Data Disposal Policy
Personal Data Disposal Policy
Data supervisor, Private Cinik Polyclinic (ERC Estetik Turizm Sağlık Hizmetleri Tic. Ltd. Şti.) stores and destroys your personal data in accordance with the general principles and regulations set forth in this Personal Data Storage and Disposal Policy prepared in accordance with the Constitution, the Law on Protection of Personal Data No. 6698, the Regulation on the Deletion, Destruction or Anonymization of Personal Data and other relevant legislation.
With this Policy, the Company aims to set forth the general principles regarding the storage and destruction of real personal data subject to personal data processing activities within the scope of PDPL and to fulfill the obligations determined by the legislation.
Explicit Consent: Consent on a specific subject, based on the information and expressed with free will,
Recipient Group: The natural or legal person category to which personal data is transferred by the data controller,
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.
Relevant User: Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data,
Destruction: Deletion, destruction or anonymization of personal data,
Personal Data: Any information relating to an identified or identifiable natural person (e.g. name-surname, TCKN, e-mail, address, date of birth, credit card number, bank account number)
Relevant Person: The natural person whose personal data is processed,
Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, and making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use,
Special Quality Personal Data: Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,
Periodic Destruction: The deletion, destruction, or anonymization process, which will be carried out ex officio at repetitive intervals and specified in this Policy, if all of the personal data processing conditions in the PDPL are eliminated,
Registration Environments Regulated By Policy
It covers all personal data subject to data processing activities within the scope of the Personal Data Protection Law (KVKK). In addition, the documents referred to by the Policy cover both physical and digital copies.
It stores all personal data subject to data processing activities within the scope of Personal Data Protection Law (KVKK) in the following environments, where there is personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system:
Company computers, e-mail accounts, desktop computers, employees’ tools (e.g. mobile phones), backup areas, paper files, folders, guestbooks, CDs, DVDs, USBs, Hard disks, printers, copiers, etc.
Reasons For Requesting the Storage and Disposal of Personal Data
Personal data is subject to change or repeal of the provisions of the relevant legislation, which is the basis for processing, the disappearance of the purpose that requires its processing or storage, in cases where the processing of personal data is carried out only based on express consent, the data subject withdraws his explicit consent, the maximum period requiring the storage of personal data has passed, and the personal data In the absence of any conditions justifying keeping the data for a longer period, it is deleted, destroyed or ex officio deleted, destroyed or anonymized by the company at the request of the person concerned.
Unless a contrary decision is taken by the Personal Data Protection Board, our Company chooses the appropriate method of deletion, destruction, or anonymization of personal data ex officio, according to technological possibilities and application cost. At the request of the personal data owner, the rationale for the appropriate method is explained. Necessary technical and administrative measures are taken in each of these transactions.
Technical and Administrative Measures Taken
Our company takes the necessary technical and administrative measures according to the technological possibilities and implementation costs regarding the following issues in accordance with the provisions of Article 12 of the PDPL and the provisions of the Regulation, the general principles stated above and the decisions of this Policy and the Personal Data Protection Board:
- Required software and hardware have been determined. Strong passwords are used on computers and e-mail accounts.
- What needs to be protected in terms of protecting customer information was conveyed to our personnel through training, and their responsibilities with business contracts were written. (Confidentiality Agreements) This obligation continues even after the persons concerned leave their positions.
- Necessary infrastructure has been established for the backup of all data.
- Employees who can access data on computers have been identified.
- Customer files and information are only given to the persons concerned, to their relatives to whom they have given written consent, to the relevant public institutions and organizations within the framework of their legislation, and to the competent judicial authorities in judicial cases.
- Before starting to process personal data, the Authority fulfills the obligation to inform the relevant persons.
- Personal data processing inventory has been prepared.
Storage and Disposal Times
Şirketimiz, kişisel verileri ancak uymakla yükümlü olduğu mevzuatta belirtildiği veya işlendikleri amaç için gerekli olan süre kadar muhafaza ve imha etmektedir.
Kişisel veri sahibinin, şirketimize başvurarak kendisine ait kişisel verilerin imha edilmesini talep etmesi halinde:
Kişisel verileri işleme şartlarının tamamı ortadan kalkmışsa: Kişisel veri sahibinin talebini en geç otuz gün içinde sonuçlandırır ve kişisel veri sahibine bilgi verir ve talebe konu olan kişisel veriler üçüncü kişilere aktarılmışsa, bu durumu üçüncü kişiye bildirir; üçüncü kişi nezdinde gerekli işlemlerin yapılmasını temin eder.
Kişisel verileri işleme şartlarının tamamı ortadan kalkmamışsa: Kişisel veri sahibinin talebini KVKK’nın 13’üncü maddesinin üçüncü fıkrası uyarınca gerekçesini açıklayarak reddedilebilir ve ret cevabını kişisel veri sahibine en geç otuz gün içinde yazılı olarak ya da dijital ortamda bildirir.
Periodic Disposal Times
In the first periodical destruction process following the date on which the obligation to destroy personal data arises, personal data is destroyed. In this context, if the obligation to destroy personal data arises, it is subject to destruction in 6 months.
| PROCESS | STORAGE TIME | DISPOSAL TIME |
| Preparation of Contracts | 10 years from the end of the contract | At the first periodic disposal period following the end of the storage period |
| Execution of Human Resources Processes | 10 years from the end of the activity | At the first periodic disposal period following the end of the storage period |
| Execution of Hardware and Software Access Processes | 5 years | At the first periodic disposal period following the end of the storage period |
| Registration of Visitors and Meeting Participants | 5 years | At the first periodic disposal period following the end of the storage period |
| Personal Health Data Record | For the period specified in the legislation. | At the first periodic disposal period following the end of the storage period |
| Identity data | For the period specified in the legislation. | At the first periodic disposal period following the end of the storage period |
| Camera records | It is kept for at least 2 months by the Private Hospitals Regulation. | At the first periodic disposal period following the end of the storage period |
This Policy is deemed to have entered into force after its publication on the website.