DATA PROCESSED WITHIN THE SCOPE OF HEALTH SERVICE PROVIDED IN THE FIELD OF ORAL AND DENTAL HEALTH
Data Categories
Non-Private Personal Data
Identity Information (Name-surname, mother and father’s name, gender, date and place of birth, marital status, TR Identity Number, nationality information, signature information)
Contact Information (Contact address, e-mail address, telephone number, address number, fax number)
Financial Information (Bank account number (IBAN), bank account information (account holder, etc.), credit card information, information required for issuing invoices, private health insurance amount, etc.)
Private Personal Data
Health Information (All kinds of information about the physical and mental health of the person, including the diseases he has had, the drugs he has used, medical reports, analysis, laboratory and imaging results, the medical history in the clinical file, the history of the disease, the photographs taken to show the change achieved as a result of the medical intervention applied)
In order to provide health services, sexual life information may be requested when necessary (for example, carrying out diagnosis processes related to mouth lesions, or obtaining birth control pill usage information in order to prescribe medication).
Persons who have been convicted and whose sentence is still being executed can apply to the health institution by obtaining permission from the relevant penal institution. In this case, the data related to the criminal conviction and security measures of the patients in question can be processed.
Personal Data Processing Purposes
The personal data and the personal data of a special nature listed in Title A.1 are processed in order to carry out processes such as providing health services to patients and determining an appointment date.
Data Subject Group
The data listed in Title A.1 are collected from patients who apply for services in the field of oral and dental health. In addition, the identity and contact data of the parents of patients who are not yet 18 years old are also collected.
Legal Reason for Personal Data Processing
Fulfilling the professional and legal obligations in line with the obligations stipulated by the Law No. 1219, the Regulation on Private Healthcare Institutions Providing Oral and Dental Health Services, the Medical Deontology Regulation, the Turkish Dental Association’s Dental Professional Ethics Rules and the Patient Rights Regulation.
Maximum Retention Period of Personal Data
The personal data listed in Title A.1 will be kept for 20 years from the end of the treatment due to professional obligations.
Transfer of Personal Data
Recipient/Recipient Groups
The patient’s identity information is shared with the Accountant/Independent Financial Advisor so that the price received in return for the health service provided can be billed.
The patient’s identity information can be shared with the relevant insurance company and SGK so that the price paid for the health service provided can be obtained from the insurance company contracted by the patient or the Social Security Institution.
In cases where the privacy of personal medical records must be restricted for the protection of public health, such as the obligation to report infectious diseases to the competent authorities, regulated in Article 58 of the General Public Health Law No. 1593, or in cases of legal necessity, such as the obligation to report the crime, the patient’s health, communication and identity data can be shared with authorized authorities.
Data Transfer to Foreign Countries
Identity and contact information of patients whose residence is abroad and who receive service from our health institution can be shared with insurance companies of foreign origin that the patients have contracted with.
In order to plan the health service to be provided, the health and identity information of the patients can be processed in some programs of foreign origin. In this case, the purpose is not to transfer the data abroad, but this process is mandatory in order to provide health services.
PERSONAL DATA PROCESSED BY THE HEALTH INSTITUTION WITHIN THE SCOPE OF EMPLOYEE EMPLOYMENT
Data Categories
Non-Private Personal Data
Identity Information (Name-surname, mother and father’s name, gender, date and place of birth, marital status, TR Identity Number, nationality information, signature information)
Contact Information (Contact address, e-mail address, telephone number, address number, fax number, relatives and family members who can be reached in an emergency)
Personal Information (Payroll information, disciplinary investigation, employment document records, resume, performance evaluation reports, CV, social security number)
Professional Experience (educational status, certificate, diploma, foreign language information)
Financial Information (Bank account number (IBAN), bank account information (account holder, etc.), credit card information, financial and salary details of employees, payrolls, minimum living allowance information, private health insurance amount, etc.)
Private Personal Data
A criminal record is required from employees before they are hired by the health institution. For this reason, any data related to criminal convictions and security measures contained in the criminal record can be processed.
Within the scope of occupational health and safety activities in the health institution, some health data of the employees can be received and processed.
If the employees are members of a union, union information is processed.
Personal Data Processing Purposes
The personal data and the personal data of a special nature listed in Title B.1 are processed in order to register the employees with SGK, to fulfill the obligations of the employer in accordance with the Labor Law No. 4857 and the Occupational Health and Safety Law No. 6331, and to create the personnel files of the employees.
Data Subject Group
Employees employed by the health institution that is the data controller (secretary, oral and dental health technician / technician, etc.)
Legal Reason for Personal Data Processing
Fulfillment of legal obligations in line with the Labor Law No. 4857 and the Occupational Health and Safety Law No. 6331 and the employment contract signed with the employee.
Maximum Retention Period of Personal Data
In accordance with the Labor Law No. 4857 and the Social Insurance and General Health Insurance Law No. 5510, the personal data listed in Title B.1 regarding identity, communication, personnel, finance and all kinds of convictions are kept for 10 years after the employee leaves the job.
In accordance with the Occupational Health and Safety Law No. 6331 and the Regulation on Occupational Health and Safety Services published in the Official Gazette dated 29.12.2012 and numbered 28512, the personal data listed in Title B.1 are kept for 15 years after the employee leaves the job.
Transfer of Personal Data
Recipient/Recipient Groups
Social Security Institution
Contracted accountant/public accountant
Other authorized public institutions and organizations
Data Transfer to Foreign Countries
Personal data of the employees listed in Title B.1 are not transferred abroad.
SECURITY MEASURES TAKEN UNDER THE PERSONAL DATA PROTECTION LAW
Administrative Measures
Employees are trained to improve their qualifications and technical knowledge/skills, and on preventing the illegal processing of personal data, preventing illegal access to personal data, ensuring the protection of personal data, communication techniques and relevant legislation.
Employees are made to sign confidentiality agreements.
A disciplinary procedure is applied for employees who do not comply with security policies and procedures.
The obligation to inform the relevant persons is fulfilled.
Periodic and random audits are carried out within the institution.
Technical Measures
Necessary measures are taken for the physical security of the information systems equipment, software and data of the institution.
Risks are identified in order to prevent unlawful processing.
Technical measures are taken in accordance with the identified risks.
Procedures are established and implemented for the distribution of access authorizations and roles.
An authorization matrix is applied, access is recorded and inappropriate access is kept under control.
Disposal processes in accordance with the storage and disposal policy are defined and implemented.
In case of detection of illegal processing, a system and infrastructure are established to notify the relevant person and the board.
Security vulnerabilities are monitored and appropriate security patches are installed.
Information systems are kept up to date.
In electronic environments where personal data is processed, strong passwords are used, secure record keeping (logging) systems are used, and backup programs are used to keep personal data safe.