Privacy Policy – Özel Çağdaş Yaşam Ağız ve Diş Sağlığı Polikliniği

PERSONAL DATA STORAGE AND DISPOSAL POLICY

ENTRANCE

NATURE, PURPOSE AND SCOPE OF THE DISPOSAL POLICY

This destruction policy (POLICY) is the procedure to be followed for the deletion, destruction and/or anonymization of personal data obtained as PRIVATE CONTEMPORARY LIFE MOUTH AND DENTAL AND DENTAL HEALTH SERVICES, as per the Personal Data Protection Law No. 6698 and the relevant legislation. It has been prepared for the purpose of determining the principles. The data controller defines the POLIKLINK definition.

In this context, the personal data of POLİKLINK employees, employee candidates, patients, patient companions/guardians-parents and all real persons who have personal data within the POLİKLINK for any reason; is carried out in accordance with the Constitution and laws within the framework of this Personal Data Retention and Disposal Policy.

DEFINITIONS

Data Controller

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Related person

The real person whose personal data is processed,

Personal Data

Any information relating to an identified or identifiable natural person

Private Personal Data

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data

Processing of Personal Data

Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system Any operation performed on data such as

Data Processor

The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.

Disposal

Deletion, destruction or anonymization of personal data

Annihilation

It is the process of making personal data inaccessible, irretrievable and reusable by anyone.

Deletion

It is the process of making personal data inaccessible and unusable for the relevant users in any way.

Anonymization

Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Law/KVKK

Law on Protection of Personal Data No. 6698 published in the Official Gazette dated 07.04.2016 and numbered 29677,

regulation

Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224

Board

Personal Data Protection Board

Organisation

Personal Data Protection Authority

recording media

Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system.

data logging system

The registry system where personal data is processed and structured according to certain criteria.

means.

DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

The DATA SPEAKER is responsible for the preparation, development, execution, publication and updating of the POLICY, the employees to act in accordance with the policy, and the provision of technical solutions needed in the implementation of the POLICY.

POLIKLINK employees take technical and administrative measures to ensure data security in all environments where personal data is processed in order to properly implement the technical and administrative measures taken within the scope of the POLICY, to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law. warn.

METHODS OF COLLECTION OF PERSONAL DATA

Personal data can be processed by natural or legal persons authorized by the DATA RESPONSIBLE, within the conditions and purposes specified in the Law on the Protection of Personal Data No. 6698 and secondary regulations issued pursuant to this law; Data owners apply to the POLYCLINIC and make the first information, open the record and create a patient file, forms and minutes kept in paper and electronic media, online through the SGK system, from the records shared in case of benefiting from a private insurance company, and through the records of other health institutions if they are referred to the POLYCLINIC. It is provided verbally, in writing or electronically, with automatic and non-automatic methods, when the POLİKLINK is contacted for any purpose and service is received, with the submission of CV or job applications, as a supplier/service provider.

RECORDING ENVIRONMENTS

Personal data are stored safely by POLIKLINK in the environments listed in Table 2, in accordance with the law.

3.1. DATA STORED IN ELECTRONIC ENVIRONMENTS

Servers (Domain, backup, email, database, web, file sharing, etc.)

Software (office software, portal, medical programs)

Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)

Personal computers (Desktop, laptop)

Mobile devices (phone, tablet, etc.)

Optical discs (CD, DVD, etc.)

Removable memories (USB, Memory Card etc.)

Printer, scanner, copier

3.2. NON-ELECTRONIC ENVIRONMENTS

Paper

Manual data recording systems (patient files, protocol book, inspection and audit book, working documents, visitor entry book and other books that must be kept in accordance with the Regulation on Private Healthcare Organizations Providing Oral and Dental Health Services)

Written, printed, visual media

EXPLANATIONS ON STORAGE AND DISPOSAL

by the DATA SPEAKER; Personal data of employees, employee candidates, patients, patient companions/parents-guardians and all real persons who have personal data within the POLIKLINK for any reason are stored and destroyed in accordance with the Law. In this context, detailed explanations regarding storage and disposal are given below, respectively.

4.1. EXPLANATIONS ON STORAGE

In Article 3 of the Law, the concept of processing personal data is defined, in Article 4 it is stated that the personal data processed should be related to the purpose for which they are processed, limited and measured, and should be kept for the period required for the purpose for which they are processed or as stipulated in the relevant legislation. counted. Accordingly, within the framework of the activities of the POLYCLINIC, personal data is stored by the DATA SPEAKER for the period stipulated in the relevant legislation or for the processing purposes.

4.1.1. LEGAL REASONS FOR KEEPING

Personal data processed within the scope of the activities are kept as long as required by the service provided and for the period stipulated in the relevant legislation. In this context, personal data;

Law No. 6698 on the Protection of Personal Data,

Law No. 1219 Concerning the Execution of the Style of Medicine and Medical Arts

Turkish Code of Obligations No. 6098,

Turkish Penal Code No. 5237,

Social Insurance and General Health Insurance Law No. 5510,

Health Services Basic Law No. 3359,

Occupational Health and Safety Law No. 6361,

Labor Law No. 4857,

Regulation on Private Health Institutions Providing Oral and Dental Health Services,

Occupational Health and Safety Services Regulation

Patient Rights Regulation,

Medical Deontology Regulation

Turkish Dental Association Code of Dentistry Professional Ethics

Other relevant laws and other secondary regulations in force in accordance with these laws

are kept for the specified storage periods.

4.1.2. PROCESSING OBJECTIVES THAT REQUIRE STORAGE

Personal data processed within the framework of POLİKLINK activities are stored for the following purposes.

To be able to perform work and transactions as a result of signed contracts and protocols.

Obligation of proof as evidence in legal disputes that may arise in the future

Ensuring the fulfillment of legal obligations as required or mandated by legal regulations

4.2. REASONS FOR DISPOSAL

Personal data;

Amendment or repeal of the provisions of the relevant legislation, which are the basis for processing,

The disappearance of the purpose requiring its processing or storage,

In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his explicit consent,

In accordance with the 11th article of the Law, the application made by the POLYCLINIC regarding the deletion and destruction of personal data within the framework of the rights of the person concerned,

In the event that the POLIKLINK rejects the application made by the person concerned with the request for the deletion, destruction or anonymization of his personal data, finds the answer insufficient or does not respond within the time stipulated in the Law; Making an application to the Board and this request being approved by the Board,

The maximum period for keeping personal data has passed and there are no conditions to justify keeping personal data for a longer period of time,

In such cases, it is deleted, destroyed or ex officio deleted, destroyed or anonymized by the POLYCLINIC upon the request of the person concerned.

TECHNICAL AND ADMINISTRATIVE MEASURES

In accordance with Article 12 of the Law and paragraph 4 of Article 6 of the Law, in accordance with the adequate measures determined and announced by the Board for personal data to be stored securely, to prevent unlawful processing and access, and to destroy personal data in accordance with the law, technical and administrative measures are taken.

5.1. TECHNICAL MEASURES

The technical measures taken by the DATA SPEAKER regarding the personal data he/she processes are listed below:

Risks, threats, vulnerabilities and vulnerabilities are determined by performing technical controls (eg penetration/penetration tests) to prevent unlawful processing of personal data, technical measures are taken in line with these risks, and control results are recorded.

Necessary measures are taken for the security of all personal data, including private personal data stored in electronic media. In this context; firewalls, attack prevention systems, network access control, systems that prevent malware, security patches are used. Information systems are kept up-to-date, data backup programs are used, strong passwords are used in electronic environments where personal data is processed, electronic media is kept using cryptographic methods, cryptographic keys are kept in secure environments.

Access to electronic or non-electronic storage areas where personal data is stored, inappropriate access or access attempts are kept under control, secure record keeping (logging) systems are used, access authorization is made, necessary measures are taken to ensure that deleted personal data is inaccessible and reusable for relevant users. .

Considering that special quality personal data is processed in the polyclinic, employees are provided with training on personal data security and confidentiality agreements are made.

Necessary precautions (limiting access of unauthorized persons, (fire extinguishing system, air conditioning system, etc.)) are taken for the physical security of information systems equipment, software and the environments where all personal data, including sensitive data, are kept and/or accessed in the outpatient clinic.

5.2. ADMINISTRATIVE MEASURES

Administrative measures taken by the DATA SPEAKER regarding the personal data he/she processes are listed below:

Trainings are provided on the prevention of unlawful processing of personal data, the prevention of illegal access to personal data, the protection of personal data, communication techniques, technical knowledge and skills, the Law on the Protection of Personal Data, the Labor Law and other relevant legislation in order to improve the quality of employees.

Confidentiality agreements are signed by the employees regarding the activities carried out by the DATA SPEAKER.

Before starting the processing of personal data, the obligation to inform the data subject is fulfilled by the DATA SPEAKER.

Personal data processing inventory has been prepared.

Periodic and random inspections are carried out within the POLYCLINIC.

Information security trainings are provided for employees.

PERSONAL DATA DISPOSAL TECHNIQUES

At the end of the storage period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data is destroyed by the DATA RESPONSIBLE ex officio or upon the application of the data subject, again in accordance with the provisions of the relevant legislation, with the following techniques.

6.1. DELETING PERSONAL DATA

Personal data is deleted by the following methods:

Personal data on servers: For the personal data on the servers that require storage, the data controller will remove the access authorization of the relevant users and delete them.

Personal data in the electronic environment: Personal data in the electronic environment, which require storage, are made inaccessible and non-reusable for other employees (related users) except for the DATA SPEAKER.

Personal data in the physical environment: Personal data kept in the physical environment is rendered inaccessible and unusable in any way for persons other than the DATA RESPONSIBLE for those whose period has expired. In addition, the process of blackening is applied by drawing/painting/erasing in a way that cannot be read.

Personal data in portable media: Personal data kept in flash-based storage media, whose period has expired, are encrypted by the DATA SPECIALIST and the access authorization is given only to the DATA CUSTOMER, and stored in secure environments with encryption keys.

6.2. DESTRUCTION OF PERSONAL DATA

Personal data is destroyed by the following methods:

Personal data in physical media: Personal data in paper media, which require storage, are irreversibly destroyed in paper clipping machines.

Personal data in optical/magnetic media: The physical destruction of personal data in optical media and magnetic media, such as melting, burning or pulverizing, is applied. In addition, magnetic media is passed through a special device, and the data on it is rendered unreadable by exposing it to a high magnetic field.

6.3. MAKING PERSONAL DATA ANONYMOUS

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. The anonymization methods used in the outpatient clinic are as follows:

Removing variables: It is the removal of one or more of the direct identifiers that are included in the personal data of the relevant person and that will help to identify the relevant person in any way.

6.3. MAKING PERSONAL DATA ANONYMOUS

Regional hiding: It is the process of deleting the information that may be distinctive about the exceptional data in the data table in which the personal data is collected in an anonymous form.

Generalization: It is the process of bringing together the personal data of many people and turning them into statistical data by removing their distinctive information.

Lower and Upper Bound Coding: For a certain variable, the ranges of that variable are defined and categorized. If the variable does not contain a numeric value, then close data in the variable are categorized. Values within the same category are combined.

Macro Joining: With this method, all the records in the data set are first arranged in a meaningful order and then the whole set is divided into a certain number of subsets. Then, by taking the average of the value of each subset of the determined variable, the value of that variable of the subset is replaced with the mean value. In this way, since the indirect identifiers in the data will be corrupted, it is difficult to associate the data with the relevant person.

Data mixing and corruption: Direct or indirect identifiers in personal data are mixed with other values or their relationship with the relevant person is broken and they lose their descriptive qualities.

STORAGE AND DISPOSAL TIMES

Regarding the personal data being processed by the DATA SPEAKER within the scope of his activities;

The retention periods on the basis of personal data regarding all personal data within the scope of the activities carried out in connection with the processes are in the Personal Data Processing Inventory;

Storage periods on the basis of data categories are recorded in VERBIS;

Process-based retention periods are included in the Personal Data Retention and Disposal Policy.

If necessary, updates are made on the storage periods in question by the DATA SPEAKER. For personal data whose storage period has expired, the deletion, destruction or anonymization of personal data is carried out by the DATA CUSTOMER.

NOTE: If it is arranged for a longer period in accordance with the law and other legislation, or in accordance with the legislation, the statute of limitations, foreclosure period, storage periods, etc. If a longer period is foreseen for the storage period, the periods in the provisions of the legislation are considered as the maximum storage period.

PUBLICATION AND STORAGE OF THE POLICY

The POLICY is arranged on printed paper with a wet signature and is kept in the relevant files at the Polyclinic. If the POLYCLINIC has a web page, the POLICY is also disclosed to the public on the web page.

UPDATE PERIOD OF THE POLICY

The POLICY is reviewed as needed and the necessary sections are updated.

ENFORCEMENT AND ANNOUNCEMENT OF THE POLICY

The POLICY is deemed to have entered into force after the VERBIS registration is completed by the DATA SPEAKER.

In the event that it is decided to be revoked, the wet signed old copies of the POLICY are canceled and signed by the DATA SPEAKER (with an annulment stamp or written cancellation) and kept in the relevant files at the Polyclinic for at least 5 years.