1. OBJECTIVE OF THE POLICY
The purpose of this policy is to determine all the rules, roles, and responsibilities
related to the storage and destruction of personal data in accordance with the obligations of personal data protection and other obligations specified in the Personal Data Protection Law No. 6698 (Law) and the Regulation on Deletion, Destruction, or
Anonymization of Personal Data published in the Official Gazette No. 30224 on
28.10.2017 (Regulation) within the framework of DOÇ. DR. PELİN ÖZTÜRK.
2. SCOPE OF THE POLICY
The policy covers all personal data and special categories of personal data defined in Law No. 6698 held within DOÇ. DR. PELİN ÖZTÜRK, including all employees, managers, consultants, affiliates in cases of personal data sharing, external service
providers, and individuals, both legal and natural, with whom DOÇ. DR. PELİN ÖZTÜRK has legal relations.
Unless otherwise specified in this policy, the term “Personal Data” will generally refer to personal data and special categories of personal data.
3. DEFINITIONS
Anonymization: The process of rendering personal data incapable of being associated with an identified or identifiable real person in any way, even when matched with other data.
Destruction: The process of deleting or destroying personal data.
Personal Data: Any kind of information related to a real person who is identified or
identifiable.
Personal Data Storage Table (Periods): A table showing the periods during which personal data will be kept at DOÇ. DR. PELİN ÖZTÜRK.
Personal Data Processing Inventory: An inventory created by data controllers, associating the personal data processing activities they carry out with their business processes; specifying the maximum period required for the purposes for which personal data is processed, personal data transferred to foreign countries, and the measures taken for data security.
Personal Data Deletion: The process of making personal data inaccessible and unusable for relevant users.
Personal Data Destruction: The process of making personal data inaccessible, irretrievable, and unusable by anyone.
Special Categories of Personal Data: Data related to a person’s race, ethnic origin,
political opinion, philosophical belief, religion, sect, or other beliefs, appearance, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
Periodic destruction: Periodic deletion, destruction, or anonymization process performed ex officio at specified intervals as stated in the personal data storage and destruction policy when all processing conditions specified in the law are eliminated.
Data recording system: The system in which personal data is processed by being structured according to certain criteria.
Direct identifiers: Identifiers that, on their own, directly reveal, disclose, and distinguish the person they relate to.
Indirect identifiers: Identifiers that, when combined with other identifiers, reveal, disclose, and distinguish the person they are related to.
Law: Personal Data Protection Law published in the Official Gazette on 07.04.2016 and numbered 29677.
Regulation: Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette No. 30224 on 28.10.2017.
Board: Personal Data Protection Board.
Record medium: Any environment where personal data processed by wholly or partly
automatic means or as a part of any data recording system is located.
Personal Data Protection and Processing Policy: The policy determining the procedures and principles regarding the management of personal data held by DOÇ. DR. PELİN ÖZTÜRK, which can be accessed at “www.corclinic.com.tr.”
4. RECORD MEDIA REGULATED BY THE POLICY
Any environment where personal data processed by wholly or partly automatic
means or as a part of any data recording system is located falls within the scope of the
record medium.
4.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED
Personal data stored within DOÇ. DR. PELİN ÖZTÜRK is kept in a record environment in compliance with the ISO 27001:2013 Information Security Management System, considering the nature of the data and our legal obligations.
The record environments used for storing personal data are generally as follows. However, some data may be in a different environment than those shown here due to their special qualities or our legal obligations. DOÇ. DR. PELİN ÖZTÜRK acts as the data controller, processes and protects
data within the scope of the KVKK Law, the Personal Data Protection and Processing Policy, this Personal Data Storage and Destruction Policy, and ISO 27001:2013 Information Security Management System, in accordance with legal requirements.
a) Physical Environments | Environments where data is printed on paper or microfilm. |
b) Local Digital Environments | Digital environments within DOÇ. DR. PELİN ÖZTÜRK, such as servers, fixed or portable disks, optical disks, and other digital media. |
c) Cloud Environments | Internet-based systems operated outside DOÇ. DR. PELİN ÖZTÜRK but used by it, on which personal data is stored encrypted with cryptographic methods. |
4.2. ENSURING THE SECURITY OF ENVIRONMENTS
“DOÇ. DR. PELİN ÖZTÜRK” takes all necessary technical and administrative measures within the scope of the ISMS (ISO 27001:2013) to ensure the secure storage of personal data and to prevent its unlawful processing and access. These measures include, but are not limited to, the following administrative and technical measures, applied to the extent appropriate for the nature of the relevant personal data and the environment in which it is held:
4.2.1. Technical Measures
“DOÇ. DR. PELİN ÖZTÜRK” takes the following technical measures for all environments where personal data is stored, considering the nature of the relevant data and the environment:
- Only up-to-date and secure systems compatible with technological developments are used in environments where personal data is stored.
- Security systems are employed for the environments where personal data is stored.
- Security tests and research are conducted to identify vulnerabilities in information systems, and any identified current or potential risk factors are addressed.
- Access to the environments where personal data is stored is restricted, allowing only authorized individuals limited access for the purpose of storing personal data.
- Adequate technical personnel are employed within DOÇ. DR. PELİN ÖZTÜRK to ensure the security of the environments where personal data is stored.
4.2.2. Administrative Measures
“DOÇ. DR. PELİN ÖZTÜRK” takes the following administrative measures within the scope of the Personal Data Protection Law (KVKK) for all environments where personal data is stored:
- Training and awareness programs are conducted for all employees of “DOÇ. DR. PELİN ÖZTÜRK” who have access to personal data to increase awareness and knowledge regarding information security, personal data, and privacy.
- Legal and technical consultancy services are obtained to monitor developments in information security, privacy, and personal data protection and to take necessary actions accordingly.
- Protocols are signed with third parties to whom personal data may be transferred due to technical or legal requirements, ensuring that these third parties comply with their obligations stated in these protocols.
4.2.3. Internal Audit
“DOÇ. DR. PELİN ÖZTÜRK” conducts internal audits in accordance with Article 12 of the Law to ensure compliance with the provisions of the Law, this Personal Data Storage and Destruction Policy, and the Personal Data Protection and Processing Policy. Any deficiencies or shortcomings identified during an audit are promptly rectified. If it is understood, during an audit or in any other way, that personal data under the responsibility of “DOÇ. DR. PELİN ÖZTÜRK” has been obtained unlawfully by others, “DOÇ. DR. PELİN ÖZTÜRK” reports this situation to the data subject and to the Board as soon as possible.
5. RESPONSIBILITIES AND AUTHORITIES OF THE PERSONAL DATA PROTECTION COMMITTEE
5.1. Personal Data Protection Committee
The Personal Data Protection Committee is responsible for announcing the Policy to the relevant business units and ensuring the implementation of its requirements by the units of “DOÇ. DR. PELİN ÖZTÜRK.”
5.2. Responsibilities
The Personal Data Protection Committee determines and announces the processes for reviewing, evaluating, tracking, and concluding processes related to laws and regulations, decisions, and regulations of the Board, court decisions, and/or requests regarding the protection of personal data.
5.3. The Personal Data Protection Committee determines the processes for the examination, evaluation, follow-up and finalisation of the requirements of the Law and its secondary regulations, the decisions and regulations of the Board, the decisions of courts and other competent authorities, and related requests, and announces them to the relevant units.
6. PROCEDURES IN CASE THE CONDITIONS FOR PROCESSING PERSONAL DATA CEASE TO EXIST
6.1. Cessation of Processing Conditions
If the purpose of processing personal data ceases to exist, explicit consent is withdrawn, or all of the processing conditions specified in Articles 5 and 6 of the Law cease to exist and none of the exceptions in those articles apply, the personal data for which the processing conditions have ceased to exist is deleted, destroyed, or anonymized by the relevant business unit in accordance with the requirements of the Regulation and the ISMS (ISO 27001:2013) controls, taking into account the type of personal data, the systems it is part of, and the responsible business unit.
6.2. Periodic Review
Users and data controllers who process or store personal data of “DOÇ. DR. PELİN ÖZTÜRK” will review whether the conditions for processing have ceased to exist at least every four months in the data recording environments they use. Regardless of the periodic review period, if it is understood, upon the request of the data subject or notification from the Authority or a court, that the conditions for processing have ceased to exist, the relevant users and units will conduct this review in the data recording environments they use without delay.
6.3. Decision on Deletion
As a result of periodic reviews or at any time when it is determined that the processing conditions have ceased to exist, the relevant user or data owner will decide on the deletion, destruction, or anonymization of the personal data in their possession, taking into account the type of personal data and the responsible business unit. In case of doubt, the decision will be made in consultation with the relevant data owner unit. When it is necessary to decide on the destruction of personal data with multi-stakeholder ownership in Central Information Systems, the opinion of the Personal Data Protection Committee will be obtained, and the decision on whether to store or delete, destroy, or anonymize the data will be made by the relevant data owner unit in accordance with this policy.
6.4. Record Keeping
All processes related to the deletion, destruction, or anonymization of personal data are recorded, and these records are kept for at least three years, except for other legal obligations.
6.5. Announcement of Methods
Methods applied for the deletion, destruction, or anonymization of personal data will be published and disclosed after the implementation of the Policy.
6.6. Compliance with Legal Requirements
The deletion, destruction, or anonymization of personal data must comply with the general principles in Article 4 of the Law and the technical and administrative measures to be taken within
the scope of Article 12 of the Law, relevant legislation, Board decisions, and court decisions.
6.7. Notification in Case of Unlawful Acquisition
In the event that it is understood, during an audit or in any other way, that personal data under the responsibility of “DOÇ. DR. PELİN ÖZTÜRK” has been unlawfully obtained by others, “DOÇ. DR. PELİN ÖZTÜRK” will immediately notify the data subjects concerned and the Board.
6.8. Request for Deletion
If a natural person who is the owner of personal data applies to “DOÇ. DR. PELİN ÖZTÜRK” requesting the deletion, destruction, or anonymization of their personal data, the relevant data owner unit will examine whether all processing conditions for the requested personal data have ceased to exist. If all processing conditions have ceased to exist, the requested personal data will be deleted, destroyed, or anonymized. The request will be concluded within thirty days from the date of application, and the data subject will be informed through the Data Protection Officer appointed by the Personal Data Protection Committee. If all processing conditions have ceased to exist and the personal data subject to the request has been transferred to third parties, the relevant data owner unit will immediately inform the third party to whom the transfer was made and ensure that the necessary procedures are carried out by that third party within the scope of the Regulation.
6.9. Identity Verification
Requests for the deletion or destruction of personal data will only be evaluated if the identity of the data subject is verified through the application channels set out in the Personal Data Protection and Processing Policy. Where a request is made through another channel, the data subject will be directed to a channel through which their identity can be verified.
7. IMPLEMENTATION OF THE POLICY, VIOLATIONS, AND SANCTIONS
7.1. Effective Date
This Policy will come into effect by being announced to all employees and data subjects through the “DOÇ. DR. PELİN ÖZTÜRK” website, and it will be binding on all units, consultants, customers, insurance companies, external service providers, and all other parties processing personal data on behalf of “DOÇ. DR. PELİN ÖZTÜRK.”
7.2. Monitoring and Reporting
The monitoring of whether employees of “DOÇ. DR. PELİN ÖZTÜRK” comply with the requirements of the Policy is the responsibility of their superiors. If a violation is detected, the matter will be immediately reported to the immediate superior of the relevant employee, and in case of a significant violation, the Personal Data Protection Committee will be informed without delay.
7.3. Administrative Actions
After an evaluation by Human Resources, administrative actions will be taken if an employee violates the Policy.
7.4. Security Measures
“DOÇ. DR. PELİN ÖZTÜRK” takes all necessary security measures within the scope of the Personal Data Protection Law to fulfill the requirements of the Policy.
8. INDIVIDUALS INVOLVED IN PERSONAL DATA STORAGE AND DESTRUCTION PROCESSES AND THEIR RESPONSIBILITIES
All employees, customers, insurance companies, consultants, external service providers, and anyone processing personal data on behalf of “DOÇ. DR. PELİN ÖZTÜRK” are responsible for fulfilling the requirements of the Law, Regulation, and Policy related to the storage and processing of personal data. Each business unit is responsible for storing and protecting the data it produces in its business processes; however, if the data produced is only found in information systems beyond the control and authorization of the business unit, the data will be stored by the relevant information systems departments.
8.1. PERSONAL DATA PROTECTION COMMITTEE
“DOÇ. DR. PELİN ÖZTÜRK” establishes a Personal Data Protection Committee. The committee is authorized and responsible for performing the necessary processes for the storage and processing of the personal data of relevant individuals in accordance with the law, the Personal Data Protection and Processing Policy, and the Personal Data Storage and Destruction Policy. The Personal Data Protection Committee consists of at least three people, including a manager, an administrative expert, and a technical expert. The titles and job descriptions of employees assigned to the Personal Data Committee are as follows:
Title | Job Description |
Personal Data Protection Committee Manager | Responsible for directing all planning, analysis, research, and risk identification activities in projects related to compliance with the law; managing the processes to be carried out in accordance with the Law, the Personal Data Protection and Processing Policy, and the Personal |
GDPR Specialist (Contact Person) | Responsible for:
|
8.2. STORAGE AND DESTRUCTION REASONS
8.2.1. Storage Reasons
Personal data held within the scope of DOÇ. DR. PELİN ÖZTÜRK is stored for the purposes and reasons specified here in accordance with the Law and our Personal Data Policy (you can access the relevant policy at www.corclinic.com.tr).
8.2.2. Destruction Reasons
Personal data held within “DOÇ. DR. PELİN ÖZTÜRK” is deleted, destroyed, or anonymized according to this destruction policy in case of the request of the relevant person or the elimination of the reasons stated in Articles 5 and 6 of the Law. The reasons specified in Articles 5 and 6 of the KVKK Law are as follows:
- Processing is expressly provided for by law.
- It is necessary to protect the life or physical integrity of the data subject or of another person who cannot express consent due to actual impossibility or whose consent is not legally valid.
- It is necessary for the establishment or performance of a contract directly related to the parties of the contract, provided that it is limited to the personal data of the parties to the contract.
- It is necessary for the data controller to fulfill its legal obligation.
- It has been made public by the data subject himself/herself.
- Processing is mandatory for the establishment, exercise, or protection of a right.
- Processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
8.3. DESTRUCTION METHODS
“DOÇ. DR. PELİN ÖZTÜRK,” in accordance with the Law and other legislation and the Personal Data Protection and Processing Policy, deletes, destroys, or anonymizes personal data stored as required by the reasons for processing data when the reasons for processing cease, either at the request of the relevant person or within the periods specified in this Personal Data Storage and Destruction Policy.
8.3.1.1 Deletion Methods
For Personal Data Kept in Physical Environment
- Redaction: Personal data in physical format is deleted by redaction: the personal data on the relevant document is cut out where possible or, if that is not possible, made unreadable with indelible ink.
For Personal Data Kept in Cloud and Local Digital Environment
- Secure software deletion: Personal data stored in cloud or local digital environments is digitally deleted so that it cannot be recovered by the relevant users.
8.3.1.2 Destruction Methods
For Personal Data Kept in Physical Environment
- Physical destruction: Documents kept in physical format are destroyed with document destruction machines in a way that cannot be reassembled.
For Personal Data Kept in Local Digital Environment
- Physical destruction: Optical and magnetic media containing personal data are physically destroyed by melting, burning, pulverizing, or similar methods.
- Degaussing: Exposing magnetic media to a high magnetic field to render the data on it unreadable.
- Overwriting: Writing random data consisting of 0s and 1s at least seven times over magnetic and rewritable optical media so that the old data cannot be read or recovered.
For Personal Data Kept in Cloud Environment
- Secure software deletion: Personal data stored in the cloud is digitally deleted irreversibly, and all copies of the encryption keys needed to make the personal data usable are destroyed when the cloud computing service relationship is terminated.
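The following is an added example of the overwriting method described above, not code belonging to the policy or to DOÇ. DR. PELİN ÖZTÜRK. It overwrites a file seven times with fresh random bytes, forces each pass to the device with fsync, and only then unlinks the file; the demo() helper, the sample record content and the 64 KiB chunk size are assumptions made for the example. The approach assumes magnetic media on which an in-place write reaches the same sectors; on SSDs, copy-on-write or journaling filesystems and cloud storage the old blocks can survive the overwrite, which is why the policy pairs digital deletion with destruction of encryption keys or physical destruction for those media.

```python
"""Multi-pass overwrite of a file before unlinking (added example, not the policy's own code).

Assumption: the file lives on magnetic media where in-place writes reach the
original sectors. On SSDs, copy-on-write/journaling filesystems and cloud storage
old blocks may survive, so use crypto-erase (key destruction) or physical
destruction there instead of relying on this routine.
"""
import os
import tempfile

CHUNK = 1 << 16  # write granularity per pass, 64 KiB (assumed value)


def overwrite_and_delete(path: str, passes: int = 7) -> int:
    """Overwrite `path` with random bytes `passes` times, fsync after each pass, then unlink.

    Returns the total number of bytes written across all passes.
    """
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n))  # random 0s and 1s, a new pattern every pass
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before starting the next
    os.unlink(path)  # remove the directory entry only after the content is gone
    return written


def demo() -> dict:
    """Create a constructed sample record file, destroy it, and report what was checked."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    # Constructed sample content; the identifiers are placeholders, not real data.
    sample = b"patient_id=000000;name=Ornek Hasta;note=constructed sample\n" * 50
    with os.fdopen(fd, "wb") as fh:
        fh.write(sample)
    size = os.path.getsize(path)
    written = overwrite_and_delete(path, passes=7)
    return {
        "size": size,
        "written": written,
        "passes": written // size,
        "exists_after": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Keep the access record the policy requires (who ran the destruction, on which file, when, with how many passes) alongside the return value, since the routine itself leaves no trace once the file is unlinked.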
8.3.1.3. Anonymization Methods
Anonymization is the process of rendering personal data incapable of being associated with a real person in any way, even when matched with other data. The following anonymization methods are used by “DOÇ. DR. PELİN ÖZTÜRK” depending on the nature of the relevant data. When applying these methods, “DOÇ. DR. PELİN ÖZTÜRK” may use statistical measures such as k-anonymity, l-diversity, and t-closeness to check the result.
- Removal of variables: Removing one or more of the direct identifying variables within personal data related to the data subject.
- Regional concealment: Deleting information that may be distinctive about the data in the data table where personal data is anonymously present in bulk.
- Generalization: Combining personal data from many individuals, removing distinctive information, and turning it into statistical data.
- Lower and upper limit coding/global coding: Defining intervals for a specific variable and categorizing it. If the variable does not contain numerical values, similar values in the variable are categorized. Values within the same category are merged.
- Micro-aggregation: All records in the data set are first arranged in a meaningful order and the whole set is divided into a certain number of subsets. The average of the variable's value is then taken for each subset, and the value of the variable for every record in that subset is replaced with the average. This makes it difficult to associate the data with the data subject, because the indirectly identifying characteristics in the data are blurred.
- Data mixing and scrambling: Mixing or scrambling direct or indirect identifiers in personal data with other values to sever their relationship with the data subject and make them lose their identifying characteristics.
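The block below is an added example, not the clinic's own code, showing how the methods listed above fit together on a constructed patient table and how the k-anonymity and l-diversity measures the section mentions are computed to check the result. The record set, the choice of age and district as quasi-identifiers, the 10-year age bands, the group size of 2 for micro-aggregation and the target k=2 are all assumptions for the example; regional concealment is implemented here as dropping the records whose quasi-identifier class is still below k after generalization.

```python
"""Anonymization pipeline on a constructed table (added example, not the policy's own code).

Order: removal of variables -> lower/upper limit coding -> regional concealment
-> micro-aggregation, then k-anonymity and l-diversity checks over the quasi-identifiers.
"""
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample records; names and districts are placeholders, not real people.
RECORDS = [
    {"name": "A. Yilmaz", "age": 34, "district": "Kadikoy", "visits": 3, "diagnosis": "dx1"},
    {"name": "B. Demir", "age": 37, "district": "Kadikoy", "visits": 5, "diagnosis": "dx2"},
    {"name": "C. Kaya", "age": 52, "district": "Besiktas", "visits": 1, "diagnosis": "dx1"},
    {"name": "D. Celik", "age": 58, "district": "Besiktas", "visits": 2, "diagnosis": "dx3"},
    {"name": "E. Arslan", "age": 41, "district": "Uskudar", "visits": 8, "diagnosis": "dx2"},
    {"name": "F. Dogan", "age": 45, "district": "Uskudar", "visits": 6, "diagnosis": "dx1"},
    {"name": "G. Sahin", "age": 63, "district": "Sisli", "visits": 4, "diagnosis": "dx3"},
]
QUASI = ("age", "district")  # indirect identifiers (assumed choice)


def _cls(row, quasi):
    return tuple(row[q] for q in quasi)


def remove_variables(rows, direct_identifiers=("name",)):
    """Removal of variables: drop direct identifiers outright."""
    return [{k: v for k, v in r.items() if k not in direct_identifiers} for r in rows]


def global_code_age(rows, width=10):
    """Lower/upper limit coding: replace the exact age with a band such as '30-39'."""
    out = []
    for r in rows:
        lo = (r["age"] // width) * width
        out.append({**r, "age": f"{lo}-{lo + width - 1}"})
    return out


def regional_conceal(rows, k_target, quasi=QUASI):
    """Regional concealment: delete records whose quasi-identifier class is still distinctive."""
    classes = Counter(_cls(r, quasi) for r in rows)
    return [r for r in rows if classes[_cls(r, quasi)] >= k_target]


def micro_aggregate(rows, var="visits", group_size=2):
    """Micro-aggregation: sort by `var`, cut into groups, replace each value with the group mean."""
    ordered = sorted(rows, key=lambda r: r[var])
    out = []
    for i in range(0, len(ordered), group_size):
        group = ordered[i:i + group_size]
        avg = mean(r[var] for r in group)
        out.extend({**r, var: avg} for r in group)
    return out


def k_anonymity(rows, quasi=QUASI):
    """k = size of the smallest equivalence class over the quasi-identifiers."""
    return min(Counter(_cls(r, quasi) for r in rows).values())


def l_diversity(rows, sensitive="diagnosis", quasi=QUASI):
    """l = fewest distinct sensitive values found in any equivalence class."""
    by_class = defaultdict(set)
    for r in rows:
        by_class[_cls(r, quasi)].add(r[sensitive])
    return min(len(s) for s in by_class.values())


def anonymize(rows, k_target=2):
    """Run the pipeline and return (anonymized rows, k, l)."""
    step = remove_variables(rows)
    step = global_code_age(step)
    step = regional_conceal(step, k_target)
    step = micro_aggregate(step)
    k = k_anonymity(step)
    if k < k_target:
        raise ValueError(f"k={k} is below the target {k_target}; generalize further")
    return step, k, l_diversity(step)


if __name__ == "__main__":
    rows, k, l = anonymize(RECORDS)
    print(f"k={k}, l={l}")
    for r in rows:
        print(r)
```

On the constructed table the raw data has k=1 (every age is unique), banding the ages yields three classes of two records each, the single record in the 60-69/Sisli class is concealed, and the visit counts are replaced by pair averages while their total is preserved. The l-diversity of 2 shows why k alone is not enough: a class whose two records share one diagnosis would still disclose it, which is the situation the t-closeness and l-diversity checks named in the text are there to catch.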
9. PERSONAL DATA STORAGE AND DESTRUCTION PERIODS
The table showing Personal Data Storage and Destruction Periods is included in Annex: 1. In periodic destruction or destruction processes to be carried out upon request, the storage and destruction periods will be taken into account. The business units that own the processes included in the personal data inventory, with the evaluations of the Personal Data Protection Committee in case of doubt, will update the table showing Personal Data Storage and Destruction Periods.
9.1. Personal data Retention Table (Periods)
DATA OWNER | DATA CATEGORY | DATA STORAGE PERIOD |
Employee | Personal data based on recruitment documents and notifications to the Social Security Institution regarding service duration and wage, excluding personal data related to service duration and | Stored for a period of 50 (fifty) years from the continuation and termination of the employment contract. |
Employee | Personal data other than personnel data related to service duration and wage based on recruitment documents, including but not limited to, those based on recruitment documents and notifications to the Social Security Institution regarding service duration and wage. | Stored for a period of 10 (ten) years from the beginning of the calendar year following the continuation and termination of the employment contract. |
Employee | Data in the Workplace Personal Health File Content | Stored for a period of 30 (thirty) years from the continuation and termination of the employment contract. |
Business Partner/Solution Partner/Consultant | Identity information, contact information, financial information, voice recordings taken during phone calls related to the conduct of the commercial relationship between “…………….” and the Business Partner/Solution Partner/Consultant. | Stored for a period of 10 (ten) years in accordance with Turkish Code of Obligations Article 146 and Turkish Commercial Code Article 82, starting from the duration and termination of the business/commercial relationship with “…………………”. |
* If a longer period is stipulated by the legislation or if a longer period is specified for statutes of limitations, lapse of rights, retention periods, etc. under the legislation, the periods specified in the legislation are considered as the maximum retention periods.
9.2. Destruction Periods
“DOÇ. DR. PELİN ÖZTÜRK” initiates the deletion, destruction, or anonymization of personal data for which it is responsible in the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymize arises, in accordance with the Law, relevant legislation, the Personal Data Protection and Processing Policy, and this Personal Data Storage and Destruction Policy.
When the data subject requests the deletion or destruction of their personal data from “DOÇ. DR. PELİN ÖZTÜRK” in accordance with Article 13 of the Law:
- If all processing conditions for personal data have ceased to exist, “DOÇ. DR. PELİN ÖZTÜRK” deletes, destroys, or anonymizes the personal data subject to the request within 30 (thirty) days from the date of receiving the request, explaining the reasons and using an appropriate destruction method. For “DOÇ. DR. PELİN ÖZTÜRK” to be deemed to have received the request, the data subject must make the request in accordance with the Personal Data Protection and Processing Policy. In any case, “DOÇ. DR. PELİN ÖZTÜRK” informs the data subject about the transaction.
- If all processing conditions for personal data have not ceased to exist, this request may be rejected by “DOÇ. DR. PELİN ÖZTÜRK” in accordance with the third paragraph of Article 13 of the Law, stating the reasons, and the rejection response is communicated to the data subject in writing or electronically within thirty days at the latest.
10. PERIODIC DESTRUCTION PERIODS
In case all processing conditions for personal data stipulated in Law No. 6698 cease to exist; “DOÇ. DR. PELİN ÖZTÜRK” deletes, destroys, or anonymizes the personal data whose processing conditions have ceased to exist in a transaction to be carried out periodically at intervals specified in this Personal Data Storage and Destruction Policy. Periodic destruction processes start on 30.09.2019 and recur every 6 (six) months.
10.1. LEGALITY CONTROL OF THE DESTRUCTION PROCESS
“DOÇ. DR. PELİN ÖZTÜRK” performs deletion, destruction, or anonymization processes, both upon request and in periodic destruction processes, in accordance with the Law, other legislation,
the Personal Data Protection and Processing Policy, and this Personal Data Storage and Destruction Policy.
10.1.1. Technical Measures
- “DOÇ. DR. PELİN ÖZTÜRK” provides technical tools and equipment suitable for each destruction method specified in this policy.
- “DOÇ. DR. PELİN ÖZTÜRK” ensures the security of the location where the destruction processes are carried out.
- “DOÇ. DR. PELİN ÖZTÜRK” keeps access records of individuals performing the destruction process.
- “DOÇ. DR. PELİN ÖZTÜRK” employs competent and experienced personnel to perform the destruction process or, if necessary, obtains services from competent third parties.
10.1.2. Administrative Measures
- “DOÇ. DR. PELİN ÖZTÜRK” conducts awareness and training activities for employees who will perform the destruction process to increase awareness and consciousness in the fields of information security, the privacy of personal data, and private life.
- “DOÇ. DR. PELİN ÖZTÜRK” receives legal and technical consultancy services to follow developments in information security, the privacy of private life, personal data protection, and secure destruction techniques and to take necessary actions.
- “DOÇ. DR. PELİN ÖZTÜRK” signs protocols with third parties when the destruction process is performed by third parties due to technical or legal requirements, showing all due diligence to ensure that the third parties comply with their obligations in these protocols for the protection of personal data.
- “DOÇ. DR. PELİN ÖZTÜRK” regularly audits whether the destruction processes are carried out in accordance with the regulations and with the conditions and obligations specified in this Personal Data Storage and Destruction Policy, and takes the necessary actions.
- All transactions related to the deletion, destruction, and anonymization of personal data are recorded, and these records are kept for at least three years, unless another legal obligation requires a longer period.
11. EFFECT
11.1. This policy will take effect as of the publication date.
11.2. The announcement of the policy throughout DOÇ. DR. PELİN ÖZTÜRK and making necessary updates are the responsibility of the Personal Data Protection Committee.
12. UPDATING and COMPLIANCE
“DOÇ. DR. PELİN ÖZTÜRK” reserves the right to make changes to the Personal Data Storage and Destruction Policy due to changes in the Law, institutional decisions, developments in the sector, or developments in the field of information technology. Changes to this Personal Data Storage and Destruction Policy are promptly incorporated into the text, and explanations regarding the changes are provided at the end of the policy.