Personal Data Storage and Destruction Policy
DENTAFORUM TİCARET HİZMETLERİ TURİZM ÖZEL SAĞLIK HİZMETLERİ
SANAYİ ve TİCARET ANONYMOUS COMPANY
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
ARTICLE 1- PURPOSE
Personal data storage and destruction policy has been prepared to determine the procedures and principles regarding the work and transactions regarding the storage and destruction of personal data processed by Dentaforum Tedavi Hizmetleri Turizm Özel Sağlık Hizmetleri Sanayi ve Ticaret Anonim Şirketi (Dentaforum).
ARTICLE 2- SCOPE
Personal data belonging to the company employees, job candidates, product and service buyers, potential product and service buyers, visitors, suppliers are within the scope of this policy.
This policy is applied to all recording environments where personal data owned or managed by the company is processed and activities related to personal data processing.
ARTICLE 3 – DEFINITIONS
Recipient group: The category of real or legal persons to whom personal data is transferred by the data controller.
Explicit consent: Consent based on information and expressed with free will regarding a specific subject
Anonymization: Making personal data in no way associable with an identified or identifiable real person, even when matched with other data
Employee: Company personnel
Electronic environment: Environments where personal data can be created, read, changed and written with electronic devices
Non-electronic environment: All written, printed, visual etc. outside of electronic environments. other environments
Service provider: A natural or legal person who provides services within the framework of a specific contract with the Company
Relevant person: A natural person whose personal data is processed
Relevant user: Persons who process personal data within the data controller organization or in accordance with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data
Destruction: Deletion, destruction or anonymization of personal data
Law: Law No. 6698 on the Protection of Personal Data
Recording medium: Any medium containing personal data processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system
Personal data: Any information related to an identified or identifiable natural person
Personal data processing inventory: Personal data processing activities carried out by data controllers in connection with their business processes; the inventory they create by relating the purposes and legal reason of processing personal data, data category, recipient group to which it is transferred and the data subject group and detailing the maximum retention period required for the purposes for which personal data is processed, personal data planned to be transferred to foreign countries and the measures taken regarding data security
Processing of personal data: Any operation performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, which is fully or partially automatic or non-automatic provided that it is part of any data recording system
Board: Personal Data Protection Board
Special personal data: Data regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures of individuals, and biometric and genetic data
Periodic destruction: Data regarding the processing conditions of personal data specified in the law in case of complete disappearance, the process of deletion, destruction or anonymization specified in the personal data storage and destruction policy and carried out ex officio at recurring intervals
Policy: Personal Data Storage and Destruction Policy
Company: Dentaforum Tedavi Hizmetleri Turizm Özel Sağlık Hizmetleri Sanayi ve Ticaret Anonim Şirketi (Dentaforum)
Product and service recipient: Patient
Data processor: Natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller
Data recording system: Recording system in which personal data is structured and processed according to certain criteria
Data controller: Natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system
Data controllers registry information system: Information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in applying to the Registry and other relevant transactions related to the Registry
VERBİS: Data Controllers Registry Information System
Regulation: October 28 Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 2017
ER
All employees and units of the company provide full and active support to the responsible units regarding the legal acquisition, processing and storage of personal data. All employees and units support the responsible units in the implementation of administrative and technical measures taken within the scope of the policy, in the training of unit employees, in ensuring, increasing and monitoring the awareness of employees, in preventing unlawful access to personal data and in the legal storage of personal data.
The distribution of titles, units and job descriptions of those responsible for the storage and destruction of personal data is shown in ADDITIONAL TABLE: 1.
ARTICLE 5- RECORDING ENVIRONMENTS
Personal data is stored securely in accordance with the law by the company in the environments listed in ADDITIONAL TABLE: 2.
ARTICLE 6- LEGAL REASONS REQUIRING STORAGE
Personal data processed within the scope of the activities in the company are stored for the period stipulated in the relevant legislation and within the scope of the law and the relevant legislation. In this context, the reasons that require storage are as follows:
Storing personal data because it is directly related to the establishment and execution of contracts,
Storing personal data for the purpose of establishing, exercising or protecting a right
Storing personal data is mandatory for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of individuals
Storing personal data for the purpose of fulfilling any legal obligations of the company
The legislation clearly stipulates that personal data should be stored
Explicit consent of data owners is available for storage activities that require the explicit consent of data owners
ARTICLE 7 – PROCESSING PURPOSES REQUIRING STORAGE
The company may process the personal data of the relevant person or third parties specified by the relevant person for various purposes, including but not limited to the following:
Conducting Emergency Management Processes
Conducting Information Security Processes
Conducting the Selection and Placement Processes of Employee Candidates / Interns / Students
Application of Employee Candidates Execution of Processes
Execution of Employee Satisfaction and Loyalty Processes
Fulfillment of Employment Contract and Legislative Obligations for Employees
Execution of Side Rights and Benefits Processes for Employees
Execution of Audit / Ethics Activities
Execution of Training Activities
Execution of Access Authorizations
Execution of Activities in Accordance with Legislation
Execution of Finance and Accounting Affairs
Ensuring Physical Space Security
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Execution of Internal Audit / Investigation / Intelligence Activities
Execution of Communication Activities
Planning of Human Resources Processes
Execution / Audit of Business Activities
Execution of Occupational Health / Safety Activities
Improvement of Business Processes Receiving and Evaluating Recommendations
Conducting Business Continuity Activities
Conducting Logistics Activities
Conducting Goods/Service Purchasing Processes
Conducting Goods/Service After-Sales Support Services
Conducting Goods/Service Sales Processes
Conducting Goods/Service Production and Operation Processes
Conducting Customer Relationship Management Processes
Conducting Activities for Customer Satisfaction
Organization and Event Management
Conducting Marketing Analysis Studies
Conducting Performance Evaluation Processes
Conducting Advertising/Campaign/Promotion Processes
Conducting Risk Management Processes
Conducting Storage and Archive Activities
Conducting Contract Processes
Conducting Strategic Planning Activities
Following Up Requests/Complaints
Protecting the Security of Movable Goods and Resources Provision
Execution of Supply Chain Management Processes
Execution of Wage Policy
Execution of Marketing Processes of Products/Services
Ensuring the Security of Data Controller Operations
Execution of Investment Processes
Execution of Talent/Career Development Activities
Provision of Information to Authorized Persons, Institutions and Organizations
Execution of Management Activities
Creation and Monitoring of Visitor Records
ARTICLE 8- LEGAL REASONS REQUIRING DESTRUCTION
Personal data shall be deleted or destroyed by the company upon the request of the relevant person or ex officio in the event of the existence of the following situations:
Changes or removal of relevant legislative provisions constituting the basis for processing personal data
Disappearance of the purpose requiring processing or storage of personal data
In cases where processing of personal data is carried out only based on the condition of explicit consent, the relevant person withdraws his/her explicit consent
Article 11 of the Law The data controller accepts the application made by the relevant person regarding the deletion and destruction of his/her personal data within the framework of his/her rights as per Article 1 of the Law
Person
ARTICLE 4- RESPONSIBILITY AND DUTY