PERSONAL DATA DISPOSAL POLICY

Data officer  Dr. Merdan Çelik   Clinic, your personal data in accordance with the general principles and regulations set forth in this Personal Data Retention and Disposal Policy, which is prepared in accordance with the  Constitution,  the Law on the Protection of Personal Data No. 6698, the Regulation on the Deletion, Destruction or Anonymization of Personal Data and other relevant legislation. properly stored and disposed of.

With this Policy, it is aimed to set forth the general principles and principles regarding the storage and destruction of real person data subject to personal data processing activities within the scope of the practice KVKK and to fulfill the obligations determined by the legislation.

Explicit Consent: Consent  on a specific subject, based on information and expressed with  free will,

Recipient Group: The category of real or legal person to whom personal data is transferred by the data controller ,

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way  , even by matching with other data .

Relevant User:  Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical storage, protection and backup of the data,

Destruction: Deletion, destruction or anonymization of personal data,
Personal Data: Any information relating to an identified or identifiable real person (e.g. name-surname, TCKN, e-mail, address, date of birth, credit card number, bank account number

Relevant Person: The  real person whose personal data is processed ,

Processing of Personal Data:  Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data fully or partially automatically or by non-automatic means, provided that it is a part of any data recording system . All kinds of operations performed on data such as classification or prevention of use,

Sensitive Personal Data: Data  related to race, ethnic origin , political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,

Periodic Destruction:  In the event that all of the personal data processing conditions in the KVKK are eliminated, the deletion, destruction or anonymization process specified in this Policy and which will be carried out ex officio at repetitive intervals,

RECORDING ENVIRONMENTS REGULATED BY POLICY

It covers all personal data subject to data processing activities within the scope of KVKK . In addition, the documents referred to by the Policy cover both physical and digital copies.

All personal data subject to data processing activities within the scope of KVKK are stored in the following environments, where personal data are fully or partially automated or processed by non-automatic means provided that they are part of any data recording system:

Practice computers, e-mail accounts, desktop computers, employees' tools (e.g. mobile phone), backup areas, paper files, folders, guest book, CD, DVD, USB, Hard disks, printer, copier, etc.

REASONS REQUESTING THE STORAGE AND DISPOSAL OF PERSONAL DATA

Personal data processing activities are based on the following principles:

• Compliance with the law and the rule of honesty,
• Ensuring that personal data is accurate and up-to-date when necessary ,
• Processing for specific, clear and legitimate purposes,
• Being limited and proportional to the purpose for which they are processed,
• As long as required by the relevant legislation or for the purpose for which they are processed. don't preserve.

Our practice stores and uses personal data for the purposes of processing personal data and in accordance with the processing conditions of personal data set forth in Articles 5 and 6 of the KVKK below. or at the request of the personal data owner:

Explicit Consent of the Personal Data Owner :  The first condition for the processing of personal data is the explicit consent of the owner.

Explicitly Provided in Laws: Personal data of the data owner may be processed in accordance with the law without obtaining his explicit consent, provided that it is expressly stipulated in the Laws.

Failure to Obtain Explicit Consent of the Personal Data Owner due to Actual Impossibility : In case the personal data of the person who is unable to express his/her consent due to actual impossibility or whose consent cannot be validated is required to be processed in order to protect the life or bodily integrity of himself or another person, the personal data of the data owner may be processed.

Being Directly Related to the Establishment or Performance of a Contract: Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process the personal data of the parties to the contract .

Legal Obligation:  If data processing is necessary for our practice to fulfill its legal obligations, the data of the personal data owner may be processed.

Making Personal Data Public by the Personal Data Owner: In case the data owner has made his personal data public by himself, the relevant personal data may be processed limitedly by making it public.

Obligatory Data Processing for the Establishment or Protection of a Right : In case data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

Obligatory Data Processing for the Legitimate Interest of Our Practice : Provided that the fundamental rights and freedoms of the personal data owner are not harmed, the personal data of the data subject may be processed if data processing is mandatory for the legitimate interests of our practice.

DELETING, DISPOSAL OR MAKING PERSONAL DATA ANONYMOUS

Personal data, the amendment or repeal of the provisions of the relevant legislation, which is the basis for the processing, the disappearance of the purpose requiring its processing or storage, in cases where the processing of personal data is carried out only on the condition of express consent, the person concerned withdraws their explicit consent, the maximum period requiring the storage of personal data has passed, and In the absence of any conditions justifying keeping the personal data for a longer period of time, it is deleted, destroyed or ex officio deleted, destroyed or anonymized by the practice at the request of the person concerned.

Unless a contrary decision is taken by the Personal Data Protection Board , our practice chooses the appropriate method of deletion, destruction or anonymization of personal data ex officio, according to technological possibilities and application cost. At the request of the personal data owner, the rationale for the appropriate method is explained. Necessary technical and administrative measures are taken in each of these transactions.

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN

Our practice takes the necessary technical and administrative measures according to the technological possibilities and implementation cost regarding the following issues in accordance with the provisions of Article 12 of the KVKK and the Regulations, the general principles stated above, and the decisions of this Policy and the Personal Data Protection Board:

·          Required software and hardware have been determined. Strong passwords are used on computers and e-mail accounts .

· What needs to be protected in terms          of the protection of customer information has been conveyed to our personnel through trainings, and their responsibilities with employment contracts have been put into writing. (Confidentiality Agreements) This obligation continues even after the persons concerned leave their positions.

·          Necessary infrastructure has been established for the backup of all data.

· Employees who          can access data on computers  have been identified.

·          Customer files and information are only given to the persons concerned, to their relatives to whom they have given written consent, to  the relevant public institutions and organizations within the framework of their legislation, and to the competent judicial authorities in judicial cases.

·          Before starting to process personal data,  the Authority fulfills the obligation to inform the relevant persons.

·          Personal data processing inventory has been prepared.

STORAGE AND DISPOSAL PERIODS

Our practice preserves and destroys personal data only for as long as required by the legislation it is obliged to comply with or for the purpose for which it is processed.

If the personal data owner requests the destruction of his personal data by applying to our practice:

If all the conditions for processing personal data have been removed: Finalizes the personal data owner's request within thirty days at the latest and informs the personal data owner and notifies the third party if the personal data subject to the request has been transferred to third parties; ensures that the necessary actions are taken before the third party.

If all the conditions for processing personal data have not disappeared: The request of the personal data owner may be rejected by explaining the reason in accordance with the third paragraph of Article 13 of the KVKK , and the personal data owner shall notify the rejection in writing or digitally within thirty days at the latest.

PERIODIC DISPOSAL TIMES

In the first periodical destruction process following the date on which the obligation to destroy personal data arises, personal data is destroyed. In this context, if the obligation to destroy personal data arises, it is subject to destruction in 6-month periods.

This Policy is deemed to have entered into force after its publication on the website .