Skip to main content Skip to footer
Sun Anaokulları
  • About
  • Curriculum
  • Our School
  • Admissions
  • Reviews
  • Contact
  • tr
Book a Tour
Sun Anaokulları
  • About
  • Curriculum
  • Our School
  • Admissions
  • Reviews
  • Contact
0212 669 42 41
  • tr
Book a Tour
Legal

Personal Data Retention and Disposal Policy

Last updated on: 04/07/2026Version 1.0
Contents
Have a question? Write to us →

Introduction

This disposal policy has been prepared by ÖZEL ISPARTAKULE SUN ANAOKULU [FULYA KOÇALİ] (the “School”), in its capacity as data controller, to determine the procedures and principles to be applied by the School regarding the deletion, destruction or anonymization of the personal data it holds, pursuant to Law No. 6698 on the Protection of Personal Data (the “PDP Law”) and other applicable legislation.

In this context, the personal data of our employees, employee candidates, parents, students (our minor children) and all natural persons whose personal data is held by the School for any reason is managed in accordance with the law, within the framework of the Personal Data Processing and Protection Policy and this Personal Data Retention and Disposal Policy.

Definitions

Direct Identifiers

Identifiers which, on their own, directly reveal, disclose and distinguish the person to whom they relate

Indirect Identifiers

Identifiers which, when combined with other identifiers, reveal, disclose and distinguish the person to whom they relate

Data Subject

The natural person whose personal data is processed

Disposal

The deletion, destruction or anonymization of personal data

Law

Law No. 6698 on the Protection of Personal Data, published in the Official Gazette No. 29677 dated 07.04.2016

Regulation

The Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette No. 30224 dated 28.10.2017

Board

The Personal Data Protection Board

Recording Medium

Any medium containing personal data processed by fully or partially automated means, or by non-automated means provided that it forms part of a data recording system

Personal Data Processing and Protection Policy

The policy accessible on the website that sets out the procedures and principles for the management of personal data held by the School

Data Recording System

The recording system in which personal data is processed by being structured according to specific criteria.

Media and Security Measures

Media in Which Personal Data Is Stored

Personal data stored by the School is kept in a recording medium appropriate to the nature of the data concerned and to our legal obligations.

The recording media used for the storage of personal data are, in general, those listed below. However, some data may be kept in a medium different from those shown here due to its special characteristics or our legal obligations. In all cases, the School acts in its capacity as data controller and processes and protects personal data in accordance with the Law, the Personal Data Processing and Protection Policy and this Personal Data Retention and Disposal Policy.

Printed Media

Media in which data is kept printed on paper or microfilm.

Local Digital Media

Servers within the School, fixed or portable disks, optical disks and other similar digital media.

Cloud Media

Media that are not located within the School but are in the School’s use, employing internet-based systems encrypted with cryptographic methods.

Ensuring the Security of the Media

The School takes all necessary technical and administrative measures — appropriate to the nature of the personal data concerned and the medium in which it is kept — to store personal data securely and to prevent its unlawful processing and access.

Technical Measures

The School takes the following technical measures for all media in which personal data is stored, appropriate to the nature of the data and the medium:

  • Only up-to-date and secure systems in line with technological developments are used in the media where personal data is kept.
  • Security systems are used for the media where personal data is kept.
  • Security tests and investigations are carried out to detect security vulnerabilities in information systems, and existing or potential risks identified as a result of these tests and investigations are remedied.
  • Access to the media where personal data is kept is restricted, allowing only authorized persons to access this data, limited to the purpose of storage, and all access is logged.
  • The School employs sufficient technical personnel to ensure the security of the media where personal data is kept.

Administrative Measures

The School takes the following administrative measures for all media in which personal data is stored, appropriate to the nature of the data and the medium:

  • Work is carried out to raise the awareness of all School employees who have access to personal data on information security, personal data and the privacy of private life.
  • Legal and technical consultancy services are obtained in order to follow developments in the fields of information security, privacy of private life and the protection of personal data, and to take the necessary actions.
  • Where personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all due care is exercised to ensure that these third parties comply with their obligations under these protocols.

Internal Audit

Pursuant to Article 12 of the Law, the School conducts internal audits regarding the application of the provisions of the Law, this Personal Data Retention and Disposal Policy and the Personal Data Processing and Protection Policy.

If deficiencies or faults in the application of these provisions are identified as a result of the internal audits, they are remedied immediately.

If it is understood during an audit or otherwise that personal data under the School’s responsibility has been obtained by others through unlawful means, the School notifies the data subject and the Board as soon as possible.

Disposal of Personal Data

Reasons for Retention and Disposal

Reasons for Retention

Personal data held within the School is stored for the purposes and reasons stated herein, in accordance with the Law and our Personal Data Policy.

Reasons for Disposal

Personal data held within the School is deleted, destroyed or anonymized in accordance with this disposal policy, upon the data subject’s request or ex officio when the reasons listed in Articles 5 and 6 of the Law cease to exist.

The reasons listed in Articles 5 and 6 of the Law are as follows:

  • It is expressly provided for by law.
  • It is necessary for the protection of the life or physical integrity of a person who is unable to give consent due to actual impossibility, or whose consent is not legally valid, or of another person.
  • It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of that contract.
  • It is necessary for the data controller to fulfil its legal obligations.
  • The data has been made public by the data subject themselves.
  • Data processing is necessary for the establishment, exercise or protection of a right.
  • Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Disposal Methods

The School deletes, destroys or anonymizes the personal data it stores in accordance with the Law, other applicable legislation and the Personal Data Processing and Protection Policy — upon the data subject’s request or ex officio within the periods specified in this Personal Data Retention and Disposal Policy — when the reasons requiring its processing cease to exist.

The deletion, destruction and anonymization techniques most frequently used by the School are listed below:

Deletion Methods

Deletion Methods for Personal Data Kept in Printed Media — Redaction

Personal data in printed media is deleted using the redaction method. Redaction is performed by cutting out the personal data on the relevant document where possible, and where not possible, by rendering it invisible using permanent ink in a manner that is irreversible and cannot be read with technological solutions.

Deletion Methods for Personal Data Kept in Cloud and Local Digital Media — Secure Software-Based Deletion

Personal data kept in cloud or local digital media is deleted with a digital command in a manner that cannot be recovered. Data deleted in this way cannot be accessed again.

Destruction Methods

Destruction Methods for Personal Data Kept in Printed Media — Physical Destruction

Documents kept in printed media are destroyed with document shredders in a manner that they cannot be reassembled.

Destruction Methods for Personal Data Kept in Local Digital Media

Physical Destruction: The physical destruction of optical and magnetic media containing personal data, such as melting, incinerating or pulverizing. Data is rendered inaccessible through processes such as melting, burning, pulverizing or passing the optical or magnetic media through a metal grinder.

Degaussing: The process of exposing magnetic media to a strong magnetic field so that the data on it is corrupted beyond readability.

Overwriting: Random data consisting of 0s and 1s is written at least seven times over magnetic media and rewritable optical media, preventing the old data from being read or recovered.

Destruction Methods for Personal Data Kept in Cloud Media — Secure Software-Based Deletion

Personal data kept in cloud media is deleted with a digital command in a manner that cannot be recovered, and when the cloud computing service relationship ends, all copies of the encryption keys required to render the personal data usable are destroyed. Data deleted in this way cannot be accessed again.

Anonymization Methods

Anonymization means rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data.

Variable Removal: The removal of one or more of the direct identifiers contained in the data subject’s personal data that would serve to identify the person in any way. This method may be used to anonymize personal data, and may also be used to delete information within the personal data that is not compatible with the purpose of processing.

Local Suppression: The deletion of potentially distinguishing information relating to exceptional data within a data table where personal data is held collectively in anonymized form.

Generalization: The process of bringing together the personal data of many persons and converting it into statistical data by removing distinguishing information.

Lower and Upper Bound Coding / Global Coding: For a given variable, ranges of that variable are defined and categorized. If the variable does not contain a numerical value, data within the variable that is close to each other is categorized. Values within the same category are merged.

Micro-Aggregation: With this method, all records in the data set are first arranged in a meaningful order, and then the whole set is divided into a specific number of subsets. The average of the value of the designated variable for each subset is then calculated, and the value of that variable for the subset is replaced with the average value. Since the indirect identifiers within the data are thereby disrupted, associating the data with the data subject is made more difficult.

Data Shuffling and Perturbation: The direct or indirect identifiers within the personal data are mixed with other values or perturbed, severing their connection with the data subject and ensuring they lose their identifying qualities.

The School uses one or more of these anonymization methods according to the nature of the data concerned. When applying these anonymization methods, the School may use the statistical methods of K-Anonymity, L-Diversity and T-Closeness.

Retention and Disposal Periods

Retention Periods

Data SubjectData CategoryRetention Period
StudentIdentity information, enrollment documents, family information, contact informationRetained for 10 years from the end of the educational relationship.
StudentHealth file data (vaccinations, allergies, chronic illnesses, medication use, dietary information, etc.)Retained for the duration of the educational relationship and for 30 years from its end.
StudentEducation and development files, class notes, performance reportsRetained for 10 years from the end of the educational relationship.
Parent / Legal RepresentativeIdentity information, contact information, financial informationRetained for 10 years from the end of the educational relationship.
Student / ParentCamera footage, vehicle license plate informationRetained for 2 months.
EmployeeRecruitment documents, notifications made to the Social Security Institution, personnel recordsRetained for 10 years from the end of the employment relationship.
EmployeeData contained in the Workplace Personal Health FileRetained for the duration of the employment contract and for 30 years from its termination.
Employee CandidateInformation contained in the CV and job application formRetained for as long as the CV remains current, up to a maximum of 1 year.
Website VisitorName, surname, email address, browsing activity informationRetained for 2 years.
Accounting DataInvoices, payment information, contract recordsRetained for 10 years pursuant to Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code.

* Where a longer period is prescribed by legislation, or where a longer period is envisaged under legislation for statutes of limitation, preclusive periods, retention periods and the like, the periods in the legislative provisions are deemed to be the maximum retention period.

Disposal Periods

The School deletes, destroys or anonymizes personal data in the first periodic disposal operation following the date on which its obligation to delete, destroy or anonymize the personal data for which it is responsible arises, pursuant to the Law, applicable legislation, the Personal Data Processing and Protection Policy and this Personal Data Retention and Disposal Policy.

When the data subject applies to the School pursuant to Article 13 of the Law and requests the deletion or destruction of their personal data:

  • If all of the conditions for processing the personal data have ceased to exist, the School deletes, destroys or anonymizes the personal data subject to the request, using the appropriate disposal method and explaining its reasoning, within 30 (thirty) days of receiving the request. For the School to be deemed to have received the request, the data subject must have made the request in accordance with the Personal Data Processing and Protection Policy. In all cases, the School informs the data subject about the action taken.
  • If all of the conditions for processing the personal data have not ceased to exist, the request may be rejected by the School with an explanation of the grounds, pursuant to the third paragraph of Article 13 of the Law, and the rejection is communicated to the data subject in writing or electronically within thirty days at the latest.

Periodic Disposal

Where all of the personal data processing conditions set out in the Law have ceased to exist, the School deletes, destroys or anonymizes the personal data whose processing conditions have ceased to exist through an operation carried out ex officio at recurring intervals specified in this Personal Data Retention and Disposal Policy.

Periodic disposal processes began for the first time on 01.07.2024 and recur every 6 (six) months.

Auditing the Lawfulness of Disposal Operations

The School carries out disposal operations — whether upon request or ex officio in periodic disposal processes — in accordance with the Law, other applicable legislation, the Personal Data Processing and Protection Policy and this Personal Data Retention and Disposal Policy.

The School takes a number of administrative and technical measures to ensure that disposal operations are carried out in accordance with these rules.

Technical Measures

  • The School keeps technical tools and equipment appropriate for each disposal method set out in this policy.
  • The School ensures the security of the place where disposal operations are carried out.
  • The School keeps access records of the persons carrying out the disposal operations.
  • The School employs competent and experienced staff to carry out disposal operations, or obtains services from competent third parties where necessary.

Administrative Measures

  • The School carries out work to raise the awareness of employees who will perform disposal operations on information security, personal data and the privacy of private life.
  • The School obtains legal and technical consultancy services to follow developments in information security, privacy of private life, the protection of personal data and secure disposal techniques, and to take the necessary actions.
  • Where the School has disposal operations performed by third parties due to technical or legal requirements, it signs protocols with the relevant third parties for the protection of personal data and exercises all due care to ensure that these third parties comply with their obligations under these protocols.
  • The School regularly audits whether disposal operations are carried out lawfully and in accordance with the conditions and obligations set out in this Personal Data Retention and Disposal Policy, and takes the necessary actions.
  • The School records all operations regarding the deletion, destruction and anonymization of personal data and retains these records for at least three years, without prejudice to other legal obligations.

Updates and Compliance

The School reserves the right to make changes to the Personal Data Processing and Protection Policy or to this Personal Data Retention and Disposal Policy due to amendments to the Law, in line with decisions of the Authority, or in light of developments in the sector or in the field of information technology.

Changes made to this Personal Data Retention and Disposal Policy are incorporated into the text immediately, and explanations regarding the changes are provided at the end of the policy.

This text is provided for information purposes; the final version takes effect upon approval by our legal counsel. For any questions, please contact the school administration.

Sun Anaokulları
Bahçeşehir 1. Kısım Mah. Porsuk Sok. No:3
Villa 20, 34488 Başakşehir / İstanbul
T · 0212 669 42 41WhatsApp · 0553 321 81 56
MENU
  • Home
  • About
  • Curriculum
  • Our School
  • Admissions
  • FAQ
  • Reviews
  • Contact
LEGAL
  • Privacy Notice (KVKK)
  • Data Protection & Processing Policy
  • Cookie Policy
  • Data Retention & Disposal Policy
  • CCTV Notice
  • Accessibility
OPENING HOURS
School
09.00 – 16.00
Workshops
16.00 – 16.50
Extended care
07.30 – 19.00
fin
© 1995–2026 Sun Preschool · All rights reserved.In Bahçeşehir since 1995