MUSICHOOL PERSONAL DATA RETENTION AND DESTRUCTION POLICY
TABLE OF CONTENTS
- 1. PURPOSE AND SCOPE
- 2. DATA CONTROLLER
- 3. DEFINITIONS
- 4. DATA SECURITY BOARD
- 5. POLICY PRINCIPLES
- 6. OBLIGATIONS
- 7. ENSURING SECURITY OF PERSONAL DATA
- 8. DESTRUCTION OF PERSONAL DATA
- 9. REVISION
1. PURPOSE AND SCOPE
Musichool OÜ (hereinafter referred to as "Musichool"), which has achieved a respectable position in various sectors in which it operates, has also shown maximum care in complying with the legal order. Accordingly, all kinds of systems are being established for compliance with Law No. 6698 on Protection of Personal Data.
The Musichool Personal Data Retention and Destruction Policy regulates the principles and procedures adopted in the processes of retaining and destroying personal data processed by Musichool within the company.
The provisions of this policy shall apply upon the elimination of the reasons requiring the processing of personal data lawfully processed by Musichool or upon the data subject's request for destruction.
The Musichool Personal Data Retention and Destruction Policy has been published in accordance with the PDPL Law and the Regulation on Deletion, Destruction or Anonymization of Personal Data, and has been prepared in accordance with the Musichool Personal Data Protection and Processing Policy and the publications and guides published by the Personal Data Protection Authority.
2. DATA CONTROLLER
Musichool, which determines the purposes and means of processing personal data processed under its legal entity and is responsible for the data processing activity, is the data controller pursuant to the PDPL Law.
3. DEFINITIONS
Important definitions in the Musichool Personal Data Retention and Destruction Policy and legislation are listed in the table below with their meanings:
| Term | Description |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Special Category Personal Data | Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data |
| Data Subject | Identified or identifiable natural person whose personal data is processed (Relevant person) |
| Destruction of Personal Data | Deletion, destruction or anonymization of personal data |
| Data Processing | All kinds of operations performed on personal data |
| Data Controller (Musichool) | Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system |
| Periodic Destruction | Destruction process to be carried out by Musichool at recurring intervals and ex officio when the personal data processing and retention period expires |
| PDPL Law (Law) | Law No. 6698 on Protection of Personal Data dated March 24, 2016, published in the Official Gazette dated April 7, 2016 and numbered 29677 |
| PDPL Authority (Authority) | Personal Data Protection Authority |
| Data Breach | In personal data protection law, the acquisition of processed personal data by third parties through illegal means |
| DATA | Means keeping personal data in a recording medium. |

Musichool takes the necessary administrative and technical measures to ensure the security of personal data and to avoid illegal interventions. The Musichool Personal Data Protection and Processing Policy is complied with regarding the measures taken for data security and the reasons for data retention. The recording media used for storing personal data are generally listed below. However, some data may be kept in a different medium than those shown below due to their different characteristics or Musichool's legal obligations.

| Recording Medium | Description |
|---|---|
| Physical Environments | Personal data stored by paper and similar physical means |
| Electronic Environments | Data stored on Musichool's servers and external disks within Musichool |
| Cloud Environments | Personal data stored using internet-based systems encrypted using cryptographic methods |
DESTRUCTION OF PERSONAL DATA
Destruction of personal data refers to the processes of deletion, destruction or anonymization of personal data that have lost their processing purpose or upon the data subject's request. If the existence of personal data is related to possible claims arising from contractual, commercial, legal, administrative transactions, the data is retained during the statute of limitations period related to such transaction.
Personal data processed within Musichool are deleted, destroyed or anonymized ex officio in accordance with this Policy upon the request of the relevant person, or if the data processing reasons listed in Articles 5 and 6 of the PDPL Law and in the Musichool Personal Data Protection and Processing Policy cease to exist.
Musichool performs periodic destruction at 6-month intervals for all personal data being processed.
DELETION OF PERSONAL DATA
Deletion of personal data means making personal data inaccessible and unusable by relevant users. Deleted data cannot be accessed by relevant users other than the data controller.
In case of a conflict between the request and company policy on this matter, a written application is made to the Personal Data Protection Authority to resolve the conflict and action is taken in line with the principle decision.
Using an access authorization and control matrix or a similar system, the relevant users are identified for each item of personal data, and their authorizations and methods for access, retrieval and reuse are determined. The access, retrieval and reuse authorizations and methods of the relevant users regarding that personal data are then closed and removed.
DELETION TECHNIQUES
REDACTION
This is the technique of making personal data on a paper document invisible to users by cutting it out where possible, and otherwise by covering it with ink.
SECURE DELETION FROM DIGITAL ENVIRONMENT
Personal data on central servers and in the cloud is securely deleted using the delete command in the operating system.
DESTRUCTION OF PERSONAL DATA
Destruction of personal data means making personal data inaccessible, irrecoverable and unusable by anyone. Unlike deletion, destruction of personal data means that even the data controller cannot access the data after the destruction process.
DESTRUCTION TECHNIQUES
DE-MAGNETIZATION
Magnetic media are corrupted into an unreadable form by passing them through a device with a de-magnetization feature. The de-magnetization device is provided by Musichool if needed.
PHYSICAL DESTRUCTION
Optical media and magnetic media are physically destroyed by melting, burning or pulverizing.
OVERWRITING
Overwriting prevents recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media. If necessary, software is provided by the company for this purpose.
SECURE DESTRUCTION FROM DIGITAL ENVIRONMENT
Personal data on central servers is destroyed with the destroy command in the operating system in such a way that it cannot be recovered.
ANONYMIZATION OF PERSONAL DATA
Anonymization of personal data means making personal data impossible to associate with an identified or identifiable natural person by any means, even by matching with other data. Musichool takes all kinds of security measures regarding the anonymization of personal data.
ANONYMIZATION TECHNIQUES
Techniques such as grouping, masking, derivation, generalization, and randomization are used for anonymization of personal data. When choosing the anonymization method, Musichool takes into account the nature and size of the personal data, the structure and diversity of personal data in physical environments, the benefit/processing purpose to be obtained from the data, the frequency of data processing, the reliability of third parties to whom personal data will be transferred, the meaningfulness of the effort required for anonymization, the magnitude and impact area of damage that may occur if the anonymity of personal data is broken, the distribution/centralization ratio of data, access authorization control of users to the relevant data, and the possibility of constructing an attack that will break anonymity.
The retention reasons and periods of the personal data categories processed by Musichool are specified in the table below. All data whose retention period has expired are destroyed in the first periodic destruction period that follows.
| Data Category | Retention Period | Retention Reason |
|---|---|---|
| Personnel Data | Document retention period is 10 years according to Law No. 5510. | Fulfillment of obligations arising from employment contract and legislation for employees |
| Health Information | Health and Safety, employee health files are retained for 15 years | Occupational health and safety provisions |
| Professional Experience | Retained for 2 years | Execution of candidate application processes |
| Identity and Contact Data | Identity and contact information of customers and customer candidates are retained for 10 years. | Execution of communication activities |
| Legal Transaction | Retained for 10 years from the transaction date. | Responding to requests from authorized judicial/administrative institutions and bodies |
| Customer Transaction | Retained for 10 years in accordance with Turkish Code of Obligations provisions. | Execution of goods/service purchase and sales processes and ensuring customer satisfaction |
| Finance and Accounting Data | Retained for 10 years according to Turkish Commercial Code Article 82. | Execution of finance and accounting operations |
| Marketing Data | Retained for 10 years from purchase | Execution of marketing activities and studies |
| Criminal Conviction and Security Measures | Retained for 15 years according to occupational health and safety provisions. | Execution of Occupational Health/Safety and Legal affairs follow-up |
| Transaction Security | Retained for 2 years. | Execution of information security processes |
DATA SUBJECT DESTRUCTION REQUESTS
If a destruction request is submitted to Musichool by the data subject, the situation is reported to the Data Security Board within 24 hours. The Musichool Data Subject Relations Guide is complied with in the processes of responding to the request.
If the data subject application submitted to Musichool contains findings regarding a possible data breach, the Musichool Data Breach Procedure is put into effect. The possibility of breach is reported to the Data Security Board immediately and within 24 hours at the latest.
VIOLATIONS AND SANCTIONS
If employees violate the policies and procedures related to personal data published by the data controller, the employee's defense is taken according to Labor Law No. 4857, and disciplinary action is taken according to the law. It constitutes a crime within the scope of Turkish Penal Code No. 5237.
REVISION
This Guide enters into force from the moment it is approved by the Data Security Board. The Data Security Board is also authorized regarding the changes to be made within this Guide and how they will be put into effect.
The Musichool Personal Data Retention and Destruction Policy is reviewed at least once a year, and if there are necessary changes, it is updated by submitting it to the approval of the Data Security Board. In case of conflict between the regulations in this Policy and the legislation in force, primarily the PDPL Law, the provisions of the legislation shall apply.
Musichool reserves the right to make changes in the Personal Data Retention and Destruction Policy in parallel with the legal regulations to be made by the PDPL Authority, which is the administrative authority. Revisions that may occur in this procedure or legislation will be added to the guide by specifying the date and subject, and will be accepted as an integral part of the procedure after the necessary announcements are made.