KVKK Board Internal Directive
DENTAFORUM TREATMENT SERVICES TOURISM PRIVATE HEALTH SERVICES INDUSTRY AND TRADE JOINT STOCK COMPANY
PERSONAL DATA PROTECTION COMMITTEE INTERNAL DIRECTIVE
Dentaforum Treatment Services Tourism Private Health Services Industry and Trade Inc. (Dentaforum) Personal Data Protection Committee (“Committee”) Internal Directive (“Internal Directive”) has been prepared in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”) published in the Official Gazette dated 07/04/2016 and numbered 29677, the Regulation on the Deletion, Destruction or Anonymization of Personal Data issued by the Personal Data Protection Authority and published in the Official Gazette dated 28/10/2017 and numbered 30224 (“Regulation”), Dentaforum Treatment Services Tourism Private Health Services Industry and Trade Inc. Personal Data Protection and Processing Policy (“Policy”) and Dentaforum Treatment Services Tourism Private Health Services Industry and Trade Inc. Personal Data Storage and Destruction Policy (“Storage and Destruction Policy”).
In order to carry out the personal data storage and destruction processes and to carry out the necessary work and transactions in accordance with the Law and Regulation, a Personal Data Protection Committee has been established under the data controller Dentaforum. Within this scope, necessary internal arrangements are made by Dentaforum for the storage and destruction of personal data in accordance with the personal data protection regulations and Policies, and the necessary system is established to create awareness.
Purpose:
Article 1-This Internal Directive has been prepared to determine the matters regarding the Committee’s fulfillment of its duties, the principles it must comply with within the framework of the personal data protection regulations and Policies, and the procedures it will implement in accordance with the Policies.
Scope:
Article 2-This Internal Directive covers the relevant responsibilities, works and activities of the Committee and its members.
Basis:
Article 3-This Internal Directive has been prepared based on the above-mentioned regulations regarding the Personal Data Protection Law No. 6698.
Dentaforum Personal Data Protection Committee:
Article 4-The Committee is appointed by the Dentaforum Board of Directors to fulfill its obligations under the Law, ensure and supervise the implementation of the Policies, and make recommendations regarding their operation. The Board is responsible for ensuring the supervision, compliance and sustainable effectiveness of Dentaforum within the scope of the KVK regulations. The distribution of duties among the Committee members and the removal of members from or addition of members to the Committee are carried out by the Committee Chair with the authority granted by the Data Controller.
Data Controller Representative:
Article 5-The Data Controller Representative is selected from the Committee and manages Dentaforum’s relations with the Institution.
Members:
Article 6-The formation of the Committee and the duties of the individuals are determined below.
Status | Duty
President | Committee President – responsible for governance and communication
Member | Responsible for law compliance and auditing and business process planning-reporting
Member | Information Technologies – responsible for data security, risk management, policies and procedures
Article 7- The Committee is responsible for the protection, storage, processing of personal data and the operation of the processes of deleting, destroying and anonymizing personal data.
In this context, the Committee;
Creates the necessary procedures and ensures the implementation of these procedures.
If there is a change in the legislation regarding personal data, ensures that the work and transactions within Dentaforum are carried out in order to comply with the new regulations.
Prepares the inventory of personal data.
Periodically updates the inventory of personal data.
Reports the inventory of personal data to the registry and ensures that it is kept up to date.
Conducts correspondence with the registry and stores the correspondence.
Checks the contracts to be made with third parties processing personal data and confirms their compliance within the scope of the regulations. Inspects third parties.
Determines and authorizes real and legal persons who process personal data.
Article 8- The Board is obliged to take technical and administrative measures for the protection of all personal data in Dentaforum, to continuously follow developments and administrative activities, to prepare the necessary procedures and announce them in Dentaforum, to ensure compliance with them and to supervise them. The Board ensures that audits are carried out by itself or externally at certain periods within the scope of the protection of personal data. It periodically convenes the senior management regarding the protection of personal data and ensures that both the current situation and the risks are discussed. It files the meeting decisions with wet signatures. It periodically informs the units related to the protection of personal data via portal / e-mail / announcement.
Article 9- The Committee is obliged to fulfill the obligation of disclosure regarding all personal data processing processes and to ensure that explicit consent is obtained and preserved when necessary.
The Committee is obliged to:
Ensure that the identity of the data controller is announced.
Ensure that personal data is processed for specific, legitimate and clear purposes, supervise this, and ensure that these purposes are announced to both employees and customers.
Explain to whom and for what purpose the processed data will be transferred.
Explain the data collection method and legal reason.
The Committee determines the methods of obtaining the explicit consent of the person for the processing of personal data, enforces and supervises it.
In case of recording of special personal data, it absolutely guarantees that the explicit consent is obtained.
If personal data will be kept in cloud systems or stored abroad, it absolutely ensures that the explicit consent of the personal data owner is obtained. It ensures that the foreign country to which the personal data will be transferred is declared by the board.
Article 10- In case of transfer of personal data to third parties, it determines whether or not explicit consent will be obtained from the data owner according to the status of the place/authority to which it will be shared. The situations in which explicit consent will not be obtained are specified below. In all cases, it records which data is shared with the following institutions and that third parties that comply with the following status comply with the valid principle:
When explicit consent cannot be obtained due to actual impossibility
When the life or physical integrity of the person or another person is at stake
When it is directly related to the establishment or performance of a contract
When the processing of personal data belonging to the parties to the contract is necessary
When data processing is mandatory for the establishment, exercise or protection of a right
When it is mandatory for the data controller to fulfill its legal obligation
When the person has made his/her own data public
When data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person
When non-profit organizations or formations such as political parties, foundations, associations or unions process data for their own members and affiliates, provided that it complies with the legislation and objectives they are subject to, is limited to their fields of activity and is not disclosed to third parties
When data is processed by persons under a confidentiality obligation or by authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, managing and financing of health services
If personal data is to be transferred abroad and explicit consent is not obtained, it coordinates the sharing provided that there is sufficient protection in the place where the data will be transferred or, if there is not sufficient protection, that the data controllers in Turkey and the relevant foreign country undertake in writing to provide sufficient protection and the permission of the Board is obtained.
The data sharer ensures that the place and purpose of sharing this data is made in writing and approved. It is checked and documented whether the consent of the proposed data is obtained. It ensures that it is shared after it is received with the approval of the law and the data controller.
Article 11- The Committee evaluates the applications of personal data owners and ensures coordination within Dentaforum to respond to the applications. It ensures the necessary coordination and communication in cases where communication with the Board is required.
Upon application by the personal data owner, it ensures that the following personal rights are fulfilled within 30 calendar days at the latest:
Knowing whether the person’s own personal data is processed
Requesting information regarding personal data
Explaining the purpose of processing
Explaining third parties to whom personal data is transferred, domestically or abroad
Receiving requests for correction of incomplete or incorrect processing of personal data and responding when the process is completed
Receiving requests from the person to delete or destroy their personal information and responding when the process is completed
Receiving requests for objections from the data owner in the event that a result is found to their detriment as a result of the analysis of the processed data exclusively through automated systems and responding when the process is completed
Checking whether personal data is processed against the law and following up on and concluding requests from the person
Article 12- The Committee takes the necessary measures to eliminate any deficiency or risk in terms of compliance with the Law and Policies in the processes of protection, storage, processing and destruction of personal data. In this context, the Board conducts the audit of each new processing process reported to it.
Article 13- The Committee determines the storage and destruction period for personal data as the period required for the purpose for which they are processed or as stipulated in the relevant legislation.
In accordance with Article 11/2 of the Regulation on the Erasure, Destruction or Anonymization of Personal Data, it audits the personal data processed at periods not exceeding six months and ensures that the personal data that needs to be erased, destroyed or anonymized is erased, destroyed or anonymized.
It ensures that all transactions regarding the erasure, destruction and anonymization of personal data are recorded and that the records in question are kept for a minimum of three years, excluding other legal obligations.
In case of any of the following reasons; it ensures that personal data is deleted, destroyed or anonymized within the framework of the procedures and principles specified in the regulations:
In case the reasons requiring processing are eliminated
In case the term expires
In case of request by the data owner
Article 14- The Committee creates an action plan in accordance with the regulations regarding the violations regarding the situations reported to it by Dentaforum employees and the work, transaction or actions that it considers to be contrary to the procedures and principles specified in the Policies. The Committee prepares the notification to be made to the Personal Data Owner or the Institution regarding the violation by taking into account the provisions of the legislation in force on the subject, and carries out the correspondence and communication to be made with the Institution.
In applications regarding personal data, in cases of improper procedures, the audit is carried out and concluded as stipulated in the Annex-1 Incident Management scheme. Other departments provide the necessary assistance in the relevant works.
Article 15- It sends the documents and information requested by the Board within 15 calendar days and enables on-site inspection when necessary.
In case of a complaint or for any reason, it follows up on the notifications of the Board and ensures that they are fulfilled within 30 calendar days.
Article 16- The Committee ensures that Dentaforum employees are informed in order to prevent unlawful access and to process personal data in accordance with the law. Necessary procedures are created to ensure access by employees who need to access Dentaforum personal data, and the Data Controller Representative and the Committee are jointly responsible for the creation and implementation of these. The list of limited employees who are authorized to access special personal data and the monitoring of the list are carried out by the Committee.
Entry into Force of the Internal Directive and Amendments
Article 17- The Internal Directive is put into effect by the Dentaforum management. Amendments to be made to the Internal Directive and the regulation of the Directive are also subject to the same procedure.
ANNEX-1 INCIDENT MANAGEMENT