PERSONAL DATA RETENTION AND ERASURE POLICY

PURPOSE

This Personal Data Retention and Erasure Policy (“Policy”) is issued by us, Silahtarağa Gayrimenkul Yatırım A.Ş. Private Studio Santral Girls' Dormitory (“Studio Santral”), in accordance with the Personal Data Protection Law No. 6698 and the By-Law on Erasure, Destruction or Anonymization of Personal Data (“By-Law”), which constitutes the secondary regulation of the Law. It explains the general principles for fulfilling our obligations as the data controller, for informing data subjects about erasure, destruction and anonymization processes, and for the maximum storage period necessary for the purpose for which personal data are processed.

1.1 SCOPE

The Studio Santral Personal Data Retention and Erasure Policy applies to all recording mediums where personal data are collected and processed by Studio Santral, and to all personal data processing activities concerning the personal data of Studio Santral employees and employee candidates, service providers, visitors and other third parties.

1.2 Definitions

Explicit consent: Freely given, specific and informed consent.

Anonymization: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

Data Subject: The natural person, whose personal data are processed.

User concerned: Persons who process personal data within the organization of the data controller or upon authorization and instructions received from the data controller, other than the person or department which is responsible for the technical storage, protection and back up of personal data.

Disposal: Erasure, destruction, or anonymization of personal data.

Recording Medium: Any type of environment that holds personal data processed wholly or partially by automated means, or by non-automated means provided that the processing forms part of a data filing system.

Personal Data: Any information relating to an identified or identifiable natural person.

Personal data processing inventory: “Studio Santral’s Data Inventory” is formed according to the related data subject groups and consists of the following: the personal data processing activities of Studio Santral according to its business processes; the purposes and legal grounds of personal data processing; data categories; recipient groups to whom the data are transferred; the maximum data storage period required for fulfilling the collection and processing purposes; categories of personal data envisaged to be transferred to foreign countries; and measures taken regarding data security.

Processing of Personal Data: Any operation performed on personal data, wholly or partially by automated means, or by non-automated means provided that it forms part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or preventing the use thereof.

Anonymization of personal data: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

Erasure of Personal Data: Rendering personal data inaccessible and non-reusable in any way for the users concerned.

Destruction of personal data: Rendering personal data inaccessible and non-reusable in any way for the users concerned.

Board: Personal Data Protection Board

Authority: Personal Data Protection Authority

Periodic Disposal: The erasure, destruction or anonymization process which is determined in the personal data storage and disposal policy and is to be carried out periodically ex officio, in the event that all of the conditions for processing laid down in the Law no longer exist.

Policy: Personal Data Storage and Disposal Policy

By-Law: By-Law on Erasure, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

  2. DISTRIBUTION OF THE ROLES AND RESPONSIBILITIES

In its capacity as data controller, Studio Santral, together with all its employees, actively pays strict attention to taking technical and organizational measures in all mediums where personal data are processed; to ensuring data security through the implementation of technical and organizational measures by the users concerned in accordance with the Policy; to increasing the educational level and awareness of employees in this regard; to preventing unlawful processing of personal data through monitoring and continuous audit; and to enabling the lawful storage of personal data.

  3. Recording Medium

Personal data are stored lawfully and safely by Studio Santral in the mediums specified below.

3.1 Electronic Means

  • Databases
  • Email server (hosted abroad)
  • External backup disks
  • Optical disks
  • Removable memory
  • Odeon Hotel Management System
  • Salto (İnfomet Güvenlik Sistemleri Bil. ve Elek. San.Tic.Ltd.Şti)
  • Software (office software, portal, EBYS)

3.2 Non-Electronic Means

  • Paper
  • Manual data recording systems (questionnaire forms, visitor registration book)
  • Written, printed, visual environment

  4. Information on Storage and Disposal

Personal data of the employees, employee candidates, visitors, and employees of third parties, institutions or organizations as service providers are stored and destroyed by Studio Santral in accordance with the Law.

In this context, detailed explanations regarding storage and disposal are as follows:

4.1 Explanations on Storage

In Law No. 6698, Article 3 explains the processing of personal data; Article 4 states that processed personal data should be relevant, limited and proportionate, and should be stored for the period laid down by the relevant legislation or the period required for the purpose for which the personal data are processed; and Articles 5 and 6 specify the conditions for processing personal data.

Accordingly, the personal data subject to the personal data processing activities included in Studio Santral’s business processes are stored for the period prescribed in the relevant legislation or in accordance with the processing purposes. When the purpose of data processing ends, the data are erased, destroyed, or anonymized, unless there is another legal reason or basis for storing the data.

If the purpose of processing personal data has expired, and the storage periods determined by the relevant legislation and by Studio Santral have come to an end, personal data can be stored only in order to provide evidence in possible legal disputes or to claim or defend the relevant right connected to the personal data. In determining these periods, the prescription periods for claiming the right in question, and applications on the same subjects that have been submitted to Studio Santral even though the prescription periods have expired, are taken into consideration. These periods are shown in the table below. After these periods end, personal data are erased, destroyed, or anonymized.

Regarding the storage of personal data on a specific-data basis, where the period stipulated in the legislation has expired or no period has been foreseen in the relevant legislation for storing the data, the data are erased, destroyed or anonymized by the data controller at 6-month intervals. (According to Article 11 of the By-Law, the Authority has determined the destruction period as 6 months. Accordingly, periodic destruction is carried out in June and December every year.)

Unless otherwise provided by the Authority, the appropriate method of erasing, destroying, or anonymizing the personal data is selected by Studio Santral. When the data subject applies to Studio Santral and requests the erasure or destruction of his personal data, an evaluation is made as to whether the processing conditions still exist for the relevant personal data. If the processing conditions no longer exist, Studio Santral erases, destroys or anonymizes the personal data subject to the request. However, if the processing conditions still exist, the reason is explained to the data subject and the request is refused. The data subject's application is finalized and answered within 30 days in all cases.

4.1.1 Legal Grounds Requiring Storage

The personal data processed within the framework of the activities included in Studio Santral's business processes are stored for the period stipulated in the relevant legislation. In this context, personal data are stored for the periods foreseen under the following laws and regulations:

  • Personal Data Protection Law No. 6698,
  • Turkish Code of Obligations Act No. 6098,
  • Public Procurement Law No. 4734,
  • Civil Servants Act No. 657,
  • Social Insurance and General Health Insurance Law No. 5510,
  • Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of such Publication,
  • Public Financial Management and Control Law No. 5018,
  • Occupational Health and Safety Law No. 6331,
  • Law on the Right to Information No. 4982,
  • Law on the Use of the Right to Petition No. 3071,
  • Labor Law No. 4857,
  • Higher Education Law No. 2547,
  • Higher Education Loan and Dormitory Services Law No. 351
  • Retirement Fund Law No. 5434,
  • Social Services Law No. 2828
  • Regulation on Student Private Housing Services No. 351
  • Regulation on Health and Safety Measures to Be Taken in Workplace Buildings and Annexes
  • Regulation on Archive Services
  • Other secondary regulations in force in accordance with above mentioned laws

4.1.2 Processing Purposes Requiring Storage

Studio Santral stores the personal data processed within the framework of its business activities for the following purposes:

  • To carry out human resources processes
  • To provide communication within Studio Santral
  • To ensure the security of Studio Santral
  • To conduct statistical studies
  • To execute duties and operations according to signed contracts and protocols
  • To ensure legal obligations are fulfilled as required or necessitated by legal regulations
  • To contact natural / legal persons who have business relations with Studio Santral
  • To deliver legal reports
  • To manage call center processes
  • To fulfill the proof obligation as evidence in future legal disputes
  • To execute information security processes

4.1.3 Detailed table about Storage Periods

| Details of the Data Types | Storage Period Starting Date | Storage Period |
|---|---|---|
| Personal data received from potential business partners who do not have any contractual relationship with Studio Santral (proposal requests) | Data processing date | 2 years |
| Data collected in phone calls with students | End of contractual relationship with Studio Santral | 2 years |
| Telephone records of the candidates who request housing services | Date of the interview | 2 years |
| Data collected within the framework of the contractual relationship | End of business relationship with Studio Santral | 2 years |
| Visit data records kept by security officer | Data processing date | 1 year |
| Video recordings of security cameras in the Studio Santral building | Data processing date | 3 months |
| Data received from employee candidates | Data processing date | 1 year |
| Employee’s personal data collected within the scope of business relationship | Termination date of employment | 10 years |

4.2 Reasons Requiring Disposal

Personal data are erased or destroyed upon the data subject’s request, or erased, destroyed or anonymized ex officio, by Studio Santral under the following conditions:

  • Amendment or abolishment of the relevant legislative provisions that constitute the basis of personal data processing,
  • Ending of the processing or storing purpose,
  • In cases where the processing of personal data takes place only on the basis of the explicit consent condition, the data subject’s withdrawal of his explicit consent,
  • On the ground of Article 11 of the Law, acceptance by Studio Santral of the data subject’s application regarding the erasure or destruction of his personal data within the framework of his rights,
  • In cases where Studio Santral rejects the application for erasure, destruction or anonymization of the personal data, and the data subject finds the answer inadequate or Studio Santral does not respond to his application within the period stipulated by the Law; the data subject is entitled to make a complaint to the Board and receive the Board’s approval on the complaint,

In the event that the maximum period requiring the storage of personal data has expired and there are no conditions that would justify storing the personal data for a longer period, the data is deleted, destroyed and anonymized by Studio Santral.

4.3 Erasure, Destruction and Anonymization of Personal Data

Studio Santral stores personal data only for the period stipulated in the relevant legislation or the period required for the purpose for which they are processed. Within this scope, it is first determined whether the relevant legislation stipulates a period for the storage of the personal data. If a period is stipulated, it is followed; if not, the personal data are stored for the period required for the purpose for which they are processed. When the period ends or the reasons requiring processing no longer exist, personal data are erased, destroyed, or anonymized according to this Policy.

All operations relating to erasure, destruction and anonymization of personal data shall be recorded and those records shall be stored for a minimum of three years excluding other legal obligations.

4.3.1 Erasure of Personal Data

Erasure of personal data is the process of rendering personal data inaccessible and non-reusable in any way for the users concerned.

When the storage period expires because the purpose requiring the processing of personal data within its own structure has been fulfilled, the user concerned takes technical and organizational measures to prevent the processing of the relevant personal data within its field of duty. Other users within the structure of Studio Santral do not erase, destroy or anonymize the relevant personal data within their own jurisdiction and duties if the processing purposes and storage periods required for the same personal data have not expired.

If erasing the personal data would make other data that is not required to be erased inaccessible and unusable, the personal data will be deemed erased provided that the necessary technical and operational measures are taken: either the data shall be archived by anonymization, or access to the personal data by any other institution, organization or person shall not be allowed, and it shall be ensured that the personal data can be accessed only by authorized persons.

The erasure of personal data is conducted based on the relevant recording medium as shown in the table below:

| Data Recording Medium | Explanation |
|---|---|
| Personal Data in the servers | For personal data in the servers whose required storage period has expired, erasure is performed by the system administrator by removing the access authorization of the users concerned. |
| Personal Data in Electronic Means | Personal data in electronic means whose required storage period has expired are made inaccessible and non-reusable in any way for other employees (users concerned), except for the database administrator. |
| Personal Data in Physical Media | Personal data in physical media whose required storage period has expired are made inaccessible and non-reusable in any way for other employees, except for the responsible archive manager. Additionally, the data are blacked out by drawing over, painting over or erasing them so that they are unreadable. |
| Personal Data in Removable Media | Personal data in flash-based storage media whose required storage period has expired are encrypted by the system administrator and stored in a secure medium with the encryption keys, with access authorization held solely by the system administrator. |

4.3.2 Destruction of personal data

Destruction is the process of rendering personal data inaccessible, irretrievable, or non-reusable by anyone in any way. Studio Santral is conscious of its obligation to take all technical and organizational measures required for ensuring the destruction of personal data, and destroys the relevant personal data according to the data recording medium as follows:

| Data Recording Medium | Description |
|---|---|
| Personal Data in Physical Media | Personal data in printed media whose required storage period has expired are irrecoverably destroyed using paper shredders. |
| Personal Data in Optical / Magnetic Media | Physical destruction, such as melting, burning, or pulverizing, is applied to personal data in optical and magnetic media whose required storage period has expired. In addition, magnetic media are passed through a special device and exposed to a high magnetic field, which makes the data unreadable. |

4.3.3 Anonymization of personal data

Anonymization is the process of rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data. When Studio Santral anonymizes personal data, the data shall be rendered impossible to relate to an identified or identifiable person, even through the use of appropriate techniques such as recovery of the data by the data controller, recipient or recipient groups, or matching the data with other data. Studio Santral is obliged to take all technical and organizational measures required for ensuring the anonymization of personal data.

5. Organizational and Technical Measures

Pursuant to the By-Law, the information regarding the technical and organizational measures taken for the lawful destruction of personal data should be shown in this Policy. Accordingly, the technical and organizational measures taken to process personal data in accordance with the personal data processing principles are set out below. In addition, new organizational and technical measures will be taken as new requirements develop, and this Policy will be updated accordingly.

5.1 Organizational Measures

  • Establishing a Personal Data Protection Committee operating within Studio Santral, with ultimate responsibility resting with the legal entity of Studio Santral, in order to comply effectively with the legislation regarding the protection of personal data,
  • Preparation of Information Security Policy,
  • Periodic auditing of compliance with KVKK obligations by the Internal Audit unit,
  • Anticipating access authorization restrictions,
  • Ensuring data minimization,
  • Determining the data storage periods,
  • Raising awareness through meetings / trainings held / to be held with all business units of Studio Santral,
  • Training of the employees about the issues to be considered in compliance with the Law, and training on Information Security
  • Harmonization of Studio Santral’s business and operational processes with the Law,
  • Preparing data inventory
  • Determining the circumstances under which data processing conditions occur,
  • Adding provisions to all third party and employee contracts to protect personal data and concluding confidentiality agreements in this regard,
  • Publishing notices on Studio Santral’s website about data subjects’ personal data and about the receiving of relevant applications,
  • Improving processes for system security, etc.

5.2 Technical Measures

In addition to the above operational measures, Studio Santral takes the following technical measures to ensure the security of personal data:

  • Authorization matrix is being created
  • Authority control is being done
  • Access logs are kept
  • User accounts are managed
  • The network environment is secured
  • Applications are secured
  • Data is encrypted with encryption methods
  • Institutional safety is tested by performing penetration tests.
  • Intrusion detection and prevention systems are established
  • Log records are examined and backed up
  • Data masking is done
  • Data loss prevention software is used
  • Backup systems are used
  • Latest anti-virus systems are used
  • Erasure, destruction or anonymization of data is performed according to the applicable conditions

6. Update of the Policy

The policy is revised as needed and the necessary sections are updated.

7. Enforcement

When the policy is published on the website, it is considered to have come into force.