MUSICHOOL PERSONAL DATA RETENTION AND DESTRUCTION POLICY
TABLE OF CONTENTS
- OBJECTIVE AND SCOPE
- LEGAL BASIS
- DATA CONTROLLER
- DEFINITIONS
- RETENTION OF PERSONAL DATA
- DESTRUCTION OF PERSONAL DATA
- DELETION OF PERSONAL DATA
- DELETION TECHNIQUES
- ERASURE OF PERSONAL DATA
- ERASURE TECHNIQUES
- ANONYMIZATION OF PERSONAL DATA
- DATA SUBJECT DESTRUCTION REQUESTS
- BREACH AND SANCTIONS
- REVISION
OBJECTIVE AND SCOPE
Musichool OU ("Musichool"), which has achieved a reputable position in the various sectors in which it operates, has adopted the principle of exercising utmost care regarding compliance with the legal order. Accordingly, all necessary systems are being established to ensure compliance with the Personal Data Protection Law No. 6698 and other relevant legislation.
The Musichool Personal Data Retention and Destruction Policy regulates the principles and procedures adopted in the processes of retaining and destroying personal data processed by Musichool within the company.
The provisions of this policy shall be applied when the reasons requiring the processing of personal data lawfully processed by Musichool cease to exist or when the data subject requests destruction.
LEGAL BASIS
The Musichool Personal Data Retention and Destruction Policy has been published in accordance with the PDPL and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and has been prepared in compliance with the Musichool Personal Data Protection and Processing Policy and the publications and guidelines issued by the Personal Data Protection Authority.
DATA CONTROLLER
Musichool, which determines the purposes and means of processing personal data processed under its legal entity and is responsible for data processing activities, is the data controller in accordance with the PDPL.
DEFINITIONS
The important definitions contained in the Musichool Personal Data Retention and Destruction Policy and legislation are set out in the table below along with their meanings:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Special Category Personal Data | Data concerning race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data |
| Data Subject | The identified or identifiable natural person whose personal data is processed (Relevant person) |
| Destruction of Personal Data | The deletion, erasure or anonymization of personal data |
| Processing of Personal Data | Any operation performed on data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system |
| Periodic Destruction | The destruction operation to be carried out by Musichool at recurring intervals and ex officio when the personal data processing and retention period expires |
| PDPL (Law) | The Personal Data Protection Law No. 6698, dated March 24, 2016, published in the Official Gazette dated April 7, 2016 and numbered 29677 |
| PDP Authority (Authority) | The Personal Data Protection Authority |
| Data Breach | In personal data protection law, the acquisition of processed personal data by third parties through unlawful means |
| Data Security Board | The Board established within the Company by Musichool to ensure the necessary coordination within the scope of ensuring, maintaining and sustaining compliance with personal data protection legislation |
RETENTION OF PERSONAL DATA
Personal data retained by Musichool is kept in a recording environment appropriate to the nature of the relevant data and our legal obligations. Musichool takes the necessary administrative and technical measures to ensure the safe storage of personal data and to prevent unlawful interference. The Musichool Personal Data Protection and Processing Policy is complied with regarding the measures taken for data security and the reasons for data retention.
The recording environments generally used for the retention of personal data are listed below. However, certain data may be kept in an environment different from those shown below due to their different nature or Musichool's legal obligations.
| Environment | Description |
|---|---|
| Physical Environments | Personal data stored by paper and similar physical means |
| Electronic Environments | Personal data stored on servers and external disks within Musichool and to which Musichool has access authorization |
| Cloud Environments | Personal data stored using internet-based systems encrypted through cryptographic methods |
DESTRUCTION OF PERSONAL DATA
The destruction of personal data refers to the processes of deleting, erasing or anonymizing personal data that has lost its processing purpose or for which the data subject has made a request. If the existence of the personal data relates to potential rights claims arising from contractual, commercial, legal or administrative transactions, the data is retained for the statute of limitations period applicable to the relevant transaction.
Personal data processed within Musichool is deleted, erased or anonymized ex officio in accordance with this Policy:
- Upon the request of the relevant person, or
- When the data processing reasons specified in Articles 5 and 6 of the PDPL and in the Musichool Personal Data Protection and Processing Policy cease to exist.
Periodic destruction is carried out by Musichool at 6-month intervals for all personal data being processed.
DELETION OF PERSONAL DATA
The deletion of personal data is the process of making personal data inaccessible and unusable by relevant users in any way. Deleted data cannot be accessed by relevant users other than the data controller.
In the event of a conflict between the request and the company policy on this matter, a written application is made to the Personal Data Protection Authority for the purpose of resolving the conflict, and action is taken in accordance with the principle decision.
Using an access authorization and control matrix or a similar system, the relevant users for each personal data item are identified, and the users' authorizations and methods such as access, retrieval and reuse are determined. Subsequently, operations are carried out to close and eliminate the relevant users' access, retrieval and reuse authorizations and methods within the scope of personal data.
DELETION TECHNIQUES
REDACTION
This is the technique of making personal data on the relevant document in paper format invisible to users by cutting where possible, or otherwise by using ink.
SECURE DELETION FROM DIGITAL ENVIRONMENT
Personal data on central servers and in the cloud is securely deleted using the operating system's delete command.
ERASURE OF PERSONAL DATA
The erasure of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. Unlike deletion, the erasure of personal data means that even the data controller cannot access the data in question after the destruction process.
ERASURE TECHNIQUES
DE-MAGNETIZATION
Magnetic media is passed through a de-magnetization device, corrupting the data so that it becomes unreadable. A de-magnetization device is procured by Musichool when needed.
PHYSICAL DESTRUCTION
Optical media and magnetic media are physically destroyed by melting, burning or pulverizing.
OVERWRITING
Recovery of old data is prevented by writing random data consisting of 0s and 1s at least seven times onto rewritable optical media and magnetic media. Software for this purpose is procured by the company when needed.
SECURE ERASURE FROM DIGITAL ENVIRONMENT
Personal data on central servers is erased using the operating system's erasure command in a manner that is irrecoverable.
ANONYMIZATION OF PERSONAL DATA
The anonymization of personal data is the process of making personal data unable to be associated with an identified or identifiable natural person in any way, even when matched with other data. Musichool takes all types of security measures related to the anonymization of personal data.
ANONYMIZATION TECHNIQUES
Techniques such as grouping, masking, derivation, generalization and randomization are available for the anonymization of personal data. When selecting an anonymization method, Musichool takes into account the nature and volume of the personal data, the structure and diversity of the personal data in physical environments, the benefit/processing purpose intended from the data, the frequency of data processing, the reliability of the third parties to whom the personal data will be transferred, the meaningfulness of the effort required for anonymization, the magnitude and scope of the damage that may arise if the anonymity of personal data is compromised, the distribution/centralization ratio of the data, access authorization control of users for the relevant data, and the probability of an attack scenario that would compromise anonymity.
The retention reasons and periods for the categories of personal data processed by Musichool are specified in the table below. All data whose retention period has expired is destroyed in the first periodic destruction period that follows.
| Data Category | Retention Period | Retention Reason |
|---|---|---|
| Personnel Data | According to Law No. 5510, the document retention period is 10 years starting from the beginning of the year following the year to which the document relates. | Fulfillment of obligations arising from employment contracts and legislation for employees |
| Health Information | According to Occupational Health and Safety provisions, employees' health files are retained for 15 years | Ensuring occupational health and safety obligations |
| Professional Experience | Candidates' resume information is retained for 1 year. | Conducting application processes for employee candidates |
| Identity and Contact Data | Identity and contact information obtained regarding customers and prospective customers is retained for 10 years. | Conducting communication activities |
| Legal Proceedings | Retained for 10 years from the date of the transaction. | Responding to requests submitted by authorized judicial/administrative institutions and bodies |
| Customer Transactions | Retained for 10 years in accordance with the relevant provisions of the Turkish Code of Obligations. | Conducting purchase and sales processes of goods/services and ensuring customer satisfaction |
| Finance and Accounting Data | Retained for 10 years in accordance with Article 82 of the Turkish Commercial Code. | Conducting finance and accounting operations |
| Marketing Data | Retained for 10 years from the date of acquisition. | Conducting marketing activities and operations |
| Criminal Conviction and Security Measures | Retained for 15 years in accordance with occupational health and safety provisions. | Conducting occupational health/safety and legal affairs monitoring |
| Transaction Security | Retained for 2 years. | Conducting information security processes |
DATA SUBJECT DESTRUCTION REQUESTS
In the event that a destruction request is submitted to Musichool by a data subject, the matter is notified to the Data Security Board within 24 hours. The Musichool Data Subject Relations Guide is complied with in the processes of responding to the request.
If the data subject application submitted to Musichool contains findings indicating a possible data breach, the Musichool Data Breach Procedure is put into practice. The possibility of a breach is reported to the Data Security Board immediately and within 24 hours at the latest.
BREACH AND SANCTIONS
In the event that policies and procedures related to personal data published by the data controller are violated by employees, the employee's defense is obtained in accordance with the Employment Contract, the PDPL Confidentiality Undertaking and Labor Law No. 4857, and a disciplinary measure appropriate to the act is imposed. In cases where the act also constitutes a crime under the Turkish Penal Code No. 5237 or other laws, the necessary judicial authorities are notified.
REVISION
This Guide enters into force from the moment it is approved by the Data Security Board. The Data Security Board is also authorized regarding the changes to be made within this Guide and how they will be put into practice.
The Musichool Personal Data Retention and Destruction Policy is reviewed at least once a year in all cases, and if there are necessary changes, it is updated by submitting it for the approval of the Data Security Board. In case of conflict between the legislation in force, primarily the PDPL, and the regulations contained in this Policy, the provisions of the legislation shall apply.
In parallel with the legal regulations to be made by the PDP Authority, which is the administrative authority, Musichool reserves the right to make changes to the Personal Data Retention and Destruction Policy. Any revisions that may occur in this procedure or legislation will be appended to the procedure specifying the date and subject, and will be considered an integral part of the procedure after the necessary announcements are made.