Protection of Personal Data
Policy on Privacy of Personal Data and Its Destruction
1. Purpose of the Policy
The purpose of our personal data retention and destruction policy is to set out the philosophy, purpose and action plan for determining, as data responsible, the maximum time required for the purposes for which personal data are processed, and for carrying out the deletion, destruction and anonymization of the data. In this context, our aim is to inform our students, graduates, administrative and academic staff, visitors, the institutions we cooperate with, and all third parties who are in contact with Doğuş University (DOU) about the processing of their data and their rights, and to carry out these transactions transparently while respecting private life.
2. Support of this Policy
Our Policy was prepared in accordance with the Privacy Act dated 7.4.2016 and numbered 6698 (Privacy Act numbered 6698) and articles 5 and 6 of the Directive on Deletion, Destruction and Anonymizing the Personal Data, which took effect upon publication in the Official Gazette dated 28.10.2017 and numbered 30224.
3. Scope of the Policy
Our Policy encompasses our students, graduates, administrative and academic personnel, our visitors, the institutions with which we collaborate, and all natural and legal persons who are in legal relations with DOU, together with all their private and non-private data set forth under Privacy Act numbered 6698.
The Policy encompassed as set forth under Privacy Act numbered 6698, provided that it is part of a data registry system completely or partially where they are processed with non-automatic methods.
Unless otherwise indicated in the policy, personal information and special private information shall jointly be referred to as “Personal Data”.
Interested person: Natural person whose data is being processed,
Personal Data: All kinds of data of natural persons who can be identified,
Special personal data: Biometric and genetic data and the data of individuals related to race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, dress and attire, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures,
Explicit Consent: Consent given relating to a certain matter, based on information and with free will,
Data Supervisor: The natural or legal person (Doğuş University) who is responsible for setting up and managing the data recording system and for determining the purposes and means of processing the personal data,
Processing the personal data: Any kind of operation executed on personal data, in whole or in part automatically or as part of a data registry system, such as obtaining, recording, storing, retaining, altering, re-arranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data,
Deleting the personal data, their destruction or anonymizing,
Table for retaining and destroying personal data: The table which shows the durations for which personal information is kept by the University,
Personal Data processing inventory: The inventory of the personal data processing activities carried out by the data responsible according to business processes, detailing the personal data, the data category, the group of recipients to whom data are transferred and the group of people concerned, the maximum amount of time required for the purposes for which the data are processed, the personal data intended for transfer to foreign countries and the measures taken in relation to data security.
Deleting personal information: Rendering the personal information inaccessible or unobtainable by the interested users in any way whatsoever,
Destruction of personal data: Rendering the personal information inaccessible, unrecoverable or unobtainable by the interested users in any
Even if the personal data are matched with other data, rendering them not identifiable or affiliated with a natural person,
Periodical destruction: The deleting, destroying or anonymizing transactions set forth under the personal data retaining and destruction policy, to be performed ex officio at certain intervals if the personal data processing conditions set forth under law are completely eliminated,
Data registry (retention) system: The registry system whereby personal data are structured and processed based on certain criteria,
Personal Data Protection Board shall refer to Personal Data Protecting Committee.
5. General Principles on which the Policy is based
When personal data are processed by the data supervisor Doğuş University, the following principles shall be abided by:
5.1. Personal information may be processed only in accordance with the principles and methods set forth under Privacy Act numbered 6698.
5.2. The following principles shall be observed in processing the personal data:
a) Being legal and within rules of integrity.
b) Being accurate and up-to-date as required.
c) Being processed for certain, clear and
d) Being connected, limited and proportionate to the purposes of their processing.
e) Being retained for the periods envisaged under the relevant legislations or for their processing purposes.
6. Recording Environments whereby the Policy is regulated
Provided that it is a part of a data registry process which is fully or partially automated, all environments where personal data processed by non-automatic ways are kept shall be deemed as
7. Personal Data Protecting Committee’s duties and authorities
7.1. Personal Data Protecting Committee shall be responsible for announcing this Policy to the related business units and for following up that its requirements are fulfilled by the concerned units of DOU.
7.2. Where changes to the Directive on protecting the personal data, regulating transactions and decisions of the Personal Data Protecting Committee, court orders, or changes in processes, implementation and the system require the concerned business units to update their business processes, the Personal Data Protecting Committee shall make the required notifications and announcements.
7.3. Personal Data Protecting Committee shall determine the processes for inspecting, assessing, following up and concluding matters arising under Privacy Act numbered 6698 and secondary regulations, the decrees and regulations of the Board, court orders, and the decisions and/or requests of other authorized bodies, and shall notify these processes to the concerned units.
Actions to be taken in cases where the Processing conditions for the personal
8.1. Where the objective of processing the personal data has vanished, the explicit consent has been retracted, the conditions for processing the personal data stipulated under articles 6 and 6 of Privacy Act numbered 6698 have vanished, or none of the exemptions set forth in the relevant articles is going to be implemented, the personal data for which the processing conditions have vanished shall be deleted, destroyed or anonymized by the relevant business unit within the scope of articles 7 and 10 of the Directive, taking into consideration the business requirements and clarifying the grounds for the method implemented. However, if there is a finalized court order, it is statutory that the method of destruction decided by the court decree is to be implemented.
8.2. The users processing or retaining the personal data and the data holder DOU units shall review, at intervals of six months at the latest, whether the conditions of processing have vanished in the data registry environments they use. Upon an application by the personal data holder or a notification by the Board or the court, the relevant user and units shall carry out this review in the data registry environments they use without regard for the periodical inspection term.
8.3. As a result of the periodical inspections, or whenever it is determined that data processing conditions have been eliminated, the concerned user or data holder shall decide, as per this policy, on the deletion of the relevant personal data from the recording environment it holds, its destruction or its anonymization. In cases of doubt, the transaction shall be executed after receiving the required opinion from the data holder/owner business unit. When a decision is to be taken on the destruction of personal data subject to multiple owners/stakeholders, the opinion of the Personal Data Protection Committee shall be taken and the person in question shall decide regarding the personal data in question, including keeping or deleting the data as per this policy, its destruction or its being anonymized.
8.4. All transactions executed relating to the deletion, destruction or anonymization of personal data shall be recorded, and the records in question shall be retained for a term of at least three years, excluding the other legal obligations.
8.5. As per articles 4 and 7 of the Directive, the methods implemented for the deletion, destruction and anonymization of personal data shall be clarified in the Data Destruction Procedure, which is to be published after this policy takes effect.
8.6. In deleting, destroying or anonymizing personal data, it is mandatory to observe and abide by the general principles under article 4 of Privacy Act numbered 6698, the technical and administrative precautions to be adopted as per article 12 of Privacy Act, the provisions of relevant legislation, Board resolutions and the policy on preserving and destroying personal data.
8.7. The natural person who possesses the personal data may apply to DOU, based on article 13 of Privacy Act numbered 6698, and request that their personal data be deleted, destroyed or anonymized. The relevant data holder business unit shall inspect whether the conditions for processing the personal data have been eliminated. If all processing conditions have been eliminated, it shall delete, destroy or anonymize the personal data subject to the request. In this case, in a manner whose details shall be determined by the Data Destruction Procedure, the request shall be concluded within thirty days at the latest following the date of application and the applicant shall be informed by the interested authority. If all conditions for processing personal data have been eliminated and the personal data subject to the request have been transferred to third parties, the relevant data owner business unit shall immediately notify the third party to whom the transfer was made and ensure that the required action is taken by the third party within the scope of the Directive.
8.8. Where the circumstances for processing the personal data have not disappeared totally, requests by the holders of personal data for the deletion or destruction of the personal data may be rejected by DOU based on the 3rd clause of article 13 of Privacy Act numbered 6698. The rejection reply shall be notified to the interested person within 30 days at the latest in written form or via electronic environment.
8.9. Requests for the deletion or destruction of personal data shall be assessed only if the person concerned has been identified. In requests to be made outside the channels in question, the persons concerned shall be directed to the channels whereby identification or identity verification can be made.
9. Enforcing the Policy, Cases of violations and sanctions
9.1. This Policy shall enter into force upon notice to all employees and shall be binding for all business units, consultants, external service suppliers and anyone who processes personal data at DOU.
9.2. The follow-up of whether the employees of DOU meet the requirements of the Policy will be the responsibility of their respective supervisors. When a violation of the policy is determined, a supervisor of the relevant employee shall immediately inform the subject. In case of a violation of significant size, the Supervisor shall inform the Committee on Protection of Personal Data without any delay.
9.3. The necessary administrative action shall be taken after the evaluation by the Personnel Department about the employee who violates the policy.
9.4. For the fulfilment of policy requirements, all necessary safety measures, including the ISO standard and the measures required by the Higher Education Council, are taken.
10. Persons and their Responsibilities authorized for the Storing and Disposal of Personal Data
All employees, consultants, external service providers and other persons who store and process personal data at DOU are responsible for fulfilling, within DOU, the requirements for the destruction of data specified in the Regulation and Privacy Act numbered 6698.
Each business unit is responsible for preserving and protecting the data generated in its business processes; however, if the data produced exist only in information systems outside the control and authorization of the business unit, the data will be kept by the units responsible for the information systems.
The periodic destruction that will
affect the business processes and cause the data integrity to be impaired, data
loss and legal regulations will be made by the related information systems
departments taking into account the type of personal data, the systems
considering the business owner units.
11. Retaining and Elimination Periods of Personal Data
You may find below the Table for Storing and Disposing Periods of Personal Data. In case of periodic destruction or on-demand disposal, such storage and disposal times shall be taken into consideration. The business units will be updated on the basis of the evaluation of the Committee for the Protection of Personal Data, if in doubt
12. Periodical Periods of Destruction
Periodical periods of elimination of the Personal Data shall be determined by the relevant business units who hold the data. Such periods shall not exceed 6 (six) months.
13.1. The Policy shall take effect on the date of its being published.
13.2. Announcing the Policy within DOU in general and doing the required updates is the responsibility of the Committee for Protecting Personal Data.
Table for Storing and Disposing Periods of Personal Data
Unless there is a finalized court decision or precautionary decision to the contrary, the matters set forth under article 6 of the policy shall be considered in storing/keeping the data for the periods set forth in the following table, and they shall be terminated at the end of the term.
As per article 146 of Turkish Code of Obligations numbered 6098 which regulates the general lawsuit time-lapse duration
As per other
As long as the term set forth under the relevant legislation
personal data in question is subject to a crime which requires penalty under Turkish Penal Code or other regulations requiring penalty or being related with a crime, as per articles 66 and 68 of Turkish Penal Code numbered
long as the durations set forth under lapse of time for lawsuits and lapse of time and Judicial Registry Law numbered 5352