GDPR - Dt. Aslı Çoban

ASLI ÇOBAN ARSLAN PRACTICE

PERSONAL DATA STORAGE AND DESTRUCTION POLICY

ARTICLE 1- PURPOSE

Personal data storage and destruction policy ASLI ÇOBAN ARSLAN PRIVACY It has been prepared to determine the procedures and principles regarding the work and transactions regarding the storage and destruction of personal data processed by.

ARTICLE 2 – SCOPE

Personal data of employees, prospective employees, product and service buyers, potential product and service buyers, visitors and suppliers are within the scope of this policy. This policy applies to all recording environments where personal data owned or managed by the Workplace is processed and activities related to personal data processing.

ARTICLE 3 – DEFINITIONS

recipient group : Category of natural or legal person to whom personal data is transferred by the data controller.

Explicit consent Consent regarding a specific issue, based on information and expressed with free will .

Anonymization : Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.

Worker : Workplace personnel

Electronic environment : Environments where personal data can be created, read, changed and written with electronic devices

non-electronic media : All written, printed, visual, etc. except electronic media. other media

Service provider : Real or legal person who provides services within the framework of a specific contract with the workplace.

Related person : Natural person whose personal data is processed

Related user Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data .

Destruction : Deletion, destruction or anonymization of personal data

Law : Personal Data Protection Law No. 6698

recording media : Any environment where personal data is processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system.

personal data : Any information regarding an identified or identifiable natural person

Personal data processing inventory : Personal data processing activities carried out by data controllers depending on their business processes; The inventory they create by associating the personal data with the purposes and legal reason for processing personal data, data category, transferred recipient group and data subject person group, and detailing the maximum retention period required for the purposes for which personal data are processed, personal data envisaged to be transferred to foreign countries and measures taken regarding data security.

Processing of personal data Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system . Any action performed on data, such as blocking

Board : Personal Data Protection Board

Special personal data : Data regarding people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data .

periodic destruction : In case all the conditions for processing personal data specified in the law are eliminated, the process of deletion, destruction or anonymization is specified in the personal data storage and destruction policy and will be carried out ex officio at recurring intervals.

Policy : Personal Data Storage and Destruction Policy

Workplace : ASLI ÇOBAN ARSLAN PRACTICE

Product and service buyer : Patient

data processor : Natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data recording system : Registration system where personal data is structured and processed according to certain criteria

Data controller : Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Data controllers registry information system : Information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in applying to the Registry and other relevant transactions related to the Registry.

VERBIS : Data Controllers Registry Information System

regulation : Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017, 21.06.2019 dated 30808 numbered Official in the newspaper Regulation on Personal Health Data, which came into force after being published

ARTICLE 4 – RESPONSIBILITIES AND DUTIES

Employees and units of the workplace; It provides full and active support to the units responsible for obtaining, processing and storing personal data in accordance with the law. All employees and units support the responsible units in the implementation of administrative and technical measures taken within the scope of the policy, in training unit employees, in ensuring, increasing and monitoring the awareness of employees, in preventing unlawful access to personal data and in maintaining personal data in accordance with the law. Storage and destruction of personal data . The distribution of the titles, units and job descriptions of those involved in the processes is shown in ANNEX TABLE: 1 .

ARTICLE 5 – RECORDING MEDIA

Personal data is kept securely by the workplace in accordance with the law in the environments listed in ANNEX TABLE: 2 .

ARTICLE 6 – LEGAL REASONS REQUIRING STORAGE

Personal data processed in the workplace within the scope of activities are kept for the period stipulated in the relevant legislation and within the scope of the relevant legislation. The reasons that require storage in this context are as follows:

Storing personal data because it is directly related to the establishment and execution of contracts,
Storing personal data for the purpose of establishing, exercising or protecting a right
It is mandatory to keep personal data for the legitimate interests of the workplace, provided that it does not harm the fundamental rights and freedoms of individuals.
Storing personal data for the purpose of fulfilling any legal obligations of the workplace
Storage of personal data is clearly stipulated in the legislation
Explicit consent of data owners is required for storage activities that require explicit consent of data owners.

ARTICLE 7 – PURPOSE OF PROCESSING THAT REQUIRES STORAGE

The workplace may process the personal data of the data subject or third parties specified by the data subject for various purposes, including but not limited to:

Fulfillment of obligations arising from employment contracts and legislation for employees
Managing goods and services purchasing processes
Follow-up and execution of legal affairs
Carrying out activities in accordance with the legislation
Carrying out marketing processes of products and services
Carrying out after-sales support services for goods and services
Carrying out communication activities
Carrying out fringe benefits and benefits processes for employees
Managing goods and services purchasing processes
Creating and tracking visitor records
Carrying out occupational health and safety activities
Providing information to authorized persons, institutions and organizations
Performance of the service
Ensuring physical space security

PROCESSING OF SPECIAL PERSONAL DATA

race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress And outfit, society, foundation either in union membership, health, sexual vital, punishment conviction And security with its measures relating to datas with biometric And genetic datas special qualified personal data.

workplace private qualified personal of data in processing to the law And other Complies with the provisions of the legislation . In this regard, special personal data the following to the principles suitable aspect is processed:

to law And honesty to the rules suitable being
TRUE And when necessary current being
They are processed for the purpose connected, annoyed And measured being
Clear, open and legitimate purposes processing for
in legislation predicted either in were committed aim for necessary the one which… duration much

casing not to be

Special categories of personal data are collected in cases where the explicit consent of the data owner is obtained by the workplace or when required by law. predicted in cases is being processed.
Health data is collected with the explicit consent of the data owner. diagnosis, treatment and care in cases services execution, for the purpose of is being processed.

Health of your data in processing 21.06.2019 dated 30808 numbered Official in the newspaper in accordance with the provisions of the Regulation on Personal Health Data, which came into force after being published also respect is done.

ARTICLE 8 – LEGAL REASONS REQUIRING DESTRUCTION

Personal data is deleted or destroyed by the workplace upon the request of the relevant person or ex officio in case of the following situations:

Changing or removing the relevant legislative provisions that form the basis for the processing of personal data
Elimination of the purpose requiring processing or storage of personal data
In cases where processing of personal data occurs only on the basis of explicit consent, the relevant person may withdraw his/her explicit consent
In accordance with Article 11 of the Law, the application made by the relevant person for the deletion and destruction of his personal data within the framework of his rights is accepted by the data controller.
The maximum period requiring personal data to be stored has passed and there are no conditions that justify storing personal data for a longer period of time.

ARTICLE 9 – TECHNICAL MEASURES

The technical measures taken by the workplace regarding the personal data it processes are as follows:

Network security and application security are ensured.
Personal data is backed up and the security of the backed up personal data is ensured.
Up-to-date anti-virus systems are used
Encryption is done.

ARTICLE 10 – ADMINISTRATIVE MEASURES

Administrative measures taken by the workplace regarding the personal data it processes are as follows:

Employees are informed and informed about data security.
The authorities of employees who change their duties or leave their jobs in this area are removed.
The signed contracts contain data security provisions.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly.
Personal data security is monitored.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
The security of environments containing personal data is ensured.
Personal data is reduced as much as possible.
Periodic and/or random audits are carried out within the institution.
Current risks and threats have been identified.
In case the processed personal data is obtained by others through illegal means, it notifies the relevant person and the Board as soon as possible.

ARTICLE 11- METHODS OF DELETION OF PERSONAL DATA

Personal data is deleted by the methods specified in ADDITIONAL TABLE: 3.

ARTICLE 12- METHODS OF DESTRUCTION OF PERSONAL DATA

Personal data is destroyed by the methods specified in ADDITIONAL TABLE: 4.

ARTICLE 13 – STORAGE AND DISPOSAL PERIOD

When determining the storage period of personal data by the workplace; First of all, if a period of time is stipulated in the legal legislation for the storage of personal data in question, this period is respected. Except that; The storage and destruction period table in ANNEX TABLE: 5 is taken as basis.

ARTICLE 14 – PERIODIC DESTRUCTION PERIOD

Periodic destruction of the workplace is carried out every year in January and June .

ARTICLE 15- PUBLISHING, STORING AND UPDATING THE POLICY

The policy is kept within the workplace as a printed paper copy with wet signature. The policy is reviewed as needed and necessary sections are updated. If it is decided to repeal the policy, the old copies with wet signatures are canceled and signed (with a cancellation stamp or written cancellation) and kept by the workplace for at least 5 years.

ARTICLE 16 – ENFORCEMENT

This Personal Data Storage and Destruction Policy …… /…. ./…… It entered into force after it was signed by the workplace official on . Procedures for any changes that can be made to the Policy are regulated in Article 15 of this Policy .

ADDITIONAL TABLE: 1 Storage and disposal processes task distribution

TITLE	UNIT OF	DUTY
business owner	Workplace	Responsible for employees to comply with the policy.
business owner	Workplace	Responsible for the preparation, development, execution, publication and updating of the policy in relevant media.
business owner	Workplace	It is responsible for providing the technical solutions needed in the implementation of the policy.
business owner	Workplace	He is responsible for the execution of the Policy in accordance with his duties.

ADDITIONAL TABLE: 2 Personal Data Storage Environments

Electronic Media

Non-Electronic Media

Computers

Mobile Devices

Printers, scanners, copiers

Removable and portable memories

papers

Written and printed media

visual recordings

Manual data recording systems

ADDITIONAL TABLE: 3 Methods of Deletion of Personal Data

Data Recording Environment	Deletion Method
Electronic environment	The period requiring personal data stored electronically has expired. for other employees (relevant users) except the database administrator is rendered inaccessible and unusable in any way.
physical environment	The period requiring personal data kept in physical media to be stored has expired. Except for the person responsible for the document archive for employees, there is no is rendered inaccessible and unusable. Also, it cannot be read The darkening process is also applied by drawing/painting/erasing.
portable media	Storing personal data kept in Flash-based storage media whose required period has expired are encrypted and accessed by the business owner. It is secured with encryption keys, with authority given only to the system administrator. in environments .

ADDITIONAL TABLE: 4 Anonymization of Personal Data through Destruction Methods

Data Recording Environment

Destruction Method

physical environment

Personal data on paper whose storage period has expired,

It is irreversibly destroyed in document shredder machines.

Optical or magnetic media

The period requiring personal data to be stored on optical media and magnetic media has expired.

objects , such as melting, burning, or pulverizing them

is applied .

Anonymization of special personal data

Personal of data anonymous halo bringing, personal of data Another with data under no circumstances with an identified or identifiable natural person, even if matched not relatable halo is to be brought.

Personal of data anonymous halo brought to be for; personal of data, data responsible or third persons by back rotating and/or of data Another Appropriate recording environment and relevant field of activity, such as matching with data an identified or identifiable fact, even through the use of techniques with person not relatable halo bringing must.

APPENDIX TABLE: 5 Storage and Disposal Period Table

Sequence Number:	Data category	document containing data	STORAGE PERIOD	DESTRUCTION PERIOD
one	Communication	Forms, Patient consent form, Employment contracts	10 years following the end of the employment relationship 20 years following receipt from Patient – Parent/Guardian/ Representative	180 days following the end of the storage period
2	Identity	Identity card sample, Family status statement, Passport photo, Patient consent form, Confidentiality agreements, Employment contracts	10 years following the end of the employment relationship 20 years from date of receipt from Patient – Parent/Guardian/ Representative	180 days following the end of the storage period
3	Professional experience	Family status statement, Diplomas and certificates,	10 years following the end of the employment relationship	180 days following the end of the storage period
4	Health information	Health report	10 years following the end of the employment relationship / In reports received due to occupational health and safety, the termination of the employment relationship Following 15 years / Obtained from Patient -Parent/Guardian/ Representative 20 years following the	180 days following the end of the storage period
5	personnel	Sample of identity card, Military status certificate	10 years following the end of the employment relationship	180 days following the end of the storage period
6	Audiovisual Records	Photo-videos taken of patients	10 years following acquisition	180 days following the expiration of the storage period or, in the case of withdrawal of express consent, immediately from the withdrawal of consent.

…/…./….

ASLI ÇOBAN ARSLAN EXAMINATION ROOM

STAMP – SIGNATURE