info@ana-grp.com

+966558490607

Data Storage Disposal Policy

Blog Our Services

Data Storage Disposal Policy

REF# Policy/Data/1034/25

Date:03 jan,2024

1. PURPOSE

Purpose of Personal Data Storage and Disposal Policy (“Policy”) is prepared with the aim of determining the procedure and principles of conducting the storage and disposal activities by ANNA STAR CONTRACTING COMPANY.

Company establishes processing of the personal data of employees of Company, candidate employees, service providers, visitors and other third parties in accordance with the Constitution, international agreements, the Personal Data Protection Law with no. 6698 (“Law”) and other relevant legislation and providing to effective use of the relevant persons’ rights. The work and transactions regarding the storage and disposal of personal data are carried out in accordance with the Policy prepared by the Company in this direction.

2.SCOPE

This Policy is prepared for the people whose personal data are processed by our Company, especially company stakeholders, company authorities, company and group company customers, potential customers, company business partners, candidate employees, visitors and third parties, either automatically or by non-automatic means provided that they are part of any data recording system and applied within the scope of these determined people. Our Company informs the afore-mentioned Personal Data Subjects about the Law by means of publishing this Policy on the web-site. For our Company’s employees, the Personal Data Processing Policy for Employees is applied.

3.DEFINITION

Recipient group: the category of natural and legal person to which the personal data are transferred by the data controller, Explicit consent: Freely given and informed consent on a specified issue Anonymization: rendering personal data impossible to link with an identified or identifiable natural person, even though matching them with other data, Employee : Shakeel Ahmed Medium : any type of environment that the personal data processed to be created, read, changed and written wholly or partially by automated means

Non-electronical Medium: The other environments such as written, published, visual etc. except the electronical ones

Service Providers: The real and legal person who provides service to the Company in the frame of a certain agreement

Data subject: the natural person whose personal data are processed

Disposal: erasure, destruction or anonymization of personal data, Law: Personal Data Protection Law No. 6698, Personal data processing inventory: the inventory which are detailed by explanations of the followings: personal data processing activities of data controllers according to their business processes; purposes and legal ground of personal data processing; data category; maximum data storage period required for the purposes formed relating to the recipient group to whom the data are transferred and with data subject groups, and for personal data processing; personal data envisaged to be transferred to foreign countries; and measures taken relating to the data security, Processing of personal data : any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof, Special categories of personal data: Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data

Periodic Disposal : the erasure, destruction or anonymization process which is determined in the personal data storage and disposal policy and to be carried out periodically ex officio, in the event that all of the conditions for processing laid down in the Law no longer exist,

Data Processor: the natural or legal person who processes personal data on behalf of the data controller upon its authorization,

Data filing system: the system where personal data are processed by being structured according to specific criteria,

Data Controller: the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

Activities

4.LIABILITY AND DISTRIBUTION OF DUTY

All units and employees of Company actively supports the liable units in terms of applying the implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy, increasing the training and awareness of the employees of the unit, monitoring and continuous supervision, preventing unlawful processing of personal data, preventing unlawful access to personal data and ensuring that personal data is stored in accordance with the law, taking technical and administrative measures to ensure data security in all environments where data is processed.The distribution of the titles, units and job descriptions of those involved in the storage and disposal processes of personal data is given in Table 1. Table 1: The distribution of duty on the processes of storage and disposal

• TITLE • DUTY

• General Manager

• Responsible for employees to the actin accordance with policy.

• IT Manager

• Responsible for providing the technical solutions needed in theimplementationof the policy.

• Data Management Unit

• Responsible for the fulfillment of the duties required in the implementation of the policy the dataandassigned bycontroller.

• Other Unit Chiefs

• Responsible for the execution of the Policy in accordance with their duties.

5. THE PERSONAL DATA SUBJECT’S RIGHT AND USAGE OF THESE

RIGHTSThe Rights of Personal Data Subjects Personal data subjects have the following rights:  Learning whether personal data is processed,  If processed, requesting information on the personal data processing,  Learning the purpose of the personal data processing and whether they are usedin accordance with that purpose,  Learning the third parties the personal data transferred in the country and abroad.  Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to third parties to whom personal data are transferred,  Request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, nevertheless the fact that it has been processed in accordance with the provisions of the Personal Data Protection Law and other related laws, and requesting the notification of the transaction made within this scope to third parties to whom the personal data has been transferred,  Making objection to the occurrence of a result against the person by analyzing theprocessed data exclusively through automated systems.  Requesting the compensation of the damage due to the processing of personal data illegally.

Circumstances that Personal Data Subjects Cannot Claim Their Rights

8.Personal data subjects cannot claim the rights of personal data subjects listed in 10.1.1., since the following situations are excluded from the scope of the Personal Data Protection Law in accordance with Article 28 of that Law:  Processing personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.Pursuant to the 2nd paragraph of Article 28 of the Personal Data Protection Law, in the circumstances stated below, the personal data subject cannot claim the rights declared in 8.1.1., except the right to request the compensation of damages: (1) Processing of personal data is necessary for the prevention of crime or for a criminal investigation. (2) The processing of personal data made public by the personal data subject. (3) The processing of personal data is necessary for the execution of supervision or regulation duties and disciplinary investigation or prosecution by the authorized and competent public institutions and organizations and public professional organizations, based on the authority granted by the law. (4) Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues.
It is not possible to make requests by third parties on behalf of personal data subjects. In order for a person other than the personal data subject to make a request, the original copy of power of attorney issued by the personal data subject on behalf of the person to make the application shall be submitted. In their application to exercise their rights, personal data owners will fill in the "Application Form Regarding Applications Made to the Data Controller by the Relevant Person (Personal Data Subject) in accordance with the Personal Data Protection Law with No. 6698", which is linked above. The method of the application to be made is also explained in detail in this form.If the process requested by the personal data owner requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by our company. The method of depositing this fee will be specified in the Application Form. Applications will not be considered if this fee is not paid in accordance with the described procedure.

The Right to Complaint to the Personal Data Protection Board of Personal Data Subject

In case the application is rejected in accordance with Article 14 of the Personal Data Protection Law, the response of our Company is found to be insufficient or the application is not answered in time; personal data subject can make a complaint to the Personal Data Protection Board within thirty days from the date of learning the answer of our Company, and in any case within sixty days from the date of application.

Our Company's Procedure and Duration to Respond to Applications

If the personal data owner submits the request of this section to our Company in accordance with the above-mentioned procedure, our Company will finalize the request as soon as possible and within thirty days at the latest, depending on the nature of the request. Information Our Company May Request from Personal Data Subject Applying Our Company may request information from the person concerned in order to determine whether the applicant is the subject of personal data. In order to clarify the matters in the application of the personal data subject, our company may ask a question to the personal data subject about his application.

Company's Right to Reject the Application of Personal Data Owner

Our company may reject the application of the applicant by explaining the reason in the following situations: (1) Processing personal data for purposes such as research, planning and statistics by anonymizing them with official statistics. (2) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime. (3) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security. (4) Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings. (5) Processing of personal data is necessary for the prevention of crime or fora criminal investigation. (6) Processing personal data made public by the personal data owner himself. (7) The processing of personal data is necessary for the execution of supervision or regulation duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations that qualify as public institutions, based on the authority granted by the law. (8) Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues. (9) The possibility of the personal data subject's request to hinder the rights and freedoms of other persons (10) Requests requiring disproportionate effort have been made. (11) The information requested is public information.

9.Within the scope of this document, our company manages the Personal data policy by adopting the following fundamental principles.

Processing the personal data appropriate to the law and good faith Keeping personal data accurate and updated when necessary, Processing the personal data for specific, clear, legitimate purposes, Processing personal data linked to the purpose for which they are processed, in limited, and measuredly, Keeping personal data for the period stipulated in the relevant legislation or for the purpose for which they are processed, Enlightening and informing personal data owners, Setting up the necessary system for personal data owners to exercise their rights, Taking required measures in the preservation of personal data, To act in accordance with the relevant legislation and the regulations of the Personal Data Protection Board in transferring personal data to third parties in line with the requirements of the processing purpose, To give the necessary importance to process and protect the special categories of personal data. Our Company, as the 12th article of Personal Data Protection Law, takes required administrative and technical precautions due to the appropriate safety level through preventing to process the processed personal data unlawfully, preventing to access the data unlawfully and provide to store the data.

10. TRANSFER OF THE PERSONAL DATA AND ITS PURPOSE

Purpose of Data Transfer

Business Partners

To take products and services, the projects and cooperation with company itself or with the Group Companies during the Company’s commercial activities

Group Companies

To conduct the commercial activities of the company that require the participation of companies affiliated to the group to which it is affiliated

Shareholders

In accordance with the provisions of the relevant legislation, it can be transferred in a limited manner for the purposes of the activities carried out by the Company within the scope of company law, event management and communication processes regarding the Company.

Company Authorities

In accordance with the provisions of the relevant legislation, it can be transferred in a limited manner for designing strategies for the commercial activities of the Company, ensuring the highest level of management and auditing purposes.

Legally Authorized Public Companies and Institutions

Within the legal authority of the relevant public companies and organizations, it can be transferred in a limited manner for the purpose requested.

Legally Authorized Private Law Persons

In accordance with the provisions of the legislation, the relevant private law persons can be transferred within their legal authority with a limited purpose.

11.DATA CATEGORIES

Personal Data Subject Category

Explanation

Customer

Real persons who used or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with the Company

Potential Customer

Real persons who have requested or made an interest in using our products and services or who have been evaluated in accordance with the rules of commercial practice and honesty.

Visitor

Real persons who, for various purposes, visit the physical premises that our Company owned, or an organization organized in there, or enter our websites.

Third Parties

Third-party natural persons who are associated with our company in order to ensure the security of commercial transactions between the aforementioned parties or to protect the rights of the aforementioned persons and to obtain benefits.

Candidate Employee

Real persons who have applied for a job to our company in any way or who have opened their cv and related information to our company for inspection.

Shareholders

Natural persons who are shareholders of our company or real person representatives of legal person shareholders

Company Authorities

Board member of our company and other real persons authorized by our company

Employees, Shareholders and Authorities of Institutions We Cooperate with

Real persons working in organizations with which our company has all kinds of business relations (such as business partners, suppliers, but not limited to them), including the shareholders and authorities of these institutions

PERSONAL DATA CATEGORIZATION

EXPLANATION

Identity Info

The documents such as Driving License, Id Card and Passport,with name-surname, Id number, nationality, parents names, birth place, birth date, gender info, and Social Security Institution no, signature info, vehicle plate, etc.

Communication Info

Info that are clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non- automatically as part of the data recording system; such as phone number, address, e-mail address, fax number, IP address.

Location Info

Info determining the location of the employees of the companies while using the Company vehicles; GPS location, travel data, etc.

Visual/Audial Data

Info that are clearly belonging to an identified or identifiable natural person; data contained in documents that are copies of photographs and camera recordings, sound recordings and documents containing personal data.

Customer Info

Info obtained and produced about the person concerned as a result of our commercial activities and operations carried out by our business units within this framework I

Customer Operation Info

nformation about the products and services we offer or the family members and relatives of the personal data owner in order to protect the legal interests of the Company and the data subject.

Physical Space Security Info

Information such as records for the use of our products and services, and instructions and requests required by the customer for the use of products and services

Process Security Info

Personal data regarding the records and documents taken during the entrance to the physical space, during the stay in the physical space Your personal data processed in order to ensure technical, administrative, legal and commercial security while conducting business activities

Risk Management Info

Personal data processed by means of methods used in accordance with the generally accepted legal, commercial practice and good faith in these fields so that we can manage our technical and administrative risks.

Financial Info

Processed personal data regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship our company has established with the personal data owner.

Employee Info

All kinds of personal data processed to obtain information that will be the basis of the personal rights of our employees or real persons who have a working relationship with our Company.

Candidate Employee Info

Personal data processed about individuals who have applied to be an employee of our company or who have been evaluated as employee candidates in line with the human resources needs of our company or who have a working relationship with our Company in accordance with commercial practices and honesty rules.

Fringe Benefits and Interests Info

Planning the fringe benefits and benefits that we offer and will present to our employees or other real persons who are in a working relationship with our Company, determining objective criteria for entitlement to them and following up the progress of your personal data

Legal Transaction and Accordance Info

Your personal data processed within the scope of determination, follow-up of our legal receivables and rights and the performance of our debts and compliance with our legal obligations and our company's policies

Audit and Inspection Info Special Categories of Personal Data Marketing Info

Your personal data processed within the scope of our company's legal obligations and compliance with company policies Data specified in Article 6 of Law No. 6698 Personal data processed for the marketing of our products and services in line with the usage habits, taste and needs of the personal data owner and the reports and evaluations created as a result of this processing

Request/Complaint Management Info Event Management Info

Personal data regarding the receipt and evaluation of any request or complaint directed to our company Information and evaluations collected about events that have the potential to affect our company, its employees and shareholders

12.LEGAL REASONS AND LEGITIVE PURPOSES THAT REQUIRINGSTORAGE

The information held by the company is kept in accordance with the provisions ofthe relevant legislation.(Public Procurement Law No. 4734, Civil Servants Law No. 657, Social Insurance and General Health Insurance Law No. 5510, Occupational Health and Safety Law No. 6331, Law No. 4982 on Using the Right to Petition, Law No. 3071, Labor Law No. 4857, Higher Education Law No.2547, Retirement Health Law No.5434, Social Services Law No.2828, Regulation on Health and Safety Measures to be Taken in Workplace Building and its Extensions, Regulation on Archive Services, etc.)Our Company processes personal data limited to the purposes and conditions within the personal data processing conditions specified in the Article 5 of paragraph 2 and the Article 6 of paragraph 3, of the Personal Data Protection Law No. 6698. These purposes and conditions are:
It is explicitly stipulated by the Laws that our Company will carry out relevantactivities regarding the processing of your personal data.The processing of your personal data by our Company is directly related andnecessary with the establishment or performance of a contract.Processing of your personal data is mandatory for our Company to fulfill its legal obligation.Provided that your personal data are made public by you; processing by our Company in a limited way for your publicization purpose,The processing of your personal data by our Company is mandatory for the establishment, use or protection of our Company or your or third parties' rights.It is mandatory to perform personal data processing for the legitimate interests of our Company, provided that it does not harm your fundamental rights and freedoms.It is compulsory for our company to process personal data for the protection of the life or physical integrity of the personal data owner or another person, and in this case, the personal data owner is unable to disclose his consent due to the actual impossibility or legal invalidity.Special categories of personal data other than the health and sexual life of the personal data owner, in cases determined by the law,In the absence of the above conditions, in order to carry out personal data processing activities, the Company applies to the explicit consent of the personal data owners.
According to our company policy, the following situations are considered as legitimate processing purposes in terms of current activities and data that may be processed in the future. Establishing and managing information technology infrastructure Making the best use of the products and services of Personal Data Subjects and recommending them according to their requests, needs and requests,Ensuring the highest level of data security, Creating databases Improving the services offered on the website and eliminating the errors on the website, supporting the Group Companies' personnel recruitment processes and compliance with the relevant legislation Planning, auditing and execution of information security processes Planning and execution of emergency management processes Planning and implementation of human resources policies in the best way, Correct planning, execution and management of commercial partnerships and strategies,  Ensuring the legal, commercial and physical security of itself and its business partners,  Ensuring institutional functioning, planning and execution of management and communication activities, Communicating with Personal Data Subjects who convey their requests and complaints to them and to provide request and complaint management,Event management, Management of relations with business partners or suppliers, Execution of personnel procurement processes,Planning and execution of employee satisfaction and / or loyalty processes Planning and execution of fringe benefits and interests for employees Planning and execution of employees' access to information rights Following and / or controlling of employees' business activities Following financial and / or accounting issues Following legal affairs Planning human resources processes Planning and execution of business activities Planning and execution of business partners and / or suppliers' access rights to information Management of relations with business partners and / or suppliers
Planning and execution of corporate communication activities Planning and / or execution of corporate risk management activities Planning and execution of corporate sustainability activities Planning and execution of corporate governance activities Planning and execution of customer relationship management processes Planning and / or following customer satisfaction processes Following customer requests and / or complaints Creating and following a special insurance policy for the vehicles purchased by the customer Execution of personnel procurement processes After sales support services Fulfillment of obligations arising from employment contracts and / or legislation for company employees Ensuring the security of company fixtures and / or resources Planning and execution of company audit activities Planning and execution of external training activities Planning and execution of the operational activities required to ensure that the company activities are carried out in accordance with company procedures and / or relevant legislation. Planning and execution of internal appointment-promotion and dismissal processes Ensuring the security of the company's campus Planning and / or execution of the company's financial risk processes Planning and / or execution of the company's production and / or operational risk processes Conducting company and partnership law transactions Following contract processes and / or legal requests Execution of strategic planning activities Planning and execution of supply chain management processes Planning and execution of human resources needs required for production Planning and execution of production and / or operation processes Planning and execution of market research activities for the sales and marketing of products and services Planning and execution of marketing processes of products and / or services Planning and execution of the sales processes of products and / or services
Planning and execution of promotion and / or marketing processes of products and / or services Ensuring that the data are accurate and updated Planning and executing talent - career development activities Giving information to authorized persons and / or organizations based on legislation Creating and tracking visitor records

13.REASONS REQUIRING DISPOSAL

Reasons Requiring Disposal Amendment or abolition of the relevant legislation provisions that constitute the basis for processing personal data. The abolition of the purpose requiring processing or storage, In cases where the processing of personal data takes place only on the condition of express consent, the persons concerned withdraws their express consent, In accordance with Article 11 of the Law, the application made by the Company for the deletion and destruction of personal data within the framework of the rights of the person concerned, In the event that the company rejects the application made by the person concerned with the request for deletion, destruction or anonymization of his personal data, finds his answer inadequate or does not respond within the period stipulated in the Law; Making a complaint to the Board and approval of this request by the Board, In cases where the maximum period that requires the storage of personal data has passed and there are no conditions to justify the storage of personal data for a longer period, they are deleted, destroyed or ex officio deleted, destroyed or anonymized by the Company at the request of the person concerned.

14.TECHNICAL AND ADMINISTRATIVE MEASURES

In accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law for the safe storage of personal data, the technical and administrative measures to prevent unlawful processing and access, and for the disposal of personal data in accordance with the law are taken by the company within the frame of the adequatemeasures determined and announced by the Board for the special categories of personal data.Technical Measures: The technical measures taken by the Company due to the processed personal data are listed: • With Penetration tests, the risks, threats, vulnerabilities and gaps, if any, of our Company's information systems are revealed and necessary measures are taken.
• As a result of real-time analysis with information security event management, risks and threats that will affect the continuity of information systems are constantly monitored. • Access to information systems and authorization of users are done through access and authorization matrix and security policies over the corporate active directory. • Necessary measures are taken for the physical security of the company's information systems equipment, software, and data. • By establishing access procedures within the company, reporting and analysis studies regarding access to personal data are carried out. • Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control.• The company takes the necessary measures to ensure that deleted personal data are inaccessible and unavailable for relevant users. • In case personal data is illegally obtained by others, a suitable system and infrastructure has been established by the Company in order to notify the relevant person and the Board. • Security vulnerabilities are followed, and information systems are kept updated. • The strong passwords for the electronical media that personal data processed in are used. • Secure record keeping (logging) systems are used in electronic media where personal data are processed. • Data backup programs are used to ensure the safe storage of personal data. • Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
•The specific policies regarding the special categories of personal data are established. • Within the scope of the special categories of personal data, the employees work in the processing of these data are trained on the safety of special categories of personal data, the confidentiality agreements are drawn up, the authorities of the users who own the authorization to access the data are defined. • Electronic media where private personal data are processed, stored and / or accessed are preserved using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the media are constantly monitored, necessary security tests are carried out regularly, test results are to be recorded, • Adequate security measures are taken in the physical environments where personal data of special nature are processed, stored and / or accessed, and unauthorized entry and exit are prevented by ensuring physical security. • If special categories of personal data shall be transferred via e-mail, they are transmitted in encrypted form, with a corporate e-mail address or using a Registered Electronical Mail account. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment. If transfer is performed between servers in different physical environments, data transfer is performed between servers by setting up a VPN or using the sFTP method. If it is required to be transferred via paper environment, necessary measures are taken against risks such as theft, loss or being seen by unauthorized persons, and the document is sent in "confidential" format.The administrative measures taken by the company in relation to the personal data it processes are listed below: • So as to improve the qualifications of employees, trainings are provided on the prevention of unlawful processing of personal data, prevention of unlawful access to personal data, to provide the maintenance of personal data, communication techniques, technical knowledge skills, Law No. 657 and other relevant legislation. • Employees are made signed the confidentiality agreements regarding the activities conducting by the Company. • A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures. Before starting to process personal data, the Company fulfills the obligation to inform the relevant persons. Personal data processing inventory has been prepared. Periodic and random audits are conducted within the company. Information security training is provided for employees.

15. DATA DISPOSAL METHODES

Deletion of Personal Data

DATA REGISTRY MEDIA

DISPOSAL METHODE

Personal Data on Servers

For the personal data which the required storage durations of them have expired on the servers, the system administrator will remove the access authority of the relevant users and delete them.

Personal Data in Electronic Media

The personal data, which are in the electronic media and which the required storage durations of them have expired, are made inaccessible and unusable for other employees (relevant users), except for the database administrator.

Personal Data in Physical Media

Except for the department manager responsible for the document archive, the personal data which are kept in physical media and which the required storage durations of them have expired, are made inaccessible and unusable in any way. In addition, the blackening process is also applied by scratching / painting / wiping it in an illegible way.

Personal Data in Portable Media

The personal data which are kept in flash-based storage media and which the required storage durations of them have expired, are stored in secure environments with encryption keys, encrypted by the system administrator and the access authority is given only to the system administrator.

Destruction of the Personal Data:

Data Registry Media

Explanation

Personal Data kept in the Physical Media

The personal data which are kept in the Media papers and which the required storage durations of them have expired, are irreversibly destroyed in the paper trimming

Personal Data in the optical/magnetic media

The personal data which are kept in the optical/magnetic media and which the required storage durations of them have expired, are physically destroyed by melting, burning, or pulverizing. Moreover, magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable
The anonymization of personal data is to render personal data in no way associated with an identified or identifiable natural person, even if they are matched with other data.So as to personal data to be anonymized; personal data must be rendered unrelated to an identified or identifiable natural person, even through the use of appropriate techniques in terms Anonymization of Personal Data of the recording medium and the relevant field of activity, such as the return of personal data by the data controller or third parties and / or matching the data with other data.The destruction and anonymization processes are recorded by the data management unit and the records are kept for 3 years.

16.STORAGE AND DISPOSAL DURATIONS

Regarding the personal data being processed by the company within the scope of its activities,
• Storage durations based on personal data related to all personal data within the scope of activities carried out in connection with processes exist in the Personal Data Processing Inventory; Storage durations based on data categories are registered to VERBIS; Process-based retention periods are included in the Personal Data Storage and Disposal Policy.The personnel assigned by the Data Controller are updated on the retention periods, if necessary. For personal data whose retention periods have expired, the process of deletion, destruction or anonymization is carried out by the relevant personnel / (unit, if any).
Table 5: Storage and disposal times table by processes

Data Category

Data Storage Duration

1-Identity

The first periodical disposaltime afterwards the conclusion of the storage duration 10 Years

2-Communication

5 Years The first periodical disposal time afterwards the conclusion of the storage duration

3-Location

5 Years The first periodical disposal time afterwards the conclusion of the storage duration

4-Employee

10 Years The first periodical disposal time afterwards the conclusion of the storage duration

5-Legal Transactions

10 Years The first periodical disposal time afterwards the conclusion of the storage duration

7-Physical Space Security

1 Year The first periodical disposal time afterwards the conclusion of the storage duration

9-Risk Management

5 Years The first periodical disposal time afterwards the conclusion of the storage duration

11-Occupational Experience

5 Years The first periodical disposal time afterwards the conclusion of the storage duration

13-Visual/Audial Records

1 Months The first periodical disposal time afterwards the conclusion of the storage duration

16- Philosophical Belief, Religion,Sect and other beliefs Special Categories of Personal Data

5 Years The first periodical disposal time afterwards the conclusion of the storage duration

17- Outfits and Clothes Special Categories of Personal Data

5 Years The first periodical disposal time afterwards the conclusion of the storage duration

Special Categories of Personal Data 20-Membership of Trade Unions

5 Years The first periodical disposal time afterwards the conclusion of the storage duration

21-Health Info Special Categories of Personal Data

5 Years The first periodical disposal time afterwards the conclusion of the storage duration

23- Criminal Convictions and Security Measures

5 Years The first periodical disposal time afterwards the conclusion of the storage duration
Special Categories of Personal Data

17.PERIODICAL DISPOSAL DURATION

Pursuant to the Article 11 of the Regulation, the Company has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out in the company in June and December of every year

18.THE PROCEDURE REGARDING THE SPECIAL CATEGORIES OF PERSONAL DATA

A specific policy and procedure has been established for the security of special categoriesof personal data.For employees involved in the processing of special categories of personal data, • Regular trainings are given on the law and related regulations and special categories of personal data security. • This is included by the Confidentiality Agreements. • Authority to access data is available in the relevant inventory department and is limited to working periods. Authorization checks are carried out on a monthly basis. • Employees who have a change of position or leave their jobs are removed from their authority in this area, and in this context, the inventory assigned to them by the data controller is returned. The media where special categories of personal data are processed, stored and / or accessed, and the electronic media is encrypted, the transaction records of all transactions performed on the data are securely logged, and the security updates of the media where the data is located are constantly monitored. In case of remote access to data, at least two-step authentication system is used. Necessary security measures have been taken for the room special categories of personal data are processed, stored and / or accessed, and unauthorized entry and exit are prevented. In the transfer of special categories of personal data, data transfer is performed by establishing a VPN between corporate e-mail address, encrypted removable drives and servers. The phrase "documents with a degree of confidentiality" is placed on paper documents.

19.PUBLISHING AND MAINTAINING THIS POLICY

The policy is published in two different media as wet signed (printed paper) and electronically and disclosed to the public on the website. The printed paper copy is also kept in the Data Management Unit file.

20.UPDATE PERIOD, ENFORCEMENT AND TERMINATION OF THE POLICY

Policy, in terms of the necessity, is reviewed and the required sections are updated.Policy, afterwards the publication on the website of the Company is assumed to be entered into force. In case that the termination is decided, policy is canceled (by “cancel” stamping or written “canceled” on it) by the Board of the Company (or the authorized unit or the managers) and signed, and at least 5 years, stored in the private archive.

Contact Us RIGHT NOW to Get Business License

Register your business in Saudi Arabia, UAE, Bahrain, Oman, Paksitan, India, USA, and UK.

Stay Update!!!

Get In Touch

Riyadh, Jubail, Jeddah, Yanbu, Saudi Arabia

info@ana-grp.com

+966558490607

Follow Us

© ANNA Star. All Rights Reserved. Designed by NITSC