Data Classification

Why is Data Classification Necessary?

DATA CLASSIFICATION

Data classification is the set of categorization, sorting, and storage functions that allow us to retrieve the document we need.
A well-planned data classification is extremely important for risk management, legal compliance, and for defining the life cycle of the document.

Investigation - Where is Personal Data?

[Image: a sample employee persona card used to show where personal data accumulates. It shows "Ayse Çelik, 35, Financial Specialist, Head Office (HQ)" with sections for personal information (address, phone number), activity ratings (traveling 20%, culture 50%, adventure 90%, excitement 30%, network 60%), goals (gaining skills in writing articles in English), challenges (teamwork, time management, communication), motivation (rewarding, mentoring), hobbies and activities, and attached documents (CV, ID, passport, certificate of employment).]

Why is Data Classification Necessary?

Although the main purpose of data classification is to access the correct data quickly with the appropriate authorization, the categorization of documents containing personal data has become obligatory due to the need for legal compliance.

  • Security: protection of documents and records against cyber-attacks and breaches.
  • Privacy: ensuring access control of the document or record with the appropriate authorization matrix.
  • Accessibility: availability of documents and records when requested.
  • Integrity: keeping the required record set and documents in similar environments in terms of relevance and integrity.


Classification in Two Types

Classification Based on the Retention Periods

Personal data must be categorized and classified per process in every department so that destruction periods can be determined. These categories should be defined by considering the retention periods and the processes to which they relate. Retention periods are determined by considering the legal obligations and the legitimate interests of the organization.

  Classification                                              Department/Process        Duration
  Records kept according to the Law No. 5651                  IT                        2 years (legal obligation)
  Employee resumes (candidates who were not hired)            Human Resources           3 years (maximum)
  Employee active directory records                           Human Resources/Quality   10 years

Classification Based on Sensitivity

In order to determine the storage conditions of personal data, the data kept in all departments must have a sensitivity label for each process. For example, sensitive personal data should be stored with the Top Secret Information tag and the storage conditions specified in the law should be met.

Privacy Levels

[Image: example privacy-level stamps reading "Confidential", "Highly Confidential", "Top Secret", "For Your Eyes Only", together with the Turkish labels "Gizli" (Confidential) and "Çok Gizli" (Top Secret) and the note "contains information".]

Questions to be Answered

Human Resources and Data

In order to ensure data privacy and security, one of the important roles of Human Resources is to contribute to data classification and to apply correct methodological approaches to data retention as required by law.


The Human Resources department must make sure that legal compliance is ensured when setting document standards in accordance with organizational processes and rules for managing information security risks. If the processed records and files have no predetermined levels of sensitivity and confidentiality, the data are not adequately protected in administrative or technical terms.

Examples of Personal Data Obtained in Human Resources Processes

[Image: examples of personal data collected in HR processes.]

Which Documents Should Be Stored in Personnel Files and How Should They Be Stored?

  • Necessary security measures should be taken regarding entry to and exit from physical environments containing personal data, and the security of personal information should be ensured.
  • The form filled in by the employee for MSA information should be taken as the basis. In addition, the identity documents of the spouse and children should not be requested.
  • Documents containing health data should be kept in lockers in the workplace doctor's office, not in the personnel file.
  • A criminal record should be required only insofar as the position requires it ("purpose limitation").
  • The information kept in personnel files and employee registration cards in digital environments must be accurate and up to date.
  • A driving license should only be requested from people who will use vehicles for organizational procedures.
  • Personnel files should be kept in accordance with their retention periods, and those whose storage periods have expired should be destructed.
  • For documents such as birth reports, death certificates, and marriage certificates required for excuse leave, the principle of proportionality should be considered, and excess data should not be collected.
  • Sensitive personal data on documents such as old-style ID cards and driving licenses must be destructed using the scribbling (redaction) method.

[Image: examples of scribbled (redacted) identity documents.]

Exemplary Retention Periods in Human Resources Processes

  Record                                                Retention period
  Job application records with positive results         10 years
  Job application records with negative results         2 years
  Personnel file and records of HR processes            10 years
  Employee insurance policies                           10 years
  Occupational health and safety records                15 years
  Training records                                      10 years
  Employee's law and enforcement requests               10 years

How Do We Destruct Data in Human Resources?

Retention periods for personal data should be determined, and periods suitable for the nature of the work should be specified according to the type of data within the framework stipulated by the law.

When determining destruction periods, not only data types but also data subjects should be considered. For example, the data in the identity category obtained from the Employee Candidates and the identity data obtained from the employees should be subject to different retention periods.

Information in a document that does not need to be kept, where the rest of the document is retained in its current state, should be masked using the scribbling method; for example, the religion and blood group fields on old-style IDs.

Information and documents in physical environments should be destructed by appropriate methods by following the relevant retention periods. At least P-5 level paper shredders should be used.

Information and documents in digital environments should be destructed with appropriate methods by following the relevant retention periods. Unnecessary data should not be entered into online registration systems used in this regard. Unnecessary data entered previously can be destructed by anonymization.

All transactions related to destruction should be recorded and such records should be kept for at least three years, excluding other legal obligations.

Conditions Requiring the Destruction of Data

  • Amendment or abolition of the relevant legislation provisions that constitute the basis for personal data processing,
  • The disappearance of the purpose requiring the processing or storage of personal data,
  • Withdrawal of explicit consent by the data subject in cases where the processing of personal data takes place only on the condition of explicit consent,
  • Expiration of the maximum period for the storage of personal data and the absence of conditions that justify storing the personal data for a longer period.
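The two classification axes (sensitivity label and retention period), the masking of fields that need not be kept, the four destruction conditions listed above, and the three-year destruction log can be combined into a simple review routine. The following Python example is added here for illustration; it is not code from the article or from CottGroup. The record categories, the (category, data subject) split of the retention schedule, the field names, and the sample records are all constructed assumptions, though the periods follow the article's exemplary values.

```python
# Added example: HR record classification and retention review (not from the article).
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Sensitivity(Enum):
    CONFIDENTIAL = "Confidential"
    HIGHLY_CONFIDENTIAL = "Highly Confidential"
    TOP_SECRET = "Top Secret"


# Special categories of personal data; their presence forces the Top Secret tag (assumed set).
SPECIAL_CATEGORIES = {"health", "religion", "blood_group", "criminal_record", "biometric"}
IDENTITY_FIELDS = {"national_id", "address", "phone", "iban"}

# Retention schedule in years keyed by (record category, data subject). The split by data
# subject illustrates the article's point that candidates and employees differ.
RETENTION_YEARS = {
    ("job_application", "candidate_rejected"): 2,
    ("job_application", "candidate_hired"): 10,
    ("personnel_file", "employee"): 10,
    ("ohs_record", "employee"): 15,
    ("training_record", "employee"): 10,
}
DESTRUCTION_LOG_YEARS = 3          # destruction records are kept at least three years
REVIEW_DATE = date(2024, 5, 1)     # constructed "today" for the sample run


@dataclass
class HRRecord:
    record_id: str
    category: str
    subject: str
    created: date
    fields: dict                     # field name -> value
    legal_basis_in_force: bool = True
    purpose_still_valid: bool = True
    consent_only: bool = False       # processed solely on explicit consent
    consent_withdrawn: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year has no leap day."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def classify_sensitivity(record: HRRecord) -> Sensitivity:
    """Sensitivity axis: special-category data => Top Secret; identity/contact data =>
    Highly Confidential; everything else => Confidential."""
    names = set(record.fields)
    if names & SPECIAL_CATEGORIES:
        return Sensitivity.TOP_SECRET
    if names & IDENTITY_FIELDS:
        return Sensitivity.HIGHLY_CONFIDENTIAL
    return Sensitivity.CONFIDENTIAL


def retention_deadline(record: HRRecord) -> date:
    """Retention axis: the record may be kept until creation date + scheduled period."""
    return add_years(record.created, RETENTION_YEARS[(record.category, record.subject)])


def destruction_reasons(record: HRRecord, today: date) -> list:
    """Return which of the four destruction conditions apply (empty list = keep)."""
    reasons = []
    if not record.legal_basis_in_force:
        reasons.append("legal basis amended or abolished")
    if not record.purpose_still_valid:
        reasons.append("processing purpose no longer exists")
    if record.consent_only and record.consent_withdrawn:
        reasons.append("explicit consent withdrawn")
    if today >= retention_deadline(record):
        reasons.append("maximum retention period expired")
    return reasons


def mask_special_fields(record: HRRecord) -> dict:
    """Digital analogue of scribbling: blank out fields that need not be kept (e.g. religion
    or blood group copied from an old-style ID) while the rest of the document stays intact."""
    return {k: ("<masked>" if k in SPECIAL_CATEGORIES else v) for k, v in record.fields.items()}


def run_review(records, today: date):
    """Classify each record, decide keep/destroy, and build the destruction log."""
    decisions, log = {}, []
    for r in records:
        reasons = destruction_reasons(r, today)
        decisions[r.record_id] = (classify_sensitivity(r).value, retention_deadline(r), reasons)
        if reasons:  # every destruction is logged, and the log entry has its own retention
            log.append({"record_id": r.record_id, "destroyed_on": today, "reasons": reasons,
                        "keep_until": add_years(today, DESTRUCTION_LOG_YEARS)})
    return decisions, log


# Constructed sample records; the people and values are fictitious.
SAMPLE_RECORDS = [
    HRRecord("cand-001", "job_application", "candidate_rejected", date(2021, 3, 1),
             {"name": "A. Candidate", "cv": "...", "phone": "+90 555 000 0000"}),
    HRRecord("emp-042", "personnel_file", "employee", date(2018, 6, 15),
             {"name": "B. Employee", "national_id": "11111111111", "religion": "x"}),
    HRRecord("emp-077", "training_record", "employee", date(2022, 1, 10),
             {"name": "C. Employee", "course": "KVKK awareness"},
             consent_only=True, consent_withdrawn=True),
]

if __name__ == "__main__":
    decisions, log = run_review(SAMPLE_RECORDS, REVIEW_DATE)
    for rid, (label, deadline, reasons) in decisions.items():
        print(rid, label, deadline, "DESTROY" if reasons else "KEEP", reasons)
    print("destruction log entries:", len(log))
```

In the sample run the rejected candidate's application is past its two-year period, the training record must go because it rested only on consent that was withdrawn, and the personnel file is kept but carries the Top Secret tag because it holds a religion field, which is exactly the kind of value the article says should be masked rather than stored.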

Legal Compliance

In accordance with Article 12 of the Personal Data Protection Law No.6698 (KVKK), the data controller shall take all necessary technical and organizational measures for providing an appropriate level of security in order to “prevent unlawful processing of personal data, prevent unlawful access to personal data, and safeguard personal data.” Based on this provision, taking appropriate administrative and technical measures depends on the correct classification of personal data and risk analysis in line with these classifications.


This obligation has been summarized in the data security guide of the Authority as below.

Identification of Current Risks and Threats

In order to ensure the security of personal data, the data controller should first determine which personal data it processes and which risks may arise in relation to protecting those data; it should then accurately assess the consequences should those risks materialize and take appropriate measures accordingly.

On the other hand, within the scope of Article 32 of the EU General Data Protection Regulation (GDPR), the security of data processing is explained as follows:

Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.

Finally, the following article in the Turkish Criminal Code No. 5237 is very important, in case of the failure to preserve and destruct data:

Destruction of Data

ARTICLE 138 - (1) Any person who fails to destruct data in accordance with the prescribed procedures, before the expiry of the legally prescribed period for destruction, shall be sentenced to a penalty of imprisonment for a term of one to two years.

Notification!

The content in this article is for general information purposes only and belongs to CottGroup® member companies. This content does not constitute legal, financial, or technical advice and cannot be quoted without proper attribution.

CottGroup® member companies do not guarantee that the information in the article is accurate, up-to-date, or complete and are not liable for any damages that may arise from errors, omissions, or misunderstandings that the information may contain.

The information presented here is intended to provide a general overview. Each specific case may require different assessments, and this information may not be applicable to every situation. Therefore, before taking any action based on the information provided in the article, it is strongly recommended that you consult a competent professional in the relevant fields such as legal, financial, technical, and other areas of expertise. If you are a CottGroup® client, do not forget to contact your client representative regarding your specific situation. If you are not our client, please seek advice from an appropriate expert.
