Personal Data Storage and Destruction Policy
1. ENTRANCE
1.1 Aim
Personal Data Storage and Destruction Policy (“Policy”),
Data controller title: Assoc. Dr. Ata Can
Data controller address: İnönü, Nizamiye Cd. No:9 D:No:1, 34373 Şişli/Istanbul
Data controller phone: 0536 576 66 66
Data controller e-mail: atababay@yahoo.com
Data controller website: https://dratacan.com/
It has been prepared to determine the procedures and principles regarding the works and transactions regarding personal data storage and destruction activities carried out by the data controller.
Our business; It has prioritized the processing of personal data that we process in line with the lawful mission, vision and basic principles, in accordance with the Constitution of the Republic of Turkey, international agreements, the Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation, and ensuring that the relevant persons exercise their rights effectively.
Work and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared accordingly.
1.2 Scope
Personal data of patients, companions, personnel, personnel candidates and service providers are within the scope of this Policy, and this Policy is applied to all recording environments where personal data managed by our business is processed and activities related to personal data processing.
1.3 Abbreviations and Definitions
Among the legal and technical terms included in this Policy;
Buyer Group | Category of natural or legal person to whom personal data is transferred by the data controller |
Explicit Consent | Consent regarding a specific subject, based on information and expressed with free will, |
Anonymization | The process of making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data, |
Worker | business personnel, |
EBYS | Electronic Document Management System, |
Electronic environment | Environments where personal data can be created, read, changed and written with electronic devices |
Non-Electronic Media | All written, printed, visual, etc. except electronic media. other environments, |
Service provider | Real or legal person who provides services within the framework of a specific contract with our business |
Related person | The real person whose personal data is processed, |
Related User | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data, |
Destruction | Deletion, destruction or anonymization of personal data, |
Law | Personal Data Protection Law No. 6698 dated 24.3.2016, |
recording media | Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system, |
Personal Data | Any information regarding an identified or identifiable natural person, |
Personal Data Processing Inventory | Personal data processing activities carried out by data controllers depending on their business processes; Explaining the purposes and legal reason for processing personal data, the data category, the transferred recipient group and the maximum retention period required for the purposes for which the personal data are processed by associating them with the data subject group, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security.
detailed inventory, |
Personal Data
Processing |
Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any action performed on data such as blocking, |
Board | Personal Data Protection Board, |
Special Qualified Personal
Data |
Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data, |
Periodic Destruction | In case all the conditions for processing personal data specified in the law are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals, |
Policy | Personal Data Storage and Destruction Policy, |
Data Processor | Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller, |
Data Recording System | The recording system in which personal data is structured and processed according to certain criteria, |
VERBIS | Data Controllers Registry Information System, |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system, |
regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017, |
It expresses.
2. EXPLANATIONS ON STORAGE AND DISPOSAL
Personal data processed by our business is stored in accordance with the Law and destroyed at the end of the storage period.
2.1 Explanations Regarding Storage
In Article 3 of the Law, the concept of processing personal data is defined, in Article 4, it is stated that the personal data processed should be related to the purpose for which they are processed, limited and proportionate and should be kept for the period required by the relevant legislation or for the purpose for which they are processed, and in Articles 5 and 6, it is stated that the processing of personal data should be limited and proportionate. conditions are listed.
Accordingly, personal data is stored for the period stipulated in the relevant legislation or for the period appropriate to our processing purposes.
2.1.1 Legal Reasons Requiring Personal Data Storage
Processed personal data is processed and stored if at least one of the legal reasons listed below exists.
- It is clearly provided for in the law
- Processing of the data of the parties is necessary for the performance of the contract
- It is mandatory for the data controller to fulfill its legal obligation
- Data processing is mandatory for the establishment, exercise or protection of a right
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
- Carrying out preventive medicine, medical diagnosis, treatment and care services
- Explicit Consent
2.1.2 Processing Purposes Requiring Storage
Personal data is processed and stored for the purposes stated below.
- Carrying out the application processes of employee candidates
- Fulfillment of obligations arising from employment contracts and legislation for employees
- Carrying out fringe benefits and benefits processes for employees
- Carrying out educational activities
- Execution of access authorizations
- Carrying out activities in accordance with the legislation
- Carrying out financial and accounting affairs
- Ensuring physical space security
- Carrying out assignment processes
- Follow-up and execution of legal affairs
- Carrying out communication activities
- Planning human resources processes
- Carrying out occupational health and safety activities
- Receiving and evaluating suggestions for improving business processes
- Carrying out performance evaluation processes
- Carrying out storage and archive activities
- Execution of contract processes
- Follow-up of requests and complaints
- Ensuring the security of movable goods and resources
- Ensuring the security of data controller operations
- Providing information to authorized persons, institutions and organizations
- Carrying out promotional activities
2.2 Reasons Requiring Destruction
Personal data;
- Amendment or abolition of the relevant legislative provisions that constitute the basis for processing,
- The purpose that requires processing or storage is eliminated,
- In cases where processing of personal data occurs only on the basis of explicit consent, the relevant
Withdrawing the person's explicit consent,
- Our business accepts the application made by the relevant person for the deletion and destruction of his personal data within the framework of his rights in accordance with Article 11 of the Law,
- In cases where our business rejects the application made by the relevant person requesting the deletion, destruction or anonymization of personal data, finds the answer given insufficient, or does not respond within the time period stipulated in the Law; Complaining to the Board and this request being approved by the Board,
- The maximum period requiring personal data to be stored has passed and there are no conditions that justify storing personal data for a longer period of time,
In such cases, it is deleted, destroyed or ex officio deleted, destroyed or anonymized by our business upon the request of the relevant person.
3. TECHNICAL AND ADMINISTRATIVE MEASURES
In order to safely store personal data, prevent unlawful processing and access of personal data, and destroy personal data in accordance with the law, technical and administrative measures are taken within the framework of adequate measures determined and announced by the Board for special personal data in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law. measures are taken.
3.1 Technical Precautions
The technical measures taken regarding the processed personal data are listed below:
- Network security and application security are ensured.
- Security measures are taken within the scope of supply, development and maintenance of information technology systems.
- The authorities of employees who change their duties or leave their jobs in this area are removed.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Periodic authorization checks are carried out for employees who have access to sensitive personal data.
- Security updates for the environments where the data is stored are constantly monitored, necessary security tests are performed or performed regularly and the test results are recorded.
- Security tests of software that access sensitive personal data are carried out regularly and the test results are recorded.
- For personal data stored in digital environment, periodic deletion, destruction or anonymization processes are carried out.
3.2 Administrative Measures
Administrative measures taken regarding processed personal data are listed below:
- There are disciplinary regulations for employees that include data security provisions.
- Training and awareness activities are carried out for employees at regular intervals regarding data security.
- Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
- Confidentiality commitments are made.
- The signed contracts contain data security provisions.
- Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
- The security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Periodic and/or random audits are carried out within the institution.
- Protocols and procedures for the security of special personal data have been determined and implemented.
- If special personal data is to be sent via e-mail, it must be sent encrypted and using a KEP or corporate mail account.
- The authorization scope and duration of users who are authorized to access sensitive personal data are clearly defined.
- Inventory allocated to employees who change positions or leave their jobs is returned.
- A personal data inventory has been prepared.
- Deletion, destruction or anonymization processes are carried out periodically.
4. STORAGE AND DISPOSAL PERIOD
Regarding the personal data processed by our business within the scope of its activities; retention periods are included in the Personal Data Storage and Destruction Policy.
Updates are made to these retention periods if necessary.
For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out during the first periodic destruction period following the end of the storage period.
4.1 Storage Periods Table
PROCESSED DATA | CONTACT CATEGORY | STORAGE PERIOD |
ID information | Worker | 15 years after termination of active employment relationship |
Employee Candidate | It will not be stored if the job application is rejected. | |
Patient | 20 years from the end of treatment | |
Companion | During service | |
Real Persons Providing External Services | 10 years from end of service | |
Contact information | Worker | 15 years after termination of active employment relationship |
Employee Candidate | It will not be stored if the job application is rejected. | |
Patient | 20 years from the end of treatment | |
Companion | During service | |
Real Persons Providing External Services | 10 years from end of service | |
Personal Health Data | Worker | 15 years after termination of active employment relationship |
Employee Candidate | It will not be stored if the job application is rejected. | |
Patient | 20 years from the end of treatment | |
Criminal Conviction and Security Measures Information | Worker | 10 years after termination of active employment relationship |
Employee Candidate | It will not be stored if the job application is rejected. | |
personnel | Worker | 10 years after termination of active employment relationship |
Employee Candidate | It will not be stored if the job application is rejected. | |
Legal action | Employee and Patient | 10 years from the end of the legal process |
Transaction Security | Employee and Patient | 2 years |
Customer Transaction | Patient | 20 years |
Real Persons Providing External Services | 10 years from end of service | |
finance | Patient | 20 years |
Worker | 10 years | |
Camera Recordings | For All Groups of People | 2 months |
Professional experience | Worker | 10 years after termination of active employment relationship |
Employee Candidate | If the job application process is negative, it is not stored | |
Audiovisual Records
|
Worker | 15 years after termination of active employment relationship |
Patient | 20 years from the end of treatment | |
Employee Candidate | If the job application process is negative, it is not stored |
4.2 Destruction Periods
Our business ex officio deletes, destroys or anonymizes personal data in accordance with the principles and procedures set out in this Policy, in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data in accordance with the provisions of the Law and Regulation arises.
If the data controller duly applies to us using the right to request the deletion of personal data specified in Article 13 of the Law;
- If all the conditions for processing personal data have been eliminated; Personal data subject to the request will be deleted, destroyed or anonymized by an appropriate destruction method within 30 (thirty) days from the day the request is received.
- If all the conditions for processing personal data have not been eliminated, the request may be rejected by explaining the reason for the request in accordance with the third paragraph of Article 13 of the Law, and the rejection response will be notified to the relevant person in writing or electronically within 30 (thirty) days at the latest.
5. PERIODIC DESTRUCTION PERIOD
In accordance with Article 11 of the Regulation, the periodic destruction period is determined as 6 months.
DISPOSAL METHODS
At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data are destroyed ex officio or upon the application of the relevant person, using the techniques specified below, in accordance with the provisions of the relevant legislation.
5.1 Deletion of Personal Data
Personal data is deleted by the methods given below.
Data Recording Environment | Explanation |
Personal Data on Servers | For personal data on the servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and deletes them. |
Personal Data in Electronic Media | Among the personal data in the electronic environment, those whose period of storage has expired are made inaccessible and unusable in any way for other employees (relevant users) except the database administrator. |
Personal Data in Physical Environment | Personal data kept in physical environment, for those whose period of storage has expired, are made inaccessible and unusable by all employees except the unit manager responsible for the document archive. In addition, blackening is also applied by drawing/painting/erasing the surface so that it cannot be read. |
Personal Data Contained in Portable Media | Among the personal data kept in flash-based storage media, those that have expired are stored in secure environments with encryption keys, by being encrypted by the system administrator and access authorization is given only to the system administrator. |
5.2 Destruction of Personal Data
Personal data is destroyed by the methods given below.
Data Recording Environment | Explanation |
Personal Data in Physical Environment | Personal data stored on paper that have expired are irreversibly destroyed in paper shredding machines. |
Personal Data Contained in Optical / Magnetic Media | Personal data contained in optical media and magnetic media whose storage period has expired are physically destroyed, such as melting, burning or pulverizing. In addition, the data on the magnetic media is rendered unreadable by passing it through a special device and exposing it to a high magnetic field. |
Personal Data in Digital Environment |
Personal data in the digital environment whose storage period has expired will be irreversibly destroyed, along with all logs and background transaction records and backups. |
5.3 Anonymization of Personal Data
Anonymization of personal data means making it impossible to associate personal data with an identified or identifiable natural person in any way, even if it is matched with other data.
In order for personal data to be anonymized; Personal data must be returned by the data controller or third parties and/or made impossible to associate with an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording environment and relevant field of activity, such as matching the data with other data.
While our company anonymizes personal data, it does so in accordance with the above-mentioned standards. After the anonymization of personal data, personal data cannot be associated with an identified or identifiable natural person in any way.
6. MEASURES TAKEN TO ENSURE THE LEGALITY OF THE DISPOSAL PROCESS
Destruction operations carried out ex officio upon request and during periodic destruction processes are carried out in accordance with the Law, the Regulation and this Policy. The technical and administrative measures taken in this context are shown separately below.
6.1 Technical Measures
- Access rights to personal data of employees in information technology units are kept under control.
- The destruction of personal data is ensured in a way that the data cannot be recycled and does not leave an audit trail.
6.2 Administrative Measures
- Staff are given training on personal data protection legislation, data security and destruction.
- The destruction processes are inspected at regular intervals. Necessary measures are taken to eliminate detected security vulnerabilities.
7. RECORDING MEDIA
Personal data is stored in accordance with the provisions of the law, regulation and other relevant legislation. The recording media of personal data stored in this context are shown in the table below.
Electronic Media | Non-Electronic Media |
Servers (Domain, backup, email, database, web, file sharing, etc.)
ü Software (Meddata Software, office software, portal.) ü Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.) ü Computers (Desktop, laptop) ü Mobile devices (phone, tablet, etc.) ü Optical discs (CD, DVD, etc.) ü Removable memories (USB, Memory Card, etc.) ü Printer, scanner, photocopier, Medical devices |
ü Paper
ü Manual data recording systems ü Written, printed and visual media
|
8. MEASURES TAKEN FOR PERSONAL DATA SECURITY
In order to safely store personal data, prevent unlawful processing and access of personal data, and destroy personal data in accordance with the law, technical and administrative measures are taken within the framework of adequate measures determined and announced by the Board for special personal data in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law. measures are taken.
8.1 Technical Measures
The technical measures taken regarding the processed personal data are listed below:
- Network security and application security are ensured.
- Security measures are taken within the scope of supply, development and maintenance of information technology systems.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Deletion, destruction or anonymization is carried out
- Data loss prevention software is used.
8.2 Administrative Measures
Administrative measures taken regarding processed personal data are listed below:
- There are disciplinary regulations for employees that include data security provisions.
- Training and awareness activities are carried out for employees at regular intervals regarding data security.
- Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
- The authorities of employees who change their duties or leave their jobs in this area are removed.
- Personal data security policies and procedures have been determined.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
- The security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Periodic and/or random audits are carried out within the institution.
9. PERSONNEL TITLE, UNIT AND DUTY DISTRIBUTION
All units and employees are required to ensure that the technical and administrative measures taken by the responsible units within the scope of the Policy are properly implemented, the training and awareness of unit employees are increased, their monitoring and continuous supervision are ensured, and personal data is prevented from being processed unlawfully, personal data is unlawfully accessed, and personal data is protected against the law. It actively supports the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to ensure proper storage.
The distribution of the titles and job descriptions of those involved in the storage and destruction processes of personal data is given in the table below.
OFFICER | JOB DESCRIPTION |
Practice Owner Physician | It is responsible for ensuring that the processed personal data storage and destruction processes are carried out in accordance with this policy, ensuring coordination between units, carrying out the necessary inspections, developing the policy, publishing and updating it in the relevant media.
|
Secretary/Assistant | To ensure that employees act in accordance with the policy, to carry out necessary inspections and to fulfill other duties assigned by the physician who owns the practice.
It is responsible for providing the technical solutions needed in the implementation of the Policy. |
10. UPDATES TO THE POLICY
This Personal Data Storage and Destruction Policy may be amended due to changes in legislation, in accordance with Board decisions or in line with developments in the sector or the field of informatics. Changes made in this context are immediately recorded in the text and explanations regarding the changes are added to the updates table below.
Updates Table
…………………………. | Personal Data Processing and Destruction Policy has entered into force. |
11. FINAL PROVISIONS
This Personal Data Storage and Destruction Policy is prepared by the data controller;
- in suitable places within the business
- https://dratacan.com/ from our website
was announced and communicated to the relevant people.