Burak Onvural, MD

Personal Data Retention and Disposal Policy


Contact Us


Phone

+90 532 285 94 51

E-Mail

info@drburakonvural.com

Address

Talatpaşa Bulvarı No:75 Sema Apt. K:3 D:10
Alsancak/Izmir, TURKEY

Op.Dr.Burak ÖNVURAL

PROTECTION AND PROCESSING OF PERSONAL DATA, PERSONAL DATA STORAGE AND DISPOSAL POLICY

 

ABBREVIATIONS AND CONCEPTS

KVKK Law

Law No. 6698 on the Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677

GDPR

EU (European Union) General Data Protection Regulation

Constitution

The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863

Data Processor

A person who processes personal data on the authority and instructions received from the data controller, outside the data controller's organization, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Data Owner / Data Subject / Data Subjects

A natural person whose personal data is processed, such as the employees, customers, business partners, shareholders, officials, potential customers, candidate employees, interns, visitors, suppliers, employees of cooperating institutions, third parties and other persons, without limitation to those listed here, with whom the COMPANY and/or the COMPANY's affiliates/subsidiaries have a commercial relationship.

Data Controller

The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Explicit Consent

Consent on a specific subject, based on information and expressed with free will.

Disposal

Deletion, destruction or anonymization of personal data.

Recording Medium

Any medium containing personal data processed by fully or partially automatic means, or by non-automatic means provided that they are part of a data recording system.

Personal Data

Any information relating to an identified or identifiable natural person.

Special Quality Personal Data

Data on persons' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Processing of Personal Data

Any operation performed on personal data, such as obtaining, recording, storing, retaining, altering, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means or by non-automatic means provided that it is part of a data recording system.

Anonymization of Personal Data

Rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching it with other data.

Deletion of Personal Data

The process of making personal data inaccessible and non-reusable for the relevant users.

Destruction of Personal Data

The process of making personal data inaccessible, irretrievable and unusable by anyone.

Periodic Disposal

The deletion, destruction or anonymization process to be carried out ex officio at repetitive intervals in the event that all the conditions for processing personal data in the law are eliminated.

Regulations

Regulation on the Deletion, Destruction or Anonymization of Personal Data, which was published in the Official Gazette dated 28 October 2017 and numbered 30224 and entered into force as of 1 January 2018.

KVK Board / Board

Personal Data Protection Board

KVK Institution

Personal Data Protection Authority

Policy

Op.Dr.Burak ÖNVURAL Company's Personal Data Protection and Processing Policy

Turkish Penal Code

Turkish Penal Code No. 5237 dated September 26, 2004, published in the Official Gazette dated October 12, 2004 and numbered 25611.

1. INTRODUCTION

1.1. Purpose - Scope

The purpose of this policy is to regulate the methods and principles to be followed in order to ensure that personal data is processed and protected in accordance with the Law on the Protection of Personal Data (KVKK) published in the Official Gazette dated 7 April 2016 and numbered 29677.

This policy covers natural persons, in particular the Person Groups, whose personal data is processed by the Data Controller by automatic means or by non-automatic means provided that they are part of a data recording system.

1.2. Effectiveness

This Policy, prepared by Op.Dr.Burak ÖNVURAL, is dated 30.07.2021. In case of renewal of all or certain articles of the Policy, the effective date of the Policy will be updated.

The Policy is published on the Data Controller's website (www.drburakonvural.com) / bulletin board and is made available to the relevant persons upon the request of the personal data owners.

 

2. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the KVK Law, Op.Dr.Burak ÖNVURAL takes the necessary precautions to provide the appropriate level of security in order to prevent the unlawful processing of the personal data he processes, to prevent unlawful access to the data and to ensure the preservation of the data, and carries out the necessary inspections, or has them carried out, in this context.

2.1. Ensuring the Security of Personal Data

2.1.1. Technical and Administrative Measures Taken to Ensure the Lawful Processing of Personal Data, Prevent Unlawful Access and Store Data in Secure Environments

The main technical measures taken by Op.Dr.Burak ÖNVURAL to ensure that personal data are processed in accordance with the law, to prevent unlawful access to these data and to store them in safe environments are listed below:

  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems
  • Current anti-virus systems are used
  • A user account management and authorization control system is implemented and monitored
  • Personal data is backed up and the security of the backed up personal data is also ensured

2.1.2. Supervision of Measures Taken on the Protection of Personal Data

The main administrative measures taken by Op.Dr.Burak ÖNVURAL to ensure that personal data are processed in accordance with the law, to prevent unlawful access to these data and to store them in safe environments are listed below:

  • There are disciplinary regulations for employees that include data security provisions
  • Education and awareness activities are carried out periodically on data security for employees
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented
  • Confidentiality commitments are made
  • The authorizations of employees who change duties or leave their job are removed in this field
  • The signed contracts contain data security provisions
  • Personal data security policies and procedures have been determined
  • Personal data security issues are reported quickly
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data
  • Security of environments containing personal data is ensured
  • Personal data is reduced as much as possible
  • Personal data security is monitored
  • The authority matrix has been created for employees
  • Protocols and procedures for special quality personal data security have been determined and implemented

2.2. Protection of Private Personal Data

The KVK Law attaches special importance to certain personal data because of the risk of victimization or discrimination if they are processed unlawfully. These are data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Op.Dr.Burak ÖNVURAL acts sensitively in the protection of special quality personal data, which is determined as "special quality" by the KVK Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Data Controller for the protection of personal data are carefully implemented in terms of special quality personal data and the necessary controls are provided within the Data Controller.

The Data Controller, in its capacity as data controller, takes the following measures, in accordance with the Board's decision dated 31.01.2018 and numbered 2018/10, in the processing of Special Quality Personal Data, which is included in Article 6 of the Law:

  • This policy is systematic, manageable and sustainable, with clear rules for the security of personal data of special nature.
  • For Employees involved in the processing of special categories of personal data,
    • Training is provided regularly on the law and related regulations and on the security of Special Quality Personal Data,
    • Confidentiality agreements are made,
    • The scope and duration of authorization of users who have access to data are clearly defined,
    • Periodic authorization checks are carried out,
    • The authorizations of Employees who change duties or leave the job are immediately removed in this field. In this context, the inventory allocated to them by the Data Controller is taken back.
  • If the environments in which Special Quality Personal Data are processed, stored and/or accessed are electronic media,
    • Personal Data are stored using cryptographic methods,
    • Cryptographic keys are kept in secure and different environments,
    • Transaction records of all transactions performed on Personal Data are securely logged,
    • Security updates of the environments in which Personal Data are stored are constantly monitored, necessary security tests are carried out or commissioned regularly, and test results are recorded,
    • If Personal Data is accessed through software, user authorizations for this software are made, security tests of this software are carried out or commissioned regularly, and test results are recorded,
    • If remote access to Personal Data is required, an authentication system with at least two stages is provided.
  • If the environments in which Sensitive Personal Data are processed, stored and/or accessed are physical environments,
    • Adequate security measures are taken (against electrical leakage, fire, flood, theft, etc.),
    • Unauthorized entries and exits are prevented by ensuring the physical security of these environments.
  • If Special Categories of Personal Data will be transferred,
    • If Personal Data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a Registered Electronic Mail (KEP) account,
    • If it needs to be transferred via media such as Removable Memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment,
    • If the transfer is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between the servers or using the SFTP method,
    • If the Personal Data needs to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the documents by unauthorized persons, and the document is sent in a "Confidential" format.
  • In addition to the measures mentioned above, technical and administrative measures to ensure the appropriate level of security specified in the Personal Data Security Guide published on the website of the Personal Data Protection Authority should also be taken into account.

3. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

3.1. Clarifying and Informing the Personal Data Owner

Op.Dr.Burak ÖNVURAL informs personal data owners during the acquisition of personal data in accordance with Article 10 of the KVK Law. In this context, he states the identity of the Data Controller and his representative, if any, the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data owner.

Article 20 of the Constitution states that everyone has the right to be informed about their personal data. Accordingly, in Article 11 of the KVK Law, "requesting information" is also listed among the rights of the personal data owner. In this context, the Data Controller provides the necessary information in case the personal data owner requests information in accordance with the 20th article of the Constitution and the 11th article of the KVK Law.

3.2. Processed Personal Data and Person Groups

| Personal Data Categorization | Data Owner Category to which the Relevant Personal Data is Related |
|---|---|
| Name-Surname | Employee; Employee Candidate; Potential Product or Service Buyer; Product or Service Recipient; Patient; Supplier; Doctor; Bank Official; Visitor; Employee Relative; Patient Relative; Supplier Officer; Supplier Employee; Patient's Parent/Guardian/Representative; Patient's Relative / 3rd Person |
| Phone number etc. | Employee; Employee Candidate; Potential Product or Service Buyer; Product or Service Recipient; Patient; Doctor; Patient Relative; Supplier Officer; Supplier Employee |
| TC ID number etc. | Employee; Person Receiver of Products or Services; Supplier; Doctor; Relatives of Employees; Candidate Employees; Patient; Potential Product or Service Purchaser; Relatives of Patients; Patient's Parent/Guardian/Representative |
| Information in correspondence with judicial authorities | Employee; Person Receiver of Product or Service; Supplier |
| Information in the case file, etc. | Employee; Person Receiver of Product or Service; Supplier |
| Payroll information | Employee |
| Mission | Employee |
| Registration of employment entry-exit document | Employee |
| Balance sheet information | Supplier; Doctor |
| Invoice | Supplier; Product or Service Receiver |
| Contact address | Supplier; Person Receiving Product or Service; Doctor; Employee; Candidate Employee; Patient; Potential Product or Service Buyer; Patient Relative; Supplier Official; Supplier Employee |
| Financial performance information | Doctor |
| Credit and risk information | Doctor |
| Signature | Employee; Supplier; Person Receiver of Products or Services; Doctor; Patient; Patient Relatives; Patient's Parent/Guardian/Representative |
| Employee Bank Account Information | Employee |
| Email address | Bank Official; Person Receiving Product or Service; Supplier; Doctor; Employee; Candidate Employee; Patient; Potential Product or Service Purchaser |
| Order information | People Receiving a Product or Service |
| Bank Account IBAN Information | Doctor; Employee |
| Tax Identity Number | Doctor |
| Registered e-mail address (REM) | Employee |
| Password and password information etc. | Employee; Doctor; Visitor |
| Entry and exit registration information of employees and visitors | Employee |
| Camera recordings etc. | Employee; Potential Product or Service Purchaser; Visitor; Supplier Employee; Supplier |
| Physical Space Entry-Exit Information | Potential Product or Service Buyer |
| Cookie records | Visitor |
| IP address information | Visitor |
| Website login and logout information | Visitor |
| Parent Name | Employee; Employee Relative; Employee Candidate |
| Date of birth | Employee; Relatives of Employees; Candidate Employees; Person Receiving Products or Services; Patient; Potential Product or Service Purchaser |
| Place of birth | Employee; Employee Candidate |
| Marital status | Employee; Employee Candidate |
| Address no | Employee; Doctor; Patient |
| Personal health information | Employee; Person Receiver of Product or Service; Patient; Potential Product or Service Purchaser |
| Personnel Overtime Attendance Information | Employee |
| Identity card serial number | Employee; Doctor |
| Blood group information | Employee; Person Receiving Products or Services; Patient |
| Incapacity Report Information | Employee |
| Employee Reference Information | Employee Candidate |
| Diploma information | Employee Candidate; Employee |
| Courses attended | Employee Candidate; Employee |
| Visual Records | Employee Candidate; Person Receiving Product or Service; Patient |
| In-service training information | Employee Candidate; Employee |
| Curriculum vitae | Employee Candidate |
| Certificates | Employee Candidate; Employee |
| Transcript information etc. | Employee Candidate; Employee |
| Title | Doctor |
| Photo | Employee; Patient |
| Employee Family Members Identity and Address Information | Employee |
| Information on criminal convictions | Employee |
| Information on security measures, etc. | Employee |
| Salary and Payment Information | Employee |
| Disability information | The Person Receiving the Product or Service; Patient |
| Patient/Customer SSI Information | People Receiving a Product or Service; Patient; Potential Product or Service Recipient |
| Diagnosis of the Disease | People Receiving a Product or Service; Patient; Potential Product or Service Recipient |
| Device used and prosthesis information etc. | The Person Receiving the Product or Service; Patient |
| Private Health Insurance Information | The Person Receiving the Product or Service; Patient |
| Information on Sexual Life etc. | The Person Receiving the Product or Service; Patient |
| Genetic Data etc. | The Person Receiving the Product or Service; Patient |
| Medicines Used by the Patient in the Last Year | People Receiving a Product or Service; Patient; Potential Product or Service Recipient |
| Medications Taken by the Patient on Prescription in the Last Year | People Receiving a Product or Service; Patient; Potential Product or Service Recipient |
| Drug Information | The Person Receiving the Product or Service; Patient |
| Medula Tracking Number | The Person Receiving the Product or Service; Patient |
| Protocol Number | The Person Receiving the Product or Service; Patient |
| Prescription Protocol Number | The Person Receiving the Product or Service; Patient |
| Assay-Test Results | The Person Receiving the Product or Service; Patient |
| Patient's Relative/3rd Person T.C. ID Number | People Receiving a Product or Service |
| Audio Recordings etc. | The Person Receiving the Product or Service; Patient |
| SSI Number | The Person Receiving the Product or Service; Patient |
| Video Recordings | The Person Receiving the Product or Service; Patient |
| Doctor Stamp and Signature | Doctor |
| Information of the Health Institution Where the Doctor Works | Doctor |
| Diploma Registration Number | Doctor |
| Digital Signature | Doctor |
| Doctor's Branch | Doctor |
| Drug DataMatrix | Patient |
| Prescription Number | Patient; Person Receiving Products or Services |
| Prescription Type | Patient; Person Receiving Products or Services |
| Gender | Patient |
| Drug Usage Information | Patient |
| Height and Weight | Patient |
| Demand information etc. | Patient's Relative / 3rd Person; Patient |
| Association Membership Information | The Person Receiving the Product or Service; Patient |
| Inspection Fee Information | The Person Receiving the Product or Service; Patient |
| Foundation Membership Information | The Person Receiving the Product or Service; Patient |

3.3. Conditions of Processing of Personal Data and Purposes of Processing

Op.Dr.Burak ÖNVURAL processes personal data within the limits of the purposes and conditions set out in the personal data processing conditions specified in Articles 5 and 6 of the KVK Law. These conditions are:

  • Explicit consent has been obtained
  • It is explicitly stipulated in the laws for the Data Subject to act in relation to the processing of your personal data
  • The processing of your personal data by the Data Controller is directly related to and necessary for the establishment or performance of a contract
  • The processing of your personal data is mandatory for the Data Controller to fulfill its legal obligation
  • Limited processing of your personal data by the Data Controller, provided that it has been made public by you
  • The processing of your personal data by the Data Controller is mandatory for the establishment, exercise or protection of the rights of the Data Controller, you or third parties
  • The processing of personal data is mandatory for the legitimate interests of the Data Controller, provided that it does not harm your fundamental rights and freedoms
  • The processing of personal data by the Data Controller is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and the personal data owner is unable to express consent due to actual or legal invalidity
  • For special quality personal data other than the health and sexual life of the personal data owner, the processing is stipulated in the laws
  • Sensitive personal data related to the health and sexual life of the personal data owner is processed by persons or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing

In this context, the Data Controller processes your personal data for the following purposes:

PROCESSING OBJECTIVES

  • Execution of Communication Activities
  • Following and Execution of Legal Affairs
  • Tracking of Requests / Complaints
  • Informing Authorized Persons, Institutions and Organizations
  • Execution of Activities in Compliance with the Legislation
  • Execution of Finance and Accounting Affairs
  • Execution of Goods / Services Procurement Process
  • Execution of Goods / Services Sales Processes
  • Execution of Goods / Services Production and Operation Processes
  • Execution of Management Activities
  • Execution of Information Security Processes
  • Providing Physical Space Security
  • Ensuring the Security of Movable Property and Resources
  • Execution of Audit / Ethical Activities
  • Execution of Access Authorities
  • Creating and Tracking Visitor Records
  • Fulfilling Employee Contract and Legal Obligations
  • Execution of Benefits and Benefits Processes for Employees
  • Execution of Occupational Health / Safety Activities
  • Execution of Business Continuity Activities
  • Execution / Supervision of Business Activities
  • Executing the Application Process of Employee Candidates
  • Execution of Employee Candidate / Intern / Student Selection and Placement Processes
  • Execution of Educational Activities
  • Health Service Presentation for the Relevant Person
  • Execution of Medical Diagnosis, Treatment and Care Services
  • Planning and Management of Health Services and Financing
  • Execution of Customer Relationship Management Processes
  • Execution of Contracted Institutions Business Processes
  • Executing Supply Chain Management Processes
  • Receiving and Evaluating Suggestions for Improvement of Business Processes

3.4. Recording and Storage of Personal Data

3.4.1. Recording and Storage Media

Personal data of data owners are securely recorded and stored by the Data Controller in the environments listed in the table below, in accordance with the relevant legislation, especially the provisions of the KVKK:

Recording and Storage Media

  • Phone
  • Overseas Server
  • Domestic Server
  • Locked Archive Cabinet
  • Archive Cabinet
  • Computer
  • Flash Memory
  • Hard Disk
  • Paper
  • Overseas Email Server
  • Domestic Email Server
  • Business Server
  • DVD
  • Access Restricted File

3.4.2. Retention Periods of Personal Data

Where a retention period is stipulated in the relevant laws and regulations, the Data Controller keeps personal data for the period specified in that legislation. The storage, destruction and periodic destruction periods determined by the Data Controller are as follows:

| Activity | Retention Period | Destruction Time |
|---|---|---|
| Contact Management | 1 Year From The End Of The Purpose Of Data Processing | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the end of the Storage Period, at the first Periodic Destruction time; Within 30 days of response time after the Deletion Request |
| Execution of Health Service Activities | 1 Year from the End of the Data Processing Purpose; 10 Years from the End of the Data Processing Purpose; 10 Years from the End of the Legal Relationship; 3 Months - 1 Year; 2 Years | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the end of the Storage Period, at the first Periodic Destruction time; Within 30 days of response time after the Deletion Request |
| Litigation and Enforcement Follow-up Process | 10 Years Since the End of Legal Relationship | At the first Periodic Disposal time as of the expiry of the Storage Period |
| Execution of Financial Activities | 10 Years Since the End of Legal Relationship | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Preparation of Financial Statements and Sending to Relevant Institutions | 10 Years Since the End of Legal Relationship | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Cash Operation Process | 10 Years Since the End of Legal Relationship | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Bank and Payment Transactions | 10 Years From The End Of The Legal Relationship; 15 Years From The End Of The Business Relationship | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Invoice Process | 10 Years Since the End of Legal Relationship | At the first Periodic Disposal time as of the expiry of the Storage Period |
| Declaration Process | 10 Years Since the End of Legal Relationship | At the first Periodic Disposal time as of the expiry of the Storage Period |
| Security of Information Systems | 6 Months - 2 Years | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Office Equipment Records - Photocopy, Fax, Printer Etc. Usage Information Logging | 6 Months - 2 Years | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Security Management | 6 Months - 2 Years; 48 Hours | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| The Process of Conducting Activities in Compliance with the Legislation | 48 Hours; 10 Years From The End Of The Legal Relationship; 15 Years From The End Of The Employment Contract | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Occupational Health and Safety Processes Management | 48 Hours; 15 Years from the End of the Employment Relationship; 15 Years from the End of the Employment Contract | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Camera Recordings | 48 Hours | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Cookie Usage Process | 6 Months - 2 Years | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| User Experience Improvement Activity | 6 Months - 2 Years | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Web Page Visitor Access Process | 6 Months - 2 Years | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Preparation of Payroll and Salary Files | 15 Years Since the Termination of the Employment Relationship | At the time of the first Periodic Destruction as of the end of the Retention Period; Not Longer than 30 Days from the Communiqué of the Personal Data Protection Board's Decision Regarding the Destruction of Personal Data |
| SGK-Accrual Transactions | 15 Years Since the Termination of the Employment Relationship | At the first Periodic Disposal time as of the expiry of the Storage Period |
| Payroll Process | 15 Years Since the Termination of the Employment Relationship | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Personnel File Creation Process | 15 Years Since the Termination of the Employment Relationship | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Retirement Reports and Collection | 15 Years Since the Termination of the Employment Relationship | At the first Periodic Disposal time as of the expiry of the Storage Period |
| Notification of Occupational Accident, Occupational Disease | 15 Years Since the Termination of the Employment Relationship | At the first Periodic Disposal time as of the expiry of the Storage Period |
| Personnel Time Tracking | 15 Years Since the Termination of the Employment Relationship | At the first Periodic Disposal time as of the expiry of the Storage Period |
| Creating Personnel Name List | 15 Years Since the Termination of the Employment Relationship | At the first Periodic Disposal time as of the expiry of the Storage Period |
| Layoff Process | 15 Years Since the Termination of the Employment Relationship | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Annulment Procedures | 15 Years from the End of the Employment Relationship; 15 Years from the End of the Employment Contract | At the time of the first Periodic Destruction as of the end of the Retention Period; Not Longer than 30 Days from the Communiqué of the Personal Data Protection Board's Decision Regarding the Destruction of Personal Data |
| Recruitment Notices | 15 Years Since the Termination of the Employment Relationship | At the first Periodic Disposal time as of the expiry of the Storage Period |
| The Process of Recruitment and Creation of Personal File | 15 Years Since the Termination of the Employment Relationship | At the time of the first Periodic Destruction as of the end of the Retention Period; After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the Latest 30 Days; Within 30 days of response time after the Deletion Request |
| Recruitment/Periodic Inspection Process | 15 Years Since the Termination of the Employment Relationship | At the first Periodic Disposal time as of the expiry of the Storage Period |
| Processing of Health Reports | 15 Years from the Termination of the Business Relationship; 10 Years from the Termination of the Purpose of Data Processing | At the time of the first Periodic Destruction as of the end of the Retention Period; Not Longer than 30 Days from the Communiqué of the Personal Data Protection Board's Decision Regarding the Destruction of Personal Data |
| Creating the Employee's Personal File | 15 Years from the End of the Employment Relationship; 15 Years from the End of the Employment Contract | At the time of the first Periodic Destruction as of the end of the Retention Period; Not Longer than 30 Days from the Communiqué of the Personal Data Protection Board's Decision Regarding the Destruction of Personal Data |
| Employee Employment | 1 Year | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |
| Execution of Job Application Activities | 15 Years Since the Termination of the Employment Relationship | After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days; At the time of the first Periodic Destruction as of the end of the Storage Period |

Recruitment Process

15 Years from the Termination of the Employment Relationship
15 Years from the Termination of the Employment Contract

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Tracking and Processing of Personnel Leaves

15 Years Since the Termination of the Employment Relationship

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

SGK Accrual and İşkur Transactions

10 Years from the End of the Legal Relationship
15 Years from the End of the Employment Contract

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Executing Human Resources Activities

15 Years from Termination of Employment

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Training Activities

15 Years From Termination of Employment

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Creating Patient File Records

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Health Service Usage Data Collection Activity

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Customer Communication Management

3 Months - 1 Year
1 year from the Expiration of the Purpose of Data Processing
2 Years

After the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
After the expiry of the Storage Period, at the first Periodic Destruction time
Within 30 days of response time after the Deletion Request
Deletion/Destruction: immediately deleted and destroyed at the relevant person's request

Creating Customer/Patient Appointment Records

1 Year

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Processing of Medical Examination and Laboratory Results

10 Years From The End Of The Purpose Of Data Processing
3 Months - 1 Year

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Conducting Scientific Education and Research Activities

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Creating Patient File Records

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Continuing Patient Safety Monitoring Activities

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Prescription Operations Activity

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Prescription Control Approval Process

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Purchasing and Procurement Activities

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Order Process

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Execution of Procurement Activities

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Supplier Communication Management

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Patient Clarification/Information Process

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Approval Procedures

10 Years from the End of the Purpose of Data Processing

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Emergency Management

3 Months - 1 Year

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Customer Complaint Management

2 Years

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Billing

10 Years Since the End of Legal Relationship

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Private Health Insurance Process

10 Years Since the End of Legal Relationship

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Provisioning Process

10 Years Since the End of Legal Relationship

After the Notification of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
At the time of the first Periodic Destruction as of the end of the Storage Period

Social Media Management

1 year from the Expiration of the Purpose of Data Processing

After the Communiqué of the Decision of the Personal Data Protection Board on the Destruction of Personal Data, at the latest 30 Days
After the expiry of the Storage Period, at the first Periodic Destruction time
Within 30 days of response time after the Deletion Request
Deletion/Destruction: immediately deleted and destroyed at the relevant person's request

Where the purpose of processing personal data has ended and the storage periods determined by the relevant legislation and the Data Controller have also expired, personal data may be stored only to provide evidence in possible legal disputes, to assert a right related to the personal data, or to establish a defense. In establishing the periods herein, and notwithstanding the expiry of the statute of limitations for asserting the right in question, retention periods are determined on the basis of examples from requests previously made to the Data Controller on the same issues. In this case, the stored personal data is not accessed for any other purpose, and access is provided only when it is necessary to use the data in the relevant legal dispute. Here, too, personal data is deleted, destroyed or anonymized after the aforementioned period expires.

3.5. Third Parties and Purposes of Transfer of Personal Data

Op.Dr.Burak ÖNVURAL notifies the personal data owner of the groups of persons to whom personal data is transferred, in accordance with Article 10 of the KVKK Law.

The Data Controller may, in accordance with Articles 8 and 9 of the KVKK Law, transfer the personal data of data subjects governed by the Policy to the following categories of persons:

  • Domestic Recipients: Authorized Public Institutions and Organizations, Natural Persons or Private Law Legal Entities
  • Foreign Recipients: Natural Persons or Private Law Legal Entities

The scope of the persons mentioned above and the purposes of data transfer to them are stated below.

Persons to whom Data can be Transferred

Definition

Data Transfer Purpose

Authorized Public Institutions and Organizations

Public institutions and organizations authorized to receive information and documents from the Company in accordance with the provisions of the relevant legislation

Court Order
Following the Legal Actions and Transactions of the Data Controller
Administrative Request
Legal Liability
Server Usage
Operational Transactions
Mandatory System-Infrastructure Usage
Providing Service for the Relevant Person
Transmission to Data Processors

Real Persons or Private Law Legal Entities

Private legal persons or natural persons authorized to receive information and documents from the Company in accordance with the provisions of the relevant legislation

Scientific Research Activity
Providing Service for the Relevant Person
Conveying to Data Processors
Using Mandatory System-Infrastructure
Providing Communication via Social Media

Digital Communication Provider (Google Inc., WhatsApp LLC, Facebook Groups, etc.)

 

Providing Communication on Social Media
Server Usage

Legal Counsel

 

Consulting
Following the Legal Affa