destroyed by one or more of the local system destruction methods, depending on where they are stored.


2.4.  The Cloud

 

The data stored in the cloud systems are encrypted with cryptographic methods and separate encryption keys are used for each cloud solution. When the cloud service relationship ends, all copies of encryption keys that may render personal data usable are also destroyed.

 

In addition to the above-mentioned media, personal data in devices that have malfunctioned or are to be sent to repair/maintenance are destroyed by one or more of the following methods:

 

i.                 The personal data in these devices are destroyed by one or more local system destruction methods before the devices are sent to third parties such as manufacturers, vendors, and tech services.

ii.               When it is not possible or appropriate to destroy the data storage medium, it is disassembled and only the defective parts are sent to third parties such as manufacturers, vendors, and tech services.

iii.             All necessary measures are taken in order to prevent unlawful copying of data by the tech staff outsourced and brought to the premises for repair and maintenance purposes.

 

3.  Anonymization of Personal Data

 

Anonymization of personal data means making them impossible to associate with an identified or identifiable natural person under any circumstances, even when matched with other data.

 

In order for personal data to be anonymous, they must be rendered impossible to associate with an identified or identifiable natural person, even by using data recovery or data matching techniques suited to the recording medium and the relevant operations.

 

7. TITLE, UNIT AND JOB DESCRIPTION LIST FOR THE EMPLOYEES BOUND BY THE POLICY ON PERSONAL DATA RETENTION AND DISPOSAL

 

All units and employees of the Data Controller actively support the units responsible for taking administrative and technical measures for data security in order to prevent unlawful processing of personal data and unlawful access to personal data, and also to ensure lawful retention of personal data, by training and monitoring employees, increasing their awareness, performing inspections, and by ensuring that all technical and administrative measures are actually in effect.

 

The titles, units and job descriptions of those involved in the retention and disposal of personal data are given in the table below.

 

| STAFF TITLE AND UNIT | TASK | RESPONSIBILITY |
|---|---|---|
| LAWYER, LAW DEPARTMENT | IMPLEMENTATION OF THE POLICY ON PERSONAL DATA RETENTION AND DISPOSAL | ENSURING THAT PERSONAL DATA ARE RETAINED FOR THE LEGALLY DETERMINED PERIOD OF TIME, OVERSEEING THE PERIODIC DISPOSAL OPERATIONS |
| DATA PROCESSING MANAGER, DATA PROCESSING DEPARTMENT | IMPLEMENTATION OF THE POLICY ON PERSONAL DATA RETENTION AND DISPOSAL | ENSURING THAT PERSONAL DATA ARE RETAINED FOR THE LEGALLY DETERMINED PERIOD OF TIME, OVERSEEING THE PERIODIC DISPOSAL OPERATIONS |


 

10.  TABLE OF RETENTION PERIODS AND DISPOSAL TIMES

 

The Retention and Disposal Table for the personal data we process in our operations is provided below.

 

 

| ACTIVITY | RETENTION PERIOD | DISPOSAL TIME |
|---|---|---|
| REGISTRATION | Retained until deleted by the user, in order to maintain continuity of the service and the application | The next disposal following the expiry of the retention period. |
| LOGIN | Retained until deleted by the user, in order to maintain continuity of the service and the application | The next disposal following the expiry of the retention period. |
| PURCHASING | Retained until deleted by the user, in order to maintain continuity of the service and the purchasing/fund loading process | The next disposal following the expiry of the retention period. |
| ACCESS | Retained until deleted by the user, in order to maintain continuity of the service and the application, and to connect/pair parent and child accounts | The next disposal following the expiry of the retention period. |
| PROFILE CREATION | Retained until deleted by the user, in order to maintain continuity of the service and the application | The next disposal following the expiry of the retention period. |
| TASK ASSIGNMENT | Retained until deleted by the user, in order to maintain continuity of the service and the application | The next disposal following the expiry of the retention period. |


11.  UPDATES

 

The changes made to this policy according to the laws, by-laws, other regulations, and decisions by YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi, acting in the Data Controller capacity, are provided in the table below.

 

| DATE OF UPDATE | BASIS | SCOPE OF CHANGE |
|---|---|---|
|  |  |  |

12.  PERIODIC DISPOSAL

 

Pursuant to Article 11 of the By-Law, the Authority has determined the period of destruction as 1 year. Therefore, the periodic destruction is carried out every June by the Data Controller.

 

 

13.  POLICY’S PUBLICATION, STORING, AND UPDATES

 

The policy is kept on two different media, one on printed paper with wet-ink signatures, the other on an electronic medium. It is reviewed and updated as necessary. YBN Teknoloji Danışmanlık ve Dış Ticaret Anonim Şirketi, acting in the Data Controller capacity, has the right to make amendments to this policy. Amendments are to be announced at the website.

 

This policy is deemed to have entered into force on the date of signature.

 

All rights of this text are reserved. No part of it may be copied or reproduced without prior permission from the Gamercard executives.

 

Gamercard executives reserve the right to make amendments to this text. All amendments will be announced at the website www.gamercard.com.
