The Personal Data Storage and Destruction Policy (the "Policy") has been prepared in order to determine the procedures and principles governing the work and transactions related to the storage and destruction activities carried out by "Mustafa Bağlı Clinic" (the "Institution").

The Institution has made it a priority to process the personal data of its employees, employee candidates, patients, suppliers, service providers, visitors and other third parties in accordance with the Constitution of the Republic of Turkey, international conventions, the Law on the Protection of Personal Data No. 6698 (the "Law") and other relevant legislation, and to ensure that the persons concerned can exercise their rights effectively. The work and operations related to the storage and destruction of personal data are carried out in accordance with the Policy that the Institution has prepared for this purpose.

1.2 Scope

Personal data belonging to the Institution's employees, employee candidates, patients, suppliers, service providers, visitors and other third parties fall within the scope of this Policy. The Policy applies to all recording environments owned or managed by the Institution in which personal data are processed, and to all personal data processing activities.

1.3 Abbreviations and Definitions 

Recipient Group : The category of natural or legal person to whom personal data is transferred by the data controller.

Explicit Consent : Consent related to a specific topic, based on information and explained by free will.

Anonymization : Rendering personal data such that it cannot be associated with an identified or identifiable natural person under any circumstances, even when matched with other data.

Employee : The staff of the institution "Mustafa Bağlı Clinic".

Patient : A person who receives health and medical treatment services from "Mustafa Bağlı Clinic".

Electronic Environment: Environments where personal data can be created, read, modified and written with electronic devices.

Non-Electronic Media : All written, printed, visual and other environments outside the electronic environment.

Service Provider : A natural or legal person who provides services within the framework of a specific contract with the Personal Data Protection Authority.

Contact Person : The real person whose personal data is processed.

Related User: Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of data.

Destruction : Deletion, destruction or anonymization of personal data.

Law : Law No. 6698 on the Protection of Personal Data.

Recording Environment: Any environment containing personal data that is processed by fully or partially automatic means, or by non-automatic means provided that the processing forms part of a data recording system.

Personal Data : Any kind of information related to an identified or identifiable real person.

Personal Data Processing Inventory: An inventory in which data controllers detail the personal data processing activities they perform depending on their business processes; the purposes and legal reason for processing personal data, the data category, the transferred recipient group and the data subject group, explaining the maximum retention period required for the purposes for which personal data are processed, the personal data intended for transfer to foreign countries and the measures taken for data security.

Processing of Personal Data: Any operation performed on personal data by fully or partially automatic means, or by non-automatic means provided that it forms part of a data recording system, such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data.

Special Categories of Personal Data: Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Periodic Destruction: The process of deletion, destruction or anonymization of personal data carried out ex officio at the recurring intervals specified in the retention and destruction policy, once all of the conditions for processing personal data set out in the Law have ceased to exist.

Policy : Personal Data Storage and Destruction Policy

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Recording System: A recording system in which personal data is processed by being structured according to certain criteria.

Data Controller: The natural or legal person responsible for the establishment and management of the data recording system, who determines the purposes and means of processing personal data.

Data Controllers Registry Information System: An information system that data controllers will use for applying to the Registry and other related transactions related to the Registry, accessible via the Internet, created and managed by the Presidency.

VERBIS : Data Controllers Registry Information System

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

2.DISTRIBUTION OF RESPONSIBILITIES AND DUTIES 

All units and employees of the Institution actively support the responsible units in properly implementing the technical and administrative measures taken within the scope of the Policy, in raising the training and awareness of unit employees, in monitoring and continuous supervision, and in taking the technical and administrative measures needed to ensure data security in every environment where personal data are processed, so as to prevent the unlawful processing of and unlawful access to personal data and to ensure that personal data are stored in accordance with the law. The titles, units and job descriptions of those involved in the storage and destruction of personal data are given in Table 1.

Table 1: Storage and disposal processes task distribution

TITLE | DUTY
Data Manager | Ensuring that employees act in accordance with the Policy.
Data Manager | Preparation, development, execution, publication and updating of the Policy in the relevant environments, as well as its cancellation and storage by decision of the Institution.
Data Security Officer | Providing the technical solutions needed for the implementation of the Policy.
Other Units | Execution of the Policy in accordance with their duties and the tasks defined by the internal directive.

3.RECORDING MEDIA 

Personal data is stored securely by the Institution in accordance with the law in the environments listed below.

Table 2: Personal data storage environments

Electronic Environments | Non-Electronic Environments
Servers (domain, backup, e-mail, database, web, file sharing, etc.) | Paper
Software (office software, portal, EBYS, VERBIS) | Manual data recording systems (survey forms, visitor logbook)
Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.) | Written, printed, visual media
Personal computers (desktop, laptop) |
Mobile devices (phone, tablet, etc.) |
Optical discs (CD, DVD, etc.) |
Removable memories (USB, memory card, etc.) |
Printer, scanner, copier |

4.EXPLANATIONS RELATED TO STORAGE AND DISPOSAL

Personal data belonging to employees, employee candidates, patients, suppliers, visitors, and the employees of third parties, institutions or organizations with which the Institution has a service-provider relationship are stored and destroyed by the Institution in accordance with the Law. In this context, detailed explanations of storage and destruction are given below in turn.

4.1 Explanations Related to Storage

The concept of processing of personal data is defined in Article 3 of the Law; Article 4 states that processed personal data must be relevant, limited and proportionate to the purposes for which they are processed and must be retained only for the period stipulated in the relevant legislation or required for the purpose of processing; and the conditions for processing personal data are listed in Articles 5 and 6. Accordingly, within the framework of our Institution's activities, personal data are stored for the period stipulated in the relevant legislation or required by our processing purposes.

4.1.1 Legal Reasons Requiring Retention 

The personal data processed by the Institution within the framework of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data are stored for the retention periods stipulated in:

Personal Data Protection Law No. 6698,
Law No. 5651,
Turkish Code of Obligations No. 6098,
Turkish Commercial Code No. 4721,
Law No. 6563,
Regulation on Private Health Insurance and related legislation,
Patient Rights Regulation and related legislation,
Deontology Regulations,
Social Insurance and General Health Insurance Law No. 5510 and insurance legislation,
Occupational Health and Safety Law No. 6331,
Right to Information Law No. 4982,
Law No. 3071 on the Exercise of the Right of Petition,
Labor Law No. 4857,
Retiree Health Law No. 5434,
Social Services Law No. 2828,
Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
Regulation on Archive Services,
and for the storage periods stipulated in the other secondary regulations in force under these laws.

4.1.2 Processing Purposes Requiring Storage 

The institution stores the personal data it processes within the framework of its activities for the following purposes.

Performance of health services,
Billing operations,
Carrying out human resources processes,
Providing corporate communication,
Corporate security and supervision,
Ensuring data security,
Ensuring the physical security of the Institution's premises,
Personnel training,
Performing the work and transactions arising from signed contracts and protocols,
Within the scope of VERBIS, determining the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, organizing the services provided accordingly and updating them where necessary,
Fulfilling the legal obligations required or mandated by legal regulations,
Providing communication with natural and legal persons who have a business relationship with the Institution,
Informational purposes on social media accounts,
Sending SMS and electronic messages and answering questions and complaints within the scope of health services,
Procurement of financial consultancy and legal consultancy services,
The obligation of proof as evidence in legal disputes that may arise in the future.

4.2 Reasons Requiring Destruction 

Personal data are deleted, destroyed or anonymized by the Institution, ex officio or at the request of the person concerned, in the following cases:

Amendment or repeal of the provisions of the relevant legislation that constitute the basis for the processing,
Elimination of the purpose that requires the processing or storage,
Where personal data are processed solely on the basis of explicit consent, withdrawal of the explicit consent of the person concerned,
Acceptance by the Institution of an application made by the person concerned, within the framework of the rights set out in Article 11 of the Law, for the deletion or destruction of their personal data,
Where the Institution rejects an application by the person concerned requesting the deletion, destruction or anonymization of their personal data, gives a response that the person finds insufficient, or fails to respond within the period stipulated by the Law, the person concerned lodges a complaint with the Personal Data Protection Board and the Board finds the request justified,
The maximum period requiring the storage of the personal data has passed and no condition justifies storing the personal data for a longer period.

5.TECHNICAL AND ADMINISTRATIVE MEASURES 

In accordance with Article 12 of the Law and, for special categories of personal data, the fourth paragraph of Article 6 of the Law, the Institution takes technical and administrative measures within the framework of the adequate measures determined and announced by the Board, in order to store personal data securely, to prevent unlawful processing and access, and to destroy personal data in accordance with the law.

5.1 Technical Measures 

The technical measures taken by the institution in relation to the personal data it processes are listed below:

Risks, threats, vulnerabilities and weaknesses in our Institution's information systems, if any, are identified through penetration tests and the necessary measures are taken.
Risks and threats that will affect the continuity of information systems are constantly monitored as a result of real-time analyses conducted with information security incident management.
Necessary measures are taken for the physical security of the information systems equipment, software and data of the institution.
To protect the information systems against environmental threats, hardware measures (an access control system that admits only authorized personnel to the system room, 24/7 staff monitoring, physical security of the edge switches that make up the local area network, a fire suppression system, an air conditioning system, keys to the physical environments where data are stored (archive, accounting, patient files, etc.) held only by the authorized person, etc.) and software measures (firewalls, intrusion prevention systems, anti-virus software, a log tracking system, network access control, systems that block malware, etc.) are taken.
Risks to prevent the unlawful processing of personal data are determined, technical measures appropriate to these risks are taken, and technical controls are carried out for the measures taken, and information processing support is regularly received.
Access procedures are established within the institution and reporting and analysis studies related to access to personal data are carried out.
Access to the storage areas where personal data is stored is recorded and inappropriate access or access attempts are kept under control.
The institution takes the necessary measures to make the deleted personal data inaccessible and unusable again for the relevant users.
In case of unlawful acquisition of personal data by others, an appropriate system and infrastructure has been established by the Institution in order to inform the relevant person and the Board about this situation.
Appropriate security patches are installed by monitoring security vulnerabilities and information systems are kept up-to-date.
Strong passwords are used in the electronic environments where personal data are processed.
Secure record keeping (logging) systems are used in electronic environments where personal data are processed.
Data backup programs are used that ensure the secure storage of personal data.
Access to personal data stored in electronic or non-electronic environments is restricted according to access principles.
The necessary clarifications have been made for the personal data of a special nature, and explicit consents have been obtained in cases deemed necessary by law.
Special quality personal data security trainings have been given to employees involved in special quality personal data processing processes, confidentiality agreements have been made, and the powers of users authorized to access data have been defined.
Adequate security measures are taken for the physical environments where special personal data are processed, stored and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
If personal data of a special nature must be transferred by e-mail, they are sent encrypted from a corporate e-mail address or via a KEP (registered electronic mail) account. If they must be transferred on portable media such as a CD, DVD or USB memory, they are encrypted using cryptographic methods and the cryptographic key is stored in a different medium. If the transfer takes place between servers in different physical environments, the data are transferred by establishing a VPN between the servers or by the FTP method. If they must be transferred on paper, the necessary measures are taken against risks such as theft or loss of the document or its being seen by unauthorized persons, and the document is sent in "confidential" format.

5.2 Administrative Measures

The administrative measures taken by the institution in relation to the personal data it processes are listed below:

In-house trainings are provided to improve the competence of employees, to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the preservation of personal data.
Confidentiality agreements are signed with employees, with the suppliers from which services are procured, and with other natural and legal persons involved in the Institution's activities.
Legal action is taken against employees who do not comply with security policies and procedures.
The KVKK Disciplinary Policy has been prepared.
KVKK Institution Internal Directive has been prepared.
KVKK Cookie Policy has been prepared.
The KVKK Application Form has been prepared.
Before starting to process personal data, the Institution fulfills its obligation to inform the relevant persons, and the consent of the relevant persons is obtained if deemed necessary by law.
The Disclosure and Consent Forms have been prepared.
KVK information notices are displayed in the office and other physical premises.
The Personnel Contracts are in compliance with the KVK.
The personal data processing inventory has been prepared.
Periodic and random internal audits are carried out.
Information security trainings are provided for employees.
The physical environments containing personal data are secured against external risks (fire, flood, etc.).
Personal data are minimized as far as possible.
Protocols and procedures for the security of personal data of a special nature have been determined and are being implemented.
The KVKK measures required by the pandemic have been taken, and the necessary information is being provided to our patients and staff.

6.METHODS OF DESTRUCTION OF PERSONAL DATA 

At the end of the period stipulated in the relevant legislation, or of the storage period required for the purpose for which they are processed, personal data are destroyed by the Institution, either ex officio or upon the application of the data subject, in accordance with the provisions of the relevant legislation and using the techniques specified below.

6.1 Deletion of Personal Data

Personal data is deleted by the methods given in Table-3.

Table 3: Deletion of Personal Data

Data Recording Environment | Description
Servers | For personal data whose retention period has expired, the system administrator deletes the data by removing the access authority of the relevant users.
Electronic Environment | Personal data whose retention period has expired are made inaccessible and unusable in any way for all employees (relevant users) except the database administrator.
Physical Environment | Personal data whose retention period has expired are made inaccessible and unusable in any way for all employees except the unit manager responsible for the document archive. In addition, the data are blacked out by scoring, painting or erasing them so that they cannot be read.
Portable Media | Personal data stored on flash-based storage media are encrypted and kept in a secure environment together with the encryption keys, with access authority granted only to the system administrator.

6.2 Destruction of Personal Data 

Personal data is destroyed by the Institution using the methods given in Table-4.

Table 4: Destruction of Personal Data

Data Recording Environment | Description
Physical Environment | Personal data on paper whose retention period has expired are irreversibly destroyed.
Optical / Magnetic Media | Personal data on optical and magnetic media whose retention period has expired are physically destroyed by melting, burning or pulverizing. In addition, magnetic media are passed through a special device (degausser) that exposes them to a strong magnetic field, rendering the data on them unreadable.

6.3 Anonymization of Personal Data 

Anonymization of personal data means rendering personal data such that they cannot be associated with an identified or identifiable natural person under any circumstances, even when matched with other data.

For personal data to be considered anonymized, it must be impossible to associate them with an identified or identifiable natural person, even through reversal by the data controller or third parties and/or matching of the data with other data, using the techniques appropriate to the recording environment and the relevant field of activity.

7.STORAGE AND DISPOSAL PERIODS 

In relation to the personal data processed by the Institution within the scope of its activities:

Storage periods for each item of personal data, across all activities carried out as part of the processes, are included in the Personal Data Processing Inventory;
Storage periods based on data categories are recorded in VERBIS;
Storage periods based on the process are included in the Personal Data Storage and Destruction Policy.

Updates are made on these storage periods by the Institution Administrator if necessary. For personal data whose retention periods have expired, the process of erasure, destruction or anonymization is performed by the Data Security Officer.

Table 5: Table of storage and disposal times based on the process

PROCESS | STORAGE TIME | DESTRUCTION TIME
Patient registration and execution of diagnosis and treatment processes | 20 years from the completion of the process | During the first periodic destruction period following the expiration of the storage period
Execution of services (communication, etc.) other than institutional treatment processes | 10 years from the completion of the process | During the first periodic destruction period following the expiration of the storage period
Preparation of contracts | 10 years from the completion of the process | During the first periodic destruction period following the expiration of the storage period
Preparation of contracts and performance activities | 10 years following the termination of the contract | During the first periodic destruction period following the expiration of the retention period
Execution of corporate communication activities | 10 years following the termination of the activity | During the first periodic destruction period following the expiration of the storage period
Accounting processes | 10 years from the completion of the process | During the first periodic destruction period following the expiration of the storage period
Execution of human resources processes | 10 years from the completion of the process | During the first periodic destruction period following the expiration of the retention period
Severance pay, notice compensation payments, documents and payroll information of personnel who have left the job | 5 years from the expiration date of the employment contract | During the first periodic destruction period following the expiration of the retention period
Log tracking systems | 2 years | During the first periodic destruction period following the expiration of the storage period
Execution of access processes to the domain and software | 2 years from the completion of the process | During the first periodic destruction period following the expiration of the storage period
Camera recordings | 1 month following the end of the day | During the first periodic destruction period following the expiration of the storage period
Data about customers and potential customers (cookies); IYS records | 3 years from the date of registration | During the first periodic destruction period following the expiration of the storage period

8. PERIODIC DESTRUCTION TIME

In accordance with Article 11 of the Regulation, the Institution has set the periodic destruction period at 6 months. Accordingly, the periodic destruction process is carried out in the Institution in June and December of every year.
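The retention periods in Table 5 and the June/December periodic destruction cycle in Section 8 together determine when each record must be erased. The following scheduler is an added example written for this page, not part of the clinic's policy or systems: the category names are chosen here, the sample records are constructed, and it assumes a periodic run is dated the 1st of June or December and that a record joins the first run falling strictly after its retention expiry.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import calendar

# Retention periods taken from Table 5 of the policy, counted from the
# "completion of the process" (or the contract/registration date, as the
# table states). The category keys are names chosen for this example.
RETENTION = {
    "patient_diagnosis_treatment": ("years", 20),
    "contracts": ("years", 10),
    "corporate_communication": ("years", 10),
    "accounting": ("years", 10),
    "human_resources": ("years", 10),
    "former_staff_payroll_and_compensation": ("years", 5),  # from expiry of the employment contract
    "log_tracking": ("years", 2),
    "domain_and_software_access": ("years", 2),
    "camera_recordings": ("months", 1),
    "iys_records": ("years", 3),  # from the date of registration
}

# Section 8: periodic destruction every 6 months, in June and December.
# Assumption for this example: a run is dated the 1st of the month and a
# record joins the first run that falls strictly after its retention expiry.
PERIODIC_DESTRUCTION_MONTHS = (6, 12)


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (so 31 Jan + 1 month is 28/29 Feb rather than an invalid date)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_expiry(category: str, completed: date) -> date:
    """Last day on which a record of this category may still be retained."""
    if category not in RETENTION:
        raise ValueError(f"no retention period defined for {category!r}")
    unit, n = RETENTION[category]
    return add_months(completed, n * 12 if unit == "years" else n)


def next_periodic_destruction(expiry: date) -> date:
    """First June or December run strictly after the expiry date."""
    for month in PERIODIC_DESTRUCTION_MONTHS:
        candidate = date(expiry.year, month, 1)
        if candidate > expiry:
            return candidate
    return date(expiry.year + 1, PERIODIC_DESTRUCTION_MONTHS[0], 1)


@dataclass(frozen=True)
class Schedule:
    record_id: str
    category: str
    completed: date
    expiry: date
    destruction_run: date


def schedule(record_id: str, category: str, completed: date) -> Schedule:
    expiry = retention_expiry(category, completed)
    return Schedule(record_id, category, completed, expiry,
                    next_periodic_destruction(expiry))


def worklist(records: list[tuple[str, str, date]], run_date: date) -> list[str]:
    """Record ids that the periodic run dated `run_date` must erase, destroy
    or anonymize; records assigned to an earlier run are overdue and included."""
    return [rid for rid, cat, done in records
            if schedule(rid, cat, done).destruction_run <= run_date]


# Constructed sample records: (record id, Table 5 category, completion date).
SAMPLE = [
    ("R1", "patient_diagnosis_treatment", date(2023, 7, 21)),
    ("R2", "camera_recordings", date(2023, 7, 21)),
    ("R3", "accounting", date(2015, 12, 15)),
]

if __name__ == "__main__":
    for rid, cat, done in SAMPLE:
        print(schedule(rid, cat, done))
    print("worklist for the December 2023 run:", worklist(SAMPLE, date(2023, 12, 1)))
```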

9.PROCESSING OF PERSONAL DATA OF A SPECIAL NATURE

9.1 Particular care is taken in the processing of Personal Data of a Special Nature, whose protection is considered to be of more critical importance for the Data Owner in various respects.

Personal Data of a Special Nature are processed in accordance with the Law in the presence of the following conditions, provided that adequate measures to be determined by the Board are taken:

If the Data Owner has given explicit consent; or
If the Data Subject has not given explicit consent: personal data of a special nature other than those relating to health and sexual life may be processed in the cases stipulated by law, while personal data of a special nature relating to health and sexual life may be processed only by persons or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.

PRECAUTIONS REGARDING THE PROCESSING OF PERSONAL DATA OF A SPECIAL NATURE

In accordance with the decision of the Board dated 31.01.2018 and numbered 2018/10, the following measures are taken, in the capacity of data controller, in the processing of the Personal Data of a Special Nature referred to in Article 6 of the Law:

This Policy, which is systematic, clearly defined, manageable and sustainable, has been adopted for the security of personal data of a special nature. For the employees involved in the processing of personal data of a special nature:

Confidentiality agreements are being made,
The scope and duration of the authorization of the users who have the authority to access the data are clearly defined,
Authority checks are carried out periodically.
Protocols and procedures for the security of personal data of a special nature have been determined and are being implemented.
The authorizations of employees who change duties or leave their jobs in this area are removed immediately, and the inventory allocated to them by the Data Controller is returned.
Where the environments in which Personal Data of a Special Nature are processed, stored and/or accessed are physical environments:
* Adequate security measures appropriate to the nature of the environment in which the Special Personal Data are stored are taken against situations such as electrical leakage, fire, flooding and theft,
* Unauthorized access is prevented by ensuring the physical security of these environments.

10.TRANSFER OF PERSONAL DATA OF A SPECIAL NATURE

The Data Owner's Personal Data of a Special Nature obtained in accordance with the law are not transferred to third parties for data processing purposes.

11. PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in two different media, as a wet-signed printed paper copy and in electronic form, and is disclosed to the public on the website. The printed paper copy is also kept on file by the Data Manager.

12.UPDATE PERIOD OF THE POLICY

The policy is reviewed as needed and the necessary sections are updated.

13.ENTRY INTO FORCE AND REPEAL OF THE POLICY

The Policy is deemed to have entered into force on the date written below. If a decision to repeal it is made, the wet-signed old copies of the Policy are cancelled by the decision of the data administrator, marked as cancelled (by applying a cancellation stamp or writing "cancelled") and signed, and are stored by the data administrator for at least 5 years.

Date of entry into force: 21.07.2023