Important Warning

Dr. Andaç AYKAN does not collaborate with any person, organization, or institution.

Use only the official numbers mentioned here for communication, appointment, or consultation.

PERSONAL DATA and PRIVATE PERSONAL DATA STORAGE and DISPOSAL POLICY

1. INTRODUCTION

1.1 Objective

The Personal Data Storage and Destruction Policy (“Policy”) has been prepared in order to determine the procedures and principles governing the works and transactions related to the storage and destruction activities carried out by “Assoc. Dr. Andaç AYKAN” (“Institution”).

The Institution has prioritized the processing of personal data of the Institution’s employees, employee candidates, patients, suppliers, service providers, visitors and other third parties in accordance with the Constitution of the Republic of Turkey, international conventions, the Law on the Protection of Personal Data No. 6698 (“Law”) and other relevant legislation and ensuring that the relevant persons use their rights effectively. The works and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Institution in this direction.

1.2 Scope

Personal data belonging to the employees of the Institution, employee candidates, patients, suppliers, service providers, visitors and other third parties are within the scope of this Policy and this Policy is applied in all recording environments where personal data owned or managed by the Institution are processed and in activities for personal data processing.

1.3 Abbreviations and Definitions

Recipient Group : The category of natural or legal person to whom personal data is transferred by the data controller.

Explicit Consent : Consent on a specific subject, based on information and expressed with free will.

Anonymization : Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Employee : “Assoc. Prof. Dr. Andaç AYKAN” Agency staff.

Patient : A person who receives health and medical treatment services from “Assoc. Dr. Andaç AYKAN”.

Electronic Environment : Environments where personal data can be created, read, changed and written with electronic devices.

Non-Electronic Media : All written, printed, visual and other media other than electronic media.

Service Provider : A natural or legal person who provides services under a specific contract with the Personal Data Protection Authority.

Contact Person : Natural person whose personal data is processed.

Related User : Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction : Deletion, destruction or anonymization of personal data.

Law : Personal Data Protection Law No. 6698.

Recording Medium : Any medium in which personal data processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Personal Data : Any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory : Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes and legal grounds for processing personal data, the data category, the group of recipients transferred and the group of data subjects, and by explaining the maximum retention period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

Processing of Personal Data : All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Personal Data of Special Nature : Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Destruction : The process of deletion, destruction or anonymization to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the Law disappear.

Policy : Personal Data Retention and Destruction Policy

Data Processor : Natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data Recording System : Recording system where personal data is structured and processed according to certain criteria.

Data Controller : The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Controllers Registry Information System : The information system created and managed by the Presidency, accessible via the internet, which data controllers will use in the application to the Registry and other related transactions regarding the Registry.

VERBIS : Data Controllers Registry Information System

Regulation : Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

All units and employees of the Institution actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law. This support consists of properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, training and raising the awareness of unit employees, and monitoring and continuous supervision. The titles, units and job descriptions of those involved in the storage and destruction of personal data are given in Table 1.

Table 1: Task distribution for storage and disposal processes

Title : Duty

Data Manager : Responsible for ensuring that employees act in accordance with the Policy.

Data Manager : Responsible for the preparation, development, execution, publication and updating of the Policy in the relevant media, and for its cancellation and storage upon the decision of the Authority.

Data Security Officer : Responsible for providing the technical solutions needed for the implementation of the Policy.

Other Units : Responsible for the execution of the Policy in accordance with their duties and the tasks defined by the internal directive.

3. RECORDING MEDIA

Personal data is securely stored by the Institution in accordance with the law in the environments listed below.

Table 2: Personal data storage media

Electronic Media
  • Servers (domain, backup, e-mail, database, web, file sharing, etc.)
  • Software (office software, portal, EBYS, VERBIS)
  • Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
  • Personal computers (desktop, laptop)
  • Mobile devices (phone, tablet, etc.)
  • Optical disks (CD, DVD, etc.)
  • Removable memories (USB, memory card, etc.)
  • Printer, scanner, copier

Non-Electronic Media
  • Paper
  • Manual data recording systems (survey forms, visitor logbook)
  • Written, printed, visual media

4. EXPLANATIONS ON STORAGE AND DISPOSAL

Personal data belonging to employees, employee candidates, patients, suppliers, visitors and employees of third parties, institutions or organizations with whom the Institution has a relationship as a service provider are stored and destroyed in accordance with the Law. In this context, detailed explanations on retention and destruction are given below respectively.

4.1 Explanations on Safekeeping

Article 3 of the Law defines the concept of processing personal data, Article 4 states that the personal data processed must be relevant, limited and proportionate to the purpose for which they are processed and must be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and Articles 5 and 6 list the conditions for processing personal data. Accordingly, within the framework of our Organization’s activities, personal data are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.

4.1.1 Legal Grounds Requiring Retention

Personal data processed within the framework of the activities of the Agency are retained for the period stipulated in the relevant legislation. In this context, personal data;

  • Law No. 6698 on the Protection of Personal Data,
  • Law No. 5651,
  • Turkish Code of Obligations No. 6098,
  • Turkish Commercial Code No. 4721,
  • Law No. 6563
  • Regulation on Private Health Insurance and related legislation
  • Patient Rights Regulation and related legislation
  • Deontology Regulation,
  • Law No. 5510 on Social Security and General Health Insurance, insurance legislation
  • Law No. 6331 on Occupational Health and Safety,
  • Law No. 4982 on Access to Information,
  • Law No. 3071 on the Exercise of the Right to Petition,
  • Labor Law No. 4857,
  • Law No. 5434 on Retirement Health,
  • Law No. 2828 on Social Services
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
  • Regulation on Archive Services
  • They are retained for the retention periods stipulated under other secondary regulations in force pursuant to these laws.

4.1.2 Processing Purposes that Require Retention

The Organization stores the personal data it processes within the framework of its activities for the following purposes.

  • Performance of health service
  • Invoicing operations
  • To carry out human resources processes.
  • To ensure corporate communication.
  • Institutional security and supervision,
  • Ensure data security,
  • Ensuring physical security of the institution’s interior,
  • Staff training,
  • To be able to perform works and transactions as a result of signed contracts and protocols.
  • Within the scope of VERBIS, to determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, to organize the services provided accordingly and to update them if necessary.
  • To ensure that legal obligations are fulfilled as required or mandated by legal regulations.
  • To liaise with real/legal persons who have a business relationship with the organization.
  • For informational purposes on Social Media accounts
  • To be able to send sms, electronic messages, respond to questions and complaints within the scope of health services
  • Procurement of financial consultancy and legal consultancy services
  • The burden of proof as evidence in future legal disputes.

4.2 Reasons for Destruction

Personal data;

  • Amendment or abolition of the relevant legislation provisions that constitute the basis for processing,
  • The purpose requiring processing or storage disappears,
  • In cases where the processing of personal data is carried out only on the basis of explicit consent, the data subject may withdraw his/her explicit consent,
  • Pursuant to Article 11 of the Law, the application made by the data subject for the deletion and destruction of his/her personal data within the framework of his/her rights is accepted by the Authority,
  • In cases where the Authority rejects the application made by the data subject with the request for deletion, destruction or anonymization of personal data, finds the answer insufficient or does not respond within the period stipulated in the Law; the data subject files a complaint with the Personal Data Protection Authority and this request is approved by the Personal Data Protection Authority,
  • Personal data shall be deleted, destroyed or anonymized by the Authority, ex officio or upon the request of the person concerned, in cases where the maximum period required for the storage of personal data has expired and there are no conditions that justify keeping the personal data for a longer period of time.

5. TECHNICAL AND ADMINISTRATIVE MEASURES

Technical and administrative measures are taken by the Authority within the framework of adequate measures determined and announced by the Board for special categories of personal data in accordance with Article 12 of the Law and Article 6, paragraph four of the Law for the safe storage of personal data, prevention of unlawful processing and access and destruction of personal data in accordance with the law.

5.1 Technical Measures

The technical measures taken by the Authority regarding the personal data it processes are listed below:

  • Through penetration tests, risks, threats, weaknesses and vulnerabilities, if any, in the information systems of our organization are revealed and the necessary measures are taken.
  • Risks and threats that will affect the continuity of information systems are continuously monitored as a result of real-time analysis with information security incident management.
  • Necessary measures are taken for the physical security of the organization’s information systems equipment, software and data.
  • In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 monitoring system, ensuring the physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, keys to the physical environments (archive, accounting, patient files, etc.) where the data are located are only available to the authorized person, etc.) and software (firewalls, attack prevention systems, anti-virus software, log recording tracking system, network access control, systems that prevent malware, etc.) measures are taken.
  • Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks, technical controls are carried out for the measures taken and regular IT support is received.
  • Access procedures are established within the organization and reporting and analysis studies on access to personal data are carried out.
  • Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control.
  • The Institution takes the necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
  • In the event that personal data is unlawfully obtained by others, a suitable system and infrastructure has been established by the Authority to notify the relevant person and the Board.
  • Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up-to-date.
  • Strong passwords are used in electronic environments where personal data is processed.
  • Secure logging systems are used in electronic environments where personal data is processed.
  • Data backup programs are used to ensure that personal data is stored securely.
  • Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
  • Necessary clarifications have been made for sensitive personal data and explicit consents have been obtained where required by law.
  • Trainings on special categories of personal data security were provided for employees involved in special categories of personal data processing processes, confidentiality agreements were made, and the authorizations of users authorized to access data were defined.
  • Adequate security measures are taken for the physical environments where special categories of personal data are processed, stored and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
  • If sensitive personal data is required to be transferred via e-mail, it is transferred encrypted via corporate e-mail address or using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept on different media. If transferring between servers in different physical environments, data transfer is performed by setting up a VPN between servers or by FTP method. If the document must be transferred via paper media, necessary precautions are taken against risks such as theft, loss or unauthorized viewing of the document and the document is sent in “confidential” format.

5.2 Administrative Measures

The administrative measures taken by the Authority regarding the personal data it processes are listed below:

  • In-house trainings are provided to improve the quality of employees, to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the protection of personal data.
  • Confidentiality agreements are signed with employees involved in the activities carried out by the organization and with the natural and legal persons (suppliers, etc.) from whom services are procured.
  • Legal action is taken against employees who do not comply with security policies and procedures.
  • Personal Data Protection Law Disciplinary Policy has been prepared.
  • Personal Data Protection Law Internal Directive has been prepared.
  • Personal Data Protection Law Cookie Policy has been prepared.
  • Personal Data Protection Law Application Form has been prepared.
  • Before starting to process personal data, the Authority fulfills its obligation to inform the data subjects and obtains the consent of the data subjects where required by law.
  • Clarification and Consent Forms have been prepared.
  • In-practice/Physical space KVK notifications are available.
  • Personnel Contracts are in compliance with the KVK.
  • A personal data processing inventory was prepared.
  • Internal periodic and random audits are conducted.
  • Information security trainings are provided for employees.
  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  • Personal data is minimized as much as possible.
  • Protocols and procedures for the security of sensitive personal data have been determined and implemented.
  • Personal Data Protection Law measures required by the pandemic process have been taken and necessary clarifications and information are provided to our patients and staff.

6. PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the period stipulated in the relevant legislation or at the end of the retention period required for the purpose for which they are processed, personal data are destroyed by the Authority ex officio or upon the application of the person concerned, in accordance with the provisions of the relevant legislation, by the following techniques.

6.1 Deletion of Personal Data

Personal data are deleted by the methods given in Table-3.

Table 3: Deletion of Personal Data

Data Recording Environment : Description

Personal Data on Servers : For personal data on the servers whose retention period has expired, deletion is made by the system administrator by removing the access authorization of the relevant users.

Personal Data in Electronic Media : Personal data stored in electronic media whose required retention period has expired are rendered inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator.

Personal Data in Physical Environment : Personal data kept in physical media whose required retention period has expired are rendered inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive. They are also blacked out by scratching/painting/erasing so that they cannot be read.

Personal Data on Portable Media : Personal data kept in flash-based storage media whose retention period has expired are encrypted by the system administrator; access authorization is given only to the system administrator, and the data are stored in secure environments together with the encryption keys.

6.2 Destruction of Personal Data

Personal data shall be destroyed by the Institution by the methods given in Table-4.

Table 4: Destruction of Personal Data

Data Recording Environment : Description

Personal Data in Physical Environment : Personal data in paper form are destroyed irreversibly at the end of the period for which they are required to be retained.

Personal Data in Optical / Magnetic Media : Physical destruction, such as melting, incineration or pulverization, is applied to personal data on optical and magnetic media whose retention period has expired. In addition, the magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable.

6.3 Anonymization of Personal Data

Anonymization of personal data means making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data.

In order for personal data to be anonymized; personal data must be rendered unassociated with an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording medium and the relevant field of activity, such as the return of personal data by the data controller or third parties and/or matching the data with other data.

7. STORAGE AND DESTRUCTION PERIODS

Regarding the personal data processed by the Institution within the scope of its activities;

  • Retention periods on personal data basis for all personal data within the scope of the activities carried out depending on the processes in the Personal Data Processing Inventory;
  • Retention periods based on data categories are recorded in VERBIS;
  • Process-based retention periods are included in the Personal Data Retention and Destruction Policy.

On these retention periods, if necessary, updates are made by the Institution Administrator. Ex officio deletion, destruction or anonymization of personal data whose retention periods have expired shall be carried out by the Data Security Officer.

Table 5: Process-based retention and disposal times table

Disposal period for every process below : At the first periodic destruction period following the end of the storage period.

Process : Storage time

Preparation and Execution of Contracts : 10 years following the expiration of the contract

Execution of Corporate Communication Activities : 10 years following the end of the activity

Carrying out patient registration and diagnosis and treatment processes : 20 years from the completion of the process

Execution of services (communication, etc.) activities other than institutional treatment processes : 10 years from the completion of the process

Preparation of contracts : 10 years from the completion of the process

Accounting Processes : 10 years from the completion of the process

Execution of Human Resources Processes : 10 years from the completion of the process

Severance pay, notice pay payments, documents, payroll information of the personnel leaving the job : 5 years from the date of termination of employment

Log Recording Tracking Systems : 2 years

Execution of Hardware and Software Access Processes : 2 years from the completion of the process

Camera Records : 1 month

Data on Customers and Potential Customers (cookies) : 13 months from completion

IYS Records : 3 years from the date of registration

8. PERIODIC DESTRUCTION PERIOD

Pursuant to Article 11 of the Regulation, the Agency has set the periodic destruction period as 6 months. Accordingly, the Agency carries out periodic destruction in June and December each year.
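The retention periods in Table 5 and the six-month periodic destruction cycle above together define a computable schedule: a record's destruction date is the first periodic destruction run on or after the end of its retention period. The following is an added example, not part of the policy and not the Institution's own code; it assumes that each periodic run takes place at the end of June and December (the policy names only the months), it covers only the Table 5 processes whose retention counts from a completion or registration date (contract-based rows, which count from contract expiry, are left out), and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
import calendar

# Section 8 of the policy: periodic destruction in June and December.
PERIODIC_DESTRUCTION_MONTHS = (6, 12)

# Retention periods from Table 5, in months. Process labels are shortened
# here for readability (assumption: they map to the Table 5 rows).
RETENTION_MONTHS = {
    "patient registration and treatment": 20 * 12,
    "services other than treatment": 10 * 12,
    "accounting": 10 * 12,
    "human resources": 10 * 12,
    "severance and payroll of leavers": 5 * 12,
    "log records": 2 * 12,
    "hardware and software access": 2 * 12,
    "camera records": 1,
    "cookies": 13,
    "IYS records": 3 * 12,
}


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (e.g. 31 January + 1 month -> 29 February in a leap year)."""
    total = d.month - 1 + months
    year = d.year + total // 12
    month = total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_end(completed: date, process: str) -> date:
    """End of the Table 5 storage period for a record of `process`."""
    return add_months(completed, RETENTION_MONTHS[process])


def next_periodic_destruction(after: date) -> date:
    """First periodic destruction date on or after `after`.
    Assumption: runs happen on the last day of June and December."""
    year = after.year
    while True:
        for m in PERIODIC_DESTRUCTION_MONTHS:
            candidate = date(year, m, calendar.monthrange(year, m)[1])
            if candidate >= after:
                return candidate
        year += 1


@dataclass(frozen=True)
class DestructionSchedule:
    process: str
    completed: date
    retention_ends: date
    destroy_on: date


def schedule(process: str, completed: date) -> DestructionSchedule:
    """Full lifecycle entry: retention end plus the periodic run that destroys it."""
    end = retention_end(completed, process)
    return DestructionSchedule(process, completed, end, next_periodic_destruction(end))


def overdue(records, today: date):
    """Records whose scheduled destruction date has already passed,
    i.e. a periodic run that was missed and needs a compliance follow-up."""
    return [r for r in records if r.destroy_on < today]


if __name__ == "__main__":
    # Constructed sample records, not real patient or log data.
    sample = [
        schedule("patient registration and treatment", date(2022, 3, 10)),
        schedule("log records", date(2022, 11, 15)),
        schedule("camera records", date(2023, 12, 20)),
        schedule("cookies", date(2023, 5, 31)),
    ]
    for r in sample:
        print(f"{r.process:38} completed {r.completed}  retention ends {r.retention_ends}  destroy on {r.destroy_on}")
    print("overdue as of 2030-01-01:", [r.process for r in overdue(sample, date(2030, 1, 1))])
```

The `overdue` check is the part worth wiring into an internal audit: it lists records whose scheduled run has passed, which is exactly what the periodic and random audits in section 5.2 need to catch.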

9. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

9.1 Special sensitivity is shown in the processing of Sensitive Personal Data, which is believed to be more critical for the Data Owner in various respects.

Special Categories of Personal Data are processed in accordance with the Law, provided that adequate measures to be determined by the Board are taken, in the presence of the following conditions:

  • If the Data Owner has explicit consent or
  • If the Data Owner has not given explicit consent: sensitive personal data other than those relating to the health and sexual life of the Data Owner are processed in cases stipulated by law, and sensitive personal data relating to the health and sexual life of the Data Owner are processed by persons under the obligation of confidentiality or by authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.

MEASURES REGARDING THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

In accordance with Article 6 of the Law and the Board’s decision dated 31.01.2018 and numbered 2018/10, the following measures are taken in the capacity of data controller in the processing of Special Categories of Personal Data:

This Policy has been determined for the security of sensitive personal data in a systematic, clear, manageable and sustainable manner. For employees involved in the processing of sensitive personal data,

  • Confidentiality agreements are in place,
  • The scope and duration of authorization of users authorized to access data are clearly defined,
  • Periodic authorization checks are carried out.
  • Protocols and procedures for the security of sensitive personal data have been determined and implemented.
  • Employees who are reassigned or leave their jobs are immediately de-authorized in this area. In this context, they return the inventory allocated to them by the Data Controller.
  • If the environments where Special Categories of Personal Data are processed, stored and/or accessed are physical environments;
    • Adequate security measures (against electric leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where Sensitive Personal Data is located,
    • Unauthorized access is prevented by ensuring the physical security of these environments.

10. TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA

The Sensitive Personal Data of the Data Owner, obtained in accordance with the law and in line with the purposes of data processing, is not transferred to third parties.

11. PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in two different media, wet signed (printed paper) and electronic media, and disclosed to the public on the website. The hard copy is also kept on file by the data manager.

12. POLICY UPDATE PERIOD

The policy is reviewed as needed and the necessary sections are updated.

13. ENFORCEMENT AND REPEAL OF THE POLICY

The Policy is deemed to have entered into force on the date written below. In the event that it is decided to be abolished, the old wet-signed copies of the Policy shall be canceled (by stamping or writing “cancelled”) with the decision to be made by the data manager and shall be kept by the data manager for at least 5 years.

10.09.2022