1.INTRODUCTION
1.1 Purpose
Personal Data Retention and Disposal Policy (“Policy”), “Op.Dr.Dürdane Keskin” (“The Institution”) has been prepared in order to determine the procedures and principles regarding the work and transactions related to the storage and destruction activities being carried out.
Institution; Institution employees, employee candidates, patients, suppliers, service providers, visitors and other third parties personal data belonging to T.R. Its Constitution prioritizes processing in accordance with international conventions, the Law on the Protection of Personal Data No. 6698 (“Law”) and other relevant legislation, and ensuring that the relevant persons use their rights effectively. Works and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Institution in this direction.
1.2 Scope
The personal data of the Institution’s employees, employee candidates, patients, suppliers, service providers, visitors and other third parties are within the scope of this Policy, and this Policy is applied in all recording environments where personal data owned or managed by the Institution are processed, and in activities for personal data processing.
1.3 Abbreviations and Definitions
Recipient Group: The natural or legal person category to which personal data is transferred by the data controller.
Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
Anonymization: Making personal data cannot be associated with an identified or identifiable natural person in any way, even by matching with other data.
Employee: “Op.Dr.Dürdane Keskin” Institution personnel.
Patient : The person receiving health and medical treatment services from “Op.Dr.Dürdane Keskin”.
Electronic Media: The environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual, etc. other than electronic media. other environments.
Service Provider: A natural or legal person who provides services within the framework of a certain contract with the Personal Data Protection Authority.
Relevant Person : The natural person whose personal data are processed.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data.
Law : Law on Protection of Personal Data No. 6698.
Recording Environment: Any environment in which personal data is processed wholly or partially automatically or non-automatically provided that it is a part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory, which they have created by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group, by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries, and the measures taken regarding data security.
Processing of Personal Data: Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data fully or partially automatically or non-automatically provided that it is a part of any data recording system or any kind of operation performed on the data, such as preventing its use.
Special Qualified Personal Data: The data regarding the race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data and genetic data.
Periodic Destruction: The deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated.
Policy: Personal Data Storage and Disposal Policy
Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Registration System: The registration system in which personal data is processed and structured according to certain criteria.
Data Controller : The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System: An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in their application to the Registry and other related transactions related to the Registry.
VERBIS : Data Controllers Registry Information System
Regulation: The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.
2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
All units and employees of the institution, by the responsible units, the necessary implementation of the technical and administrative measures taken within the scope of the Policy, increasing the training and awareness of the unit employees, monitoring and continuous inspection of personal data, preventing the illegal processing of personal data, preventing unlawful access to personal data and It actively supports the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to ensure that it is stored in accordance with the law. The distribution of the titles, units and job descriptions of those involved in the storage and destruction processes of personal data is given in Table 1.
Table 1: Task distribution of storage and disposal processes
TITLE MISSION
The Data Manager is responsible for the employees to act in accordance with the policy.
The Data Manager is responsible for preparing, developing, executing, publishing and updating the Policy in the relevant media, canceling and keeping it with the decision of the Institution.
The Data Security Officer is responsible for providing the technical solutions needed in the implementation of the Policy.
Other Units are responsible for the execution of the Policy in accordance with their Duties and the duties defined by the internal directive.
3. RECORDING ENVIRONMENTS
Personal data is stored safely by the Institution in the environments listed below, in accordance with the law.
Table 2: Personal data storage environments
Electronic Media Non-Electronic Media
Servers (Domain, backup, email, database, web, file sharing, etc.)
Software (office software, portal, EBYS, VERBIS.)
Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
Personal computers (Desktop, laptop)
Mobile devices (phone, tablet, etc.)
Optical discs (CD, DVD, etc.)
Removable memories (USB, Memory Card etc.)
Printer, scanner, copier
Paper
Manual data recording systems (survey forms, visitor logbook)
Written, printed, visual media
4. EXPLANATIONS ON STORAGE AND DISPOSAL
By the institution; Personal data belonging to employees of third parties, institutions or organizations that are in contact as employees, employee candidates, patients, suppliers, visitors and service providers are stored and destroyed in accordance with the Law. In this context, detailed explanations regarding storage and disposal are given below, respectively.
4.1 Remarks on Retention
In Article 3 of the Law, the concept of processing personal data is defined, in Article 4 it is stated that the processed personal data should be related to the purpose for which they are processed, limited and measured, and should be kept for the period required for the purpose for which they are processed or as stipulated in the relevant legislation. counted. Accordingly, within the framework of the activities of our Institution, personal data is stored for a period of time stipulated in the relevant legislation or suitable for our processing purposes.
4.1.1 Legal Reasons for Retention
Personal data processed within the framework of its activities in the institution are kept for the period stipulated in the relevant legislation. In this context, personal data;
Law No. 6698 on the Protection of Personal Data,
Law No. 5651,
Turkish Code of Obligations No. 6098,
Turkish Commercial Code No. 4721,
Law No. 6563
Private Health Insurance regulation and related legislation
Patient Rights Regulation and related legislation
Code of Deontology,
Social Insurance and General Health Insurance Law No. 5510, insurance legislation
Occupational Health and Safety Law No. 6331,
Law on Access to Information No. 4982,
Law No. 3071 on the Use of the Right to Petition,
Labor Law No. 4857,
Retirement Health Law No. 5434,
Social Services Law No. 2828
Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments,
Regulation on Archive Services
It is stored as long as the storage periods stipulated in the framework of other secondary regulations in force in accordance with these laws.
4.1.2 Processing Purposes Requiring Storage
Personal data;
Changing or repealing the provisions of the relevant legislation, which is the basis for processing,
The disappearance of the purpose that requires processing or storage,
In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his explicit consent,
In accordance with Article 11 of the Law, the application made by the Authority regarding the deletion and destruction of personal data within the framework of the rights of the person concerned,
In the event that the Institution rejects the application made by the person concerned with the request for the deletion, destruction or anonymization of his personal data, finds the answer insufficient or does not respond within the time stipulated in the Law; the person concerned makes a complaint to the Personal Data Protection Authority and this request is approved by the Personal Data Protection Authority,
In cases where the maximum period requiring the storage of personal data has passed and there is no condition to justify keeping the personal data for a longer period, it is deleted, destroyed or ex officio deleted, destroyed or anonymized by the Institution upon the request of the person concerned.
4.2 Reasons for Disposal
5. TECHNICAL AND ADMINISTRATIVE MEASURES
In accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, in accordance with the adequate measures determined and announced by the Board for personal data to be stored securely, to prevent unlawful processing and access, and to destroy personal data in accordance with the law, technical and administrative measures are taken.
5.1 Technical Measures
The technical measures taken by the Institution regarding the personal data it processes are listed below:
With the penetration tests, the risks, threats, vulnerabilities and vulnerabilities, if any, regarding the information systems of our Institution are revealed and necessary precautions are taken.
As a result of real-time analysis with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
Necessary measures are taken for the physical security of the information systems equipment, software and data of the institution.
In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, physical data storage system) The keys of the media (archive, accounting, patient files, etc.) are only available to the authorized person, etc.) and software (firewalls, attack prevention systems, anti-virus software, log tracking system, network access control, systems that prevent malware, etc.) precautions is taken.
Risks to prevent unlawful processing of personal data are determined, appropriate technical measures are taken to ensure that these risks are taken, technical controls are carried out for the measures taken, and data processing support is received regularly.
By establishing access procedures within the institution, reporting and analysis studies are carried out regarding access to personal data.
Inappropriate access or access attempts are kept under control by recording the accesses to the storage areas where personal data is stored.
The Institution takes the necessary measures to ensure that the deleted personal data is inaccessible and reusable for the relevant users.
In case personal data is obtained by others unlawfully, a system and infrastructure has been established by the Authority to notify the relevant person and the Board.
Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up-to-date.
Strong passwords are used in electronic environments where personal data is processed.
Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
Data backup programs are used to keep personal data safe.
Access to personal data stored in electronic or non-electronic media is limited according to access principles.
Necessary disclosures have been made for special quality personal data, and express consent has been obtained when deemed necessary by law.
Special quality personal data security trainings have been provided for employees involved in special quality personal data processing, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.
Adequate security measures are taken for the physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entries and exits are prevented by ensuring physical security.
If sensitive personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment. If transferring is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between servers or by FTP method. If it is required to be transferred via paper media, necessary precautions are taken against the risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a “confidential” format.
5.2 Administrative Measures
Administrative measures taken by the Institution regarding the personal data it processes are listed below:
In-house trainings are provided to improve the quality of employees, to prevent the illegal processing of personal data, to prevent illegal access to personal data, and to ensure the protection of personal data.
Regarding the activities carried out by the institution, the employees and the suppliers, etc. from which the service is purchased. Confidentiality agreements are signed by private and legal persons.
Legal action is taken against employees who do not comply with security policies and procedures.
KVKK Disciplinary Policy has been prepared.
KVKK Institutional Internal Directive has been prepared.
KVKK Cookie Policy has been prepared.
KVKK Application Form has been prepared.
Before starting to process personal data, the Authority fulfills the obligation to inform the relevant persons, and obtains the consent of the relevant persons when deemed necessary by the law.
Clarification and Consent Forms have been prepared.
In-office/Physical place KVK information is available.
Personnel Contracts are in compliance with KVK.
Personal data processing inventory has been prepared.
Periodic and random audits are carried out within the institution.
Information security trainings are provided for employees.
Physical environments containing personal data are secured against external risks (fire, flood, etc.).
Personal data is reduced as much as possible.
Protocols and procedures for special quality personal data security have been determined and implemented.
KVKK measures required by the pandemic process have been taken, and necessary illumination and information are provided to our patients and staff.
6. PERSONAL DATA DISPOSAL TECHNIQUES
At the end of the storage period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data is destroyed by the Institution ex officio or upon the application of the relevant person, again in accordance with the provisions of the relevant legislation, with the following techniques.
6.1 Deletion of Personal Data
Personal data is deleted with the methods given in Table-3.
Table 3: Deletion of Personal Data
Data Recording Media Description
Personal Data on the Servers For the personal data on the servers that require their storage, the system administrator removes the access authorization of the relevant users and deletes them.
Personal Data in the Electronic Media The personal data in the electronic media, which require their storage, are rendered inaccessible and non-reusable in any way for other employees (related users) except the database administrator.
Personal Data in the Physical Environment Personal data kept in the physical medium is rendered inaccessible and unusable in any way for other employees, except for the unit manager responsible for the document archive, for those whose period has expired. In addition, the process of blackening is applied by drawing/painting/erasing in a way that cannot be read.
Personal Data in Portable Media Among the personal data kept in Flash-based storage media, the ones that have expired are encrypted by the system administrator and the access authorization is given only to the system administrator, and they are stored in secure environments with encryption keys.
6.2 Destruction of Personal Data
Personal data is destroyed by the methods given in Table-4 by the Institution.
Table 4: Destruction of Personal Data
Personal Data in the Physical Media Personal data in the paper media, which require storage, are irreversibly destroyed.
Personal Data in Optical / Magnetic Media Among the personal data in optical media and magnetic media, physical destruction is applied, such as melting, burning or pulverizing the expired personal data. In addition, magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable.
6.3 Anonymization of Personal Data
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.
In order for personal data to be anonymized; Personal data must be rendered unrelated to an identified or identifiable natural person, even by using appropriate techniques for the recording medium and the relevant field of activity, such as returning personal data by the data controller or third parties and/or matching the data with other data.
7. STORAGE AND DISPOSAL TIMES
Regarding the personal data being processed by the Institution within the scope of its activities;
Personal data-based storage periods for all personal data within the scope of activities carried out in connection with processes are in the Personal Data Processing Inventory;
Storage periods on the basis of data categories are recorded in VERBIS;
Process-based retention periods are included in the Personal Data Retention and Disposal Policy.
If necessary, updates are made on the said retention periods by the Institution Manager. For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out by the Data Security Officer.
Table 5: Process-based storage and disposal times table
Preparation and Performance of Contracts 10 years following the expiry of the contract In the first periodic destruction period following the end of the storage period
Execution of Corporate Communication Activities 10 years following the end of the activity In the first periodic destruction period following the end of the storage period
PROCESS STORAGE TIME DISPOSAL TIME
Execution of patient registration and diagnosis and treatment processes 20 years from the completion of the process In the first periodic destruction period following the end of the storage period
Execution of services (communication, etc.) outside the institution’s treatment processes Preparation of contracts 10 years from the completion of the process 10 years from the completion of the process In the first periodical destruction period following the end of the storage period In the first periodical destruction period following the end of the storage period
Accounting Processes 10 years from the completion of the process In the first periodic destruction period following the end of the retention period
Execution of Human Resources Processes Severance pay, notice pay payments, documents, payroll information of the personnel leaving the job 10 years from the completion of the process 5 years from the date of termination of the employment contract In the first periodical destruction period following the end of the storage period In the first periodical destruction period following the end of the storage period
Log Log Tracking SystemsExecution of Hardware and Software Access Processes
Camera Recordings
Data on Customers and Potential Customers (cookies, cookies)
IYS Records
2 years from completion of the process 2 years
1 month after registration
13 Months
For 3 years from the date of registration
In the first periodic destruction period following the end of the storage period In the first periodic destruction period following the end of the storage period
At the first periodic disposal period following the end of the storage period
At the first periodic disposal period following the end of the storage period
At the first periodic disposal period following the end of the storage period
PERIODIC DISPOSAL TIME
Pursuant to Article 11 of the Regulation, the Authority has determined the period of periodic destruction as 6 months. Accordingly, periodic destruction is carried out at the Institution in June and December each year.
9. PROCESSING OF SPECIAL QUALITY PERSONAL DATA
9.1 Special sensitivity is shown in the processing of Personal Data of Special Quality, whose protection is believed to be of more critical importance for the Data Owner in various aspects.
Special Quality Personal Data are processed in accordance with the Law, provided that adequate measures to be determined by the Board are taken, in the presence of the following conditions:
If the Data Owner has express consent, or
If there is no explicit consent of the Data Owner; Special quality personal data other than the health and sexual life of the Data Owner, in cases stipulated by the laws, the personal data of the Data Owner regarding his health and sexual life can only be used for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, health It is processed by persons or authorized institutions and organizations under the obligation of secrecy for the purpose of planning and managing its services and financing.
MEASURES REGARDING THE PROCESSING OF SPECIAL QUALITY PERSONAL DATA
Pursuant to the Board’s decision dated 31.01.2018 and numbered 2018/10, the following measures are taken, in the capacity of data controller, in the processing of Special Quality Personal Data, which is included in Article 6 of the Law:
This Policy has been determined to be systematic, clearly defined, manageable and sustainable for the security of sensitive personal data. For employees involved in the processing of special categories of personal data,
Confidentiality agreements are made,
The scope and duration of authorization of users who have access to data are clearly defined,
Periodic authorization checks are carried out.
Protocols and procedures for special quality personal data security have been determined and implemented.
Employees who have a change of job or quit their job are immediately removed from their authority in this field. In this context, it receives the inventory allocated to it by the Data Controller.
The environments in which Sensitive Personal Data are processed, stored and/or accessed, and the physical environment;
* Adequate security measures are taken (against electrical leakage, fire, flood, theft, etc.)
* Unauthorized access is prevented by ensuring the physical security of these environments.
10. TRANSFER OF SPECIAL QUALITY PERSONAL DATA
Special Quality Personal Data obtained in accordance with the law are not transferred to third parties for the purposes of data processing, Special Quality Personal Data of the Data Owner.
PUBLICATION AND STORAGE OF THE POLICY
The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is also kept in its file by the data manager.
12. POLICY UPDATE PERIOD
The policy is reviewed as needed and the necessary sections are updated.
13. ENFORCEMENT AND REVOCATION OF THE POLICY
The policy is deemed to have entered into force on the date written below. In the event that it is decided to be revoked, old copies of the Policy with wet signatures are canceled and signed by the data manager (with the cancellation stamp or written cancellation) and are kept by the data manager for at least 5 years. 10.12.2021