Policy on Storage, Disposal and Anonymization of Personal Data

PURPOSE AND SCOPE
The Policy of Storing and Destroying Personal Data will be referred to as the “Policy”. This policy has been prepared in order to determine the procedures and principles regarding the work and operations related to the storage and destruction activities carried out by the Data controller.

As the data controller, our basic principle is; persons / patients receiving product services, their employees, potential patients and persons receiving product services, service providers, visitors and other third parties' personal data T.C. It is processed in accordance with the Constitution, international conventions and the Law on the Protection of Personal Data No. 6698 (the “Law”) and other relevant legislation. In this context, it has been determined as a priority that the relevant persons do not lose their rights and use their rights effectively.

Retention and destruction of personal data prepared this Policy, the Law No. 6698 on protection of personal data, which entered into force by the date and 28.10.2017 30224 in the official gazette of personal data deletion, destruction or anonymization regulation (“the regulation”) and has been prepared in accordance with the provisions of other regulations.

definitions:
Buyer Group

The category of natural or legal person to whom personal data is transferred by the data controller.

Explicit Consent

Consent related to a specific subject, based on being informed and explained by free will.

Anonymization

Making personal data unable to be associated with an identified or identifiable natural person in any way, even by matching it with other data.

Client/ Patient/ Potential patient

The person who receives the product or service / The person who receives the potential product or service / the natural persons who use or have used the services offered by our practice, regardless of whether they have any contractual relationship or not.

Have made a request or interest in using our Services or may have such interest

natural persons who have been evaluated in accordance with commercial practice and honesty rules

Employee

Personnel before the data controller.

Employee candidate

Trainee or employee candidates whose resumes are taken

Electronic Media

Environments where personal data can be created, read, modified and written with electronic devices

Electronic

Non-

Environment

All written, printed, visual, etc. that are outside of electronic media. other environments.

Service Provider

A natural or legal person who provides services under a certain contract with the Personal Data Protection Authority.

Contact Person

The natural person whose personal data is processed. For example, patients and employees.

Related User

Persons who process personal data within the organization of the data controller or in accordance with the authorization and instructions received from the data controller, with the exception of the person or unit responsible for the technical storage, protection and backup of the data

Destruction

Personal data deletion, destruction or has been rendered anonymous.

Law

Law No. 6698 on the Protection of Personal Data.

Recording Media

Any environment in which personal data is processed by means that are fully or partially automated or are processed by non-automated means, provided that they are part of any data recording system.

Personal Data

All kinds of information about an identified or identifiable natural person. Therefore, the processing of information about legal entities is not covered by the Law. For example; name-surname, TCKN, e-mail, address, date of birth, bank information, etc.

Inventory of Personal Data Processing

Data processing activities, depending on the principals of the business processes they are accomplishing personal data; the purpose and legal reason of personal data processing the data category, data is transferred to the recipient group and associating with a group of people created by the subject of personal data required for the purposes they are processed and the maximum conservation of the duration of the measures prescribed by explaining the transfer of personal data to foreign countries detaylandirdik inventory and data protection

Personal

The Data

Processing

Your personal data completely or partially automated, or be part of any data recording system to record non-automatic means obtaining, recording, storage, modification, rearrangement, disclosure, transfer, acquisition, can be obtained, making classification such as the Prevention of the use or any operation that is performed on the data.

Assembly

Personal Data Protection Board

Special

Qualified Personal

Data

Of persons, race, ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, costume and clothing, Association or trade union membership, health, sexual life, criminal convictions and security measures, with data on genetic and biometric data.

Periodic Destruction

In the event that all the conditions for the processing of personal data contained in the law disappear, the deletion, destruction or anonymization process to be performed by re ’sen at December intervals specified in the personal data storage and destruction policy and repeated.

Politics

Personal Data Storage and Destruction Policy

Data Processor

A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Recording System

The registration system in which personal data is processed by structuring according to certain criteria.

Data Controller

A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of a data recording system.

The examiner is Dr. Meral Sözen

Data Controllers Registry Information System

An information system created and managed by the Presidency, accessible via the Internet, that data controllers will use in applying for the Registry and other related transactions related to the Registry.

VERBIS

Data Controllers Registry Information System

Regulation

Deletion of Personal Data published in the Official Gazette dated October 28, 2017,

Regulation on its Destruction or Anonymization.

3. RECORDING ENVIRONMENTS
The table below shows in which environments the personal data stored by the Data Controller are recorded. The personal data stored by the Data Controller is stored in the most appropriate recording environment according to its nature and legal status.

Data Recording Media

Explanation

Electronic Media

* Servers (Backup, Email, Web, etc.)

* Information Security Device (Firewall, Intrusion Detection And Blocking, Antivirus, etc.)

* Data Controller Computers (Desktop, etc.)

* Mobile Devices Belonging to the Data Controller (Phone, etc.)

Non-Electronic Media

· Paper

* Written, printed, visual media

responsibility
6 Of the regulation. in accordance with paragraph f of the article, it is regulated that the duties of the persons involved in the storage and destruction of personal data should be specified. In this context, the Prevention of unlawful processing of personal data and access to personal data in order to ensure the proper storage of data security, storage and disposal processes of management, technical and administrative measures to be taken within the organization responsible for issues with data of the employees ' tasks, the distribution of the personal data retention and destruction Policy and other policies and procedures organized to manage the processes that need to be carried out in accordance with and to take decisions on requests for data from related parties are not responsible means.

EXPLANATIONS ON STORAGE AND DISPOSAL
Within the body of the data controller, the personal data belonging to the persons to whom the services are provided are processed in accordance with the issues specified by the Law and stored in the recording environments specified in this policy, but are destroyed in the manner specified in this policy. In addition, it stores and destroys personal data related to personnel.

Personal Data is subject to Article 5 of the Law. and 6. the articles specified in the processing of personal data based on one or more of the conditions are stored in, and in this context, the validity of the conditions specified for the processing of personal data stored for the duration of the personal data in question to contact the expiration or in charge of data processing conditions upon request upon request the stored personal data being deleted, destroyed or made anonymous.

Legal Reasons That Require Hiding
The personal data processed within the framework of the data controller's activities are kept for the period stipulated in the relevant legislation. In this context, personal data;

Law No. 6698 on the Protection of Personal Data,
Turkish Code of Obligations No. 6098,
Social Insurance and General Health Insurance Law No. 5510,
Law No. 5651 on the Regulation of Publications Made on the Internet and the Fight against Crimes Committed Through These Publications,
Occupational Health and Safety Law No. 6361,
Labor Law No. 4857,
Social Services Law No. 2828,
Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
Occupational Health and Safety Services Regulation,
Basic Law of Health Services No. 3359,
Decree No. 663 having the Force of Law on the Organization and Duties of the Ministry of Health and its Affiliated Organizations,
Other secondary regulations in force in accordance with these laws are stored and processed until the storage periods stipulated in their framework.
Processing Purposes That Require Storage
The data controller stores the personal data that it processes within the framework of its activities for certain purposes. In this context, the purposes are listed below.

Conducting Emergency Management Processes
Execution of Information Security Processes
Fulfillment of Obligations Arising From Employment Contract And Legislation For Employees
Execution of Side Rights And Benefits Processes For Employees
Conducting Audit / Ethics Activities
Conducting Educational Activities
Execution of Activities in Accordance with the Legislation
Execution Of Financial And Accounting Affairs
Ensuring the Security of Physical Space Jul
Execution of Assignment Processes
Conducting Communication Activities
Planning of Human Resources Processes
Execution / Supervision of Business Activities
Execution of Occupational Health / Safety Activities
Execution of Goods / Service Purchase Processes
Execution of goods / service sales processes
Execution of customer relationship management processes
Execution of Storage And Archive Activities
Execution of Contract Processes
Follow-up of Requests /Complaints
Execution of the Wage Policy
Ensuring the Jul-tainment of Data Controller Operations
Providing Information to Authorized Persons, Institutions And Organizations
Diagnosis, management of medical diagnosis and treatment processes, execution of medical services
PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES STIPULATED IN THE LEGISLATION
Processing in Accordance with the Law and the Rule of Honesty
The data controller; acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, the data controller takes into account the proportionality requirements in the processing of personal data and does not use personal data outside the purpose.

Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
The data controller ensures that the personal data processed by taking into account the fundamental rights of the personal data owners and their legitimate interests are accurate and up-to-date. It takes the necessary measures in this direction.

Processing for Specific, Explicit and Legitimate Purposes
The data controller clearly and precisely determines the purpose of personal data processing, which is legitimate and in accordance with the law. The data controller processes the personal data in connection with the service it offers and as much as is necessary for them. The purpose for which the personal data will be processed by the data controller is revealed before the personal data processing activity starts.

Being Connected, Limited and Measured for the Purpose for which They are Processed
The data controller processes the personal data in a manner conducive to the realization of the determined purposes and avoids the processing of personal data that are not related to the realization of the purpose or that are not needed.

Keeping Them for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which They are Processed
The data controller keeps the personal data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, the data controller first determines whether a period of time is foreseen for the storage of personal data in the relevant legislation, acts in accordance with this period if a period of time has been determined, and if a period of time has not been determined, stores personal data for the period necessary for the purpose for which they are processed. In case of expiration of the period or disappearance of the reasons requiring processing, the personal data are deleted, destroyed or anonymized by the Data controller.

PERSONAL DATA, 5 OF THE LAW. PROCESSING BASED ON ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS SPECIFIED IN THE ARTICLE AND LIMITED TO THESE CONDITIONS
The protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted only by law and depending on the reasons specified in the relevant articles of the Constitution, without affecting their essence. 20 Of the Constitution. in accordance with the third paragraph of the article, personal data can only be processed in the cases stipulated by law or with the explicit consent of the person. In this direction and in accordance with the Constitution; personal data is processed only in the cases stipulated by law or with the explicit consent of the person.

INFORMING AND INFORMING THE PERSONAL DATA OWNER
Data controller, 10 of the Law. it enlightens the personal data owners during the acquisition of personal data in accordance with the article. In this context, it clarifies the identity of the Data Controller and his representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, as well as the rights of the personal data owner.

20 Of the Constitution. in the article, it is stated that everyone has the right to be informed about the personal data related to him. 11 of the Law in this direction. in the article, “requesting information” is also counted among the rights of the personal data owner. Dec. In this context, the data controller is responsible for the Article 20 of the Constitution. and 11 of the Law. in accordance with its articles, it provides the necessary information in case the personal data owner requests information.

PROCESSING OF SPECIAL QUALITY PERSONAL DATA
The data controller treats the processing of personal data determined as “special quality” by Law in accordance with the regulations stipulated in the Law with sensitivity.

6 Of the Act. in the article, a number of personal data that pose a risk of causing victimization or discrimination to individuals when processed unlawfully are determined as “special quality”. These data race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, costume and clothing, Association or trade union membership, health, sexual life, criminal convictions and security measures, with data on genetic and biometric data.

By the party responsible for the data, in accordance with the law; qualified personal private data and methods to be determined by the board in accordance with the principles of this policy, including the European Council “special personal data processing, the data sorumlularinc adequate measures to be taken” concerning protection of personal data within the framework of the decision of the board dated 31/01/2018 2018/10, and also in the presence of the necessary administrative and technical measures are processed by taking the following terms and:

If the personal data owner has explicit consent, or
If there is no explicit consent of the personal data owner;
Special personal data other than the health and sexual life of the personal data owner, in cases clearly stipulated by law, in other words, if there is an explicit provision in the law on the processing of personal data,

The owner of personal data and special personal data qualified to the health of your sex life, however, Public Health Protection, preventive medicine, medical diagnosis, treatment and care services execution, for the purposes of the planning and management of health services financing, or persons under the obligation of confidentiality by the authorized institution is processed. Otherwise, the explicit consent of the data owner will be obtained.

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO PREVENT THE SAFE STORAGE, UNLAWFUL PROCESSING AND ACCESS OF PERSONAL DATA AND PERSONAL DATA OF A SPECIAL NATURE
The data controller takes all necessary technical and administrative measures in accordance with the relevant personal data and the characteristics of the environment in which it is kept in order to prevent the unlawful processing and access of personal data by storing it securely. Also 12 of the Law. In accordance with the fourth paragraph of Article 6 of the Law, technical and administrative measures are also taken within the framework of adequate measures determined and announced by the Personal Data Protection Authority for personal data of a special nature.

These measures include, but are not limited to, the following administrative and technical measures to the extent that they correspond to the nature of the relevant personal data and the environment in which it is kept.

Technical and administrative Measures
The data controller takes the following technical measures in accordance with the characteristics of all environments in which personal data is stored, the relevant data and the environment in which the data is kept:

December training and awareness activities are carried out for employees on data security.
Confidentiality commitments are made.
The powers of employees who have changed their duties or left their jobs in this area are removed.
Current anti-virus systems are used.
The signed contracts contain data security provisions.
Personal data security and procedures have been determined.
Personal data security is monitored.
Personal data is reduced as much as possible.
Personal data is backed up and the security of the backed up personal data is also ensured.
Necessary security measures are taken regarding the entry and exit of physical environments containing Personal Data.
Physical environments containing Personal Data are subject to external risks (fire, flood, etc.) against which security is provided.
Protocols and procedures for special quality personal data security have been determined and implemented.
The data processing service providers are provided with awareness about data security.
The Transfer Of Personal Data
The Data Controller can transfer the personal data and special qualified personal data of the personal data owner to the authorized public institutions and organizations by taking the necessary security measures in line with the personal data processing purposes that are in accordance with the law. The Data Controller is responsible for 8 of the Law in this direction. it acts in accordance with the regulations stipulated in the article. The Data Controller is responsible for the legitimate and lawful personal data processing purposes in accordance with Article 5 of the Law listed below. it may transfer personal data to third parties based on one or more of the personal data processing conditions specified in the article and limited to:

If the personal data owner has explicit consent,

Clearly stipulating the relevant activities related to the transfer of personal data in the laws,
The transfer of personal data by the Data Controller is directly related to the establishment or performance of a contract and is necessary,
The transfer of personal data is mandatory for the Data Controller to fulfill his legal obligation,
Transfer of personal data by the Data Controller in a limited manner for the purpose of publicization, provided that the personal data has been made public by the data owner,
The fact that the transfer of personal data by the Data Controller is mandatory for the establishment, use or protection of the rights of the Data Controller or the data subject or third parties,
It is mandatory to carry out personal data transfer activities for the legitimate interests of the Data Controller, provided that they do not harm the fundamental rights and freedoms of the data subject,
The fact that a person who is unable to disclose his consent due to actual impossibility, or whose consent is granted legal validity, is obliged to protect his or someone else's life or body integrity.
In addition to the above, personal data may be transferred to foreign countries declared to have adequate protection by the Board in the presence of any of the above October conditions. In the absence of adequate protection, the data may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country have committed to adequate protection in writing and have the permission of the Board in accordance with the data transfer conditions provided for in the legislation.

Transfer of Special Qualified Personal Data
The Data Controller is able to transfer the special qualified data of the personal data owner to third parties in the following cases by showing the necessary care, taking all necessary administrative and technical security measures and adequate measures to be stipulated by the KVK Board; for legitimate and lawful personal data processing purposes.

If the personal data owner has explicit consent, or
If there is no explicit consent of the personal data owner;
Private qualified health and sexual life of the owner of personal data outside of personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, costume and clothing, Association or trade union membership, criminal convictions and security measures, with data on genetic and biometric data), in the way prescribed in the law,
“Special personal data, the owner of personal data and the qualified health of your sex life, however, Public Health Protection, preventive medicine, medical diagnosis, treatment and care services execution, for the purposes of the planning and management of health services financing, or authorized persons under the obligation of confidentiality by the institution.” Otherwise, the explicit consent of the data owner will be obtained.
In addition to the above, personal data may be transferred to foreign countries declared to have adequate protection by the Board in the presence of any of the above October conditions. In the absence of adequate protection, the data may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country have committed to adequate protection in writing and have the permission of the Board in accordance with the data transfer conditions provided for in the legislation.

RIGHTS OF THE PERSON CONCERNED:
The rights of the person concerned are explained in the disclosure text published on the website of the data controller. In addition, 11 of the law No. 6698. Its substance is indicated below.

Rights of the person concerned

ARTICLE 11-

(1) Everyone can apply to the data controller about himself/herself;

a) To learn whether personal data is processed or not,

b) If personal data has been processed, to request information about it,

c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

ç) To know the third parties to whom personal data is transferred in the country or abroad,

d) Requesting correction of personal data in case of incomplete or incorrect processing,

e) Request deletion or destruction of personal data within the framework of the conditions stipulated in article 7,

f) Request that the transactions made in accordance with paragraphs (d) and (e) be notified to the third parties to whom the personal data has been transferred,

g) Object to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,

d) In case of damage caused due to the unlawful processing of personal data, they have the right to demand compensation for the damage.

https://www.meralsozen.com / the application form located at the address, the Data Subject in accordance with the procedures and principles contained in the Communiqué on the Procedures and Principles of Application to the Data Controller, together with the documents showing his identity “Kızılırmak Mah. Dumlupınar Blv No:9/A Office :129, 06510 Çankaya/Ankara” with wet signature; or drmeralsozen@hotmail.com dresine can apply by using her e-mail address. The requests contained in the application will be terminated free of charge within 30 days at the latest.

METHODS OF DESTRUCTION OF PERSONAL DATA AND SPECIAL TYPES OF PERSONAL DATA
Personal data;

Amendment or cancellation of the relevant legislation provisions that constitute the basis for processing,
Disappearance of the purpose that requires its processing or storage,
In cases where the processing of personal data takes place only in accordance with the condition of explicit consent, the person concerned withdraws his/her explicit consent,
Acceptance of the application made by the data controller regarding the deletion and destruction of personal data within the framework of the rights of the relevant person in accordance with Article 11 of the law,
Responsible for data, the person concerned by the personal data deletion, destruction or anonymization to reject the reference to find out the answer with the demand itself or in cases that do not respond within the time stipulated in the law, and to file a complaint to the personal data protection agency approved by the institution of this demand,
The maximum period requiring the storage of personal data has elapsed and there are no conditions that justify storing personal data for a longer period of time,
Expiration of the retention periods specified in the relevant legislation,
in these cases, the data is deleted, destroyed or re ’sen is deleted, destroyed or anonymized by the data controller at the request of the relevant person.

The Data Controller shall delete, destroy or anonymize the personal data stored in accordance with the Law and other legislation and the Personal Data Processing and Protection Policy in accordance with the request of the relevant person or within the periods specified in this Personal Data Storage and Destruction Policy if the reasons requiring the processing of the data disappear, as stated above.

The deletion, destruction and anonymization techniques used by the data controller are listed below:

TECHNIQUES OF DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Techniques of Erasure and Destruction of Personal Data
The data controller may delete or destroy the personal data based on its own decision or upon the request of the personal data owner in the event that the reasons requiring its processing disappear despite the fact that it has been processed in accordance with the relevant provisions. The most used deletion or destruction techniques are listed below:

Physical Destruction
Personal data can be processed by structuring according to certain criteria. When deleting / destroying such data, a system of physical destruction of personal data is applied in such a way that it cannot be used later.

Secure Deletion from Software
While the data processed by structuring personal data according to certain criteria and stored in digital environments are deleted / destroyed; methods related to the deletion of the data from the relevant software are used in a way that cannot be recovered again.

Techniques for Anonymizing Personal Data
Anonymization of personal data refers to the fact that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data. The data controller is able to anonymize the personal data when the reasons requiring the processing of the personal data processed in accordance with the law are eliminated.

28 Of the Law. in accordance with the Article and the Regulation; Personal data that have been anonymized may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Law and Regulation and the explicit consent of the personal data owner will not be sought. 10 of the Policy, as the personal data processed by anonymizing will be outside the scope of the Law and Regulation. The rights regulated in the Section will not apply to this data.

PERIODS OF STORAGE AND DESTRUCTION OF PERSONAL DATA
In relation to the personal data processed by the data controller within the scope of the activities;

Storage periods on the basis of personal data related to all personal data within the scope of the activities carried out depending on the processes The data controller is in the Inventory of Personal Data Processing;
Storage periods based on data categories are recorded in VERBIS;
Process-based retention periods are included in the Personal Data Retention and Destruction Policy.
Storage and Disposal Periods
The principal data law, relevant legislation, policy and other policies and the processing of personal data and the preservation of this personal data prepared in accordance with the personal data retention and destruction policy is responsible for the delete, destroy, or arises after the date the obligation to make the periodic destruction of the first anonymous in the process, personal data, delete, destroy, or makes it anonymous.