AK 212 BAYRAMPASA DENTAL HEALTH SERVICES INDUSTRY AND TRADE LIMITED COMPANY

PERSONAL DATA STORAGE AND DISPOSAL POLICY

 

1. INTRODUCTION

1.1 Purpose

This Personal Data Retention and Disposal Policy (“Policy”) applies, within the framework of the applicable legislation, to all of Ak 212 Bayrampaşa Dental Health Services Industry and Trade Limited Company (hereinafter referred to as the “Company”) and is based on nationally accepted basic principles regarding personal data destruction. It includes the framework and principles regarding the necessary destruction works within the scope of the relevant legislation.

 

The third paragraph of Article 7 of the Law on Protection of Personal Data (“Law”) contains the provision “The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by a regulation”. Pursuant to this provision and subparagraph (e) of the first paragraph of Article 22 of the Law, the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”) was prepared by the Personal Data Protection Board (“Board”) and published in the Official Gazette dated 28 October 2017 and numbered 30224.

 

Based on the regulation above, the purpose of this Policy is to determine the procedures and principles regarding the deletion, destruction or anonymization of the personal data processed by the Company in the conduct of its activities, in accordance with the Regulation.

 

1.2. Scope

Personal data belonging to employees, employee candidates, visitors, third parties with whom we cooperate and third parties working in the Company are within the scope of this Policy. This Policy is applied in all recording environments where personal data owned or managed by the Company are processed, and in all personal data processing activities.

 

1.3. Abbreviations and Definitions

| Concept | Definition |
|---|---|
| Recipient group | Natural or legal person category to whom personal data is transferred by the data controller |
| Open Consent | Consent on a particular subject, based on information and expressed with free will |
| Making Anonymous | Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data |
| Electronic environment | Environments where personal data can be created, read, changed and written by electronic devices |
| Non-Electronic Media | All written, printed, visual and other environments other than electronic media |
| Related person | Natural person whose personal data is processed |
| Related user | The persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data |
| Destruction | Deletion, destruction or anonymization of personal data |
| Law | Law No. 6698 on the Protection of Personal Data |
| Recording media | Any medium containing personal data processed by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system |
| Personal data | Any information relating to an identified or identifiable natural person |
| Personal data owner | Natural person whose personal data is processed |
| Processing of personal data | All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or blocking the use of personal data, in whole or in part, by automatic means or by non-automatic means provided that it is a part of any data recording system |
| Personal data processing inventory | The inventory that data controllers create by detailing the personal data processing activities they carry out depending on their business processes, associating them with the purposes of processing, the data category, the transferred recipient group and the data subject group, and explaining the maximum time required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security |
| Board | Personal Data Protection Board |
| Organisation | Personal Data Protection Authority |
| Special categories of personal data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data |
| Periodic destruction | The deletion, destruction or anonymization process specified in the personal data storage and destruction policy and carried out ex officio at recurring intervals in the event that all of the personal data processing conditions in the Law are eliminated |
| Policy | The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization |
| Record | The registry of data controllers kept by the Personal Data Protection Authority |
| Data processor | The real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller |
| Data logging system | The registry system where personal data is processed and structured according to certain criteria |
| Data controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system |
| Regulation | Regulation on the Deletion, Destruction or Anonymization of Personal Data, which entered into force by being published in the Official Gazette dated 28.10.2017 and numbered 30224 |

 

 

2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

All units and employees of the Company actively support the responsible units in the proper implementation of the technical and administrative measures taken within the scope of the Policy, in the training and awareness-raising of unit employees, in monitoring and continuous supervision, and in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to prevent the unlawful processing of personal data, prevent unlawful access to personal data and ensure that personal data is stored in accordance with the law.

 

The distribution of the titles, units and job descriptions of those involved in the storage and destruction of personal data is given below.

 

Table 1: Task distribution of storage and disposal processes

| Title | Unit | Job Description |
|---|---|---|
| IT Officer | Computing | Ensuring the compliance of the processes within its duty with the retention period, management of the periodical destruction process, performing the necessary audits and controls in order to respond to the requests of the Data Owners. |
| Accounting Department Manager | Accounting | Ensuring the compliance of the processes within its duty with the storage period, management of the periodical destruction period, checking the continuity of the book and document storage obligations arising from the TCC No. 6100 and the Tax Legislation, and whether the obligations are eliminated. |
| Director of Human Resources | Human Resources | Ensuring the compliance of personnel personal data with the retention period, management of the periodical destruction process, receiving and responding to requests for clarification of personnel regarding their rights specified in the Law. |

 

 

3. RECORDING ENVIRONMENTS

Personal data is stored securely by the Institution in the environments listed in Table 2, in accordance with the law.

Table 2: Personal data storage environments

Electronic Media

  • Servers (Domain, backup, email, database, web, file sharing, etc.)
  • Software (office software)
  • Information security devices (firewall, log file, antivirus, etc.)
  • Mobile devices (phone, tablet, etc.)
  • Optical discs (CD, DVD, etc.)
  • Removable memories (USB, Memory Card etc.)
  • Printer, scanner, copier
  • Removable memory such as USB, hard disk
  • Desktop and laptop

Non-Electronic Media

  • Paper
  • Manual data recording systems
  • Written, printed, visual media
  • Folders

 

4. EXPLANATIONS ON STORAGE AND DISPOSAL

The Company stores and destroys, in accordance with the KVKK, the personal data of real persons, including employees, employee candidates, suppliers, supplier officials, supplier employees, product or service buyers, potential product or service buyers, employees of the person receiving the product or service, relatives of the person receiving the product or service, shareholders/partners, visitors and other third parties.

In this context, detailed explanations regarding storage and disposal are given below, respectively.

 

4.1 Remarks on Retention

Article 3 of the Law defines the concept of processing personal data, and Article 4 states that the personal data processed must be relevant to, limited to and proportionate to the purpose for which they are processed, and must be kept for the period required for that purpose or stipulated in the relevant legislation.

Accordingly, within the framework of the Company’s activities, personal data is stored for a period of time stipulated in the relevant legislation or suitable for our processing purposes.

 

 

 

4.1.1 Legal Reasons for Retention

The Company preserves the personal data processed within the framework of its activities for the period stipulated in the relevant legislation. In this context, personal data is stored for the storage periods specified in the following legislation in particular, and in the other secondary legislation in force:

  • Tax Procedure Law No. 213
  • Health Services Basic Law No. 3359
  • Labor Law No. 4857
  • Social Insurance and General Health Insurance Law No. 5510
  • Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts
  • Turkish Code of Obligations No. 6098
  • Turkish Commercial Code No. 6102
  • Occupational Health and Safety Law No. 6361
  • Law No. 6698 on the Protection of Personal Data
  • Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates
  • Regulation on Private Health Institutions Providing Oral and Dental Health Services
  • Private Hospitals Regulation, Health Practice Communiqué, Patient Rights Regulation

 

4.1.2. Processing Purposes Requiring Storage

The Company stores the personal data it processes within the framework of its activities for the following purposes:

  • Execution of emergency management processes
  • Execution of information security processes
  • Execution of employee candidate / intern / student selection and placement processes,
  • Execution of the application processes of working candidates
  • Fulfillment of obligations arising from employment contracts and regulations for employees
  • Execution of fringe benefits and benefits processes for employees
  • Conducting Educational Activities
  • Execution of activities in accordance with the legislation,
  • Execution of finance and accounting works
  • Providing physical space security
  • Execution of assignment processes
  • Conducting communication activities
  • Carrying out human resources processes
  • Execution/supervision of Business Activities
  • Execution of occupational health / safety activities
  • Carrying out business continuity activities
  • Execution of Logistics Activities
  • Execution of goods / services production and operation processes
  • Execution of goods/service purchasing processes
  • Execution of goods/service sales processes
  • Execution of Risk Management Processes
  • Organization and event management
  • Execution of contract processes
  • Follow-up of requests/complaints
  • Ensuring the security of movable property and resources
  • Execution of supply chain management processes
  • Execution of medical diagnosis, treatment and care services
  • Ensuring the security of data controller operations
  • Foreign Personnel Work and Residence Permit Procedures
  • Providing information to authorized persons, institutions and organizations
  • Execution of management activities

 

4.2. Reasons for Destruction

Personal data is deleted or destroyed by the Company upon the request of the person concerned, or is deleted, destroyed or anonymized ex officio, in the following cases:

  • Amendment or repeal of the provisions of the relevant legislation which are the basis for processing,
  • The disappearance of the purpose requiring its processing or storage,
  • In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his/her explicit consent,
  • Acceptance of the application made by the person concerned for the deletion and destruction of personal data in accordance with Article 11 of the KVKK,
  • In the event that the Company rejects the application made to it by the person concerned with a request for the deletion or destruction of his/her personal data, gives a response that the person concerned finds insufficient, or fails to respond within the period stipulated in the KVKK; a complaint being made to the Board and this request being approved by the Board, and
  • The maximum period for keeping personal data has passed and there are no conditions to justify keeping personal data for a longer period of time.

 

5. TECHNICAL AND ADMINISTRATIVE MEASURES

In order to keep personal data safe, to prevent unlawful processing and access, and to destroy personal data in accordance with the law, the Company takes technical and administrative measures in accordance with Article 12 of the KVKK and within the framework of the adequate measures determined and announced by the Board for special categories of personal data pursuant to paragraph 4 of Article 6 of the KVKK.

 

5.1. Technical Measures

The measures taken by the Company regarding the personal data it processes are listed below:

  • Network security and application security are provided.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • The security of personal data stored in the cloud is ensured.
  • Firewalls are used.
  • Personal data is backed up and the security of the backed up personal data is also ensured.
  • User account management and authorization control system are implemented and these are also followed.
  • Encryption is done.
  • Data loss prevention software is used.

 

5.2. Administrative Measures

The measures taken by the Company regarding the personal data it processes are listed below:

  • The authorizations of employees who have a change in duty or quit their job in this field are removed.
  • Confidentiality commitments are made.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • The security of environments containing personal data is ensured.
  • Personal data is reduced as much as possible.

 

6. PERSONAL DATA DISPOSAL TECHNIQUES

At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data is destroyed by the Company, ex officio or upon the application of the person concerned, using the following techniques in accordance with the provisions of the relevant legislation.

 

6.1. Deletion of Personal Data

Personal data is deleted with the methods given in Table-3.

Table 3: Deletion of personal data

| Data Recording Environment | Explanation |
|---|---|
| Personal data in the physical environment | Personal data in the physical environment are deleted by using the obfuscation method or by keeping the document in a secure environment where it cannot be accessed by the relevant users. |
| Personal data on servers | For personal data on the servers whose period of time has expired, the system administrator removes the access authorization of the relevant users and deletes the data. |
| Personal data in databases | By assigning a role and permission, the relevant user is prevented from accessing the personal data in the database. |
| Personal data on portable devices (such as USB, hard disk, CD, DVD) | The user is denied access to the file. |

 

 

 

6.2. Destruction of Personal Data

The methods used by the Company to carry out the lawful destruction of personal data are as follows:

Table 4: Destruction of Personal Data

| Data Recording Environment | Explanation |
|---|---|
| Personal data in the physical environment | Personal data on paper whose required retention period has expired is irreversibly destroyed in paper shredding machines. |
| Personal data in peripheral (network devices, flash-based environments, optical systems, etc.) and local systems | Devices containing personal data are destroyed by physical processes such as burning, breaking into small pieces or melting. In addition, the personal data on the device is rendered unreadable, and thus destroyed, by the demagnetization method. Furthermore, existing data is overwritten with random data using special software, which prevents the recovery of the old data and completes the destruction process. |

 

 

 

6.3. Anonymization of Personal Data

Anonymization of personal data means making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

For personal data to be considered anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal by the data controller or third parties and/or matching the data with other data.

 

 

7. STORAGE AND DISPOSAL TIMES

Regarding the personal data processed by the Company within the scope of its activities:

  • The retention periods on the basis of personal data regarding all personal data within the scope of the activities carried out in connection with the processes are in the Personal Data Processing Inventory;
  • Storage periods on the basis of data categories are recorded in VERBIS;
  • Process-based retention periods are included in this Personal Data Retention and Disposal Policy.

 

The destruction of personal data is carried out by the Company in accordance with the storage periods determined for each relationship by considering the relevant legislation. Personal data whose storage period has expired is deleted, destroyed or anonymized by the Company in the periodic destruction periods it has determined.

 

Table 5: Process-Based Storage and Disposal Times Table

| PROCESS | STORAGE PERIOD | DISPOSAL TIME |
|---|---|---|
| Execution of human resources employee processes | 15 years from the employee’s departure | In the period of periodic destruction of the first 6 months following the end of the storage period |
| Execution of processes regarding employee candidates | 1 year from the date of application | In the period of periodic destruction of the first 6 months following the end of the storage period |
| Execution of contractual relations | 10 years after the expiration of the contract | In the period of periodic destruction of the first 6 months following the end of the storage period |
| Camera Recordings | 30 days after registration | Automatically destroyed at the end of the recording period |
| Execution of Accounting and Finance Processes | 10 years following registration | In the period of periodic destruction of the first 6 months following the end of the storage period |
| Execution of Patient File Processes | 20 years from its creation | In the period of periodic destruction of the first 6 months following the end of the storage period |

 

The ex-officio deletion, destruction or anonymization of personal data whose storage period has expired is carried out by the departments listed under the heading “2. RESPONSIBILITIES AND DUTIES”.

 

8. PERIODIC DISPOSAL TIME

In accordance with Article 11 of the Regulation, the period of periodic destruction has been determined by the Company as 6 months. Accordingly, the Company performs periodic destruction in June and December every year.

 

9. PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is also kept in the file of the Human Resources Department.

 

10. POLICY UPDATE PERIOD

The Policy is updated as needed and when changed processes are found.

 

11. ENFORCEMENT AND REVOCATION OF THE POLICY

This Policy is deemed to have entered into force after its publication on the Company’s website.

If it is decided to annul the Policy, the old wet-signed copies of the Policy are cancelled with the company stamp and the signature of the company official (with a cancellation stamp or by writing “cancelled”) and are kept by the Human Resources Department for at least 5 years.