1. INTRODUCTION
1.1 Purpose
This Personal Data Retention and Disposal Policy (“Policy”) has been prepared to set out the procedures and principles governing the storage and destruction activities carried out by the “Data Controller” (“Assoc. Dr. Çiğdem YAYLA ABIDE”).
In this context, within the framework of this Policy, the Data Controller has made it a priority to process personal data in accordance with the Constitution of the Republic of Turkey, international conventions, the Law on the Protection of Personal Data No. 6698 (“Law”) and other relevant legislation, and to ensure that the relevant persons can exercise their rights effectively.
1.2 Scope
Work and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared for this purpose by Assoc. Dr. Çiğdem YAYLA ABIDE.
1.3 Abbreviations and Definitions
Explicit Consent: Consent about a specific subject, based on information and expressed with free will.
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.
Employee: Data Controller employees.
Electronic Media: Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic Media: All written, printed, visual and other media other than electronic media.
Relevant Person: The natural person whose personal data is processed.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data.
Law: Law on Protection of Personal Data No. 6698.
Recording Media: Any medium containing personal data that is processed by fully or partially automated means, or by non-automated means provided that it is part of a data recording system.
Personal Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out, depending on their business processes, with the purposes and legal grounds for processing, the data category, the recipient group and the data subject group, and in which they detail the maximum storage period required for the purposes for which personal data is processed, the personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security.
Board: Personal Data Protection Board
Periodic Destruction: The deletion, destruction or anonymization process specified in the personal data storage and destruction policy, carried out ex officio at recurring intervals when all the conditions for processing personal data set out in the Law have ceased to exist.
Policy: Personal Data Retention and Disposal Policy
Data Registration System: A registration system in which personal data is processed and structured according to certain criteria.
Data Controllers Registry Information System: An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in their application to the Registry and other related transactions.
VERBIS: Data Controllers Registry Information System.
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
All employees of Assoc. Dr. Çiğdem YAYLA ABIDE actively support the responsible employees in implementing the technical and administrative measures taken within the scope of the Policy, in training employees and raising their awareness, in monitoring and continuous supervision, and in taking technical and administrative measures to ensure data security in all environments where personal data is processed, with the aim of preventing the unlawful processing of personal data, preventing unlawful access to personal data and ensuring that personal data is stored in accordance with the law.
3. RECORDING ENVIRONMENTS
The Data Controller stores personal data securely and in accordance with the law in the environments listed in Table 1.
Table 1: Personal data storage environments
Digital Media:
- Servers (domain, backup, email, database, web, file sharing, etc.)
- Digital radiography programs
- Software (office software)
- Information security devices (firewall, intrusion detection and blocking, antivirus, etc.)
- Personal computers (desktop, laptop)
- Mobile devices (phone, tablet, etc.)
- Optical discs (CD, DVD, etc.)
- Removable memories (USB, memory card, etc.)
- Printer, scanner, copier
Non-Digital Media:
- Paper
- Manual data recording systems (survey forms, application forms)
- Written, printed, visual media
4. EXPLANATIONS ON STORAGE AND DISPOSAL
The Data Controller stores and destroys the personal data of employees, employee candidates and patients in accordance with the Law. Detailed explanations regarding storage and disposal are given below, in that order.
4.1 Remarks on Storage
Article 3 of the Law defines the concept of processing personal data. Article 4 states that personal data processed must be relevant, limited and proportionate to the purpose for which they are processed, and must be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed. Articles 5 and 6 list the conditions for processing personal data.
4.1.1 Legal Reasons for Retention
Accordingly, within the framework of the Data Controller's activities, personal data is stored for the period stipulated in the relevant legislation or appropriate to our processing purposes.
In this context, personal data is stored for the storage periods stipulated under the following laws and under the other secondary regulations in force in accordance with them:
- Law No. 6698 on the Protection of Personal Data,
- Health Services Basic Law No. 359,
- Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates,
- Regulation on the Processing and Privacy of Personal Health Data,
- Turkish Code of Obligations No. 6098,
- Turkish Commercial Code No. 6102,
- Social Insurance and General Health Insurance Law No. 5510,
- Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,
- Occupational Health and Safety Law No. 6331,
- Law No. 4982 on Access to Information,
- Law No. 3071 on the Use of the Right to Petition,
- Labor Law No. 4857,
- Social Services Law No. 2828,
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments,
- Regulation on Archive Services.
4.1.2 Processing Purposes Requiring Storage
The Data Controller stores the personal data she processes within the framework of her activities for the following purposes:
- To provide corporate communication.
- To ensure corporate security.
- To carry out statistical studies.
- To ensure that accounting records are kept.
- To perform work and transactions arising from signed contracts and protocols.
- To determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors within the scope of VERBIS, to organize the services provided accordingly and to update them if necessary.
- To ensure the fulfillment of legal obligations as required or mandated by legal regulations.
- To liaise with real / legal persons who have a business relationship with the Data Controller.
- To make legal reports.
- To fulfil the burden of proof by serving as evidence in legal disputes that may arise in the future.
4.2 Reasons for Destruction
Personal data is deleted or destroyed by the Data Controller at the request of the person concerned, or is deleted, destroyed or anonymized ex officio, in the following cases:
- Amendment or repeal of the provisions of the relevant legislation which are the basis for processing,
- The disappearance of the purpose that requires processing or storage,
- The data subject's withdrawal of explicit consent, in cases where the processing of personal data takes place only on the basis of explicit consent,
- In accordance with Article 11 of the Law, the application made by the Authority regarding the deletion and destruction of personal data within the framework of the rights of the person concerned,
- The maximum period requiring the storage of personal data has passed and there is no condition to justify keeping the personal data for a longer period.
5. TECHNICAL AND ADMINISTRATIVE MEASURES REGARDING THE STORAGE AND DISPOSAL OF PERSONAL DATA
In order to protect personal data securely, to prevent its unlawful processing and access, and to destroy it in accordance with the law, the Data Controller takes technical and administrative measures in accordance with Article 12 of the Law and, for special category (sensitive) personal data, within the framework of the adequate measures determined and announced by the Board under Article 6/4 of the Law.
5.1 Technical Precautions for Storage
The technical measures taken by the Data Controller regarding the storage of the personal data it processes are listed below:
- For the areas where personal data is stored, hardware and software security systems are established in line with technological developments to ensure the security of information systems against environmental threats.
- Only authorized employees can access personal data.
- Strong passwords are used in electronic environments where personal data is processed.
- Adequate security measures are taken for the physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit is prevented by ensuring physical security.
- If sensitive personal data needs to be transferred via e-mail, it is transferred via a corporate e-mail address.
- If it needs to be transferred on paper, necessary precautions are taken against risks such as theft, loss or viewing of the documents by unauthorized persons.
- The Data Controller also requests commitments from the third parties it works with that they meet certain standards in data storage.
- In addition, the Data Controller takes the necessary measures to ensure that personal data is not lost or used unlawfully.
5.2 Administrative Measures Regarding Retention
The administrative measures taken by the Data Controller regarding the storage of the personal data it processes are listed below:
- Employees are informed about the technical and administrative risks related to the storage of personal data, and awareness is raised.
- There are provisions that set forth the obligations and responsibilities of the persons to whom personal data is transferred regarding the protection of the transferred personal data and the security measures necessary to keep it safe.
5.3 Technical Measures for Disposal
At the end of the period stipulated in the relevant legislation, or of the storage period required for the purpose for which they are processed, personal data is destroyed by the Data Controller, ex officio or upon the application of the data subject, in accordance with the provisions of the relevant legislation and with the techniques specified below.
5.4 Deletion of Personal Data
Personal data is deleted with the methods given in Table 2.
Table 2: Deletion of Personal Data (data recording environment and explanation)
Personal Data on Servers: For personal data on servers whose required retention period has expired, the system administrator removes the access authorization of the relevant users and deletes the data.
Personal Data in Electronic Media: Personal data in the electronic environment whose required retention period has expired is made inaccessible and non-reusable in any way for other employees (relevant users), except the database administrator.
Personal Data in Physical Environment: Personal data kept in the physical environment whose required retention period has expired is made inaccessible and non-usable in any way for other employees, except for the unit manager responsible for the document archive. In addition, blackening is applied by striking out, painting over or erasing so that the data cannot be read.
Personal Data in Portable Media: Personal data kept in flash-based storage media whose retention period has expired is encrypted by the system administrator, access authorization is given only to the system administrator, and the media are stored in secure environments together with the encryption keys.
5.5 Destruction of Personal Data
Personal data is destroyed by the Data Controller with the methods given in Table 3.
Table 3: Destruction of Personal Data (data recording environment and explanation)
Personal Data in Physical Environment: Personal data on paper whose required retention period has expired is irreversibly destroyed in paper shredders.
Personal Data in Optical / Magnetic Media: Optical and magnetic media containing personal data are physically destroyed by methods such as melting, burning or pulverizing. In addition, magnetic media is passed through a special device, and the data on it is rendered unreadable by exposing it to a high magnetic field.
5.6 Anonymization of Personal Data
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.
For personal data to be considered anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the anonymization by the Data Controller or third parties and/or matching the data with other data.
5.7 Administrative Measures Regarding Disposal
Destruction of data is carried out only by authorized employees of the Data Controller. Employees are informed within the scope of the legislation regarding the protection and destruction of personal data. Necessary equipment for physical destruction is kept within the workplace.
6. STORAGE AND DISPOSAL TIMES
Regarding the personal data processed by the Data Controller within the scope of its activities:
- The retention periods for each item of personal data, covering all personal data within the scope of the activities carried out in connection with the processes, are set out in the Personal Data Processing Inventory.
- Process-based retention periods are set out in the Personal Data Retention and Disposal Policy.
For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out.
Table 4: Periods for Data Retention and Destruction
- Patients: storage time 10 Years; destruction time 6 Months From the Expiry of the Storage Period
- Employee: storage time 15 Years After Resignation Date; destruction time 6 Months From the Expiry of the Storage Period
- Candidates Applying for a Job: storage time 15 Years from the Application Period; destruction time 6 Months From the Expiry of the Storage Period
- Contacts Other than the Data Owners Above: storage time 10 Years; destruction time 6 Months From the Expiry of the Storage Period
7. PUBLICATION AND STORAGE OF THE POLICY
The Policy is published in two different media: wet-signed printed paper and electronic media.
8. UPDATE PERIOD OF THE POLICY
The policy is reviewed as needed and the necessary sections are updated.
9. ENFORCEMENT OF THE POLICY
This Policy enters into force on ………………………….
Doç. Dr. Çiğdem YAYLA ABİDE

