Processing of Personal Data and Protection Policy
1. PURPOSE AND SCOPE OF THE POLICY
Processing and protecting personal data in accordance with the law is of great importance for the data controller, Dr. Birkan Duras. This Personal Data Processing and Protection Policy (“Policy”) has been prepared in order to ensure that personal data processing activities comply with the Personal Data Protection Law No. 6698 and the regulations, circulars and directives issued within the scope of this law, and to harmonize the company as a whole with the KVKK legislation. In addition, this Policy determines the procedures and principles of personal data processing, storage and security.
The legal and technical terms included in this Policy have the following meanings:
Explicit Consent | Consent regarding a specific subject, based on information and expressed with free will, |
Relevant User | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data, |
Destruction | Deletion, destruction or anonymization of personal data, |
Law | Personal Data Protection Law No. 6698 dated 24.3.2016, |
Recording media | Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system, |
Personal Data | Any information regarding an identified or identifiable natural person, |
Personal Data Processing | Any operation performed on personal data by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making accessible, classifying or preventing the use of the data, |
Personal Data Deletion | Deletion of personal data; making personal data inaccessible and unusable in any way for Relevant Users, |
Personal Data Destruction | The process of making personal data inaccessible, irretrievable and unusable by anyone, |
Board | Personal Data Protection Board, |
Special Qualified Personal Data | Data regarding people’s race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data, |
Periodic Destruction | The deletion, destruction or anonymization process specified in the personal data storage and destruction policy, which will be carried out ex officio at recurring intervals when all the conditions for processing personal data specified in the law cease to exist, |
Contact Person / Data Owner | The real person whose personal data is processed, |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
3. PROCESSING OF PERSONAL DATA
3.1 Basic Principles in Processing Personal Data
Personal data will be processed in accordance with the basic principles specified in the law. In this context, personal data will be:
- processed in accordance with the law and the rules of honesty,
- kept accurate and, when necessary, up to date,
- processed for specific, clear and legitimate purposes,
- used and disclosed in a limited and measured manner in connection with the legal purpose for which they are processed,
- kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
3.2 Terms of Processing of Personal Data
Personal data that are not of special nature may be processed in the presence of at least one of the following legal reasons or by obtaining the explicit consent of the relevant person.
- Clearly prescribed by law
- It is necessary to process the data of the parties for the performance of the contract
- It is mandatory for the data controller to fulfill its legal obligation
- Data processing is mandatory for the establishment, exercise or protection of a right
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned
3.3 Processing of Special Personal Data
The procedures and principles to be followed when processing special personal data are explained in detail in the Processing of Special Personal Data Policy prepared and published by our company. You can access the Processing of Special Personal Data Policy on our website drbirkanduras.com.
3.4 Disclosure of the Personal Data Owner
Relevant persons are informed in accordance with the Law. In this context, relevant persons are informed about the identity of the data controller, the purposes for which personal data will be processed, to whom it will be transferred, the method by which it is collected, the legal reason and the following rights of the relevant person.
Rights of Relevant Persons;
- Learning whether personal data is processed,
- Requesting information if personal data has been processed,
- Learning the purpose of processing personal data and whether they are used for their intended purpose,
- Knowing the third parties to whom personal data is transferred at home or abroad,
- Requesting correction of personal data if they are incomplete or incorrectly processed,
- Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
- Requesting updates or deletions regarding personal data to be notified to transferred third parties,
- Objecting to the emergence of a result against the individual by analyzing the processed data exclusively through automatic systems,
- Requesting compensation for damages in case of damage due to unlawful processing of personal data.
Relevant persons may exercise their rights under Article 11 of the Law by completely filling out the Relevant Person Application Form, which can be accessed on our website drbirkanduras.com, and sending it in writing to our address Ayazağa Mah. Kemerburgaz Cad. No:10/A İç Kapı No:100 Sarıyer/İSTANBUL, or by sending it to our e-mail address info@drbirkanduras.com from the e-mail address they have previously notified to us and that is registered in our system.
Applications will be responded to as soon as possible and within 30 (thirty) days at the latest, free of charge.
4. PURPOSES OF PROCESSING PERSONAL DATA
Personal data is processed for the purposes listed below, in accordance with the basic principles set out in Article 4 of the Law and based on at least one of the processing conditions of personal data and special personal data specified in Articles 5 and 6 of the Law.
- Execution of emergency management processes
- Executing information security processes
- Conducting the application processes of employee candidates
- Fulfillment of obligations arising from employment contracts and legislation for employees
- Execution of fringe benefits and benefits processes for employees
- Conducting educational activities
- Execution of access authorizations
- Conducting activities in accordance with the legislation
- Carrying out finance and accounting affairs
- Ensuring physical space security
- Execution of assignment processes
- Following up and carrying out legal affairs
- Carrying out communication activities
- Planning human resources processes
- Carrying out occupational health and safety activities
- Receiving and evaluating suggestions for improving business processes
- Conducting performance evaluation processes
- Carrying out storage and archive activities
- Execution of contract processes
- Following up requests and complaints
- Ensuring the security of movable goods and resources
- Ensuring the security of data controller operations
- Carrying out talent and career development activities
- Providing information to authorized persons, institutions and organizations
- Execution of promotional activities
Personal data is processed limited to these purposes.
5. STORAGE PERIOD AND DESTRUCTION OF PERSONAL DATA
In accordance with the provisions of the Law and the Regulation on Deletion, Destruction or Anonymization of Personal Data, personal data are stored for the period necessary for the purpose for which they are processed and in accordance with the periods stipulated in the legal legislation governing the relevant activity.
First of all, it is determined whether the relevant legislation provides for a period of storage of personal data. If a period is specified in the legislation, the data is stored until the end of this period; if there is no legal period, it is stored for the period necessary for the purpose for which it is processed.
The storage periods determined separately for each category of personal data in accordance with the specified criteria are shown in the table below. Personal data is destroyed by the specified destruction methods within the six-month periodic destruction periods starting from the end of these periods, or within thirty days at the latest if the relevant person applies.
Storage periods of personal data:
PROCESSED DATA | CONTACT PERSON CATEGORY | STORAGE PERIOD |
Identity Information | Employee | 15 years after termination of active employment relationship |
Identity Information | Employee Candidate | The job application will not be stored if it is rejected |
Identity Information | Patient | 20 years from the end of treatment |
Identity Information | Companion | During service |
Identity Information | Real Persons Providing External Services | 10 years from end of service |
Contact Information | Employee | 15 years after termination of active employment relationship |
Contact Information | Employee Candidate | The job application will not be stored if it is rejected |
Contact Information | Patient | 20 years from the end of treatment |
Contact Information | Companion | During service |
Contact Information | Real Persons Providing External Services | 10 years from end of service |
Personal Health Data | Employee | 15 years after termination of active employment relationship |
Personal Health Data | Employee Candidate | The job application will not be stored if it is rejected |
Personal Health Data | Patient | 20 years from the end of treatment |
Criminal Conviction and Security Measures Information | Employee | 10 years after termination of active employment relationship |
Criminal Conviction and Security Measures Information | Employee Candidate | The job application will not be stored if it is rejected |
Abstract | Employee | 10 years after termination of active employment relationship |
Abstract | Employee Candidate | The job application will not be stored if it is rejected |
Legal Action | Employee and Patient | 10 years from the end of the legal process |
Transaction Security | Employee and Patient | 2 years |
Customer Transaction | Patient | 20 years |
Customer Transaction | Real Persons Providing External Services | 10 years from end of service |
Finance | Patient | 20 years |
Camera Recordings | For All Contact Groups | 2 months |
Professional Experience | Employee | 10 years after termination of active employment relationship |
Professional Experience | Employee Candidate | If the job application process is negative, it will not be stored |
Visual and Audio Recordings | Employee | 15 years after termination of active employment relationship |
Visual and Audio Recordings | Employee Candidate | If the job application process is negative, it will not be stored |
Reference Information | Employee Candidate | If the job application process is negative, it will not be stored |
Smoking Information | Employee Candidate | If the job application process is negative, it will not be stored |
Family Information | Employee | 10 years after termination of active employment relationship |
6.1 Transfer of Personal Data Domestically
Processed personal data may be transferred to the third parties listed below.
Personal data of our personnel;
- To judicial authorities and party lawyers, limited to the requested personal data upon request in case of legal dispute
- Identity and contact information to the authorized financial advisor for the purpose of tracking legal obligations
- Identity and financial information to the contracted bank for salary payment
- Identity information to the private insurance company for the Private Pension System
- Identity, communication, health, photograph, diploma and criminal conviction data to the district/provincial health directorate for the purpose of applying for a personnel work certificate
- Identity and title information to the Health Personnel Tracking System within the Ministry of Health
- Identity information to the Social Security Institution for the purpose of employment declaration
- Identity and financial information to the tax office for tax return
- Identity and family information to the tax office for minimum subsistence allowance
- To the software company that is the developer of workplace computer programs for archiving purposes
Personal data of patients receiving service;
- To judicial authorities and party lawyers, limited to the requested personal data upon request in case of legal dispute
- Identity, contact, health and companion information to the health institution to which the patient is referred, in case the patient is referred
- To the software company that is the developer of the patient registration program for the purpose of archiving patient files in accordance with the Private Hospitals Regulation
Personal data obtained from real persons providing services;
- Judicial authorities and party lawyers upon request in case of legal dispute
- Authorized financial advisor in accordance with legal obligations,
- Contracted bank for payments
- Software company that develops workplace computer programs for archiving
Personal data obtained from other groups of individuals;
In case of a legal dispute, it can be transferred to judicial authorities and party lawyers upon request.
7. PROTECTION OF PERSONAL DATA
As stated in Article 12 of the Law, our business takes the necessary technical and administrative measures to ensure the appropriate level of security, and carries out the necessary inspections or has them carried out to implement the measures taken, in order to:
- prevent unlawful processing of personal data,
- prevent unlawful access to personal data,
- ensure the protection of personal data.
7.1 Measures Taken for the Protection of Personal Data
- There are disciplinary regulations for employees that include data security provisions.
- Training and awareness activities are carried out for employees on data security at regular intervals.
- Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
- Confidentiality commitments are made.
- The signed contracts contain data security provisions.
- Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Periodical and/or random audits are carried out within the institution.
- Protocols and procedures for the security of special personal data have been determined and implemented.
- If sensitive personal data is to be sent via e-mail, it must be sent encrypted and using a KEP or corporate mail account.
- The authorization scope and duration of users who are authorized to access sensitive personal data are clearly defined.
- Inventory allocated to employees who change their duties or leave their jobs is returned.
- Personal data inventory has been prepared.
- Deletion, destruction or anonymization are carried out at periodic intervals.
- Network security and application security are provided.
- Security measures are taken within the scope of supply, development and maintenance of information technology systems.
- An authority matrix has been created for employees.
- Access logs are kept regularly.
- Employees who change their duties or leave their jobs have their authorizations in this area removed.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- User account management and authorization control system is implemented and these are also monitored.
- Log records are kept without user intervention.
- Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Special qualified personal data transferred on portable memory, CD and DVD media is encrypted.
- Periodic authorization checks are carried out for employees who have access to sensitive personal data.
- Security updates for the environments where the data is stored are constantly monitored, necessary security tests are carried out or commissioned regularly and the test results are recorded.
- Security tests of software that access sensitive personal data are carried out regularly and the test results are recorded.
- A two-stage authentication system is used for remote access to sensitive personal data.
- If personal health data is to be transferred between servers in different physical environments, transfer is made between the servers by establishing a VPN or using sFTP methods.
- For personal data stored in digital environment, periodic deletion, destruction or anonymization processes are carried out.
7.2 Precautions to be Taken in Case of Data Breach
If the personal data processed by our business is obtained by others through illegal means, our business will notify the data owner and the Board as soon as possible after learning of the violation.
Once our business has identified the persons affected by the violation in question, the relevant persons will be notified as soon as possible: directly if the contact address of the relevant person can be reached, or, if not, by publication on the drbirkanduras.com website.
The violation notification to be made to the relevant person will include:
- When the violation occurred,
- Which personal data was affected by the breach,
- Possible consequences of the violation,
- Measures taken or proposed to be taken to reduce the effects of the violation,
- The name and contact details of the contact person who will ensure that the relevant person receives information about the data breach.
8. COORDINATION OF PERSONAL DATA PROTECTION AND PROCESSING PROCESSES
The Responsible Manager coordinates the protection and processing of personal data.
Our business has the right to make changes to this Personal Data Processing and Protection Policy due to changes in legislation, in accordance with Board decisions or in line with developments in the sector or the field of informatics. Changes made in this context are immediately recorded in the text and explanations regarding the changes are added to the updates table below.
Updates Table
07.01.2021 | Personal Data Processing and Protection Policy has entered into force. |
This Personal Data Processing and Protection Policy has been prepared by the Data Controller and announced on the drbirkanduras.com website.
Storage and Protection of Personal Data Destruction Policy
This Personal Data Storage and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding the work and transactions related to personal data storage and destruction activities carried out by Dr. Birkan Duras as the data controller.
In line with its legal mission, vision and basic principles, our business has prioritized processing the personal data of patients, companions, personnel, personnel candidates and service providers in accordance with the Constitution of the Republic of Turkey, international conventions, Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation, and ensuring that relevant persons exercise their rights effectively.
Work and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared accordingly.
Personal data of patients, companions, personnel, personnel candidates and service providers are within the scope of this Policy, and this Policy is applied to all recording environments where personal data managed by our business is processed and activities related to personal data processing.
1.3 Abbreviations and Definitions
The legal and technical terms included in this Policy have the following meanings:
Buyer Group | Category of natural or legal person to whom personal data is transferred by the data controller, |
Explicit Consent | Consent regarding a specific subject, based on information and expressed with free will, |
Anonymization | The process of making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data, |
Employee | Operation personnel, |
EBYS | Electronic Document Management System, |
Electronic Media | Environments where personal data can be created, read, changed and written with electronic devices, |
Non-Electronic Media | All written, printed, visual and other media other than electronic media, |
Service Provider | Real or legal person who provides services within the framework of a specific contract with our business, |
Contact Person | The real person whose personal data is processed, |
Relevant User | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data, |
Destruction | Deletion, destruction or anonymization of personal data, |
Law | Personal Data Protection Law No. 6698 dated 24.3.2016, |
Recording media | Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system, |
Personal Data | Any information regarding an identified or identifiable natural person, |
Personal Data Processing Inventory | The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes and legal reason for processing personal data, the data category, the transferred recipient group and the data subject group, and that they detail by explaining the maximum retention period required for the purposes for which the personal data are processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security, |
Personal Data Processing | Any operation performed on personal data by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making accessible, classifying or preventing the use of the data, |
Board | Personal Data Protection Board, |
Special Qualified Personal Data | Data regarding people’s race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data, |
Periodic Destruction | The deletion, destruction or anonymization process specified in the personal data storage and destruction policy, which will be carried out ex officio at recurring intervals when all the conditions for processing personal data specified in the law cease to exist, |
Policy | Personal Data Storage and Destruction Policy, |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller, |
Data Recording System | The recording system in which personal data is structured and processed according to certain criteria, |
VERBIS | Data Controllers Registry Information System, |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system, |
Regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017. |
2. EXPLANATIONS ON STORAGE AND DISPOSAL
Personal data processed by our business is stored and destroyed in accordance with the Law.
In this context, detailed explanations regarding storage and disposal are given below.
Article 3 of the Law defines the concept of processing personal data; Article 4 states that the personal data processed should be related to the purpose for which they are processed, limited and proportionate, and should be kept for the period required by the relevant legislation or for the purpose for which they are processed; and Articles 5 and 6 list the conditions for processing personal data.
Accordingly, personal data is stored for the period stipulated in the relevant legislation or for the period appropriate to our processing purposes.
2.1.1 Legal Reasons Requiring Personal Data Storage
Processed personal data is processed and stored if at least one of the legal reasons listed below exists.
- Clearly prescribed by law
- It is necessary to process the data of the parties for the performance of the contract
- It is mandatory for the data controller to fulfill its legal obligation
- Data processing is mandatory for the establishment, exercise or protection of a right
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned
- Providing preventive medicine, medical diagnosis, treatment and care services
- Explicit Consent
2.1.2 Processing Purposes Requiring Storage
Personal data is processed and stored for the purposes stated below.
- Execution of emergency management processes
- Executing information security processes
- Conducting the application processes of employee candidates
- Fulfillment of obligations arising from employment contracts and legislation for employees
- Execution of fringe benefits and benefits processes for employees
- Conducting educational activities
- Execution of access authorizations
- Conducting activities in accordance with the legislation
- Carrying out finance and accounting affairs
- Ensuring physical space security
- Execution of assignment processes
- Following up and carrying out legal affairs
- Carrying out communication activities
- Planning human resources processes
- Carrying out occupational health and safety activities
- Receiving and evaluating suggestions for improving business processes
- Conducting performance evaluation processes
- Carrying out storage and archive activities
- Execution of contract processes
- Following up requests and complaints
- Ensuring the security of movable goods and resources
- Ensuring the security of data controller operations
- Carrying out talent and career development activities
- Providing information to authorized persons, institutions and organizations
- Carrying out promotional activities
2.2 Reasons Requiring Destruction
Reasons requiring the destruction of personal data:
- Amendment or abolition of the relevant legislative provisions that constitute the basis for its processing,
- The purpose requiring processing or storage is eliminated,
- In cases where personal data is processed only on the basis of explicit consent, the relevant person withdraws his/her explicit consent,
- Our business accepts the application made by the relevant person regarding the deletion and destruction of his/her personal data within the framework of his/her rights in accordance with Article 11 of the Law,
- The relevant person complains to the Board, and the Board approves this request, in cases where our business rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, the relevant person finds the answer given insufficient, or our business does not respond within the time period stipulated in the Law,
- The maximum period requiring personal data to be stored has passed and there are no conditions that justify storing personal data for a longer period of time.
In such cases, personal data is deleted or destroyed by our business upon the request of the relevant person, or is deleted, destroyed or anonymized ex officio.
3. TECHNICAL AND ADMINISTRATIVE MEASURES
In order to safely store personal data, prevent unlawful processing of and access to personal data, and destroy personal data in accordance with the law, technical and administrative measures are taken in accordance with Article 12 of the Law and, for special personal data, within the framework of the adequate measures determined and announced by the Board in accordance with the fourth paragraph of Article 6 of the Law.
The technical measures taken regarding the processed personal data are listed below:
- Network security and application security are provided.
- Security measures are taken within the scope of supply, development and maintenance of information technology systems.
- An authority matrix has been created for employees.
- Access logs are kept regularly.
- Employees who change their duties or leave their jobs have their authorizations in this area removed.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- User account management and authorization control system is implemented and these are also monitored.
- Log records are kept without user intervention.
- Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Special qualified personal data transferred on portable memory, CD and DVD media is encrypted.
- Periodic authorization checks are carried out for employees who have access to sensitive personal data.
- Security updates for the environments where the data is stored are constantly monitored, necessary security tests are carried out or commissioned regularly and the test results are recorded.
- Security tests of software that access sensitive personal data are carried out regularly and the test results are recorded.
- A two-stage authentication system is used for remote access to sensitive personal data.
- If personal health data is to be transferred between servers in different physical environments, transfer is made between the servers by establishing a VPN or using sFTP methods.
- For personal data stored in digital environment, periodic deletion, destruction or anonymization processes are carried out.
Administrative measures taken regarding processed personal data are listed below:
- There are disciplinary regulations for employees that include data security provisions.
- Training and awareness activities are carried out for employees on data security at regular intervals.
- Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
- Confidentiality commitments are made.
- The signed contracts contain data security provisions.
- Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Periodical and/or random audits are carried out within the institution.
- Protocols and procedures for the security of special personal data have been determined and implemented.
- If special personal data is to be sent via e-mail, it must be sent encrypted and using a KEP or corporate mail account.
- The authorization scope and duration of users who are authorized to access sensitive personal data are clearly defined.
- Inventory allocated to employees who change their duties or leave their jobs is returned.
- Personal data inventory has been prepared.
- Deletion, destruction or anonymization are carried out at periodic intervals.
4. STORAGE AND DISPOSAL PERIOD
Retention periods for the personal data processed by our business within the scope of its activities are included in the Personal Data Storage and Destruction Policy.
Updates are made to these retention periods if necessary.
For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out during the first periodic destruction period following the end of the storage period.
PROCESSED DATA | CONTACT PERSON CATEGORY | STORAGE PERIOD |
Identity Information | Employee | 15 years after termination of active employment relationship |
Identity Information | Employee Candidate | The job application will not be stored if it is rejected |
Identity Information | Patient | 20 years from the end of treatment |
Identity Information | Companion | During service |
Identity Information | Real Persons Providing External Services | 10 years from end of service |
Contact Information | Employee | 15 years after termination of active employment relationship |
Contact Information | Employee Candidate | The job application will not be stored if it is rejected |
Contact Information | Patient | 20 years from the end of treatment |
Contact Information | Companion | During service |
Contact Information | Real Persons Providing External Services | 10 years from end of service |
Personal Health Data | Employee | 15 years after termination of active employment relationship |
Personal Health Data | Employee Candidate | The job application will not be stored if it is rejected |
Personal Health Data | Patient | 20 years from the end of treatment |
Criminal Conviction and Security Measures Information | Employee | 10 years after termination of active employment relationship |
Criminal Conviction and Security Measures Information | Employee Candidate | The job application will not be stored if it is rejected |
Abstract | Employee | 10 years after termination of active employment relationship |
Abstract | Employee Candidate | The job application will not be stored if it is rejected |
Legal Action | Employee and Patient | 10 years from the end of the legal process |
Transaction Security | Employee and Patient | 2 years |
Customer Transaction | Patient | 20 years |
Customer Transaction | Real Persons Providing External Services | 10 years from end of service |
Finance | Patient | 20 years |
Camera Recordings | For All Contact Groups | 2 months |
Professional Experience | Employee | 10 years after termination of active employment relationship |
Professional Experience | Employee Candidate | If the job application process is negative, it will not be stored |
Visual and Audio Recordings | Employee | 15 years after termination of active employment relationship |
Visual and Audio Recordings | Employee Candidate | If the job application process is negative, it will not be stored |
Smoking Information | Employee Candidate | If the job application process is negative, it will not be stored |
Family Information | Employee | 10 years after termination of active employment relationship |
Our business ex officio deletes, destroys or anonymizes personal data in accordance with the principles and procedures set out in this Policy, in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data in accordance with the provisions of the Law and Regulation arises.
If the relevant person duly applies to us using the right to request the deletion of personal data specified in Article 13 of the Law:
- If all the conditions for processing personal data have been eliminated, the personal data subject to the request will be deleted, destroyed or anonymized by an appropriate destruction method within 30 (thirty) days from the day the request is received.
- If all the conditions for processing personal data have not been eliminated, the request may be rejected by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection response will be notified to the relevant person in writing or electronically within 30 (thirty) days at the latest.
In accordance with Article 11 of the Regulation, the periodic destruction period is determined as 6 months. Accordingly, periodic destruction is carried out every year in June and December.
At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data are destroyed ex officio or upon the application of the relevant person, using the techniques specified below, in accordance with the provisions of the relevant legislation.
Personal data is deleted by the methods given below.
Data Recording Medium | Description |
Personal Data on Servers | For the personal data on the servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and performs the deletion. |
Personal Data in Electronic Environment | Personal data in the electronic environment whose retention period has expired is made inaccessible and unusable in any way for other employees (relevant users) except the database administrator. |
Personal Data in the Physical Environment | Personal data kept in the physical environment whose retention period has expired is made inaccessible and unusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, it is blacked out by drawing over, painting or erasing the surface so that it cannot be read. |
Personal Data on Portable Media | Personal data kept on flash-based storage media whose retention period has expired is encrypted by the system administrator and stored in secure environments with encryption keys; access authorization is given only to the system administrator. |
6.2 Destruction of Personal Data
Personal data is destroyed by the methods given below.
Data Recording Medium | Description |
Personal Data in the Physical Environment | Personal data stored on paper whose retention period has expired is irreversibly destroyed in paper shredding machines. |
Personal Data Contained in Optical / Magnetic Media | Personal data contained in optical media and magnetic media whose storage period has expired is physically destroyed by methods such as melting, burning or pulverizing. In addition, the data on the magnetic media is rendered unreadable by passing it through a special device and exposing it to a high magnetic field. |
6.3 Anonymization of Personal Data
Anonymization of personal data means making it impossible to associate personal data with an identified or identifiable natural person in any way, even if it is matched with other data.
In order for personal data to be considered anonymized, it must be made impossible to associate with an identified or identifiable natural person, even through the use of techniques appropriate to the recording environment and the relevant field of activity, such as reversal by the data controller or third parties and/or matching the data with other data.
While our company anonymizes personal data, it does so in accordance with the above-mentioned standards. After the anonymization of personal data, personal data cannot be associated with an identified or identifiable natural person in any way.
7. MEASURES TAKEN TO ENSURE THE LEGAL COMPLIANCE OF THE DISPOSAL PROCESS
Destruction operations carried out ex officio upon request and during periodic destruction processes are carried out in accordance with the Law, the Regulation and this Policy. The technical and administrative measures taken in this context are shown separately below.
- Access rights to personal data of employees in information technology units are kept under control.
- The destruction of personal data is ensured in a way that the data cannot be recovered and does not leave an audit trail.
- Personnel are trained on personal data protection legislation, data security and destruction.
- The destruction processes are inspected at regular intervals. Necessary measures are taken to eliminate detected security vulnerabilities.
Personal data is stored in accordance with the provisions of the law, regulation and other relevant legislation. The recording media of personal data stored in this context are shown in the table below.
Electronic Media | Non-Electronic Media |
Servers (domain, backup, email, database, web, file sharing, etc.); Software (Meddata Software, office software, portal); Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.); Computers (desktop, laptop); Mobile devices (phone, tablet, etc.); Optical discs (CD, DVD, etc.); Removable memories (USB, memory card, etc.); Printer, scanner, copier; Medical devices | Paper; Manual data recording systems; Written, printed and visual media |
9. PRECAUTIONS TAKEN FOR PERSONAL DATA SECURITY
In order to safely store personal data, prevent unlawful processing of and access to personal data, and destroy personal data in accordance with the law, technical and administrative measures are taken within the framework of the adequate measures determined and announced by the Board for special personal data, in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law.
The technical measures taken regarding the processed personal data are listed below:
- Network security and application security are provided.
- Security measures are taken within the scope of supply, development and maintenance of information technology systems.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Intrusion detection and prevention systems are used.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Cryptographic encryption and backup are provided.
- User account management, key management and data masking are performed.
- Deletion, destruction or anonymization is carried out.
- Data loss prevention software is used.
Administrative measures taken regarding processed personal data are listed below:
- There are disciplinary regulations for employees that include data security provisions.
- Training and awareness activities are carried out for employees on data security at regular intervals.
- Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
- Employees who change their duties or leave their jobs have their authorizations in this area removed.
- Personal data security policies and procedures have been determined.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data is reduced as much as possible.
- Periodical and/or random audits are carried out within the institution.
10. PERSONNEL TITLE, UNIT AND DUTY DISTRIBUTION
All units and employees actively support the responsible units in properly implementing the technical and administrative measures taken within the scope of the Policy, in increasing the training and awareness of unit employees, in ensuring monitoring and continuous supervision, and in taking technical and administrative measures to ensure data security in all environments where personal data is processed, in order to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure that personal data is stored in accordance with the law.
11. UPDATES TO THE POLICY
Changes may be made to this Personal Data Storage and Destruction Policy due to changes in legislation, in accordance with Board decisions or in line with developments in the sector or the field of informatics. Changes made in this context are immediately recorded in the text and explanations regarding the changes are added to the updates table below.
Updates Table
07.01.2021 | Personal Data Processing and Destruction Policy has entered into force. |
This Personal Data Storage and Destruction Policy was prepared by Dr. Birkan Duras and announced in appropriate places within the enterprise and to the personnel working under employment contracts and other relevant persons.
Cookie Information Text
This information text has been prepared in order to fulfill the disclosure obligation specified in Article 10 of the Personal Data Protection Law No. 6698 (“Law”) regarding the processing of personal data obtained by the data controller, Dr. Birkan Duras.
Purpose of Use of Cookies
Cookies are identifier files that websites leave on communication devices such as computers, smartphones and tablets. They enable accessed devices to be recognized in order to provide an improved user experience when websites are revisited.
Cookies help the relevant website remember information about your visit to any website. They can facilitate your next visit and make the site more useful.
The use of cookies left at the address of the data controller is carried out in accordance with the Law and the legislation we are obliged to comply with.
1. Use of Cookies
When you visit the website drbirkanduras.com, you agree to the cookies necessary for the use of the website to be placed on your device.
If you do not want our business to use cookies on your device, you can reject the use of cookies in the cookie settings section of your browser. If you reject the use of cookies, you may not be able to use some parts of the website https://drbirkanduras.com properly.
When deemed necessary, our business may stop using the cookies it uses, change their types or functions, or add new cookies to the website. In cases where the Cookie Policy is changed, the modified policy will be valid from the date of change.
Types of Cookies Used and Purposes of Use
Session cookies: Refer to temporary cookies that are kept on your devices until you leave the website.
Persistent cookies: These are cookies that remain on your device’s hard disk for a long time.
Mandatory cookies: Enable the website to function properly and allow users to navigate the site and benefit from its features. Mandatory cookies are anonymous.
Functional and Analytical cookies: They include data about remembering your preferences, using the website effectively, optimizing the site to respond to user requests, and how visitors use the site. Due to their nature, these types of cookies may contain your personal information consisting of username and password.
The retention period of the session, permanent, functional and analytical cookies described above is approximately six months, but necessary adjustments can be made for this period in the settings of the internet browser from which our site is accessed.
Ways to Control Cookie Usage
You have the opportunity to personalize your preferences regarding cookies by changing the settings of your browser.
Purpose of Processing Personal Data
Personal data is processed for the following purposes in accordance with the principles specified in Article 4 of the Law:
- Remembering your preferences, using the website effectively, optimizing the site to respond to user requests,
- Being used, on a limited basis, as evidence in disputes that may arise.
Transfer of Personal Data
Processed personal data may be transferred to the third parties listed below.
- Judicial authorities and party lawyers in case of legal dispute
- The company from which server service is obtained, for recording and archiving purposes
Personal Data Collection Method and Legal Reason
Personal data obtained electronically is processed automatically for the legal reasons stated below.
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned
Rights of the Personal Data Owner
In accordance with Article 11 of the Law, everyone can apply to the data controller and exercise the following rights:
- Learning whether personal data is processed,
- Requesting information if personal data has been processed,
- Learning the purpose of processing personal data and whether they are used for their intended purpose,
- Knowing the third parties to whom personal data is transferred at home or abroad,
- Requesting correction of personal data in case of incomplete or incorrect processing and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
- Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the law and other relevant legal provisions, and requesting that the action taken in this context be notified to third parties to whom the personal data has been transferred,
- Objecting to the emergence of a result against the individual by analyzing the processed data exclusively through automatic systems,
- Requesting compensation for the damage in case of damage due to unlawful processing of personal data.
You can submit your requests within the scope of your rights specified in Article 11 of the Law by completely filling out the Relevant Person Application Form, which you can obtain from our website https://drbirkanduras.com, and sending it in writing to our address Ayazağa Mah. Kemerburgaz Cad. No:10/A İç Kapı No:100 Sarıyer/İSTANBUL, or by sending it from your e-mail address that you have previously notified to us and that is registered in our system to our address info@drbirkanduras.com.
Applications made as stated above will be responded to free of charge as soon as possible and within 30 (thirty) days at the latest. However, if the transaction subject to your request causes an additional cost, the fee at the tariff determined by the Personal Data Protection Board will be charged.