This Personal Data Storage and Destruction Policy ("Policy") has been prepared to determine the procedures and principles regarding the storage and destruction activities carried out by "Damla Demir Clinic" ("Institution").
The Institution has prioritized processing the personal data of Institution employees, job applicants, patients, suppliers, service providers, visitors, and other third parties in accordance with the Turkish Constitution, international agreements, Law No. 6698 on the Protection of Personal Data ("Law"), and other relevant legislation, and ensuring that the relevant individuals can exercise their rights effectively. The storage and destruction of personal data are carried out by the Institution in accordance with the Policy prepared for this purpose.
Personal data belonging to Institution employees, job applicants, patients, suppliers, service providers, visitors, and other third parties fall within the scope of this Policy, and this Policy applies to all record environments where personal data owned or managed by the Institution is processed and to all activities related to the processing of personal data.
Any kind of operation performed on data including obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making data available, classifying, or preventing the use of data, whether performed fully or partially automatically or non-automatically within the framework of any data recording system.
Racial or ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, dress and clothing, membership of associations, foundations, or trade unions, health, sex life, criminal conviction, and security measures related to individuals as well as biometric and genetic data.
The deletion, destruction, or anonymization process to be resolutely carried out at regular intervals as stated in the personal data storage and destruction policy when all the conditions for the processing of personal data specified in the law are no longer valid.
A natural or legal person who processes personal data on behalf of the data controller based on the authorization given by the data controller.
The system where personal data is processed by being structured according to certain criteria.
A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
An information system accessible via the internet, created and managed by the Presidency, which data controllers will use for applications to the Registry and other relevant transactions.
The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.
All units and employees of the Institution actively support the responsible units in the implementation of technical and administrative measures taken within the scope of the Policy, ensuring that they are implemented properly, increasing the training and awareness of unit employees, monitoring and continuously auditing to prevent the unlawful processing of personal data, preventing unauthorized access to personal data, and ensuring the lawful storage of personal data by taking technical and administrative measures to ensure data security in all environments where personal data is processed. The titles, units, and job descriptions of those involved in the storage and destruction processes of personal data are given in Table 1.
TITLE | RESPONSIBILITY |
---|---|
Data Manager | Responsible for ensuring employees' compliance with the policy. Responsible for the preparation, development, implementation, publication, and updating of the Policy in relevant environments and for its cancellation and storage by decision of the Institution. |
Data Security Officer | Responsible for providing the technical solutions required for the implementation of the Policy. |
Other Units | Responsible for the implementation of the Policy and tasks defined by the internal directive according to their duties. |
Electronic Environments | Non-Electronic Environments |
---|---|
The personal data of employees, job applicants, patients, suppliers, visitors, and third parties with whom the Institution has a relationship, such as service providers, are stored and destroyed in accordance with the Law. In this context, detailed explanations regarding storage and destruction are provided below in order.
The concept of processing personal data is defined in Article 3 of the Law. Article 4 emphasizes that processed personal data should be relevant, limited, and proportionate to the purposes for which they are processed and should be kept for the period stipulated in the relevant legislation or necessary for the processing purpose. Articles 5 and 6 list the processing conditions for personal data. Accordingly, personal data within the scope of our institution's activities are stored for the duration stipulated in the relevant legislation or for a period compatible with our processing purposes.
In the institution, personal data processed within the scope of activities is kept for the duration stipulated in the relevant legislation. In this context, personal data is retained under the following laws:
These personal data are stored for the periods stipulated within the framework of other secondary regulations in force under these laws.
The institution stores personal data processed within the scope of its activities for the following purposes:
In accordance with Article 11 of the Law, the acceptance by the Institution of the application made by the relevant individual within the framework of their rights for the deletion and destruction of personal data,
If the Institution rejects the relevant individual's request for the deletion, destruction, or anonymization of personal data, gives a response that the individual finds inadequate, or fails to respond within the period prescribed in the Law; the relevant individual may lodge a complaint with the Personal Data Protection Authority, and if the Authority deems the request appropriate,
If the maximum storage period required for personal data has elapsed and there are no conditions justifying the storage of personal data for a longer period, the Institution shall delete, destroy, or anonymize the personal data upon the request of the relevant individual or ex officio.
The Institution takes technical and administrative measures for the secure storage of personal data, the prevention of unlawful processing of and access to personal data, and the lawful destruction of personal data, in accordance with Article 12 of the Law and, for special categories of personal data, Article 6 paragraph four of the Law, within the framework of the adequate measures determined and announced by the Board.
At the end of the period foreseen in the relevant legislation or for the purpose for which they were processed, personal data are destroyed by the Institution in accordance with the relevant legislation and the techniques listed below, ex officio or upon the application of the data subject.
Personal data are deleted using the methods provided in Table-3.
Data Recording Environment | Description |
---|---|
Personal Data on Servers | For personal data on servers whose required storage period has expired, the system administrator removes the access rights of the relevant users and performs the deletion. |
Personal Data in Electronic Environment | Personal data in electronic environments whose required storage period has expired are made inaccessible and unusable in any way for employees (relevant users) other than the database administrator. |
Personal Data in Physical Environment | Personal data in physical environments whose required storage period has expired are made inaccessible and unusable in any way for employees other than the unit manager responsible for the document archive. Additionally, a blackout process is applied by crossing out, painting over, or erasing the data so that they cannot be read. |
Personal Data on Portable Media | Personal data on flash-based storage media whose required storage period has expired are encrypted by the system administrator and stored in secure environments, with the encryption keys given only to the system administrator. |
Personal data are destroyed by the Institution using the methods provided in Table-4.
Data Recording Environment | Description |
---|---|
Personal Data in Physical Environment | Personal data in physical environments whose required storage period has expired are destroyed in a way that cannot be retrieved. |
Personal Data on Optical / Magnetic Media | Personal data on optical and magnetic media whose required storage period has expired are physically destroyed by melting, burning, or turning into powder. Additionally, magnetic media is rendered unreadable by subjecting it to a high-value magnetic field from a special device. |
Anonymization of personal data refers to rendering personal data unidentifiable or not associable with any identifiable natural person in any way, even if they are matched with other data.
For personal data to be considered anonymized, they must be rendered impossible to associate with any identifiable natural person, even through the use of techniques appropriate to the recording environment and the relevant field of activity, such as reversal of the anonymization by data controllers or third parties and/or matching the data with other data.
In relation to personal data processed within the scope of its activities, the institution:
The institution's manager may make updates to these storage periods when necessary. The process of deleting, destroying, or anonymizing personal data that has reached the end of its storage period is carried out by the Data Security Officer.
Activity | Storage Period | Destruction Period |
---|---|---|
Preparation and Execution of Contracts | 10 years following the termination of the contract | During the first periodic destruction period following the end of the storage period |
Execution of Corporate Communication Activities | 10 years following the end of the activity | During the first periodic destruction period following the end of the storage period |
PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD |
---|---|---|
Execution of patient registration and diagnosis and treatment processes | 20 years from the completion of the process | During the first periodic destruction period following the end of the storage period |
Execution of institutional services other than treatment processes (communication, etc.); Preparation of Contracts | 10 years from the completion of the process | During the first periodic destruction period following the end of the storage period |
Special Category Personal Data is processed in compliance with the Law, provided that the adequate measures determined by the Board are taken. It is processed if the Data Subject has given explicit consent; if there is no explicit consent from the Data Subject, special category personal data, except for data concerning the health and sexual life of the data subject, are processed in the cases prescribed by laws.
In the processing of Special Category Personal Data as stipulated in Article 6 of the Law, in accordance with the decision of the Board dated 31.01.2018 and numbered 2018/10, the data controller takes the following measures:
Special Category Personal Data obtained lawfully is not transferred to third parties for purposes of data processing.
The Policy is published in two different media, wet-signed (printed paper) and electronic, and disclosed to the public on the website. A printed paper copy is also kept in the data controller's file.
The Policy is reviewed and necessary sections are updated as required.
The Policy is deemed effective as of the date written below. If a decision is made to revoke it, the old wet-signed copies of the Policy are canceled (by stamping or writing "canceled") and signed by the data controller, and are kept by the data controller for at least 5 years.
June 10, 2023