PERSONAL DATA STORAGE AND DISPOSAL POLICY

PROF.DR.AHMET MURAT BÜLBÜL

1. INTRODUCTION

1.1 Purpose

This Personal Data Retention and Disposal Policy (“Policy”) applies to the whole of Prof.Dr. Ahmet Murat BÜLBÜL’s Office (hereinafter referred to as the “Practice”) within the framework of the current legislation and is based on the nationally accepted basic principles regarding personal data destruction. It sets out the framework and principles for the destruction work required under the relevant legislation.

The third paragraph of Article 7 of the Law on the Protection of Personal Data (“Law”) contains the provision “The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by a regulation”. Pursuant to this provision and subparagraph (e) of the first paragraph of Article 22 of the Law, the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”) was prepared by the Personal Data Protection Board (“Board”) and published in the Official Gazette dated 28 October 2017 and numbered 30224.

Based on the above regulation, the purpose of this Policy is to determine the procedures and principles regarding the deletion, destruction or anonymization of the personal data processed in the course of the practice in accordance with the Regulation.

1.2. Scope

This Policy applies to the personal data of patients, their relatives, employees, employees/authorities of companies from which services are received or to which services are provided, and suppliers with whom our practice has legal relations.

1.3. Abbreviations and Definitions

| CONCEPT | DEFINITION |
| --- | --- |
| Recipient group | Category of natural or legal persons to whom personal data is transferred by the data controller |
| Explicit consent | Consent on a particular subject, based on information and expressed with free will |
| Anonymization | Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data |
| Electronic environment | Environments where personal data can be created, read, changed and written by electronic devices |
| Non-electronic media | All written, printed, visual, etc. environments other than electronic media |
| Related person | Natural person whose personal data is processed |
| Related user | The persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data |
| Destruction | Deletion, destruction or anonymization of personal data |
| Law | Law No. 6698 on the Protection of Personal Data |
| Recording media | Any medium containing personal data that is processed by fully or partially automated means, or by non-automatic means provided that it is a part of any data recording system |
| Personal data | Any information relating to an identified or identifiable natural person |
| Personal data owner | Natural person whose personal data is processed |
| Processing of personal data | All kinds of operations performed on the data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or blocking the use of personal data, in whole or in part, by automatic means or by non-automatic means provided that it is a part of any data recording system |
| Personal data processing inventory | The inventory that data controllers create by associating the personal data processing activities they carry out, depending on their business processes, with the purposes of processing, the data category, the recipient group to which data is transferred and the data subject group, and in which they explain the maximum time required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security |
| Board | Personal Data Protection Board |
| Institution | Personal Data Protection Authority |
| Special categories of personal data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data |
| Periodic destruction | The deletion, destruction or anonymization process specified in the personal data storage and destruction policy, to be carried out ex officio at recurring intervals in the event that all of the conditions for processing personal data in the Law cease to exist |
| Policy | The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization |
| Registry | The registry of data controllers kept by the Personal Data Protection Authority |
| Data processor | The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller |
| Data recording system | The registry system where personal data is processed and structured according to certain criteria |
| Data controller | Prof.Dr. Ahmet Murat BÜLBÜL |
| Regulation | Regulation on the Deletion, Destruction or Anonymization of Personal Data, which entered into force by being published in the Official Gazette dated 28.10.2017 and numbered 30224 |

2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

The data controller, Prof.Dr. Ahmet Murat BÜLBÜL, is responsible for the storage and destruction processes of personal data.

3. RECORDING ENVIRONMENTS

Personal data is stored safely by the Institution in the environments listed in Table 2, in accordance with the law.

Table 2: Personal data storage environments

Electronic Media

  • Servers (Domain, backup, email, database, web, file sharing, etc.)

  • Software (office software)

  • Mobile devices (phone, tablet, etc.)

  • Removable memories (USB, Memory Card etc.)

  • Printer, scanner, copier

  • Removable memory such as USB, hard disk

  • Desktop and laptop

  • Folders

Non-Electronic Media

  • Paper

  • Manual data recording systems

  • Written, printed, visual media

  • Folders

4. EXPLANATIONS ON STORAGE AND DISPOSAL

The practice stores and destroys the personal data of patients, relatives, employees, employees/authorities of companies from which services are received or to which services are provided, and suppliers in accordance with the KVKK.

In this context, detailed explanations regarding storage and disposal are given below, respectively.

4.1 Remarks on Retention

Article 3 of the Law defines the concept of processing personal data, and Article 4 states that the personal data processed must be relevant, limited and proportionate to the purpose for which they are processed and must be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Accordingly, personal data within the scope of practice activities are stored for the period stipulated in the relevant legislation or for a period suitable for our processing purposes.

4.1.1 Legal Reasons for Retention

The practice preserves the personal data processed within the framework of its activities for the period stipulated in the relevant legislation. In this context, personal data are stored for the storage periods specified in the following laws in particular, and in the other secondary legislation in force:

  • Tax Procedure Law No. 213
  • Labor Law No. 4857
  • Social Insurance and General Health Insurance Law No. 5510
  • Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts
  • Turkish Code of Obligations No. 6098
  • Turkish Commercial Code No. 6102
  • Health Services Basic Law No. 3359
  • Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates
  • Private Hospitals Regulation
  • Law No. 6698 on the Protection of Personal Data

4.1.2. Processing Purposes Requiring Storage

The practice stores personal data for the following processing purposes:

Fulfillment of Employment Contract and Legislative Obligations for Employees
Execution of Benefits and Benefits Processes for Employees
Execution of Activities in Compliance with the Legislation
Execution of Finance and Accounting Affairs
Follow-up and Execution of Legal Affairs
Execution of Communication Activities
Planning of Human Resources Processes
Execution of Goods / Services Purchasing Transactions
Execution of Goods / Services Production and Operation Processes
Execution of Storage and Archive Activities
Execution of Contract Processes
Execution of Supply Chain Processes
Execution of Medical Diagnosis, Treatment and Care Services
Providing Information to Authorized Persons, Institutions and Organizations

4.2. Reasons for Destruction

Personal data;

Making, or repealing, the entity’s principal doing
without processing or use
Withdrawal of consent by the relevant person, in cases where the processing of personal data is based only on the express consent condition,
Acceptance of an application made by the relevant persons under Article 11 of the KVKK,
Deletion of personal data by the persons concerned or not taking advantage of the training with no reason, not keeping it within the time limit; Remuneration to the Board and the appropriate type and form of this request beforehand.

In the expiry of the period in which the personal data is held and the personal data are valid, the examination room is requested by the relevant persons, is absent, ex officio, destroyed or for a short time.

5. TECHNICAL AND ADMINISTRATIVE MEASURES

So that all personal data are handled in accordance with the law, the practice takes technical and administrative measures within the framework of Article 12 of the KVKK and the measures determined by the Board under the fourth paragraph of Article 6 of the KVKK.

5.1. Technical Measures

The technical measures taken by the practice are as follows:

Current anti-virus systems are used.
Firewalls are used.
Encryption is done.

5.2. Administrative Measures

The administrative measures taken by the practice are as follows:

Confidentiality commitments are made.
Preparations for entry to trainings related to personal data.
Environments containing personal data are protected against external risks, floods, etc.
From the creators of the media containing personal data.
It is made customizable.

6. PERSONAL DATA DISPOSAL TECHNIQUES

It is destroyed by signs, as appropriate, for use by the practice ex officio or in relation to the target, for the relevant training planning intended for the time used in the delivery or for the purpose that can be processed.

6.1. Deletion of Personal Data

Personal data are deleted by the methods given in Table 3.

Table 3: Deletion of personal data

| Data Recording Environment | Explanation |
| --- | --- |
| Personal data in the physical environment | Personal data in the physical environment are deleted by using the blackout method or by keeping the document in a secure environment where it cannot be accessed by the relevant users. |
| Personal data on servers | The system administrator removes the access authorization of the relevant users and deletes the personal data on the servers for those whose period of time has expired. |
| Personal data in databases | By assigning a role and permission, the relevant user is prevented from accessing the personal data in the database. |

6.2. Destruction of Personal Data

The methods used by the practice to destroy personal data in accordance with the law are as follows:

Table 4: Destruction of Personal Data

| Data Recording Environment | Explanation |
| --- | --- |
| Personal data in the physical environment | Personal data in the physical environment are deleted by using the blackout method or by keeping the document in a secure environment where it cannot be accessed by the relevant users. |
| Personal data on servers | The system administrator removes the access authorization of the relevant users and deletes the personal data on the servers for those whose period of time has expired. |
| Personal data in databases | By assigning a role and permission, the relevant user is prevented from accessing the personal data in the database. |

6.3. Anonymization of Personal Data

Anonymization of personal data means making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

For personal data to be anonymized, they must be rendered incapable of being associated with an identified or identifiable natural person even through the use of techniques appropriate to the recording medium and the relevant field of activity, such as reversal of the anonymization by the data controller or third parties and/or matching the data with other data.

7. STORAGE AND DISPOSAL TIMES

Regarding the personal data processed by the practice within the scope of its activities:

Retention periods for each item of personal data, covering all personal data within the scope of the activities carried out in connection with the processes, are recorded in the Personal Data Processing Inventory;
Storage periods on the basis of data categories are recorded in VERBIS;
Process-based retention periods are included in this Personal Data Retention and Disposal Policy.

The destruction of personal data is carried out by the Practice according to the retention periods determined under the relevant legislation for each relationship. Personal data whose storage period has expired are deleted, destroyed or anonymized in the periodic destruction periods determined by the Practice.

Table 5: Process-Based Storage and Disposal Times Table

| PROCESS | STORAGE PERIOD | DISPOSAL TIME |
| --- | --- | --- |
| Execution of human resources employee processes | 10 years from the employee’s departure | In the period of periodic destruction of the first 6 months following the end of the retention period |
| Execution of contract processes | 10 years after contract expiration | In the period of periodic destruction of the first 6 months following the end of the retention period |
| Accounting and finance processes | 10 years after registration | In the period of periodic destruction of the first 6 months following the end of the retention period |
| Patient/ person receiving product service | 10 years from the end of the client/patient relationship | In the period of periodic destruction of the first 6 months following the end of the retention period |

Ex officio deletion, destruction or anonymization of personal data whose storage period has expired is carried out by Prof.Dr. Ahmet Murat BÜLBÜL.

8. PERIODIC DISPOSAL TIME

In accordance with Article 11 of the Regulation, the period of periodic destruction has been determined by the practice as 6 months. Accordingly, periodic destruction is carried out by the Practice in June and December each year.

9. PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website.

10. UPDATE PERIOD OF THE POLICY

The policy is updated as needed and when changed processes are identified.

11. EFFECT AND REVOCATION OF THE POLICY

This Policy is deemed to have entered into force after its publication on the website of the Practice.

Address

Teşvikiye Mh, Terrace Fulya Center, Hakkı Yeten Cd.,

Şişli, İstanbul