DENTIST ÖZGE ASMACIK YAĞCI
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. INTRODUCTION
1.1 Purpose
This Personal Data Storage and Destruction Policy ('Policy') sets out the procedures and principles governing the personal data storage and destruction activities carried out by the Data Controller, DENTIST ÖZGE ASMACIK YAĞCI.
Under this Policy and the Personal Data Processing and Protection Policy, the personal data of the Data Controller's employees, employee candidates, patients and all other natural persons whose personal data are held by DENTIST ÖZGE ASMACIK YAĞCI for any reason are processed, as a priority, in accordance with the Constitution of the Republic of Turkey, international conventions, the Law No. 6698 on the Protection of Personal Data ('Law') and other relevant legislation, and in a manner that enables data subjects to exercise their rights effectively.
1.2 Scope
All work and transactions relating to the storage and destruction of personal data are carried out in accordance with this Policy, which DENTIST ÖZGE ASMACIK YAĞCI has prepared for that purpose.
1.3 Abbreviations and Definitions
Explicit Consent: Consent regarding a specific subject, based on information and expressed with free will.
Anonymisation: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Employee: Employees of the Data Controller.
Electronic Media: Media where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual, etc. other media other than electronic media.
Data Subject: The real person whose personal data is processed.
Relevant User: Persons who process personal data within the organisation of the data controller or in accordance with the authorisation and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymisation of personal data.
Law: Law No. 6698 on the Protection of Personal Data.
Recording Medium: Any medium in which personal data are processed by fully or partially automatic means, or by non-automatic means provided that the processing is part of a data recording system.
Personal Data Processing Inventory: Inventory in which data controllers detail the personal data processing activities that they carry out depending on their business processes by associating them with the purposes and legal grounds for processing personal data, data category, transferred recipient group and data subject group and by explaining the maximum retention period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and measures taken regarding data security.
Board: Personal Data Protection Board.
Periodic Destruction: The deletion, destruction or anonymisation carried out ex officio at the recurring intervals specified in the personal data retention and destruction policy, once all of the conditions for processing personal data set out in the Law have ceased to exist.
Policy: Personal Data Retention and Destruction Policy.
Data Recording System: The recording system in which personal data are structured and processed according to certain criteria.
Data Controllers Registry Information System: The information system created and managed by the Presidency of the Personal Data Protection Authority, accessible via the internet, which data controllers use for applications to the Registry and other transactions relating to the Registry.
VERBIS: Data Controllers Registry Information System.
Regulation: Regulation on Deletion, Destruction or Anonymisation of Personal Data published in the Official Gazette dated 28 October 2017.
2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
All DENTIST ÖZGE ASMACIK YAĞCI employees actively support the responsible employees in taking technical and administrative measures to ensure data security in every environment where personal data are processed, with the aims of preventing unlawful processing of personal data, preventing unlawful access to personal data and ensuring that personal data are stored lawfully. This is achieved by properly implementing the technical and administrative measures taken under this Policy, raising the training and awareness of employees, and monitoring and auditing continuously.
3. RECORDING MEDIA
Personal data are securely stored by the Data Controller in accordance with the law in the media listed in Table 1.
Table 1: Personal data storage media
Electronic Media | Non-Electronic Media
4. EXPLANATIONS ON STORAGE AND DESTRUCTION
Personal data of employees, employee candidates and patients are stored and destroyed by the Data Controller in accordance with the Law. In this context, detailed explanations on retention and destruction are given below respectively.
4.1 Explanations Regarding Storage
Article 3 of the Law defines the processing of personal data; Article 4 requires that personal data be relevant, limited and proportionate to the purpose for which they are processed, and be kept only for the period stipulated in the relevant legislation or required for that purpose; and Articles 5 and 6 list the conditions for processing personal data. Accordingly, personal data processed within the framework of the Data Controller's activities are stored for the period stipulated in the relevant legislation or required by the Data Controller's processing purposes.
4.1.1 Legal Reasons Requiring Retention
Personal data processed within the framework of Data Controller activities are retained for the period stipulated in the relevant legislation.
In this context, personal data are retained for the periods stipulated in the following legislation and in the secondary regulations in force pursuant to it:
- Law No. 6698 on the Protection of Personal Data,
- Basic Law on Health Services No. 3359,
- Decree Law No. 663 on the Organisation and Duties of the Ministry of Health and its Affiliated Institutions,
- Regulation on Processing and Ensuring the Privacy of Personal Health Data,
- Law No. 3224 on the Turkish Dental Association,
- Regulation No. 29256 on Private Health Institutions Providing Oral and Dental Health Services,
- Turkish Code of Obligations No. 6098,
- Turkish Commercial Code No. 6102,
- Law No. 5510 on Social Security and General Health Insurance,
- Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications,
- Law No. 6331 on Occupational Health and Safety,
- Law No. 4982 on Access to Information,
- Law No. 3071 on the Exercise of the Right to Petition,
- Labour Law No. 4857,
- Law No. 2828 on Social Services,
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
- Regulation on Archive Services.
4.1.2 Processing Purposes Requiring Retention
The Data Controller stores the personal data processed within the framework of its activities for the following purposes:
- To fulfil the service provided as an Oral and Dental Health Organisation.
- To ensure corporate communication.
- To ensure the security of the institution.
- To be able to do statistical studies.
- To ensure that accounting records are kept.
- To be able to perform works and transactions as a result of signed contracts and protocols.
- To determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors within the scope of VERBIS, to organise the services provided accordingly and to update them where necessary.
- To ensure the fulfilment of legal obligations as required or obliged by legal regulations.
- To liaise with natural and legal persons who have a business relationship with the Data Controller.
- To prepare legally required reports.
- To meet the burden of proof in legal disputes that may arise in the future.
4.2 Reasons for Destruction
Personal data are deleted, destroyed or anonymised by the Data Controller, ex officio or upon the request of the data subject, in the following cases:
- the provisions of the relevant legislation that constitute the basis for processing are amended or repealed,
- the purpose requiring processing or storage ceases to exist,
- where processing is carried out solely on the basis of explicit consent, the data subject withdraws that consent,
- an application made by the data subject under Article 11 of the Law for the deletion or destruction of his/her personal data is accepted,
- the maximum period required for the storage of the personal data has expired and no condition justifies storing the data for a longer period.
5. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE STORAGE AND DESTRUCTION OF PERSONAL DATA
In accordance with Article 12 of the Law and, for special categories of personal data, the adequate measures determined and announced by the Board pursuant to Article 6/4 of the Law, the Data Controller takes technical and administrative measures for the safe storage of personal data, the prevention of unlawful processing of and access to personal data, and the destruction of personal data in accordance with the law.
5.1 Technical Measures for Safekeeping
The technical measures taken by the Data Controller regarding the storage of the personal data it processes are listed below:
- Hardware and software security systems, kept up to date with technological developments, are installed to protect the information systems holding personal data against environmental threats.
- Only authorised employees can access personal data.
- Strong passwords are used in the electronic environments where personal data are processed.
- Adequate security measures are taken for the physical environments where special categories of personal data are processed, stored and/or accessed; physical security is ensured so that unauthorised entry and exit are prevented.
- If special categories of personal data must be transferred via e-mail, they are transferred from a corporate e-mail address. If they must be transferred on paper, the necessary measures are taken against risks such as theft, loss or viewing of the document by unauthorised persons.
- The Data Controller requests commitments from the third parties it works with that they meet defined standards for the storage of data.
- The Data Controller also takes the necessary measures to ensure that personal data are not lost or used unlawfully.
5.2 Administrative Measures for Safekeeping
The administrative measures taken by the Data Controller regarding the storage of the personal data it processes are listed below:
- Employees are informed about the technical and administrative risks related to the storage of personal data in order to raise their awareness.
- Where the Data Controller cooperates with third parties for the storage of personal data, the contracts made with the companies to which personal data are transferred include provisions setting out the obligations and responsibilities of those recipients to take the security measures necessary for the protection and safe storage of the transferred personal data.
5.3 Technical Measures for Destruction
At the end of the period stipulated in the relevant legislation, or of the retention period required for the purpose for which they were processed, personal data are destroyed by the Data Controller, ex officio or upon the application of the data subject, in accordance with the provisions of the relevant legislation and by the techniques set out below.
5.4 Deletion of Personal Data
Personal data are deleted by the methods given in Table 2.
Table 2: Deletion of Personal Data
Data Recording Environment | Description
Personal Data on Servers | For personal data on servers whose retention period has expired, deletion is carried out by the system administrator by removing the access authorisation of the relevant users.
Personal Data in Electronic Media | Personal data in electronic media whose retention period has expired are rendered inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator.
Personal Data in Physical Environment | Personal data kept in physical media whose retention period has expired are rendered inaccessible and non-reusable in any way for employees other than the unit manager responsible for the document archive. In addition, the data are blacked out by drawing over, painting over or erasing them so that they cannot be read.
Personal Data on Portable Media | Personal data kept on flash-based storage media whose retention period has expired are encrypted by the system administrator; access authorisation is granted only to the system administrator, and the encrypted data and encryption keys are stored in secure environments.
5.5 Destruction of Personal Data
Personal data are destroyed by the Data Controller by the methods given in Table 3.
Table 3: Destruction of Personal Data
Data Recording Environment | Description
Personal Data in Physical Environment | Personal data in paper media whose retention period has expired are irreversibly destroyed in paper shredding machines.
Personal Data in Optical / Magnetic Media | Personal data in optical and magnetic media whose retention period has expired are physically destroyed by methods such as melting, incineration or pulverisation. In addition, magnetic media are passed through a special device (degausser) that exposes them to a high magnetic field, rendering the data on them unreadable.
5.6 Anonymisation of Personal Data
Anonymisation of personal data means rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even if the data are matched with other data.
For personal data to be considered anonymised, they must be incapable of being associated with an identified or identifiable natural person even if techniques appropriate to the recording medium and the relevant field of activity are applied, such as the Data Controller or third parties attempting to reverse the anonymisation and/or matching the data with other data.
5.7 Administrative Measures Regarding Destruction
Destruction of data is carried out only by authorised employees of the Data Controller. Employees are informed of the legislation on the protection and destruction of personal data. The equipment needed for destruction, in particular physical destruction, is available in the workplace.
6. STORAGE AND DESTRUCTION PERIODS
Regarding the personal data processed by the Data Controller within the scope of its activities:
- Retention periods for each item of personal data, for all personal data within the scope of the activities carried out in the relevant processes, are included in the Personal Data Processing Inventory.
- Process-based retention periods are included in the Personal Data Retention and Destruction Policy.
- Personal data whose retention periods have expired are deleted, destroyed or anonymised ex officio.
Table 4: Periods for Retention and Destruction of Data
Process | Storage Period | Destruction Period
Patients | 10 years | 6 months from the expiry of the retention period
Employees | 15 years from the date of termination of employment | 6 months from the expiry of the retention period
Job Applicants | 15 years from the application date | 6 months from the expiry of the retention period
Contact Persons Other Than the Above Data Subjects | 10 years | 6 months from the expiry of the retention period
7. PUBLICATION AND STORAGE OF THE POLICY
The Policy is published in two media: as a wet-signed printed copy and in electronic form.
8. PERIOD FOR UPDATING THE POLICY
The Policy is reviewed as needed and the relevant sections are updated.
9. ENFORCEMENT OF THE POLICY
This Policy enters into force on ***** .
DENTIST ÖZGE ASMACIK YAĞCI