Gizlilik Politikası – Mahmutlar Diş Hekimi

1. NATURE AND PURPOSE OF THE POLICY

This Personal Data Storage and Destruction Policy (hereinafter referred to as the 'Policy') has been prepared by DOCTOR TORUN – TOLGA TORUN (hereinafter referred to as the 'Practice') as the data controller, in order to determine the procedures and principles to be applied by the Practice regarding the deletion, destruction and anonymization of personal data in accordance with the Law on the Protection of Personal Data No. 6698 ("LPPD") and other legislation.

This Policy covers all departments, employees, job candidates, customers and third parties involved in any process where the Practice processes Personal Data.

2. DEFINITIONS

Explicit Consent: Consent based on informed consent and expressed freely on a specific subject.

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data.

TOElectronic Media: Environments where personal data can be created, read, changed and written using electronic devices.

TONon-electronic Media: All written, printed, visual etc. media other than electronic media. Service Provider: A natural or legal person who provides services within the framework of a specific contract with the Personal Data Protection Authority.

Contact Person: The natural person whose personal data is processed.

Related User: Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.

Destruction: Deletion, destruction or anonymization of personal data.

Kanun: Personal Data Protection Law No. 6698.

Regulations: Deletion, Destruction or Removal of Personal Data published in the Official Gazette dated 28 October 2017

Regulation on Anonymization.

KPersonal Data: Any information relating to an identified or identifiable natural person.

KPersonal Data Processing Inventory: Inventory in which data controllers create personal data processing activities that they carry out in connection with their business processes by relating them to the purposes and legal reason for processing personal data, data category, recipient group to which the data is transferred and the data subject group, and detail the maximum retention period required for the purposes for which personal data is processed, personal data planned to be transferred to foreign countries and the measures taken regarding data security.

KProcessing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system.

Kurul: Personal Data Protection Board

KPersonal Data Protection Committee: The committee, established by the relevant persons within the company and under the chairmanship of the Data Controller, is authorized and tasked with carrying out/having the necessary procedures and supervising the processes for the storage, destruction and processing of Personal Data in accordance with the law, the Personal Data Storage and Destruction Policy and the Personal Data Inventory.

Special Personal Data: Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

PtorIodic Destruction: In case all the processing conditions of personal data specified in the law are eliminated, the deletion, destruction or anonymization process, which will be carried out ex officio at recurring intervals and as specified in the personal data storage and destruction policy.

Data Controllers Registry Information System: The information system created and managed by the Presidency, accessible via the internet, to be used by data controllers in applying to the Registry and other relevant transactions related to the Registry. Data Controller: Data controller refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

VERBIS: Data Controllers Registry Information System

3. PRINCIPLES

The practice stores and destroys personal data in accordance with the Law and this policy, with the following principles:

is moving.

a) In the storage, deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law and the measures to be taken within the scope of Article 12 of the Law are complied with, the relevant legislation and Board decisions and this policy text.

b) All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the Practice within the framework of the provisions of the Law, relevant legislation and this policy, and the records in question are kept for a period of 3 years in accordance with Article 7/3 of the Regulation, excluding other legal obligations.

c) Unless otherwise decided by the Board, the Practice chooses the most appropriate method of deleting, destroying or anonymizing personal data.

d) If all the conditions for processing personal data specified in the law are eliminated, personal data is deleted, destroyed or made anonymous by the Practice or upon the request of the relevant person.

4. PRECAUTIONS

The clinic ensures that personal data is stored securely and that it is not processed or accessed unlawfully.

In order to prevent this, it takes all necessary technical and administrative measures in accordance with the characteristics of the relevant personal data and the environment in which the data is stored and preserved.

4.1. Technical Measures

The practice takes the following appropriate technical measures:

• Uses safe systems that are compatible with technological developments.

• It uses security systems according to the environments in which personal data is kept.

• Access to the environments where personal data is stored is restricted and only authorized persons are allowed to access this data limited to the purpose for which the personal data is stored (Data Controller and Personal Data Protection Committee and other personnel determined by the data controller).

• It has a sufficient number of personnel to ensure the security of the environments/systems where personal data is located.

• In systems where personal data is processed, authorization matrix, authorization control, access logs, encryption, firewall, penetration testing and log records are used.

4.2. Administrative Measures

The practice takes the following appropriate administrative measures:

• Studies are carried out to increase the awareness of all clinic employees who have access to personal data on information security, personal data and privacy.

• Internal and external audits will be conducted to follow developments in the field of protection of personal data and to take the necessary measures.

• If personal data is transferred to third parties when necessary, the relevant third parties are required to sign protocols for the protection of personal data and all necessary care is taken to ensure that these third parties comply with their obligations under these protocols.

• Information and consent texts have been prepared and signed by all personal data owners.

• Confidentiality Commitments have been prepared and signed.

• Personal Data Processing Inventory has been prepared.

• This Storage and Destruction Policy has been prepared and published.

• Data Breach Policy has been prepared.

4.3. Internal Audit

Article 12 of the Law, in accordance with the obligations regarding data security, the provisions of the Law and this Policy

In case of any update required, internal audits are carried out regarding the implementation of the provisions of the company immediately or at 6-month intervals in any case.

These audits are carried out by the Data Controller and the Personal Data Protection Committee, and if a deficiency or defect in relation to obligations is detected as a result of these audits and/or a violation of legal provisions is detected, this deficiency or defect is immediately remedied.

If it is understood during the audit or otherwise that personal data under the responsibility of the Practice has been obtained by others through illegal means, this situation will be reported by the Practice to the relevant person and the Personal Data Protection Board as soon as possible.

5. RECORDING MEDIA

The Practice, with this Policy, covers the environments containing Personal Data and the ones listed below and in addition to these.

agrees to include Personal Data in other media that may appear within the scope of the Policy:

• Computers/servers/systems allocated by the Practice and/or used on behalf of the Practice.

• Network devices

• Shared/unshared disk drives used for storing data on the network

• Cloud Systems

• Mobile phones and all storage areas

• Paper

• Peripherals such as printer, fingerprint reader

• Optical discs

• Archive

• Flash memories

• Camera recordings

6. DESTRUCTION OF PERSONAL DATA

6.1. Reasons for Storage and Destruction

If all the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated,

Personal data is deleted, destroyed or made anonymous by the Practice ex officio or upon the request of the person concerned.

The reasons listed in Articles 5 and 6 of the Law are as follows:

• It is clearly stated in the laws.

• If it is necessary for the protection of the life or physical integrity of the person or someone else who is unable to give his consent due to a physical impossibility or whose consent is not legally valid.

• It is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract.

• It is mandatory for the data controller to fulfill its legal obligations.

• It has been made public by the relevant person himself.

• Data processing is necessary for the establishment, exercise or protection of a right.

6.2. Destruction Methods

The Practice will store the personal data it obtains in accordance with the KVKK and relevant legislation within the scope of this Policy.

However, if the reasons requiring the processing of Personal Data listed in the Law and Regulation are eliminated or upon the request of the relevant person who is the data owner, it will be deleted, destroyed or anonymized ex officio by the techniques specified below within the periods determined by the Law, relevant legislation and this Policy. The deletion, destruction and anonymization techniques used by the Practice are as follows:

6.2.1. Deletion Methods

• Deletion methods for personal data kept in the cloud and local digital environment consist of secure deletion by software. While data that is processed in whole or in part automatically and stored in digital environments is deleted, methods are used to prevent access and reuse by the relevant users in any way. In short, personal data kept in the cloud or local digital environments is deleted by digital command in a way that cannot be recovered again, and the data deleted in this way cannot be accessed again.

However, if deletion of personal data will prevent access to other data and prevent the use of these data, personal data will be deemed to have been deleted if the personal data is archived by making it unassociated with the person, provided that the following conditions are met.

• The method of deleting personal data on paper is blackout. Personal data on printed media is deleted using the blackout method. The blackout process is a method of preventing unintended use, physically cutting and removing personal data on the relevant document when possible, or, if not possible, making it invisible/covered using permanent ink in a way that cannot be reversed and cannot be read with technological solutions.

6.2.2. Destruction Methods

In order to destroy personal data kept in a printed environment, it is necessary to physically destroy it again with document shredders.

must be destroyed in a way that cannot be brought together.

The methods that can be used to destroy personal data kept in digital and cloud environments are as follows: Physical destruction: This method consists of physically destroying the optical and magnetic media containing personal data, such as melting, burning or pulverizing it. Melting, burning, pulverizing or grinding the media in question renders personal data inaccessible.

Demagnetization: It is a method of exposing magnetic media to higher magnetic fields and passing it through special devices to make the data on it unreadable. However, if this method fails and the data on the media is still readable, the media can be physically destroyed and the destruction process is completed.

Overwriting: This method is a data destruction method that makes it impossible to read and recover old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media using special software.

Securely deleting from software: In this method, personal data is deleted by digital command in a way that it cannot be recovered again.

6.2.3. Anonymization

Anonymization means that personal data is not identified or identified in any way, even by matching it with other data.

is to make it impossible to associate it with a real person.

The procedures and principles regarding the Practice's techniques for anonymizing personal data are listed below:

• After the data collected with the method of extracting variables and the descriptive data are brought together, the existing data set is anonymized by removing the "highly descriptive" variables from the data set created. For example, anonymization can be achieved by removing the highly descriptive data groups from the environment where personal data is located (documents, tables, etc.).

• In the regional hiding method, it is the process of deleting information that may be distinctive about the data that is an exception in the data table where personal data is collectively and anonymously stored.

• By using the lower and upper limit coding method, ranges for a certain variable are defined and categorized. For example, if the employee working in a workplace has worked for less than 5 years, 5 to

Depending on whether it is between 10 years or more, it can be combined as 'very experienced', 'experienced' or 'inexperienced' and made anonymous.

• It is the process of bringing together personal data belonging to many people using the generalization method and turning it into statistical data by removing distinguishing information.

• With the data hashing and corruption method, direct or indirect identifiers in personal data are compared with other values or corrupted, thus severing their relationship with the relevant person and causing them to lose their identifier qualities.

6.3. Storage Periods

The Practice complies with the legal retention and destruction periods specified in the Personal Data Inventory, this Policy and the relevant legislation.

The physical and digital data filling the personal data are periodically destroyed. The Practice deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data for which it is responsible arises in accordance with the Personal Data Inventory, the Law, relevant legislation and this Policy.

6.4. Destruction Periods

The Practice shall delete the personal data for which it is responsible in accordance with the Personal Data Inventory, the Law, relevant legislation and this Policy,

erases, destroys or anonymizes personal data in the periodic destruction process following the date on which the obligation to destroy or anonymize arises.

The relevant person whose personal data is processed may apply to the Clinic in accordance with Article 13 of the Law and request the deletion of his/her personal data.

or may request its destruction.

If the relevant person makes such a request and all the conditions for processing personal data have been eliminated, the Practice shall delete, destroy or anonymize the request by explaining the reason within 30 days from the day it receives the request, using an appropriate destruction method. However, if all the conditions for processing personal data have not been eliminated, the request may be rejected by the Practice by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection shall be sent to the relevant person within 30 days at the latest.

shall be notified in writing or electronically.

The Practice deletes, destroys or anonymizes personal data for which the processing conditions have been eliminated, through a process specified in this Policy and which will be carried out ex officio at recurring intervals. Periodic destruction processes will start for the first time on 14 FEBRUARY 2024 and will be repeated every 6 (six) months.

7. PRIVACY POLICY

The Practice processes Personal Data in line with its business purposes and for the time and work required to fulfill this purpose.

It will keep the Personal Data with the Practice for the duration of the commercial relationship between the partner/supplier/consultant/auditor or third party and/or for a limited period specified in the legislation, and it may transfer the Personal Data to third parties if it uses the services of third party providers for the fulfillment of the said purpose, but only in this case,

declares that it will ensure that the third parties in question comply with the provisions of the Law.

The Practice is obliged to take technical and administrative measures in accordance with the Law and Regulation to prevent unauthorized access to Personal Data by its personnel or third parties and use of Personal Data for purposes other than those for which it was transferred.

8) ENFORCEMENT

This Policy will come into force from the date of publication.

Within the practice, a Personal Data collection system is used to monitor and manage the actions required to comply with the Law.

A Protection Committee was established.

Employees to be selected from Office Management, Physicians, Accounting and Finance Department and Human Resources Department

It consists of at least two (2) persons.