Privacy Policy
This page contains the full personal data protection, processing, retention, and destruction policy of Dizaynvip Teknoloji Bilişim Ve Otomotiv Sanayi Anonim Şirketi.
I. INTRODUCTION
1.1. Purpose of the Policy
The purpose of this Policy is to determine the principles regarding the processing, protection, storage, and, when necessary, destruction of personal data obtained by Dizaynvip Teknoloji Bilişim Ve Otomotiv Sanayi Anonim Şirketi (“Company”) in accordance with Article 20 of the Constitution titled “Privacy of Private Life”, Personal Data Protection Law No. 6698 (“Law”), and the provisions of the regulations and communiqués in force, primarily the protection of the fundamental rights and freedoms of data subjects (customer, potential customer, visitor, business partner, employee, employee candidate, former employee, third-party company employee, etc.).
1.2. Scope of the Policy
Considering that any operation relating to any information concerning an identified or identifiable natural person, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of such information, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system, by the Company acting as data controller, is deemed to be a data processing activity, the scope of this Policy is to set out the procedures and principles for the data processing activities carried out by the Company.
1.3. Application of the Policy and Relevant Legislation
This Policy has been prepared in compliance with the applicable legislation and with the rules set out in the regulations, communiqués, decisions, and guidelines published by the Board, primarily including the Turkish Code of Obligations No. 6098, Turkish Commercial Code No. 6102, Personal Data Protection Law No. 6698, Law No. 6563 on the Regulation of Electronic Commerce, the Regulation on the Data Controllers Registry numbered 30286, the Regulation on the Deletion, Destruction or Anonymization of Personal Data numbered 30224, and the Regulation on the Processing of Personal Health Data and Protection of Privacy.
If, after the publication date of the Policy, the Law or other relevant legislation is amended and the Policy becomes incompatible with such amendment, the amended provisions and rules shall apply. All communiqués, decisions, and guidelines published by the Board are followed by the Company, and the rules set out in the Policy are kept up to date.
1.4. Entry into Force of the Policy
The Policy has been published on the Company’s website at https://dtec.app/tr and entered into force on the date of publication.
II. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
2.1. Ensuring the Security of Personal Data
According to Article 12 of Law No. 6698, the data controller is obliged to take all necessary administrative and technical measures to ensure an appropriate level of security in order to:
- Prevent unlawful processing of personal data,
- Prevent unlawful access to personal data,
- Ensure the preservation of personal data.
For these reasons, the Company implements security measures to prevent the unlawful processing, transfer to third parties, and disclosure of personal data, as well as unauthorized access and other security deficiencies arising in other ways. Explanations regarding the administrative and technical measures taken are provided in Section VI. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA.
2.2. Protection of Special Categories of Personal Data
Data that, by their nature, are sensitive and may cause victimization or discrimination against the data subject if obtained by third parties are accepted as special categories of personal data under the Law. Special categories of personal data consist of data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. As a rule, the processing of special categories of personal data is prohibited and may only take place in cases limited by law.
The Company takes all necessary measures to protect special categories of personal data, and it is essential that such data be obtained and processed as little as possible.
III. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA
3.1. Processing of Personal Data in Accordance with the Principles Set Forth in Legislation
Pursuant to Article 4 of the Law, the principles to be applied in the processing of your personal data are as follows:
- Compliance with the law and the principles of honesty,
- Being accurate and up to date when necessary,
- Processing for specific, explicit, and legitimate purposes,
- Being relevant, limited, and proportionate to the purpose for which they are processed,
- Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
3.2. Conditions for Processing Personal Data
Personal data obtained by the Company may not be processed without the explicit consent of the relevant person, except for the exceptions provided by the Law.
3.3. Exceptions to the Obligation to Obtain Explicit Consent
a) Explicitly provided for by law
One of the conditions for data processing is that it is explicitly provided for by law. Provisions in the law stating that personal data may be processed may constitute a processing condition. In such a case, the explicit consent of the relevant person is not required.
b) Actual impossibility
Where the person is unable to express consent due to actual impossibility or where their consent is not legally valid, personal data may be processed without explicit consent if it is necessary to protect the life or physical integrity of that person or another person.
c) Directly related to the establishment or performance of a contract
If processing is necessary for the establishment of a contract to which the data subject is a party or for the performance of that contract, personal data may be processed without obtaining explicit consent.
d) Fulfilment of the Company’s legal obligation
Personal data may be processed without explicit consent for the purpose of fulfilling the legal obligations that the Company must perform in its capacity as data controller.
e) Data made public by the relevant person
Personal data made public by the relevant person, in other words personal data disclosed to the public in any way, may be processed without explicit consent. Even in this case, the personal data made public cannot be used for purposes other than the one for which they were made public.
f) Necessity for the establishment, exercise, or protection of a right
Where it is necessary for the establishment, exercise, or protection of a right, personal data may be processed without the explicit consent of the relevant person.
g) Necessity for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person
If the processing of personal data is necessary for the data controller and the processing activity will not harm the fundamental rights and freedoms of the relevant person, personal data may be processed without explicit consent.
The legitimate interest of the data controller is directed toward the benefit and advantage to be obtained as a result of the processing to be carried out. The benefit to be obtained by the data controller must relate to a legitimate interest that is specific, effective enough to compete with the fundamental rights and freedoms of the relevant person, and already existing. The processing must be related to the current activities of the data controller and be expected to provide benefit in the near future.
3.4. Processing of Special Categories of Personal Data
The processing of special categories of personal data is subject to Article 6 of the Law. Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data, are special categories of personal data. The data within this scope are limited in number and cannot be expanded by interpretation. By their nature, special categories of personal data are data that may cause discrimination and victimization to the relevant person if learned by others. Therefore, they must be protected much more strictly than other personal data.
Special categories of personal data may be processed if the relevant person has given explicit consent, where explicitly provided for by law, where necessary to protect the life or physical integrity of a person who cannot express consent due to actual impossibility or whose consent is not legally valid, where related to personal data made public by the relevant person and in line with the intention of making them public, where necessary for the establishment, exercise, or protection of a right, where necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, or the planning, management and financing of health services by persons under a duty of confidentiality or authorized institutions and organizations, where necessary for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance, or where processed by foundations, associations and other non-profit organizations or entities established for political, philosophical, religious or trade union purposes, provided that they act in accordance with the legislation and purposes to which they are subject, remain limited to their fields of activity, are not disclosed to third parties, and concern their current or former members and affiliates or persons who are in regular contact with such organizations and entities. In addition, adequate measures determined by the Personal Data Protection Authority must be taken in the processing of special categories of personal data.
3.5. Informing and Notifying the Personal Data Subject
During the collection of personal data, data subjects are informed by the Company acting as data controller or by persons authorized by the Company. The procedures and principles regarding this information are set out in the information notices published by the Company concerning the processing of personal data, and such information essentially includes the following elements:
- The identity of the data controller and, if any, its representative,
- The purpose for which personal data will be processed,
- To whom and for what purpose personal data may be transferred,
- The method and legal basis of collecting personal data,
- The rights of the relevant person as set out in Article 11 of the Law.
a) Purposes of processing personal data
Personal data are processed for specific, explicit, and legitimate purposes and on the basis of informing data subjects. The purposes observed in the processing of personal data obtained by the Company for each category of relevant person are set out in the relevant sections of the information notices available on our website.
b) Persons to whom personal data are transferred and purposes of transfer
Within the scope of the data controller’s obligation to inform the data subject, the persons to whom personal data are transferred and the purposes of transfer must be clearly stated. Personal data cannot be transferred to third parties without the explicit consent of the data subject. The recipient groups and purposes of transfer of personal data by the Company are shown in Section IV. TRANSFER OF PERSONAL DATA.
c) Method and legal basis of personal data collection
In accordance with Articles 5 and 6 of the Law, the data controller must clearly specify which personal data processing condition forms the basis of the processing. The method and means of data collection are determined by the data controller. The conditions for processing personal data, that is, the grounds of lawfulness, are listed in a limited number in the Law (Articles 5 and 6) and cannot be expanded.
The Company, acting as data controller, first evaluates whether the purpose of the personal data processing activity relies on one of the processing conditions other than explicit consent. If this purpose does not meet at least one of the conditions other than explicit consent specified in the Law, then the Company proceeds to obtain the person’s explicit consent in order to continue the processing activity.
IV. TRANSFER OF PERSONAL DATA
4.1. Domestic Transfer
Personal data may not be transferred without the explicit consent of the relevant person. However, if one of the conditions specified in paragraph 2 of Article 5 and, provided that adequate measures are taken, paragraph 3 of Article 6 exists, transfer may be made without seeking the explicit consent of the relevant person.
Information regarding the recipient groups to which your personal data processed by the Company are transferred is included in Appendix 3 of this Policy: Third Parties to Which Personal Data Are Transferred and Purposes of Transfer.
4.2. International Transfer
- Personal data may be transferred abroad where one of the conditions specified in Articles 5 and 6 exists and there is an adequacy decision regarding the country, sectors within the country, or international organizations to which the transfer will be made.
- If there is no adequacy decision, personal data may be transferred abroad by data controllers and data processors provided that one of the conditions specified in Articles 5 and 6 of the Law exists, the relevant person has the opportunity to exercise their rights and to apply to effective legal remedies in the country to which the transfer will be made, and one of the appropriate safeguards listed below is provided by the parties:
- If there is no adequacy decision and none of the prescribed appropriate safeguards can be provided, personal data may be transferred abroad only on an occasional basis in the presence of one of the following cases:
Appropriate Safeguards
- The existence of an agreement that is not in the nature of an international treaty between public institutions and organizations abroad or international organizations and public institutions and organizations in Türkiye or professional organizations with public institution status, and permission for the transfer being granted by the Board.
- The existence of binding corporate rules approved by the Board and containing provisions on the protection of personal data that companies within a group of undertakings engaged in joint economic activity are required to comply with.
- The existence of a standard contract announced by the Board that includes matters such as data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, and additional safeguards for special categories of personal data.
- The existence of a written undertaking containing provisions that will provide sufficient protection and permission for the transfer being granted by the Board.
Occasional Cases
- The relevant person gives explicit consent to the transfer, provided that they are informed about possible risks.
- The transfer is necessary for the performance of a contract between the relevant person and the data controller or for the implementation of pre-contractual measures taken at the request of the relevant person.
- The transfer is necessary for the establishment or performance of a contract to be made between the data controller and another natural or legal person for the benefit of the relevant person.
- The transfer is necessary for an overriding public interest.
- The transfer of personal data is necessary for the establishment, exercise, or protection of a right.
- The transfer of personal data is necessary to protect the life or physical integrity of a person who is unable to express consent due to actual impossibility or whose consent is not legally valid.
- The transfer is made from a registry open to the public or to persons with a legitimate interest, provided that the conditions required by the relevant legislation for access to the registry are met and the person with the legitimate interest requests the transfer.
V. PURPOSES OF PERSONAL DATA PROCESSING BY THE COMPANY
Personal data obtained by the Company are processed lawfully within the purposes specified in Articles 5 and 6 of the Law.
VI. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
The Company takes administrative and technical measures to ensure that personal data are stored securely and to prevent unlawful processing of and access to personal data.
Pursuant to subparagraphs (b) and (d) of paragraph 2 of Article 4 of the Law, personal data must be accurate and up to date when necessary and must be retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed. Within this scope, the processed data are processed in accordance with the principles and rules that must be observed in data processing activities and are retained for as long as necessary for the purposes for which they are processed. Information regarding the retention and destruction procedure and retention periods for personal data processed by the Company is provided in Section VIII. RETENTION AND DESTRUCTION OF PERSONAL DATA and Appendix 4: Retention Periods for Personal Data.
In order to ensure personal data security, the Company determines what personal data are processed and the probability of the risks that may arise in relation to the protection of such data; while identifying these risks, it takes into account whether the personal data are special categories of personal data, the degree of confidentiality they require by their nature, and the nature and extent of the harm that may arise for the relevant person in the event of a security breach.
After identifying these risks and determining their priority, control and solution alternatives aimed at reducing or eliminating such risks are evaluated in line with the principles of cost, applicability, and utility, and the necessary technical and administrative measures are planned and implemented within the framework of the Law.
Within this scope, the Company takes the following administrative and technical measures for the protection of personal data:
- Network security and application security are ensured.
- The security of personal data stored in the cloud is ensured.
- Corporate policies regarding access, information security, use, retention, and destruction have been prepared and put into practice.
- Confidentiality undertakings are executed.
- The authorities of employees who change duties or leave employment in this field are revoked.
- Up-to-date anti-virus systems are used.
- Personal data security policies and procedures have been established.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data is ensured against external risks such as fire and flood.
- The security of environments containing personal data is ensured.
- Personal data are minimized as much as possible.
- Personal data are backed up, and the security of backed-up personal data is also ensured.
- A user account management and authorization control system is implemented and monitored.
- Periodic and/or random internal audits are carried out or commissioned.
- Log records are kept in a way that does not allow user intervention.
- Cybersecurity measures have been taken and their implementation is continuously monitored.
- Data processors and service providers are audited at certain intervals regarding data security.
- Disciplinary regulations containing data security provisions exist for employees.
- Employees receive periodic training and awareness activities regarding data security.
- Protocols and procedures for the security of special categories of personal data have been determined and implemented.
- Secure encryption / cryptographic keys are used for special categories of personal data and managed by different units.
- Signed contracts contain data security provisions.
- Encryption is applied.
VII. PERSONAL DATA PROCESSING ACTIVITY CARRIED OUT AT BUILDING ENTRANCES AND INSIDE THE BUILDING
Monitoring Activities by Camera at Building Entrances and Inside the Building
Camera monitoring activities are carried out at the Company entrance and inside the Company in order to ensure security and to protect the interests related to the security of the Company and other persons. Camera monitoring is conducted in compliance with the Law and within the scope of the data processing conditions listed both in the Law and in this Policy.
VIII. RETENTION AND DESTRUCTION OF PERSONAL DATA
8.1. Retention and Destruction of Personal Data
Your personal data held by the Company are retained for as long as the data processing activity remains necessary; if an obligation arises to delete, destroy, or anonymize personal data, they are deleted, destroyed, or anonymized within the first periodic destruction period following the date on which that obligation arises. In the deletion, destruction, or anonymization of your personal data, the general principles set out in Article 4 of the Law and the technical and administrative measures set out in Article 12 are complied with.
The period during which periodic destruction is carried out is limited to a maximum of 1 year. All transactions regarding the deletion, destruction, or anonymization of personal data are recorded by the Company and retained for at least 3 years due to legal obligation. The retention periods for personal data processed by the Company are shown in Appendix 4.
The personal data specialist appointed by the Company with respect to the retention and destruction of data is the person responsible for carrying out and supervising the personal data retention and destruction policy.
8.2. Obligation to Delete, Destroy, and Anonymize Personal Data
Personal data processed by the Company are deleted, destroyed, or anonymized ex officio or upon the request of the relevant data subject if the reasons requiring their processing disappear, in accordance with Article 7 of the Law and the provisions of the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017 and numbered 30224 by the Personal Data Protection Board.
Deletion of personal data
Deletion of personal data is the process of making personal data inaccessible and unusable in any way for the relevant employees.
All necessary technical and administrative measures are taken to ensure that deleted personal data are inaccessible and unusable again.
Destruction of personal data
Destruction of personal data is the process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.
All technical and administrative measures are taken to ensure that personal data are inaccessible, irretrievable, and unusable by anyone in any way.
Anonymization of personal data
Anonymization of personal data is the process of making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even if matched with other data.
While all technical and administrative measures are taken to anonymize your personal data, anonymization is carried out by applying methods in accordance with our personal data retention and destruction policy.
8.3. Personal Data Recording Environments
A personal data recording environment refers to any environment in which personal data processed wholly or partially by automatic means or by non-automatic means provided that it is part of any data recording system are located.
Personal data relating to relevant persons are stored securely by the Company in the following recording environments in accordance with the provisions of the Law, the relevant legislation, and international data security principles:
- Technical recording environments: computer environments, central servers, removable memories (USB, memory card, etc.), information security devices and software.
- Non-technical recording environments: paper, manual recording systems, written, printed, and visual media.
8.4. Reasons Requiring the Destruction of Personal Data
Personal data relating to relevant persons are destroyed by the Company, including but not limited to the following grounds:
- The general principles set out in Article 4 of the Law,
- Amendment of the relevant legislation forming the basis for the processing,
- Withdrawal of explicit consent by the relevant person in cases where the processing of personal data is based solely on explicit consent,
- A request by the relevant data subject for the destruction of personal data,
- Expiry of legal obligations regarding the retention of personal data,
- Disappearance of the purpose requiring the processing or retention of personal data,
- Expiry of the maximum period requiring the retention of personal data and the absence of any justified reason to continue retaining them.
8.5. Techniques for Deleting, Destroying, and Anonymizing Personal Data
The techniques for deleting, destroying, or anonymizing personal data processed by the Company are set out below, and which technique will be applied may vary depending on the nature of the personal data processed.
During the deletion, destruction, or anonymization of personal data, necessary administrative and technical measures are taken, such as informing employees about information security and destruction processes, selecting the most appropriate method depending on the nature of the recording environment in which personal data are kept, carrying out regular and periodic maintenance and monitoring activities regarding data security, using the most up-to-date technologically and technically necessary destruction systems, issuing automatic deletion commands, and removing authority to access, reuse, or recover deleted data.
For this purpose, the following methods are applied: first, identifying the personal data subject to deletion, destruction, or anonymization; identifying the relevant employees for each personal data item using an access authorization and control matrix or a similar system; determining the relevant employees’ authorities and methods such as access, recovery, and reuse; and closing and eliminating the relevant employees’ authorities and methods regarding access, recovery, and reuse of personal data.
IX. RIGHTS OF THE PERSONAL DATA SUBJECT AND EXERCISE OF RIGHTS
9.1. Rights of the Personal Data Subject
Pursuant to Law No. 6698, as a data subject, you have the right to:
- Learn whether your personal data are processed,
- Request information if your personal data have been processed,
- Learn the purpose of processing your personal data and whether they are used in accordance with that purpose,
- Know the third parties to whom personal data are transferred domestically or abroad,
- Request the rectification of personal data if they have been processed incompletely or incorrectly,
- Request the deletion or destruction of your personal data within the framework of the conditions set out in Article 7,
- Request that the actions taken regarding the rectification of incomplete or incorrect processing and the deletion or destruction of data be notified to the third parties to whom personal data have been transferred,
- Object to a result that is to your detriment arising from the analysis of your processed data exclusively through automated systems,
- Claim compensation for damages if you suffer loss due to the unlawful processing of your personal data.
9.2. Exercise of the Rights of the Personal Data Subject and Our Company’s Responses to Applications
If, as a personal data subject, you submit your requests regarding your rights by the methods specified in the Communiqué on the Procedures and Principles of Application to the Data Controller, which entered into force upon publication in the Official Gazette dated 10 March 2018 and numbered 30356, the Company will finalize the request free of charge as soon as possible and no later than thirty days, depending on the nature of the request. This period may not exceed 30 days from the date your application is served on the Company. If additional information and documents are requested due to deficiencies or unclear statements in your application, the response period does not run until such additional information and documents are served on us. If the process requires an additional cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board.
APPENDIX 1: Definitions
- Explicit Consent
- Consent that is related to a specific matter, based on information, and expressed with free will.
- Anonymization
- Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even if matched with other data.
- Recipient Group
- The category of natural or legal persons to whom personal data are transferred by the data controller.
- Relevant Person
- The natural person whose personal data are processed.
- Destruction
- The deletion, destruction, or anonymization of personal data.
- Law
- Personal Data Protection Law No. 6698 dated 24/3/2016.
- Masking
- Processes such as crossing out, painting, or blurring all of personal data in a way that they cannot be associated with an identified or identifiable natural person.
- Recording Environment
- Any environment in which personal data processed wholly or partially by automatic means or by non-automatic means provided that it is part of any data recording system are located.
- Personal Data
- Any information relating to an identified or identifiable natural person.
- Processing of Personal Data
- Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data wholly or partially by automatic means or by non-automatic means provided that it is part of any data recording system.
- Personal Data Protection Law (“KVKK”)
- The Personal Data Protection Law No. 6698, which entered into force upon publication in the Official Gazette on 7 April 2016.
- Board / Authority
- The Personal Data Protection Board and the Personal Data Protection Authority.
- Data Processor
- The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
- Data Recording System
- The recording system in which personal data are processed by being structured according to specific criteria.
- Data Controller
- The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
APPENDIX 2: Personal Data Subjects (Relevant Persons)
| Data Subject Category | Description |
|---|---|
| Employee | Refers to persons employed within the Company. |
| Employee Candidate | Refers to natural persons who apply for a job by sending a resume to the Company or through other methods. |
| Business Partners | Refers to natural persons and employees of legal entities with whom the Company conducts business, transactions, and cooperation for the purpose of carrying out its activities. |
| Customer | Refers to natural persons who purchase the products and services offered by the Company and benefit from those products and services. |
| Potential Customer | Refers to natural persons who show interest in purchasing the products and services offered by the Company and have the potential to become customers. |
| Supplier | Refers to natural persons and employees of legal entities from whom the Company procures services. |
| Visitor | Refers to third persons who visit the workplace and the Company’s website. |
| Other Relevant Third Parties | Refers to natural persons who fall outside the categories described above but whose personal data are processed by the Company. |
APPENDIX 3: Third Parties to Which Personal Data Are Transferred and Purposes of Transfer
| Recipient Person/Unit | Scope | Purpose of Transfer |
|---|---|---|
| Legal Advisors / Financial Advisors | Parties from whom the Company receives services for support in legal and financial matters | Transfer of personal data limited to obtaining services within the scope of establishing, exercising, and protecting the Company’s legal and financial rights. |
| Business Partners | Domestic and foreign parties with whom the Company establishes business partnerships within the scope of its activities | Transfer of personal data limited to ensuring the performance of the activity carried out with business partners and the conduct of company activities. |
| Suppliers | Parties from whom the Company receives services in order to sustain its activities | Transfer of personal data limited to the procurement of services received from supplier parties providing server and hosting, cloud, information technologies, online communication, and similar services. |
| Authorized Public Institutions and Organizations | Legal relationships between the Company and public institutions and organizations authorized by law | Sharing/transfer limited to the purpose for which the relevant public institutions and organizations request information and documents from the Company and to the scope of commercial activities. |
APPENDIX 4: Retention Periods for Personal Data
| Personal Data Source | Period | Legal Basis |
|---|---|---|
| Personal Data Processed in Contracts and Contractual Relationships | 10 Years from the End of the Legal Relationship | Law No. 6102, Law No. 6098, Law No. 6563, and Law No. 213 |
| Special Categories of Personal Data | 10 Years from the End of the Legal Relationship | Law No. 6102, Law No. 6098, Law No. 6563 |
| All Records Related to Accounting and Financial Transactions | 10 Years from the End of the Legal Relationship | Tax Procedure Law No. 213, Law No. 6563 |
| Personal Data Related to Tax Records | 5 Years | Tax Procedure Law No. 213 |
| All Records Related to Human Resources Processes, Including Personnel Files, Under the Labor Law | 10 Years from the End of the Legal Relationship | Labor Law No. 4857 and Related Legislation, Turkish Code of Obligations No. 6098 |
| Data Collected Within the Scope of Occupational Health and Safety Legislation | 10 Years from the End of the Legal Relationship | Labor Law No. 4857 and Related Legislation, Occupational Health and Safety Law No. 6331, Regulation on Occupational Health and Safety Services |
| Data Related to Candidate Applications Where the Job Application Is Not Accepted | 2 Years | Sectoral Practices Apply. |
| Commercial Electronic E-Mail Approval Records | 1 Year from the Date the Consent Is Withdrawn | Law No. 6563, Regulation on Commercial Communication and Commercial Electronic Messages published in the Official Gazette dated 15.07.2015 and numbered 29417 |
| Personal Data Processed for Security Purposes Under CCTV Cameras (Camera Recordings) | 1 Month | Sectoral Practices Apply. |
| Traffic Information and Log Records Related to Online Visitors | 6 Months – Maximum 2 Years | Internet Law No. 5651 |