PERSONAL DATA RETENTION AND DISPOSAL POLICY
INTRODUCTION AND PURPOSE OF THE POLICY
This Personal Data Retention and Disposal Policy (“Policy”) has been prepared by Trabzonspor Club and its affiliated companies (Trabzonspor Club Association, Trabzonspor Football Management Trade Inc., Trabzonspor Sports Investment and Football Management Trade Inc., Trabzonspor Bordo Mavi Energy Electricity Production Inc., Bordo Mavi Football Investments Trade Inc., Trabzonspor Telecommunications Consultancy and Service Trade Inc.) as the data controller.
The purpose of this policy is to ensure compliance with the Law on the Protection of Personal Data No. 6698 (“KVKK” or “Law”), the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679) (“GDPR”), and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, which was published in the Official Gazette on October 28, 2017 as a secondary regulation of the KVKK.
Additionally, in accordance with Article 17 of the GDPR, which regulates the Right to Erasure (Right to be Forgotten), this policy establishes the maximum retention period for personal data, provides the legal basis for the deletion, destruction, and anonymization processes, and informs data subjects about these procedures.
SCOPE
This policy covers personal data retained by the organization, all employees, consultants, and all cases where personal data sharing is in question, including subsidiaries, suppliers, and other legal entities with which the organization has a legal relationship. It applies to personal data and special category personal data that are processed either fully or partially by automated means or by non-automated means provided that they form part of a data recording system as defined by law. Unless otherwise stated in the policy, personal data and special category personal data shall collectively be referred to as “Personal Data.”
AUTHORITY AND RESPONSIBILITIES
All employees, consultants, external service providers, and any other individuals or entities that store and process personal data within the organization are responsible for fulfilling the requirements regarding data destruction as specified by the Law, Regulation, and Policy. Each business unit is responsible for storing and protecting the data it generates within its own business processes.
The responsibility for receiving or accepting notifications and correspondence with the Personal Data Protection Board (KVK Board) on behalf of the data controller, as well as for registration in the registry, lies with the "Data Controller Contact Person."
DEFINITIONS
Abbreviation: Definition
Explicit Consent: Consent given based on information and expressed with free will regarding a specific subject.
GDPR: General Data Protection Regulation, European Union General Data Protection Regulation (Regulation (EU) 2016/679)
Relevant User: Persons who process personal data within the data controller organization or based on the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Destruction: Deletion, destruction, or anonymization of personal data.
Law/KVKK: Law No. 6698 on the Protection of Personal Data.
Recording Medium: Any environment where personal data is processed, whether fully or partially automated or processed through non-automated means, provided that it is part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data, whether wholly or partially automated or by non-automated means as part of a data recording system, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use.
Deletion of Personal Data: The deletion of personal data; making personal data completely inaccessible and unusable for Relevant Users.
Anonymization of Personal Data: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Destruction of Personal Data: The process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.
Board: Personal Data Protection Board.
Sensitive Personal Data: Data on individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction: In the event that all conditions for processing personal data specified in the Law cease to exist, the deletion, destruction, or anonymization process to be carried out ex officio at recurring intervals as specified in the personal data retention and disposal policy.
Data Subject/Relevant Person: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Regulation: Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.
RULES
Trabzonspor Club and its affiliated companies act in accordance with the following principles regarding the storage and destruction of personal data:
a) The deletion, destruction, and anonymization of personal data are carried out in full compliance with the principles listed in Article 4 of the Law, the technical and administrative measures specified in Article 12 and detailed in Article 6.2 of this Policy, relevant legal regulations, decisions of the Board, and this Policy.
b) All transactions related to the deletion, destruction, and anonymization of personal data are recorded by Trabzonspor Sports Investment and Football Management Trade Inc., and such records are retained for at least six months, excluding other legal obligations.
c) Unless otherwise decided by the Board, an appropriate method for deleting, destroying, or anonymizing personal data is selected by us. However, if the Data Subject requests it, the selected method will be explained along with its justification.
d) If all conditions for processing personal data listed in Articles 5 and 6 of the Law cease to exist and upon request under GDPR, personal data is deleted, destroyed, or anonymized by Trabzonspor Sports Investment and Football Management Trade Inc. either ex officio or upon the request of the Data Subject. If the Data Subject applies to Trabzonspor Club and its affiliated companies regarding this matter:
· The submitted requests are finalized within a maximum of 30 (thirty) days, and the relevant person is informed.
· If the data subject to the request has been transferred to third parties, this situation is communicated to the third party, and the necessary actions are ensured to be taken by the third parties.
1 a) Compliance with the law and principles of honesty, b) Being accurate and, when necessary, up-to-date, c) Processed for specific, explicit, and legitimate purposes, d) Being relevant, limited, and proportionate to the purposes for which they are processed, e) Retention for the period stipulated in the relevant legislation or necessary for the purposes for which they are processed.
EXPLANATIONS REGARDING THE REASONS FOR RETENTION AND DISPOSAL
Personal data belonging to data subjects are securely stored by Trabzonspor Sports Investment and Football Management Trade Inc. in physical or electronic environments, particularly for the purposes of (i) ensuring the continuity of service activities, (ii) fulfilling legal obligations, (iii) planning and executing employee rights and fringe benefits, (iv) managing customer relationships, (v) fulfilling legal requirements, and for other purposes determined in the inventory, within the limits specified by KVKK and other relevant legislation.
The reasons requiring the retention of personal data are as follows:
· Retention of personal data due to its direct relevance to the establishment and performance of contracts,
· Retention of personal data for the establishment, exercise, or protection of a legal right,
· Retention of personal data as a necessity for the legitimate interests of Trabzonspor Sports Investment and Football Management Trade Inc., provided that it does not violate fundamental rights and freedoms of individuals,
· Retention of personal data for Trabzonspor Sports Investment and Football Management Trade Inc. to fulfill any legal obligation,
· Retention of personal data explicitly stipulated by legislation,
· Retention of personal data requiring explicit consent from data subjects, with their explicit consent obtained.
According to the Regulation, in the following cases, personal data of data subjects shall be deleted, destroyed, or anonymized by Trabzonspor Sports Investment and Football Management Trade Inc. either ex officio or upon request:
· Modification or repeal of legislative provisions that form the basis for the processing or retention of personal data,
· The disappearance of the purpose requiring the processing or retention of personal data,
· Elimination of the conditions requiring the processing of personal data as specified in Articles 5 and 6 of the Law,
· In cases where personal data processing is solely based on explicit consent, withdrawal of consent by the data subject,
· The data subject’s request for deletion, destruction, or anonymization of personal data under Article 11 (e) and (f) of the Law, and the acceptance of this request by the data controller,
· Under GDPR, exercising the right to withdraw consent and the right to erasure, provided that no overriding legitimate grounds exist that outweigh the data subject’s interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims,
· Under GDPR or national laws, these rights may be limited; for instance, if fulfilling the request would disclose another person’s personal data, violate the rights of a third party (including our rights), or if the request to delete data conflicts with legal obligations requiring retention or strong legitimate interests for protection,
· If the data controller rejects the data subject's request for deletion, destruction, or anonymization of personal data, the response is deemed insufficient, or there is a failure to respond within the legally stipulated period, leading to a complaint to the Authority and the approval of the request by the Authority,
· The expiration of the maximum retention period for personal data without any existing condition justifying its further retention.
RETENTION AND DISPOSAL PERIODS
Trabzonspor Club and its affiliated companies determine the retention and disposal periods of your personal data obtained in compliance with the KVKK and other relevant legal regulations based on the following criteria:
a) If a retention period for the personal data in question is stipulated by legislation, this period is strictly followed. After the expiration of this period, the data is processed under the provisions of paragraph 2.
b) If the retention period stipulated in the legislation for the personal data in question has expired, or if no retention period is specified in the relevant legislation, the following steps are taken:
c) Personal data is classified as either personal data or sensitive personal data based on the definitions provided in Article 6 of KVKK. All personal data identified as sensitive is destroyed. The method to be used for the destruction of such data is determined based on the nature of the data and its significance to Trabzonspor Club and its affiliated companies.
· For example, it is evaluated whether Trabzonspor Club and its affiliated companies have a legitimate purpose for retaining the data. If it is determined that data retention may violate the principles specified in Article 4 of KVKK, the data is deleted, destroyed, or anonymized.
· It is determined under which exceptions stipulated in Articles 5 and 6 of KVKK the retention of the data falls. Based on the identified exceptions, reasonable retention periods for the data are established. Upon the expiration of these periods, the data is deleted, destroyed, or anonymized.
The retention, disposal, and periodic disposal periods determined by Trabzonspor Club and its affiliated companies can be accessed in the appendix of the Policy under the "Personal Data Processing Inventory."
Personal data whose retention period has expired is disposed of in accordance with the destruction periods specified in the appendix of the Policy and following the procedures outlined in the Policy every six months.
All actions related to the deletion, destruction, and anonymization of personal data are recorded, and such records are retained for at least six months, excluding other legal obligations.
METHODS OF RETENTION AND DISPOSAL OF PERSONAL DATA - STORAGE MEDIA
Personal data belonging to data subjects is securely stored by Trabzonspor Club and its affiliated companies in accordance with the provisions of KVKK and other relevant regulations, as well as international data security principles, in the environments listed in the table below:
a) Electronic Environments:
· Servers (Domain, backup, email, database, web, file sharing, etc.)
· Software (Office software, portals, government applications, VERBIS)
· Information security devices (Firewall, intrusion detection and prevention systems, antivirus, etc.)
· Personal computers (Desktop, laptop)
· Removable storage devices (USB, memory card, etc.)
· Printers, scanners, photocopiers
b) Physical Environments:
· Paper-based documents
· Written, printed forms, contracts, visual media
TECHNICAL AND ADMINISTRATIVE MEASURES
In order to ensure the secure storage of your personal data, prevent unlawful processing and unauthorized access, and legally dispose of data, Trabzonspor Club and its affiliated companies have taken all necessary administrative and technical measures in accordance with the principles outlined in Article 12 of KVKK. These measures are listed below:
a) Administrative Measures:
Trabzonspor Club and its affiliated companies take the necessary administrative measures to ensure the security of personal data and supervise employees’ compliance with these measures. They define access and authorization levels in accordance with legal compliance requirements specific to each business unit without disrupting business processes. They define employees’ access rights to personal data and the rules governing these rights. Employees are informed that they cannot disclose personal data they have learned in the course of their duties in violation of the KVKK provisions, cannot use them for purposes other than processing, and that this obligation continues even after they leave their positions. Employees are continuously provided with awareness, technical, administrative, and legal training on the General Data Protection Regulation and the 6698 Personal Data Management System. Necessary commitments are obtained from employees in this regard. Regarding the sharing of personal data with third parties, either a framework agreement is signed with the parties with whom personal data is shared, or necessary clauses are added to contracts to ensure data security. Third parties with whom personal data is shared accept the obligation to take necessary security measures to protect the data and ensure compliance with these measures within their organizations. If it is determined that unlawfully processed personal data has been obtained by unauthorized parties, the data representative notifies the relevant person and the KVKK Board. An investigation is conducted into how the personal data was accessed by unauthorized parties. Trabzonspor Club and its affiliated companies implement the necessary administrative measures to eliminate detected vulnerabilities and take technical measures when necessary.
b) Technical Measures:
Trabzonspor Club and its affiliated companies employ knowledgeable and experienced personnel to ensure data security and provide necessary KVKK compliance training to their staff. In accordance with Article 32 of the GDPR, they take the necessary technical measures for the implementation of GDPR regulations and ensure stricter measures are applied to access special categories of personal data. In line with these processes, technical precautions are taken in accordance with technological advancements. Investments are made in infrastructure suitable for evolving technology. Necessary software and hardware are installed to ensure data security in virus protection systems and cloud environments. Updated versions of systems with necessary security measures against known vulnerabilities are used, and penetration testing and vulnerability scanning are continuously conducted on systems. Employees' access to personal data is controlled through authorization management. Access and authorization definitions are made according to the legal compliance requirements determined for each business unit. Compliance with access authorizations is monitored, and the implemented measures are continuously maintained and controlled.
PERSONNEL
You can access the titles, departments, and job descriptions of the personnel involved in the personal data storage and disposal process from our institution.
METHODS OF PERSONAL DATA DISPOSAL
In accordance with KVKK and other relevant regulations, personal data obtained by Trabzonspor Club and its affiliated companies will be disposed of ex officio or upon the request of the Data Subject when the purposes of personal data processing, as listed in the Law and Regulations, cease to exist. This disposal process will be carried out using the techniques specified below, in compliance with the provisions of the Law and relevant legislation.
a) Techniques for Deletion and Destruction of Personal Data:
The procedures and principles regarding the deletion and destruction of personal data by Trabzonspor Club and its affiliated companies are listed below:
Deletion of Personal Data:
Secure Deletion from Software: When deleting data processed in fully or partially automated ways and stored in digital environments, methods ensuring that the data is made completely inaccessible and unusable for Relevant Users are employed.
This includes deleting relevant data from cloud systems via a delete command, removing user access rights from the directory containing the file on a central server, deleting relevant rows in databases using database commands, or securely deleting data stored on portable media such as flash drives using appropriate software.
However, if the deletion of personal data would result in making other data within the system inaccessible and unusable, personal data shall be considered deleted if the following conditions are met by archiving it in a way that it can no longer be associated with the relevant individual:
· It is inaccessible to any other institution, organization, or individual.
· All necessary technical and administrative measures are taken to ensure that only authorized personnel have access to personal data.
Secure Deletion by an Expert: In certain cases, an expert may be contracted to delete personal data on behalf of the organization. In this case, personal data is securely deleted by the expert in a way that ensures it is completely inaccessible and cannot be reused by Relevant Users.
Redaction of Personal Data on Paper: To prevent the unintended use of personal data or to delete requested data, personal data on physical documents is either physically cut out or made unreadable using permanent ink that renders it irretrievable and unreadable through technological solutions.
Destruction of Personal Data:
Physical Destruction: Personal data may also be processed through non-automated means as part of a data recording system. When destroying such data, a physical destruction method is applied to ensure that the data is permanently unusable and cannot be recovered.
Techniques for Anonymization of Personal Data:
Trabzonspor Club and its group companies have established procedures and principles for anonymizing personal data.
Anonymization of Personal Data is defined as rendering personal data unidentifiable and non-associable with a specific or identifiable individual, even when combined with other data.
· Utilizing techniques suitable for the nature of the data storage environment and operational domain.
· Implementing irreversible techniques or anonymizing data through combination with other data.
According to Article 28 of the KVKK, when personal data is processed for research, planning, and statistical purposes by being anonymized within official statistics, such processing is considered outside the scope of the Law, and obtaining explicit consent will not be required.
OTHER MATTERS
In the event of any inconsistency between the KVKK and other relevant legislation and this Policy, the provisions of the KVKK and other relevant legislation shall prevail.
This Policy, prepared by Trabzonspor Club and its group companies, has entered into force. In case of any amendments to the Policy, the effective date and relevant provisions will be updated accordingly.
RETENTION AND DISPOSAL PERIODS
The retention and disposal periods for the data processed by the institution have been determined on a process basis in the Personal Data Inventory. If requested by filling out the KVKK and GDPR Application Form, access to information regarding the retention and disposal periods can be provided.
PERSONS RESPONSIBLE FOR RETENTION AND DISPOSAL PROCESSES
The company assigns a "Personal Data Protection Committee" or appoints an individual or individuals responsible for managing this policy and other related policies, overseeing the processing and disposal processes specified in these policies, and ensuring the execution of compliance actions determined by senior management.
Within this scope, the tasks to be carried out by the relevant person or committee include:
· Preparing, monitoring, and submitting for approval the documents related to the design of personal data protection and processing processes.
· Ensuring the implementation of documents concerning personal data protection and processing and conducting necessary audits.
· Monitoring relations and correspondence with the KVK Institution and the KVK Board.
PUBLICATION AND UPDATE OF THE POLICY
This Policy is published on the Company's website (www.trabzonspor.org.tr) and is made available to personal data owners upon request.
This Policy is updated whenever necessary and, in case of amendments, the changes come into effect by being published on the website.