BIM.PR.20 — Device Loss / Theft / Repair

Document NoBİM.PR.20
Version1.0
Initial Release26.04.2026
Owner GroupUser Support Group
Approved byMehmet ARARAT — IT Director
Legal BasisKVKK Art. 12 (Data Breach) · ISO/IEC 27001:2022 A.7.14 · BİGDES
Related DocumentsKYS.POL.01 P22–P23, KYS.POL.03, BİM.PR.10 (Incident Breach), BİM.PR.19, BİM.PR.21

1. Purpose and Scope

Defines the operational process, reporting timelines, temporary device allocation, and KVKK breach assessment to be followed in the event of loss, theft, or malfunction of an assigned corporate device.

2. Loss / Theft Reporting

Mandatory report within 24 hoursdestek@hku.edu.tr, phone 444 6 458 / extension 8002, destek.hku.edu.tr.

Report must include: device type, serial number, last known location, description of circumstances.

A police report is mandatory for theft cases; the report must be submitted to IT within 48 hours. In the absence of a police report and negligence, settlement does not apply (BİM.PR.19 s.6).

3. IT Immediate Actions

  1. Remote lock of the device via MDM
  2. Sign out of all sessions on the corporate account (sign-out everywhere)
  3. Remote selective wipe of corporate data
  4. Device status updated to “lost/stolen” in inventory (BİM.PR.22)
  5. If KVKK Art. 12 personal data risk is present, preparation for notification to the Personal Data Protection Authority within 72 hours (KVKK Commission)

4. Repair Process

  1. Staff member brings the device to the Help Desk or opens a ticket.
  2. IT performs a preliminary diagnosis (within 1 business day).
  3. If under warranty → sent to authorised service.
  4. Out of warranty + internal repair feasible → repaired by BIM.
  5. Complex hardware failure → contracted external service (BİM.PR.11 — Supplier).

5. Temporary Device (Loaner)

  • A loaner is assigned immediately to critical staff (managers, academic staff during teaching/exam periods).
  • For standard users, a loaner is provided when repair exceeds 3 business days.
  • Loaner assignment follows the same rules as BİM.PR.19.

6. Data Protection

  • If corporate data is present on a device going for repair: a disk image backup is taken, then the disk is wiped (DoD 3-pass).
  • When a device is sent to an external service, the disk is removed and retained by IT (in all feasible cases).
  • After repair, the device is restored with a fresh OS image.

7. SLA

Action Timeframe
Preliminary diagnosis 1 business day
Internal repair Average 3 business days
External service Average 7–14 business days (parts procurement)

8. Data Breach Notification

If device loss/theft creates a potential KVKK data breach:

  • Notification to the Personal Data Protection Authority within 72 hours (prepared by KVKK Commission)
  • Notification to affected individuals
  • Incident report (System Status page — summary)

9. Violations

KYS.POL.04 s.55 + BİM.PR.10.

10. Entry into Force

26.04.2026; revised every January/July.


Hasan Kalyoncu University · IT Directorate
Osmanlı Mah. Havaalanı Yolu Üzeri 8. Km 27010 Şahinbey/Gaziantep
444 6 458 · destek@hku.edu.tr · destek.hku.edu.tr · portal.hku.edu.tr
KEP: hasankalyoncu.unv@hs01.kep.tr

Share