Dr. Seher Arı
PERSONAL DATA AND PRIVATE PERSONAL DATA STORAGE AND DISPOSAL POLICY
Personal Data Retention and Disposal Policy (“Policy”), “Dr. Seher Arı Clinic” (“The Institution”) has been prepared in order to determine the procedures and principles regarding the operations and transactions related to the storage and destruction activities being carried out.
The Institution ensures that the personal data of the Institution’s employees, employee candidates, patients, suppliers, service providers, visitors and other third parties are processed in accordance with the Turkish Constitution, international agreements, the Law on the Protection of Personal Data No. 6698 (“Law”) and other relevant legislation, and has determined as a priority to ensure the effective use of their rights. Works and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Institution in this direction.
Personal data belonging to Institution employees, employee candidates, patients, suppliers, service providers, visitors and other third parties are within the scope of this Policy, and this Policy is applied in all recording environments where personal data owned or managed by the Institution are processed and in activities for personal data processing.
1.3 Abbreviations and Definitions
Recipient Group: The natural or legal person category to which personal data is transferred by the data controller.
Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.
Employee: “Dr. Staff of “Seher Arı Clinic” Institution.
Patient: “Dr. The person who receives health and medical treatment services from Seher Arı Clinic.
Electronic Media: Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual etc. other than electronic media. other environments.
Service Provider: A natural or legal person who provides services within the framework of a specific contract with the Personal Data Protection Authority.
Relevant Person: The natural person whose personal data is processed.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data.
Law: Law on Protection of Personal Data No. 6698.
Recording Environment: Any environment in which personal data is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory, which is created by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group, by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.
Processing of Personal Data: Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. or any kind of operation performed on the data, such as preventing its use.
Special Qualified Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric data. and genetic data.
Periodic Destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all the conditions for processing personal data in the law are eliminated.
Policy: Personal Data Retention and Disposal Policy
Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Registration System: A registration system in which personal data is processed and structured according to certain criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System: An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in applying to the Registry and in other related transactions.
VERBIS : Data Controllers Registry Information System
Regulation : Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
All units and employees of the institution are responsible for the implementation of the technical and administrative measures taken within the scope of the Policy, training and awareness of the unit employees, prevention of illegal processing of personal data by monitoring and continuous supervision, prevention of illegal access to personal data and protection of personal data. It actively supports the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to ensure that it is stored in accordance with the law. The distribution of the titles, units and job descriptions of those involved in the storage and destruction processes of personal data is given in Table 1.
Table 1: Task distribution of storage and disposal processes
|Data Manager||Responsible for the employees to act in accordance with the policy.|
|Data Manager||It is responsible for the preparation, development, execution, publication and updating of the Policy in the relevant media, and cancellation and retention by the decision of the Institution.|
|Data Security Officer||It is responsible for providing the technical solutions needed in the implementation of the Policy.|
|Other Units||Responsible for the execution of the Policy in accordance with its duties and the duties defined by the internal directive.|
3. RECORDING ENVIRONMENTS
Personal data is stored safely by the Institution in the environments listed below, in accordance with the law.
Table 2: Personal data storage environments
|Electronic Media||Non-Electronic Media|
|Servers (Domain, backup, e-mail, database, web, file sharing, etc.) Software (office software, portal, EBYS, VERBIS.) Information security devices (firewall, intrusion detection and prevention, log file, antivirus) etc. )Personal computers (Desktop, laptop) Mobile devices (phone, tablet etc.) Optical discs (CD, DVD etc.) Removable memories (USB, Memory Card etc.) Printer, scanner, copier||Paper Manual data recording systems (survey forms, visitor logbook) Written, printed, visual media|
4. EXPLANATIONS ON STORAGE AND DISPOSAL
By the institution; Personal data belonging to employees of third parties, institutions or organizations that are in contact as employees, employee candidates, patients, suppliers, visitors and service providers are stored and destroyed in accordance with the Law. In this context, detailed explanations regarding storage and disposal are given below, respectively.
4.1 Remarks on Retention
In Article 3 of the Law, the concept of processing personal data is defined, in Article 4 it is stated that the personal data processed should be related to the purpose for which they are processed, limited and measured and should be kept for the period required for the purpose for which they are processed or as stipulated in the relevant legislation. counted. Accordingly, within the framework of the activities of our Institution, personal data is stored for a period of time stipulated in the relevant legislation or suitable for our processing purposes.
4.1.1 Legal Reasons for Retention
Personal data processed in the organization within the framework of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data;
- Law No. 6698 on the Protection of Personal Data,
- Law No. 5651,
- Turkish Code of Obligations No. 6098,
- Turkish Commercial Code No. 4721,
- Law No. 6563
- Private Health Insurance regulation and related legislation
- Patient Rights Regulation and related legislation
- Code of Deontology,
- Social Insurance and General Health Insurance Law No. 5510, insurance legislation
- Occupational Health and Safety Law No. 6331,
- Law on Access to Information No. 4982,
- Law No. 3071 on the Use of the Right to Petition,
- Labor Law No. 4857,
- Retirement Health Law No. 5434,
- Social Services Law No. 2828
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments,
- Regulation on Archive Services
- It is stored as long as the storage periods stipulated in the framework of other secondary regulations in force in accordance with these laws.
4.1.2 Processing Purposes Requiring Storage
The Institution stores the personal data it processes within the framework of its activities for the following purposes.
- Performance of health service
- Billing processes
- Managing human resources processes.
- To provide corporate communication.
- Institutional security and control,
- To ensure data security,
- Ensuring physical security of the corporate interior,
- Staff education,
- To be able to perform work and transactions as a result of signed contracts and protocols.
- Within the scope of VERBIS, to identify the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, to organize the services provided accordingly and to update them if necessary.
- To ensure the fulfillment of legal obligations as required or mandated by legal regulations.
- To liaise with real / legal persons who have a business relationship with the Institution.
- For information purposes on social media accounts
- Being able to send sms, electronic messages, answering questions and complaints within the scope of health services
- Procurement of financial consultancy, legal consultancy services
- Obligation of proof as evidence in legal disputes that may arise in the future.
4.2 Reasons for Disposal
- Amendment or repeal of the provisions of the relevant legislation, which are the basis for processing,
- The disappearance of the purpose requiring its processing or storage,
- In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his explicit consent,
- In accordance with Article 11 of the Law, the application made by the Authority regarding the deletion and destruction of personal data within the framework of the rights of the person concerned,
- In cases where the Institution rejects the application made by the person concerned with the request for the deletion, destruction or anonymization of his personal data, finds the answer insufficient or does not respond within the time stipulated in the Law; the person concerned makes a complaint to the Personal Data Protection Authority and this request is approved by the Personal Data Protection Authority,
- In cases where the maximum period requiring the storage of personal data has passed and there is no condition to justify keeping the personal data for a longer period, it is deleted, destroyed or ex officio deleted, destroyed or anonymized by the Institution upon the request of the person concerned.
5.TECHNICAL AND ADMINISTRATIVE MEASURES
In accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, in accordance with the adequate measures determined and announced by the Board for personal data to be stored securely, to prevent unlawful processing and access, and to destroy personal data in accordance with the law, technical and administrative measures are taken.
5.1 Technical Measures
The technical measures taken by the Institution regarding the personal data it processes are listed below:
- With the penetration tests, the risks, threats, vulnerabilities and vulnerabilities, if any, regarding the information systems of our Institution are revealed and necessary precautions are taken.
- As a result of real-time analyzes with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
- Necessary measures are taken for the physical security of the information systems equipment, software and data of the institution.
- In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, physical data storage system) The keys of the environment (archive, accounting, patient files, etc.) are only available to the authorized person, etc.) and software (firewalls, attack prevention systems, anti virus software, log tracking system, network access control, systems that prevent malware, etc.) precautions is taken.
- Risks to prevent the unlawful processing of personal data are identified, appropriate technical measures are taken to ensure that these risks are taken, technical controls are made for the measures taken, and data processing support is received regularly.
- By establishing access procedures within the institution, reporting and analysis studies are carried out regarding access to personal data.
- Inappropriate access or access attempts are kept under control by recording the accesses to the storage areas where personal data is stored.
- The Institution takes the necessary measures to make the deleted personal data inaccessible and reusable for the relevant users.
- In the event that personal data is obtained unlawfully by others, a system and infrastructure has been established by the Authority to notify the relevant person and the Board.
- Security vulnerabilities are followed and appropriate security patches are installed and information systems are kept up-to-date.
- Strong passwords are used in electronic environments where personal data is processed.
- Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
- Data backup programs are used to keep personal data safe.
- Access to personal data stored in electronic or non-electronic media is limited according to access principles.
- Necessary disclosures have been made for special quality personal data, and express consent has been obtained when deemed necessary by law.
- Special quality personal data security trainings have been provided for employees involved in special quality personal data processing, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.
- Adequate security measures are taken for the physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit is prevented by ensuring physical security.
- If sensitive personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment. If transferring is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between servers or by FTP method. If it is required to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a “confidential” format.
5.2 Administrative Measures
Administrative measures taken by the Institution regarding the personal data it processes are listed below:
- In-house trainings are provided to improve the quality of employees, to prevent the illegal processing of personal data, to prevent illegal access to personal data, and to ensure the protection of personal data.
- Regarding the activities carried out by the institution, the employees and the suppliers, etc. from which the service is purchased. Confidentiality agreements are signed by private and legal persons.
- Legal action is taken against employees who do not comply with security policies and procedures.
- KVKK Disciplinary Policy has been prepared.
- KVKK Institutional Internal Directive has been prepared.
- KVKK Application Form has been prepared.
- Before starting to process personal data, the Authority fulfills the obligation to inform the relevant persons, and obtains the consent of the persons concerned when deemed necessary by the law.
- Clarification and Consent Forms have been prepared.
- In-office/Physical venue KVK information is available.
- Personnel Contracts are in compliance with KVK.
- Personal data processing inventory has been prepared.
- Periodic and random audits are carried out within the institution.
- Information security trainings are provided for employees.
- The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
- Personal data is reduced as much as possible.
- Protocols and procedures for special quality personal data security have been determined and implemented.
- KVKK measures required by the pandemic process have been taken, and necessary illumination and information are provided to our patients and staff.
6. PERSONAL DATA DISPOSAL TECHNIQUES
At the end of the storage period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data is destroyed by the Institution ex officio or upon the application of the relevant person, again in accordance with the provisions of the relevant legislation, with the techniques specified below.
6.1 Deletion of Personal Data
Personal data is deleted with the methods given in Table-3.
Table 3: Deletion of Personal Data
|Data Recording Environment||Explanation|
|Personal Data on Servers||The system administrator removes the access authorization of the relevant users and deletes the personal data on the servers for those whose period of time has expired.|
|Personal Data in Electronic Media||Among the personal data in the electronic environment, the ones whose period has expired are rendered inaccessible and non-reusable for other employees (related users) except the database administrator.|
|Personal Data in Physical Environment||Among the personal data kept in the physical environment, it is made inaccessible and non-usable in any way for other employees, except for the unit manager responsible for the document archive, for those whose period of time has expired. In addition, the process of blackening is applied by drawing/painting/erasing in a way that cannot be read.|
|Personal Data in Portable Media||Of the personal data kept in flash-based storage media, the expired ones are encrypted by the system administrator and the access authorization is given only to the system administrator, and they are stored in secure environments with encryption keys.|
6.2 Destruction of Personal Data
Personal data is destroyed by the methods given in Table-4 by the Institution.
Table 4: Destruction of Personal Data
|Personal Data in Physical Environment||Of the personal data in the paper environment, those whose period of time has expired are irreversibly destroyed.|
|Personal Data in Optical / Magnetic Media||The physical destruction of the personal data in optical media and magnetic media, such as melting, burning or pulverizing, is applied. In addition, magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable.|
6.3 Anonymization of Personal Data
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.
In order for personal data to be anonymized; Personal data must be rendered unrelated to an identified or identifiable natural person, even by using appropriate techniques for the recording medium and the relevant field of activity, such as returning the personal data by the data controller or third parties and/or matching the data with other data.
7. STORAGE AND DISPOSAL TIMES
Regarding the personal data being processed by the Institution within the scope of its activities;
- The retention periods on the basis of personal data regarding all personal data within the scope of the activities carried out in connection with the processes are in the Personal Data Processing Inventory;
- Storage periods on the basis of data categories are recorded in VERBIS;
- Process-based retention periods are included in the Personal Data Retention and Disposal Policy.
If necessary, updates are made on the said retention periods by the Institution Manager. For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out by the Data Security Officer.
Table 5: Process-based storage and disposal times table
Preparation and Performance of Contracts 10 years following the expiry of the contract In the first periodic destruction period following the end of the storage period
Execution of Corporate Communication Activities 10 years following the end of the activity In the first periodic destruction period following the end of the storage period
|PERIOD||STORAGE PERIOD||DISPOSAL TIME|
|Execution of patient registration and diagnosis and treatment processes||20 years from completion of the process||At the first periodic disposal period following the end of the storage period|
|Execution of services (communication, etc.) other than institution treatment processes Preparation of contracts||10 years from process completion 10 years from process completion||In the first periodic destruction period following the end of the storage period In the first periodic destruction period following the end of the storage period|
|Accounting Processes||10 years from completion of the process||At the first periodic disposal period following the end of the storage period|
|Execution of Human Resources Processes Severance pay, notice indemnity payments, documents, payroll information of the personnel leaving the job||10 years from the end of the process 5 years from the end of the employment contract||In the first periodic destruction period following the end of the storage period In the first periodic destruction period following the end of the storage period|
|Log Record Tracking SystemsExecution of Hardware and Software Access ProcessesCamera RecordsData on Customers and Potential Customers (cookies, cookies)IYS Records||2 years2 years from the completion of the process1 month after the completion of the registration13 monthsFor 3 years from the date of registration||In the first periodic destruction period following the end of the storage period In the first periodic destruction period following the end of the storage period In the first periodic destruction period following the end of the storage period In the first periodic destruction period following the end of the storage period In the first periodic destruction period following the end of the storage period|
8. PERIODIC DISPOSAL TIME
Pursuant to Article 11 of the Regulation, the Authority has determined the period of periodic destruction as 6 months. Accordingly, periodic destruction is carried out at the Institution in June and December each year.
9. PROCESSING OF SPECIAL QUALITY PERSONAL DATA
9.1 Special care is shown in the processing of Special Quality Personal Data, which is believed to be of more critical importance for the Data Owner from various aspects.
Special Quality Personal Data are processed in accordance with the Law, provided that adequate measures to be determined by the Board are taken, in the presence of the following conditions:
- If the Data Owner has express consent, or
- If there is no explicit consent of the Data Owner; Special quality personal data other than the health and sexual life of the Data Owner, in cases stipulated by the laws, the personal data of the Data Owner regarding his health and sexual life can only be used for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, health It is processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of planning and management of services and financing.
MEASURES REGARDING THE PROCESSING OF SPECIAL QUALITY PERSONAL DATA
Pursuant to the Board’s decision dated 31.01.2018 and numbered 2018/10, the following measures are taken, in the capacity of data controller, in the processing of Special Quality Personal Data, which is included in Article 6 of the Law:
This Policy has been determined which is systematic, clearly defined, manageable and sustainable for the security of sensitive personal data. For employees involved in the processing of special categories of personal data,
- Confidentiality agreements are made,
- The scope and duration of authorization of users who have access to data are clearly defined,
- Periodic authorization checks are carried out.
- Protocols and procedures for special quality personal data security have been determined and implemented.
- Employees who have a change of job or quit their job are immediately removed from their authority in this field. In this context, it receives the inventory allocated to it by the Data Controller.
- The environments in which Sensitive Personal Data are processed, stored and/or accessed, and the physical environment;
- * Adequate security measures are taken (against electrical leakage, fire, flood, theft, etc.)
- * Unauthorized access is prevented by ensuring the physical security of these environments.
10. TRANSFER OF SPECIAL QUALITY PERSONAL DATA
Special Quality Personal Data obtained in accordance with the law are not transferred to third parties for the purposes of data processing, Special Quality Personal Data of the Data Owner.
11. PUBLICATION AND STORAGE OF THE POLICY
The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is also kept in its file by the data manager.
12. POLICY UPDATE PERIOD
The policy is reviewed as needed and the necessary sections are updated.
13. ENFORCEMENT AND REVOCATION OF THE POLICY
The policy is deemed to have entered into force on the date written below. In the event that it is decided to be revoked, old copies of the Policy with wet signatures are canceled and signed by the data manager (with the cancellation stamp or by writing cancellation) and are kept by the data manager for at least 5 years. 13.09.2021