
Personal Data Destruction Policy

SECTION -1- INTRODUCTION

1.1. Purpose

This Personal Data Storage and Destruction Policy ("Policy") has been prepared by Dalbudak Sağlık Hizmetleri Sanayi Ve Ticaret Anonim Şirketi (hereinafter referred to as "Sefa Dalbudak Oral and Dental Health Center" or "Polyclinic") to determine the procedures and principles regarding the storage and destruction activities carried out.

This policy has been prepared by Sefa Dalbudak Oral and Dental Health Center to determine the procedures and principles regarding the processing of personal data belonging to Polyclinic employees, employee candidates, suppliers, supplier representatives/employees, patients, patient relatives, visitors, and other third parties in accordance with the Constitution of the Republic of Turkey, international agreements, the Personal Data Protection Law No. 6698 ("Law"), and other relevant legislation, and the deletion, destruction, or anonymization of personal data in accordance with the Regulation on Deletion, Destruction, or Anonymization of Personal Data in the event that all processing conditions are eliminated.

The Polyclinic carries out the storage and destruction of personal data in accordance with the Policy prepared in line with the principles mentioned.

1.2. Scope

Personal data belonging to Sefa Dalbudak Oral and Dental Health Center employees, employee candidates, suppliers, supplier representatives/employees, patients, patient relatives, visitors, and other third parties are within the scope of this Policy, and this Policy will be applied in all recording environments where personal data are processed under the Polyclinic or managed by the Polyclinic, and in activities related to personal data processing.
 

1.3. Definitions

Recipient Group: The category of real or legal persons to whom personal data are transferred by the data controller,

Explicit Consent: Consent that is informed, related to a specific subject, and freely given,

Anonymization: Rendering personal data in a state that cannot be associated with a specific or identifiable natural person in any way, even by matching it with other data,

Electronic Environment: Environments where personal data can be created, read, modified, and written with electronic devices,

Non-Electronic Environment: All written, printed, visual, etc., environments other than electronic environments,

Related Person: The real person whose personal data is processed,

Destruction: Deletion, destruction, or anonymization of personal data,

Law: Personal Data Protection Law No. 6698,

Recording Environment: Any environment where personal data processed by automated means, whether wholly or partly, or by non-automated means, provided that it is part of any data recording system, is located,

Cloud Environment: Environments where internet-based systems encrypted with cryptographic methods are used, which are not located within the Sefa Dalbudak Oral and Dental Health Center but are used by Sefa Dalbudak Oral and Dental Health Center.

Personal Data: Any information relating to an identified or identifiable real person,

Personal Data Processing Inventory: The inventory created by data controllers by associating the personal data processing activities they carry out depending on their business processes with the purposes and legal basis of processing personal data, data category, transferred recipient group, and data subject group, and detailing the maximum retention period required for the purposes for which personal data are processed, personal data intended to be transferred to foreign countries, and the measures taken regarding data security,

Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, whether wholly or partly automated or non-automated, provided that it is part of any data recording system,

Special Category Personal Data: Data relating to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data,

Periodic Destruction: The deletion, destruction, or anonymization process to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all conditions for processing personal data in the Law are eliminated,

Data Processor: The real or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller,

Data Recording System: The recording system in which personal data are processed by structuring them according to certain criteria,

Data Controller: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Policy: Personal Data Storage and Destruction Policy

Regulation: The Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017

SECTION -2- RECORDING ENVIRONMENTS

Personal data are stored in electronic and non-electronic environments in accordance with the law.

ELECTRONIC ENVIRONMENT
  • Servers (Domain, backup, e-mail, database, web, file sharing, SAP, etc.)
  • Software (office software, portal, EBYS, VERBİS)
  • Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
  • Personal computers (Desktop, laptop)
  • Mobile devices (phone)
  • Optical discs (CD, DVD, etc.)
  • Removable memories (USB, Memory Card, etc.)
  • Printer, scanner, photocopier
  • Camera recordings
  • Web Page and portal
  • Cloud environment

NON-ELECTRONIC ENVIRONMENT
  • Paper
  • Manual data recording systems (survey forms, visitor entry book, disciplinary decision book, annual leave book, accounting book, occupational health book, incoming-outgoing document book, etc.)
  • Written, printed, visual environments

SECTION -3- EXPLANATIONS REGARDING THE LEGAL AND TECHNICAL REASONS REQUIRING THE STORAGE AND DESTRUCTION OF PERSONAL DATA

Personal data belonging to Polyclinic employees, employee candidates, suppliers, supplier representatives/employees, patients, patient relatives, visitors, and other third parties are stored and destroyed by Sefa Dalbudak Oral and Dental Health Center in accordance with the Law. In accordance with Article 7 of the Law, if the reasons requiring processing disappear, personal data must be deleted, destroyed, or anonymized. In this context, detailed explanations regarding storage and destruction are given below.

3.1. Explanations Regarding Storage

In Article 3 of the Law, the concept of processing personal data is defined, in Article 4, it is stated that the processed personal data must be relevant, limited, and proportionate to the purposes for which they are processed, and must be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed, and in Articles 5 and 6, the conditions for processing personal data are listed.

The Polyclinic stores personal data that needs to be stored in line with the processing purposes within the scope of its activities for the period stipulated in the relevant legislation or suitable for our processing purposes.

3.2. Legal Reasons Requiring Storage

Personal data processed within the scope of activities in the institution are kept for the period stipulated in the relevant legislation. In this context, personal data are stored for the storage periods stipulated within the framework of:

  • Personal Data Protection Law No. 6698,
  • Turkish Commercial Code No. 6102,
  • Turkish Code of Obligations No. 6098,
  • Social Security and General Health Insurance Law No. 5510,
  • Law No. 5651 on the Regulation of Publications Made on the Internet and the Fight Against Crimes Committed Through These Publications,
  • Occupational Health and Safety Law No. 6331,
  • Labor Law No. 4857,
  • Law No. 5188 on Private Security Services,
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments,
  • Patient Rights Regulation,
  • Private Hospitals Regulation,
  • Regulation on Personal Health Data,
  • Other secondary regulations in force under these laws.

If no period is stipulated in the legislation, personal data are stored until the purpose requiring their processing disappears.

3.3. Reasons Requiring Destruction

Personal data are deleted or destroyed by Sefa Dalbudak Oral and Dental Health Center upon the request of the relevant person, or are deleted, destroyed, or anonymized ex officio, in the following cases:

  • Amendment or abolition of the relevant legislation provisions constituting the basis for processing, or elimination of the purpose requiring processing or storage,
  • Where the processing of personal data takes place only on the condition of explicit consent, the withdrawal of explicit consent by the relevant person,
  • Acceptance by the Institution of the application made by the relevant person regarding the deletion and destruction of their personal data within the framework of the rights of the relevant person pursuant to Article 11 of the Law,
  • Where the Polyclinic rejects the application made to it by the relevant person requesting deletion, destruction, or anonymization of their personal data, the answer given is found insufficient, or no response is given within the period stipulated in the Law, a complaint being made to the Board and the Board finding this request appropriate,
  • The maximum period required for storing personal data has passed and there is no condition to justify storing personal data for a longer period.

SECTION -4- TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN BY THE COMPANY TO STORE AND DESTROY PERSONAL DATA IN ACCORDANCE WITH THE LAW

Technical and administrative measures are taken by the Polyclinic within the scope of sufficient measures determined by the Board with the Board Decision dated 31.01.2018 and numbered 2018/10 for the secure storage of personal data, prevention of unlawful processing and access, and lawful destruction of personal data, in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law regarding special category personal data.

4.1. Technical Measures

  • Network security and application security are ensured.
  • Security measures are taken within the scope of information technology systems supply, development, and maintenance.
  • The security of personal data stored in the cloud is ensured.
  • Current anti-virus systems are used.
  • Firewalls are used.
  • User account management and authorization control systems are implemented and monitored.
  • Log records are kept without user intervention.
  • An authorization matrix has been created for employees.

4.2. Administrative Measures

  • Personal data processing inventory has been prepared.
  • A General Policy on the Protection and Processing of Personal Data has been prepared to regulate Sefa Dalbudak Oral and Dental Health Center's relationship with personal data and is published on the Polyclinic's official website.
  • Special Category Personal Data Processing Policy has been prepared and published on the Polyclinic's official website.
  • A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
  • Training is provided on the prevention of unlawful processing of personal data in order to improve the quality of employees.
  • Training and awareness studies are conducted for employees on data security at certain intervals.
  • Confidentiality agreements are signed with employees regarding the activities carried out by the Institution.
  • The authorizations of employees who change duties or leave their job are revoked in the relevant area.
  • Dalbudak Sağlık Hizmetleri Sanayi Ve Ticaret Anonim Şirketi Personal Data Storage, Destruction and Disposal Policy has been prepared and implemented on the storage, destruction, and disposal of personal data.
  • A "Framework Protocol on the Transfer of Personal Data with Other Data Controllers and Data Processors" is signed due to joint responsibility as a Data Controller.
  • Personal data security problems are reported quickly.
  • Personal data security is monitored.
  • Dalbudak Sağlık Hizmetleri Sanayi Ve Ticaret Anonim Şirketi Privacy and Cookie Policy has been arranged.
  • Necessary security measures are taken regarding the entry and exit of physical environments containing personal data.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • The security of environments containing personal data is ensured.
  • Personal data are reduced as much as possible.
  • Personal data is backed up and the security of backed-up personal data is also ensured.
  • Periodic and/or random audits are carried out within the Institution.
  • A Camera Monitoring and Image Storage Policy has been prepared regarding camera image acquisition and storage within the Polyclinic.
  • Before starting to process personal data, the Institution fulfills the obligation to inform the relevant persons.

Special category personal data are processed in compliance with the Decision No. 2018/10 of the Personal Data Protection Board dated 31/01/2018 regarding "Sufficient Measures to be Taken by Data Controllers in the Processing of Special Category Personal Data".

SECTION -5- DESTRUCTION TECHNIQUES

5.1. Techniques Applied for Deletion, Destruction and Anonymization of Personal Data

Sefa Dalbudak Oral and Dental Health Center deletes or destroys the personal data it stores in accordance with the Law, other legislation, and the Policy on Processing and Protection of Personal Data, either at the request of the relevant person or ex officio within the periods specified in this Personal Data Storage, Destruction, and Disposal Policy, once the reasons requiring the processing of the data disappear. This transaction is recorded in the minutes presented in the annex to this Policy and signed by the officers.

The deletion, destruction, and anonymization techniques most commonly used by Sefa Dalbudak Oral and Dental Health Center are listed below:

5.1.1. Deletion Methods

DELETION FOR DATA HELD IN NON-ELECTRONIC ENVIRONMENT
  • Blackout: Personal data in the non-electronic environment is deleted using the blackout method. Where possible, the personal data is cut out of the relevant document; where that is not possible, it is made invisible with permanent ink that cannot be reversed and cannot be read with technological solutions.

DELETION FOR DATA HELD IN ELECTRONIC ENVIRONMENT
  • Safe Deletion from Software: Personal data held in the cloud environment or local digital environments is deleted with a digital command in such a way that it cannot be recovered. Data deleted in this way cannot be accessed again.

5.1.2. Destruction Methods

DELETION FOR DATA HELD IN NON-ELECTRONIC ENVIRONMENT
  • Physical Destruction: Documents held in printed form are either destroyed with document destruction machines in such a way that they cannot be brought together again, or destroyed by burning in a suitable place.

DELETION FOR DATA HELD IN ELECTRONIC ENVIRONMENT
  • Physical Destruction: Optical and magnetic media containing personal data are physically destroyed, for example by melting, burning, or turning into dust. Data is made inaccessible by operations such as melting, burning, or turning the optical or magnetic media into dust, or passing them through a metal grinder.
  • Safe Deletion from Software: Personal data held in the cloud environment is deleted with a digital command in such a way that it cannot be recovered, and all copies of the encryption keys required to make personal data usable are destroyed when the cloud computing service relationship ends. Data deleted in this way cannot be accessed again.

SECTION -6- PERSONS INVOLVED IN THE PERSONAL DATA STORAGE AND DESTRUCTION PROCESS

All units and employees of the Polyclinic actively support the responsible units in taking the technical and administrative measures taken within the scope of the Policy, increasing the training and awareness of unit employees, monitoring and continuous auditing, preventing unlawful processing of personal data, preventing unlawful access to personal data, and ensuring the lawful storage of personal data in order to ensure data security in all environments where personal data is processed.

| UNIT | DUTY |
|---|---|
| Board of Directors | Responsible for ensuring that employees act in accordance with this Policy. |
| Doctor | Preventing access to the personal data kept for their unit by deleting, destroying, or applying the methods explained, in the first periodic destruction period after the expiry of the period requiring its storage. |
| Patient Registration/Admission | Preventing access to the personal data processed in relation to their department by deleting, destroying, or applying the methods explained, in the first periodic destruction period after the expiry of the period requiring its storage. |
| Accounting Department Supervisor | Preventing access to the personal data processed in relation to their department by deleting, destroying, or applying the methods explained, in the first periodic destruction period after the expiry of the period requiring its storage. |
| Assistant Health Officers Department Supervisor | Preventing access to the personal data processed in relation to their department by deleting, destroying, or applying the methods explained, in the first periodic destruction period after the expiry of the period requiring its storage. |
| Human Resources Department Supervisor | Preventing access to the personal data processed in relation to their department by deleting, destroying, or applying the methods explained, in the first periodic destruction period after the expiry of the period requiring its storage. |

SECTION -7- STORAGE AND DESTRUCTION PERIODS TABLE

Regarding the personal data processed by the Institution within the scope of its activities:

  • Storage periods on a personal data basis, for all personal data within the scope of activities carried out depending on the processes, are included in the Personal Data Processing Inventory;
  • Storage periods on a data category basis are included in the VERBİS registration;
  • Storage periods on a process basis are included in the Personal Data Storage and Destruction Policy.

*The said storage periods may be updated if needed.

Laws Containing Personal Data Storage Periods

| Personal Data Source | Duration | Legal Basis |
|---|---|---|
| All Records Related to Accounting and Financial Transactions | 10 Years | Law No. 6102, Law No. 213 |
| Personal Data Regarding Patients | 20 Years after the legal relationship ends | Law No. 3359, Law No. 2219 |
| Personal Data Regarding Suppliers | 10 Years after the legal relationship ends | Law No. 6102, Law No. 6098 and Law No. 213 |
| Contracts | 10 Years from the Termination of the Contract | Law No. 6098 |
| Human Resources Processes | 10 Years from the End of the Activity | Law No. 4857 |
| Camera Recordings | 3 Months | Law No. 5188 / Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments |
| Data Stored Under the Labor Law (e.g. information that may be subject to severance pay, notice pay, bad faith compensation, compensation for violation of the principle of equal treatment, payroll records, annual leave days, etc.) | 10 Years | Labor Law No. 4857 and Related Legislation / Turkish Code of Obligations No. 6098 |
| Data Related to the Personnel File Stored Under the Labor Law | 10 Years from the Termination of the Employment Relationship | Labor Law No. 4857 and Related Legislation / Turkish Code of Obligations No. 6098 |
| Data That May Be Subject to Union Compensation From Data Stored Under the Labor Law (e.g. performance records, disciplinary penalties, termination documents, etc.) | 10 Years from the Termination of the Employment Relationship | Turkish Code of Obligations No. 6098 |
| Data Collected Under Occupational Health and Safety Legislation (e.g. pre-employment health tests, health reports, OHS Trainings, records related to Occupational Health and Safety activities, etc.) | 15 Years from the Termination of the Employment Relationship | Occupational Health and Safety Law No. 6331, Regulation on Occupational Health and Safety Services |
| Data Kept Under SGK Legislation (e.g. job entry declarations, premium/service documents, etc.) | 10 Years from the Termination of the Employment Relationship | Social Security and General Health Insurance Law No. 5510 and Related Legislation |
| Pursuant to the Labor Law: Answering court/enforcement information requests regarding the employee | 10 Years from the Termination of the Employment Relationship | Labor Law No. 4857 and Related Legislation |
| Data Regarding Job Application/Internship Application/Candidate Applications If the Application Is Not Accepted (e.g. CV, Resume, Application Form, etc.) | 1 Year | Sectoral Practice |
| Personal Data Processed in Contractual Relationships (e.g. Company Officer, Name Surname, signature circular, etc.) | 10 Years Following the Termination of the Contract | Turkish Code of Obligations No. 6098 |
| Information on Hospital Partners and Board Members | 10 Years | Law No. 6102 |
| Decisions on Criminal Conviction and Security Measures | 5 Years | Judicial Registry Regulation |
| Cookie Information | 2 Years | Law No. 5651 |
| Patients' Special Category Personal Data | 20 Years | Private Hospitals Regulation / Regulation on Personal Health Data |
| Log Records | 5 Years | Law No. 5651 |
| Documents and Information Containing Special Category Personal Data of the Patient's Relatives | 20 Years | Private Hospitals Regulation / Regulation on Personal Health Data |

7.1. Periodic Destruction Periods

Pursuant to Article 11 of the Regulation, Dalbudak Sağlık Hizmetleri Sanayi Ve Ticaret Anonim Şirketi has determined the periodic destruction period as once every 6 months. Accordingly, Sefa Dalbudak Oral and Dental Health Center performs the periodic destruction process every year in April and October.

SECTION -8- PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two different environments, both with wet signature (printed paper) and in electronic environment, and is disclosed to the public on the website. The printed paper copy is also stored in the Data Storage and Destruction Policy file.

DALBUDAK HEALTH SERVICES
INDUSTRY AND TRADE INCORPORATED COMPANY

Page update date: 31/October/2023 15:10