PERSONAL DATA DELETION POLICY
The data controller is the practice of Assoc. Prof. Dr. Güncel Öztürk, which stores and disposes of your personal data in accordance with the Constitution, Law No. 6698 on the Protection of Personal Data, the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and other relevant legislation, in line with the general principles and provisions set out in this Personal Data Retention and Disposal Policy.
With this Policy, the Practice aims to set out the general principles and rules regarding the retention and disposal of personal data of real persons subject to personal data processing activities within the scope of the PDPL (KVKK) and to fulfill the obligations determined by legislation.
Explicit Consent: Consent given for a specific subject, based on being informed and expressed with free will,
Recipient Group:The category of natural or legal persons to whom personal data is transferred by the data controller,
Anonymization : Rendering personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching it with other data.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data,
Disposal:Deletion, destruction, or anonymization of personal data,
Personal Data:Any information relating to an identified or identifiable natural person (e.g., name-surname, Turkish ID number, e-mail, address, date of birth, credit card number, bank account number
Data Subject: The natural person whose personal data is processed,
Processing of Personal Data: Any operation performed on data such as obtaining (fully or partially automatic or non-automatic provided that it is part of a data recording system), recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data,
Special Categories of Personal Data: Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data,
Periodic Disposal: The deletion, destruction, or anonymization process to be carried out ex officio at repeating intervals specified in this Policy in cases where all conditions for processing personal data under the PDPL (KVKK) cease to exist,
RECORDING MEDIA REGULATED BY THE POLICY
It covers all personal data subject to data processing activities within the scope of the PDPL (KVKK). In addition, the documents referenced by the Policy include both physical and digital copies.
The Practice stores all personal data subject to data processing activities within the scope of the PDPL (KVKK), which are processed fully or partially automatically or non-automatically provided that they are part of a data recording system, in the environments listed below:
Practice computers, e-mail accounts, desktop computers, employees’ devices (e.g., mobile phones), backup areas, paper files, folders, visitor logbook, CD, DVD, USB, hard drives, printer, photocopier, etc.
REASONS REQUIRING THE RETENTION AND DISPOSAL OF PERSONAL DATA
In personal data processing activities, the following principles are adopted:
- Compliance with law and the rule of good faith,
• Ensuring that personal data is accurate and, when necessary, up to date,
• Processing for specific, explicit, and legitimate purposes,
• Being relevant, limited, and proportionate to the purposes for which they are processed,
• Retaining for the period stipulated in relevant legislation or required for the purposes for which they are processed.
Our Practice retains and uses personal data in line with personal data processing purposes and based on the conditions for processing personal data set out in Articles 5 and 6 of the PDPL (KVKK) listed below; and if all of these conditions cease to exist, it disposes of personal data ex officio or upon the request of the data subject:
Having the Data Subject’s Explicit Consent: The first condition for processing personal data is the data subject’s explicit consent.
Explicitly Stipulated by Law:The personal data of the data subject may be processed lawfully without obtaining explicit consent where it is explicitly stipulated by law.
Inability to Obtain the Data Subject’s Explicit Consent Due to Actual Impossibility:Where it is necessary to process personal data to protect the life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent cannot be deemed valid, or of another person, the data subject’s personal data may be processed.
Directly Related to the Establishment or Performance of a Contract:Processing of personal data is possible where it is necessary, provided that it is directly related to the establishment or performance of a contract, for processing personal data belonging to the parties of the contract.
Legal Obligation: Where processing is mandatory for the Company to fulfill its legal obligations, the data subject’s personal data may be processed.
Data Subject Making Personal Data Public:Where the data subject has made their personal data public, such personal data may be processed limited to the extent of the public disclosure.
Necessity of Processing for the Establishment, Exercise, or Protection of a Right:Where processing is mandatory for the establishment, exercise, or protection of a right, the data subject’s personal data may be processed.
Necessity of Processing for Our Company’s Legitimate Interest:Provided that it does not harm the fundamental rights and freedoms of the data subject, the data subject’s personal data may be processed where processing is mandatory for our Company’s legitimate interests.
DELETION, DESTRUCTION, OR ANONYMIZATION OF PERSONAL DATA
Personal data are deleted, destroyed, or anonymized by the Company upon the request of the data subject or ex officio in cases where the relevant legislative provisions forming the basis for processing are amended or repealed; the purpose requiring processing or retention ceases to exist; in cases where processing is based solely on explicit consent and the data subject withdraws such consent; the maximum retention period has expired and there is no condition justifying retaining personal data for a longer period.
Unless the Personal Data Protection Board decides otherwise, our Company selects the appropriate method among ex officio deletion, destruction, or anonymization methods according to technological capabilities and implementation costs. Upon the data subject’s request, the rationale for the appropriate method is explained. Necessary technical and administrative measures are taken for each of these operations.
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN
In accordance with Article 12 of the PDPL (KVKK) and the Regulation, the general principles stated above, this Policy, and the decisions of the Personal Data Protection Board, our Practice takes the necessary technical and administrative measures in line with technological capabilities and implementation costs regarding the following matters:
- The necessary software and hardware have been determined. Strong passwords are used on computers and e-mail accounts.
- What must be protected in terms of safeguarding patient information has been conveyed to our staff through training, and responsibilities have been set out in writing through employment contracts. (Confidentiality Agreements) This obligation continues even after the relevant persons leave their positions.
- The necessary infrastructure has been established for backing up all data.
- The employees who can access data on computers have been identified.
- Client files and information are provided only to the data subjects themselves, their relatives for whom they have given written approval, relevant public institutions and organizations within the framework of legislation, and competent judicial authorities in judicial cases.
- Before starting personal data processing, the obligation to inform the relevant persons is fulfilled by the Institution.
- A personal data processing inventory has been prepared.
RETENTION AND DISPOSAL PERIODS
Our Practice retains and disposes of personal data only for the period specified in the legislation it is obliged to comply with or for the period required for the purposes for which they are processed.
If the data subject applies to our Company requesting the disposal of their personal data:
If all conditions for processing personal data have ceased to exist: The Company finalizes the data subject’s request within thirty days at the latest and informs the data subject; if the personal data subject to the request have been transferred to third parties, it notifies the third party and ensures that the necessary actions are taken before the third party.
If all conditions for processing personal data have not ceased to exist: The Company may reject the data subject’s request by explaining the reason pursuant to the third paragraph of Article 13 of the PDPL (KVKK) and notifies the data subject of the rejection response within thirty days at the latest in writing or electronically.
PERIODIC DISPOSAL PERIODS
Personal data are disposed of during the first periodic disposal process following the date on which the obligation to dispose of personal data arises. In this scope, if the obligation to dispose of personal data arises, they are subject to disposal in 6-month periods.
| PROCESS | RETENTION PERIOD | DISPOSAL PERIOD |
| Preparation of Contracts | 10 years from the end of the contract | In the first periodic disposal period following the end of the retention period |
| Execution of Human Resources Processes | 10 years from the end of the activity | In the first periodic disposal period following the end of the retention period |
| Execution of Hardware and Software Access Processes | 5 years | In the first periodic disposal period following the end of the retention period |
| Registration of Visitors and Meeting Participants | 5 years | In the first periodic disposal period following the end of the retention period |
| Personal Health Data Records | For the period specified in the relevant legislation | In the first periodic disposal period following the end of the retention period |
| Identity data | For the period specified in the relevant legislation | In the first periodic disposal period following the end of the retention period |
| CCTV Footage
|
For the period specified in the relevant legislation | In the first periodic disposal period following the end of the retention period |
This Policy shall be deemed to have entered into force after it is published on the website.