Dr. Ebru Ulu

PERSONAL DATA and SPECIAL PERSONAL DATA STORAGE and DESTRUCTION POLICY

1. INTRODUCTION

1.1 Purpose

The Personal Data Storage and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding the business and operations related to storage and destruction activities carried out by “Dr. Ebru Ulu” (“Institution”).

The Institution has prioritized the processing of personal data belonging to Institution employees, job candidates, patients, suppliers, service providers, visitors and other third parties in accordance with the Constitution of the Republic of Turkey, international agreements, Law No. 6698 on Protection of Personal Data (“Law”) and other relevant legislation, and ensuring that the relevant persons can effectively exercise their rights. Business and operations related to storage and destruction of personal data are carried out in accordance with the Policy prepared by the Institution in this direction.

1.2 Scope

Personal data belonging to Institution employees, job candidates, patients, suppliers, service providers, visitors and other third parties are within the scope of this Policy, and this Policy applies to all recording environments where personal data owned by the Institution or managed by the Institution is processed and activities aimed at processing personal data.

1.3 Abbreviations and Definitions

Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.

Explicit Consent: Consent that is expressed freely and based on being informed about a specific matter.

Anonymization: Rendering personal data incapable of being associated with a specific or identifiable natural person in any way, even if matched with other data.

Employee: Personnel of “Dr. Ebru Ulu” Institution.

Patient: Person receiving health, medical treatment services from “Dr. Ebru Ulu”.

Electronic Environment: Environments where personal data can be created, read, modified and written with electronic devices.

Non-Electronic Environment: All written, printed, visual etc. other environments outside of electronic environments.

Service Provider: Natural or legal person providing services within the framework of a specific contract with the Personal Data Protection Authority.

Data Subject: Natural person whose personal data is processed.

Relevant User: Persons who process personal data within the data controller organization or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.

Destruction: Deletion, destruction or anonymization of personal data.

Law: Law No. 6698 on Protection of Personal Data.

Recording Environment: Any environment containing personal data processed completely or partially automatically or in non-automatic ways provided that they are part of any data recording system.

Personal Data: All kinds of information about a specific or identifiable natural person.

Personal Data Processing Inventory: The inventory that data controllers create by associating their personal data processing activities that they carry out depending on their business processes with personal data processing purposes and legal reasons, data category, recipient group to which they are transferred and data subject group, and detailing by explaining the maximum retention period required for the purposes for which personal data are processed, personal data intended to be transferred to foreign countries and measures taken regarding data security.

Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying or preventing the use of personal data completely or partially automatically or in non-automatic ways provided that they are part of any data recording system.

Special Categories of Personal Data: Data related to people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

Periodic Destruction: Deletion, destruction or anonymization process that will be carried out ex officio at intervals specified in the personal data storage and destruction policy and repeated, in case all the conditions for processing personal data specified in the Law are eliminated.

Policy: Personal Data Storage and Destruction Policy

Data Processor: Natural or legal person who processes personal data on behalf of the data controller based on the authorization given by the data controller.

Data Recording System: Recording system where personal data is structured and processed according to certain criteria.

Data Controller: Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Data Controllers Registry Information System: Information system that data controllers will use in applications to the Registry and other related transactions regarding the Registry, accessible via the internet, created and managed by the Presidency.

VERBIS: Data Controllers Registry Information System

Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

2. RESPONSIBILITIES AND TASK DISTRIBUTIONS

All units and employees of the Institution actively support the responsible units in the proper implementation of technical and administrative measures taken within the scope of the Policy, training and raising awareness of unit employees, monitoring and continuous auditing, preventing unlawful processing of personal data, preventing unlawful access to personal data, and taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to ensure lawful storage of personal data. The distribution of titles, units and job descriptions of those who have duties in personal data storage and destruction processes is given in Table 1.

Table 1: Task distribution of storage and destruction processes

TITLE | DUTY
Data Manager | Responsible for employees acting in accordance with the policy.
Data Manager | Responsible for the preparation, development, implementation, publication and updating of the Policy in relevant environments and for its cancellation and storage by Institution decision.
Data Security Officer | Responsible for providing technical solutions needed in the implementation of the Policy.
Other Units | Responsible for the implementation of the Policy in accordance with their duties and the duties defined by internal directive.

3. RECORDING ENVIRONMENTS

Personal data is stored securely in accordance with the law by the Institution in the environments listed below.

Table 2: Personal data storage environments

Electronic Environments

  • Servers (Domain, backup, e-mail, database, web, file sharing, etc.)
  • Software (office software, portal, EDMS, VERBIS)
  • Information security devices (firewall, intrusion detection and prevention, log file, antivirus etc.)
  • Personal computers (Desktop, laptop)
  • Mobile devices (phone, tablet etc.)
  • Optical disks (CD, DVD etc.)
  • Removable memories (USB, Memory Card etc.)
  • Printer, scanner, photocopy machine

Non-Electronic Environments

  • Paper
  • Manual data recording systems (survey forms, visitor entry log)
  • Written, printed, visual media

4. EXPLANATIONS REGARDING STORAGE AND DESTRUCTION

Personal data belonging to employees, job candidates, patients, suppliers, visitors and employees of third parties, institutions or organizations with which the Institution has relations as service providers are stored and destroyed in accordance with the Law by the Institution. In this context, detailed explanations regarding storage and destruction are given below respectively.

4.1 Explanations Regarding Storage

In Article 3 of the Law, the concept of processing personal data is defined, in Article 4 it is stated that processed personal data should be connected, limited and proportionate to the purpose for which it is processed and should be kept for the period required for the purpose for which it is processed or as provided in the relevant legislation, and in Articles 5 and 6, the conditions for processing personal data are listed. Accordingly, personal data is stored within the framework of our Institution’s activities for the period provided in the relevant legislation or appropriate for our processing purposes.

4.1.1 Legal Reasons Requiring Storage

In the Institution, personal data processed within the framework of activities are kept for the period provided in the relevant legislation. In this context, personal data are stored for the storage periods provided within the framework of the following legislation and the other secondary regulations in force pursuant to these laws:

  • Law No. 6698 on Protection of Personal Data,
  • Law No. 5651,
  • Turkish Code of Obligations No. 6098,
  • Turkish Commercial Code No. 4721,
  • Law No. 6563,
  • Private Health Insurance regulation and related legislation,
  • Patient Rights Regulation and related legislation,
  • Deontology Regulation,
  • Social Insurance and General Health Insurance Law No. 5510, insurance legislation,
  • Occupational Health and Safety Law No. 6331,
  • Right to Information Law No. 4982,
  • Law No. 3071 on the Use of the Right to Petition,
  • Labor Law No. 4857,
  • Retired Health Law No. 5434,
  • Social Services Law No. 2828,
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
  • Regulation on Archive Services.

4.1.2 Processing Purposes Requiring Storage

The Institution stores personal data it processes within the framework of its activities for the following purposes.

  • Fulfillment of health services
  • Billing processes
  • To carry out human resources processes.
  • To ensure corporate communication.
  • Corporate security and audit,
  • To ensure data security,
  • To ensure corporate indoor physical security,
  • Personnel training,
  • To be able to fulfill business and operations as a result of signed contracts and protocols.
  • Within the scope of VERBIS, to identify the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, to organize the services provided accordingly and to update them if necessary.
  • To ensure the fulfillment of legal obligations as required or mandated by legal regulations.
  • To establish contact with natural/legal persons in business relationship with the Institution.
  • For informational purposes on Social Media accounts
  • To be able to send SMS, electronic messages, to be able to answer questions and complaints within health services
  • Financial consultancy, legal consultancy service procurement
  • Burden of proof as evidence in legal disputes that may arise in the future.

4.2 Reasons Requiring Destruction

Personal data are deleted, destroyed or anonymized by the Institution upon the request of the relevant person, or ex officio, in the following cases:

  • Amendment or repeal of relevant legislation provisions that form the basis for processing,
  • Elimination of the purpose that requires processing or storage,
  • In cases where processing personal data is carried out only based on the explicit consent condition, withdrawal of explicit consent by the relevant person,
  • Acceptance by the Institution of the application made by the relevant person regarding the deletion and destruction of their personal data within the framework of the rights of the relevant person pursuant to Article 11 of the Law,
  • Where the Institution rejects the application made by the relevant person requesting deletion, destruction or anonymization of their personal data, the relevant person finds the answer given insufficient, or the Institution does not respond within the period provided in the Law; a complaint by the relevant person to the Personal Data Protection Authority and this request being deemed appropriate by the Personal Data Protection Authority,
  • Expiry of the maximum period requiring the storage of personal data, where there is no condition that would justify storing personal data for a longer period.

5. TECHNICAL AND ADMINISTRATIVE MEASURES

Technical and administrative measures are taken by the Institution within the framework of sufficient measures determined and announced by the Board pursuant to Article 12 of the Law and Article 6, paragraph 4 of the Law for special categories of personal data, for the secure storage of personal data, prevention of unlawful processing and access, and lawful destruction of personal data.

5.1 Technical Measures

Technical measures taken by the Institution regarding the personal data it processes are listed below:

  • Penetration tests reveal risks, threats, vulnerabilities and weaknesses, if any, regarding our Institution’s information systems and necessary measures are taken.
  • With information security incident management, risks and threats that will affect the continuity of information systems are continuously monitored as a result of real-time analyses.
  • Necessary measures are taken for the physical security of the Institution’s information systems equipment, software and data.
  • To ensure information systems security against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, ensuring physical security of edge switches that make up the local area network, fire suppression system, air conditioning system, keys of physical environments where data is located (archive, accounting, patient files, etc.) being only with the authorized person, etc.) and software (firewalls, attack prevention systems, anti-virus software, log recording tracking system, network access control, systems that prevent malicious software, etc.) measures are taken.
  • Risks aimed at preventing unlawful processing of personal data are identified, appropriate technical measures are taken for these risks, technical controls are carried out for the measures taken, and IT support is received regularly.
  • Access procedures are created within the Institution and reporting and analysis studies are carried out regarding access to personal data.
  • Access to storage areas where personal data is located is recorded and inappropriate access or access attempts are kept under control.
  • The Institution takes necessary measures to ensure that deleted personal data is inaccessible and cannot be reused by relevant users.
  • In case personal data is unlawfully obtained by others, a suitable system and infrastructure has been established by the Institution to report this situation to the relevant person and the Board.
  • Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up to date.
  • Strong passwords are used in electronic environments where personal data is processed.
  • Secure logging systems are used in electronic environments where personal data is processed.
  • Data backup programs that ensure secure storage of personal data are used.
  • Access to personal data stored in electronic or non-electronic environments is restricted according to access principles.
  • Necessary disclosures have been made for special categories of personal data, and explicit consents have been obtained in cases deemed necessary by law.
  • Training has been provided to employees involved in special categories of personal data processing processes on special categories of personal data security, confidentiality agreements have been made, and the authorities of users with access to data have been defined.
  • Sufficient security measures are taken for physical environments where special categories of personal data are processed, stored and/or accessed, physical security is ensured and unauthorized entry and exit are prevented.
  • If special categories of personal data need to be transferred via e-mail, they are transferred encrypted with corporate e-mail address or using KEP account. If they need to be transferred via portable memory, CD, DVD and similar media, they are encrypted with cryptographic methods and the cryptographic key is kept in a different medium. If transfer is carried out between servers in different physical environments, VPN is established between servers or data transfer is carried out via FTP method. If transfer via paper medium is required, necessary measures are taken against risks such as theft, loss or viewing by unauthorized persons and the document is sent in “confidential” format.

5.2 Administrative Measures

Administrative measures taken by the Institution regarding the personal data it processes are listed below:

  • Internal trainings are provided for the development of employees’ qualifications, prevention of unlawful processing of personal data, prevention of unlawful access to personal data, and ensuring the preservation of personal data.
  • Confidentiality agreements are signed with employees and private and legal persons such as suppliers from whom services are procured regarding the activities carried out by the Institution.
  • Legal action is taken against employees who do not comply with security policies and procedures.
  • PDPL Discipline Policy has been prepared.
  • PDPL Internal Directive has been prepared.
  • PDPL Cookie Policy has been prepared.
  • PDPL Application Form has been prepared.
  • Before starting to process personal data, the Institution fulfills the obligation to inform the relevant persons, and in cases deemed necessary by law, consent of the relevant persons is obtained.
  • Disclosure and Consent Forms have been prepared.
  • There are PDPL information notices in the clinic/physical space.
  • Personnel Contracts are compliant with PDPL.
  • Personal data processing inventory has been prepared.
  • Periodic and random audits are carried out within the Institution.
  • Information security training is provided to employees.
  • Security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  • Personal data is minimized as much as possible.
  • Protocols and procedures for special categories of personal data security have been determined and implemented.
  • PDPL measures required by the pandemic process have been taken, and necessary disclosures and information have been provided to our patients and personnel.

6. PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the period provided in the relevant legislation or the storage period required for the purpose for which they are processed, personal data are destroyed by the Institution ex officio or upon the application of the relevant person, again in accordance with the relevant legislation provisions, using the techniques specified below.

6.1 Deletion of Personal Data

Personal data is deleted using the methods given in Table-3.

Table 3: Deletion of Personal Data

Data Recording Environment | Description
Personal Data Located on Servers | For personal data located on servers whose storage period has expired, the deletion process is carried out by the system administrator by removing the access authorization of the relevant users.
Personal Data Located in Electronic Environment | Personal data located in electronic environment whose storage period has expired are made inaccessible and non-reusable in any way for other employees (relevant users) except the database administrator.
Personal Data Located in Physical Environment | Personal data kept in physical environment whose storage period has expired are made inaccessible and non-reusable in any way for other employees except the unit manager responsible for the document archive. In addition, the content is obscured by crossing out/painting/erasing so that it cannot be read.
Personal Data Located on Portable Media | Personal data kept on flash-based storage media whose storage period has expired are encrypted by the system administrator and access authorization is given only to the system administrator, and they are stored in secure environments with encryption keys.

6.2 Destruction of Personal Data

Personal data is destroyed by the Institution using the methods given in Table-4.

Table 4: Destruction of Personal Data

Personal Data Located in Physical Environment | Personal data located on paper whose storage period has expired are destroyed irreversibly.
Personal Data Located on Optical/Magnetic Media | Personal data located on optical media and magnetic media whose storage period has expired are physically destroyed by melting, burning or pulverizing. In addition, magnetic media is passed through a special device and exposed to high-value magnetic field, making the data on it unreadable.

6.3 Anonymization of Personal Data

Anonymization of personal data means rendering personal data incapable of being associated with a specific or identifiable natural person in any way, even if matched with other data.

For personal data to be considered anonymized, it must be rendered incapable of being associated with a specific or identifiable natural person even through the use of techniques appropriate to the recording environment and the relevant activity area, such as reversal by the data controller or third parties and/or matching the data with other data.

7. STORAGE AND DESTRUCTION PERIODS

Regarding personal data being processed within the scope of activities by the Institution;

  • Storage periods based on personal data for all personal data within the scope of activities carried out depending on processes are in the Personal Data Processing Inventory;
  • Storage periods based on data categories are in VERBIS registration;
  • Storage periods based on processes are included in the Personal Data Storage and Destruction Policy.

Updates are made to the mentioned storage periods by the Institution Manager when necessary. Ex officio deletion, destruction or anonymization process is carried out by the Data Security Officer for personal data whose storage periods have expired.

Table 5: Process-based storage and destruction periods table

PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD
Preparation and Performance of Contracts Activity | 10 years following the termination of the contract | In the first periodic destruction period following the end of the storage period
Execution of Corporate Communication Activities | 10 years following the termination of the activity | In the first periodic destruction period following the end of the storage period
Patient registration and diagnosis and treatment processes | 20 years from the completion of the process | In the first periodic destruction period following the end of the storage period
Performance of Institution services (communication etc.) activities outside treatment processes | 10 years from the completion of the process | In the first periodic destruction period following the end of the storage period
Contract preparation | 10 years from the completion of the process | In the first periodic destruction period following the end of the storage period
Accounting Processes | 10 years from the completion of the process | In the first periodic destruction period following the end of the storage period
Execution of Human Resources Processes | 10 years from the completion of the process | In the first periodic destruction period following the end of the storage period
Severance pay, notice pay payments, documents, payroll information for personnel who left the job | 5 years from the termination date of the employment contract | In the first periodic destruction period following the end of the storage period
Log Recording Tracking Systems | 2 years from the completion of the process | In the first periodic destruction period following the end of the storage period
Execution of Hardware and Software Access Processes | 2 years | In the first periodic destruction period following the end of the storage period
Camera Records | 1 month following the completion of the recording | In the first periodic destruction period following the end of the storage period
Customer and Potential Customer Data (cookies) | 13 Months | In the first periodic destruction period following the end of the storage period
IYS Records | 3 years from the registration date | In the first periodic destruction period following the end of the storage period

8. PERIODIC DESTRUCTION PERIOD

In accordance with Article 11 of the Regulation, the Institution has determined the periodic destruction period as 6 months. Accordingly, periodic destruction process is carried out in June and December of each year at the Institution.

9. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

9.1 Special sensitivity is shown in the processing of Special Categories of Personal Data, which are believed to be of more critical importance for protection in various aspects for the Data Subject.

Special Categories of Personal Data are processed in accordance with the Law, provided that sufficient measures to be determined by the Board are taken, in the presence of the following conditions:

  • If there is explicit consent of the Data Subject or
  • If there is no explicit consent of the Data Subject; Special categories of personal data other than the Data Subject’s health and sexual life are processed in cases provided for in laws, and special categories of personal data related to the Data Subject’s health and sexual life are processed only for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons or authorized institutions and organizations under the obligation of confidentiality.

MEASURES REGARDING PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

In the processing of Special Categories of Personal Data specified in Article 6 of the Law, in accordance with the decision of the Board dated 31.01.2018 and numbered 2018/10, as a data controller, the following measures are taken:

This systematic, manageable and sustainable Policy with clearly defined rules has been determined for the security of special categories of personal data. For employees involved in special categories of personal data processing processes,

  • Confidentiality agreements are made,
  • Authority scopes and durations of users with access to data are clearly defined,
  • Periodic authority controls are carried out.
  • Protocols and procedures for special categories of personal data security have been determined and implemented.
  • The authorities of employees who have job changes or leave the job in this field are immediately revoked. In this context, the Data Controller takes back the inventory allocated to him/her.
  • Environments where Special Categories of Personal Data are processed, stored and/or accessed, if they are physical environments;
    • Sufficient security measures (against electrical leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where Special Categories of Personal Data are located,
    • Physical security of these environments is ensured and unauthorized access is prevented.

10. TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA

The Data Subject’s Special Categories of Personal Data that have been lawfully obtained are not transferred to third parties in line with data processing purposes.

11. PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in two different environments, with wet signature (printed paper) and electronic environment, and is disclosed to the public on the website. The printed paper copy is also stored in the file by the data manager.

12. POLICY UPDATE PERIOD

The Policy is reviewed as needed and necessary sections are updated.

13. POLICY ENTRY INTO FORCE AND REPEAL

The Policy is deemed to have entered into force on the date written below. In case it is decided to repeal it, the old wet-signed copies of the Policy are cancelled (by stamping or writing cancelled) and signed by the decision of the data manager and stored by the data manager for at least 5 years.

07.11.2023