Personal Data Deletion Policy

ASG Health and Tourism Services and Trade Inc. (Private DRGO Clinic), as the datacontroller, stores and destroys your personal data in accordance with the general principles and regulations specified in this Personal Data Storage and Destruction Policy, which is prepared in compliance with the Constitution, the Personal Data Protection LawNo. 6698, the Regulation on the Deletion, Destruction, or Anonymization of PersonalData, and other relevant legislation.

This Policy aims to set out the general principles and rules related to the storage anddestruction of real person data subject to personal data processing activities under thePDPL, and to fulfill the obligations determined by the legislation.

Explicit Consent: Consent that is informed, based on specific matters, and declaredfreely,

Recipient Group: The category of real or legal person to whom personal data is transferred by the data controller,

Anonymization: The process of altering personal data in such a way that it can no longerbe associated with an identified or identifiable real person, even when matched with otherdata.

Related User: Individuals within the data controller’s organization, or those processingpersonal data under the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backupof the data,

Destruction: The deletion, destruction, or anonymization of personal data,

Personal Data: Any information relating to an identified or identifiable natural person(e.g., name, surname, national identification number, email, address, date of birth, creditcard number, bank account number),

Related Person: The real person whose personal data is processed,

Processing of Personal Data: Any operation performed on personal data, whether or not by automated means, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, orblocking the use of data,

Special Categories of Personal Data: Data related to racial or ethnic origin, politicalopinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations, or trade unions, health, sex life, criminalconvictions and security measures, and biometric and genetic data,

Periodic Destruction: The deletion, destruction, or anonymization process to be carriedout at repeating intervals as specified in this Policy, automatically when all conditions forprocessing personal data specified in the PDPL are no longer present.

RECORDING ENVIRONMENTS REGULATED BY THE POLICY

This policy encompasses all personal data subject to data processing activities within thescope of the PDPL. Additionally, the documents referred to by the Policy cover bothphysical and digital copies.

The company stores all personal data subject to data processing activities within the scopeof the PDPL, whether processed wholly or partly by automated means or non-automatedprovided that it is part of any data recording system, in the following environments:

Company computers, email accounts, desktop computers, tools of employees (e.g., mobile phones), backup areas, paper files, folders, visitor logs, CDs, DVDs, USBs, hard drives, printers, photocopiers, etc.

REASONS REQUIRING THE STORAGE AND DESTRUCTION OF PERSONAL DATA

The following principles are considered in personal data processing activities:

• Compliance with the law and honesty rules,

• Ensuring personal data are accurate and up to date when necessary,

• Processing for specified, explicit, and legitimate purposes,

• Being related, limited, and measured with the purposes they are processed for,

• Retention for the period foreseen by the relevant legislation or necessary for the purposefor which they are processed.

Our company stores and uses personal data based on the processing conditions specifiedin the 5th and 6th articles of the PDPL and for the purposes of processing personal data. Upon the complete removal of these conditions, personal data are destroyed eitherautomatically or upon the request of the data subject:

• Existence of Explicit Consent of the Personal Data Owner: The first condition forprocessing personal data is the explicit consent of its owner.

• Clearly Stipulated by Laws: Personal data can be processed lawfully without explicitconsent if it is clearly stipulated by laws.

• Impossibility of Obtaining Explicit Consent Due to Actual Impossibility: If it’simpossible for the data owner to express consent due to actual impossibility, or if theconsent cannot be deemed valid, personal data can be processed if it is necessary toprotect the life or physical integrity of the person themselves or someone else.

• Directly Related to the Execution or Performance of a Contract: If it’s necessary for theprocessing of personal data of the parties to a contract, provided that it’s directly related tothe establishment or performance of that contract.

• Legal Obligation: Personal data can be processed if it is necessary for our company tofulfill its legal obligations.

• Personal Data Owner Makes His/Her Personal Data Public: If the data owner has madehis/her personal data public, then those personal data can be processed, limited to theconditions of making it public.

• Data Processing Being Necessary for the Establishment or Protection of a Right: If dataprocessing is necessary for the establishment, use, or protection of a right, the personaldata of the data owner can be processed.

• Data Processing Being Necessary for the Legitimate Interests of Our Company: Provided that it does not harm the fundamental rights and freedoms of the personal dataowner, personal data can be processed if it is necessary for our company’s legitimateinterests.

DELETION, DESTRUCTION, OR ANONYMIZATION OF PERSONAL DATA

Personal data is deleted, destroyed, or anonymized by the company upon the request of the relevant person or ex officio in the following situations: if the provisions of therelevant legislation that constitute the basis for processing are changed or repealed, if thepurpose that requires processing or storing is eliminated, in cases where the processing of personal data occurs solely based on explicit consent and the relevant person withdrawstheir consent, if the maximum period required for storing personal data has passed, and ifthere are no conditions justifying the longer storage of personal data.

Unless decided otherwise by the Personal Data Protection Board, our Company choosesthe appropriate method of deletion, destruction, or anonymization of personal data basedon technological possibilities and implementation costs. If requested by the personal dataowner, the reason for choosing the appropriate method is explained. Necessary technicaland administrative measures are taken in each of these processes.

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN

In accordance with Article 12 of the PDPL, the provisions of the Regulation, the general principles mentioned above, this Policy, and the decisions of the Personal Data ProtectionBoard, our company takes the necessary technical and administrative measures related tothe following matters based on technological possibilities and implementation costs:

• Necessary software and hardware have been determined. Strong passwords are used on computers and email accounts.

• Our personnel are trained on the protection of customer information, and theirresponsibilities are documented in employment contracts (Confidentiality Agreements). This obligation continues even after the relevant persons leave their positions.

• The necessary infrastructure has been established for the purpose of backing up all data.

• Employees who can access the data on computers have been identified.

• Customer files and information are provided only to the individuals themselves, theirrelatives who have given written consent, relevant public institutions and organizationswithin the framework of the legislation, and competent judicial authorities in legal cases.

• The obligation to inform relevant individuals before starting personal data processing is fulfilled by the Institution.

• A personal data processing inventory has been prepared.

STORAGE AND DESTRUCTION PERIODS

Our company stores and destroys personal data only for the duration specified in thelegislation it is obligated to follow, or for the period necessary for the purposes for whichthe data are processed.

If the personal data owner applies to our company requesting the destruction of theirpersonal data:

• If all conditions for processing the personal data have ceased to exist: The company willfinalize the request of the personal data owner within no later than thirty days, inform thedata owner, and if the personal data subject to the request have been transferred to thirdparties, notify the third party of this situation; ensures that the necessary actions are takenat the third party.

• If all conditions for processing the personal data have not ceased to exist: The request of the personal data owner can be rejected in accordance with the third paragraph of Article13 of the PDPL by explaining the reason, and the rejection response is communicated tothe personal data owner in writing or through digital means within no later than thirtydays.

PERIODIC DESTRUCTION PERIODS

Personal data are destroyed in the first periodic destruction process following the datewhen the obligation to destroy arises. In this context, if the obligation to destroy personaldata arises, they are subjected to the destruction process in six-month intervals.

PERIODIC DESTRUCTION PERIODS

Personal data are destroyed in the first periodic destruction process followingthe date on which the obligation to destroy arises. In this context, thedestruction of personal data is subjected to a destruction process in six-monthintervals should the obligation to destroy the data arise.

PROCESS	STORAGE PERIOD	DESTRUCTION PERIOD
Preparation of Contracts	10 years following theconclusion of the contract	In the first periodicdestruction period followingthe end of the storage period
Execution of Human Resources Processes	10 years following thetermination of the activity	In the first periodicdestruction period followingthe end of the storage period
Execution of Hardware and Software Access Processes	5 years	In the first periodicdestruction period followingthe end of the storage period
Registration of Visitorsand Meeting Participants	5 years	In the first periodicdestruction period followingthe end of the storage period
Recording of PersonalHealth Data	As specified by thelegislation	In the first periodicdestruction period followingthe end of the storage period
Identity Data	As specified by thelegislation	In the first periodicdestruction period followingthe end of the storage period
Camera Recordings	Stored for at least 2 yearsas required by theRegulation on PrivateHospitals	In the first periodicdestruction period followingthe end of the storage period

This Policy is considered to have entered into force after its publication on thewebsite.

Personal Data Deletion Policy

Plan your treatment online, get a price now.

DENTAL TREATMENTS

CLINIC

Aesthetics and Dental Treatments in Turkey | Dr. GO Smile - DRGO Smile Clinic

Request a free consultation and price estimate

24/7 Chat with Doctor