Privacy Policy
POLICY ON STORAGE AND DESTRUCTION OF SPECIAL CATEGORIES OF PERSONAL DATA WITHIN THE SCOPE OF LAW NO. 6698 BY DENTHEKİM SAĞLIK HİZMETLERİ ANONİM ŞİRKETİ
1.1 Purpose
The Special Categories of Personal Data Storage and Destruction Policy (“Policy”) has been prepared to establish the procedures and principles regarding the storage and destruction activities carried out by Denthekim Sağlık Hizmetleri Anonim Şirketi (“Company”).
The Company has prioritized the processing of personal data belonging to its employees, job candidates, service providers, visitors, and other third parties in compliance with the Constitution of the Republic of Turkey, international agreements, Law No. 6698 on the Protection of Personal Data (“Law”), and other relevant legislation, as well as ensuring the effective exercise of the rights of the relevant persons, in line with the mission, vision, and core principles determined in the Strategic Plan.
The procedures and operations regarding the storage and destruction of special categories of personal data are conducted in accordance with this Policy prepared by the Company.
1.2 Scope
This Policy covers the special categories of personal data belonging to the Company’s employees, job candidates, service providers, visitors, and other third parties, and applies to all recording environments where such data is stored or processed, whether owned or managed by the Company, as well as all activities related to personal data processing.
1.3 Abbreviations and Definitions
| Term | Definition |
|---|---|
| Recipient Group | The category of natural or legal persons to whom personal data is transferred by the data controller. |
| Explicit Consent | Consent given freely, explicitly, and based on being informed about a specific matter. |
| Anonymization | The process of rendering personal data such that it cannot be associated with an identified or identifiable natural person, even when combined with other data. |
| Employee | Personnel of the Personal Data Protection Authority. |
| EBYS | Electronic Document Management System. |
| Electronic Environment | Environments where personal data can be created, read, modified, and written using electronic devices. |
| Non-Electronic Environment | All environments outside of electronic media, including written, printed, visual, etc. |
| Service Provider | Natural or legal persons providing services under a specific contract with the Personal Data Protection Authority. |
| Data Subject | The natural person whose personal data is processed. |
| Relevant User | Persons processing personal data within the data controller’s organization or under its authority and instructions, except for those responsible for technical storage, protection, and backup. |
| Destruction | The deletion, destruction, or anonymization of personal data. |
| Law | Law No. 6698 on the Protection of Personal Data. |
| Recording Environment | Any environment where personal data is processed, either fully or partially automated, or manually as part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Personal Data Processing Inventory | An inventory detailing data processing activities carried out by data controllers in relation to business processes, including purposes, legal grounds, categories of data, recipient groups, data subjects, maximum retention periods, international transfers, and security measures. |
| Processing of Personal Data | Any operation performed on personal data, fully or partially automated or manual, such as collection, recording, storage, alteration, disclosure, transfer, classification, or prevention of use. |
| Board | Personal Data Protection Board. |
| Special Categories of Personal Data | Data related to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing, association or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
| Periodic Destruction | The automatic or repeated deletion, destruction, or anonymization of personal data at intervals defined in the data retention and destruction policy once the legal basis for processing ceases to exist. |
| Policy | The Personal Data Storage and Destruction Policy. |
| Data Processor | Natural or legal persons processing personal data on behalf of the data controller based on authorization. |
| Data Recording System | A system structured according to certain criteria for processing personal data. |
| Data Controller | The natural or legal person who determines the purposes and means of personal data processing and is responsible for establishing and managing the data recording system. |
| Data Controllers Registry Information System (VERBIS) | The IT system created and managed by the Authority, accessible online, used by data controllers for registry applications and related processes. |
| Regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017. |
All units and employees of the Company actively support the responsible units in ensuring the proper implementation of the technical and administrative measures taken under the Policy, training and raising awareness of employees, monitoring, continuous auditing, preventing unlawful processing and unlawful access to personal data, and ensuring lawful storage of personal data. They also support the implementation of technical and administrative security measures in all environments where personal data is processed.
The distribution of titles, units, and job descriptions for personnel involved in data retention and destruction processes is shown in Table 1.
| Title | Unit | Responsibility |
|---|---|---|
| Denthekim Sağlık Hizmetleri A.Ş. | Data Controller | Responsible for ensuring employees act in compliance with the Policy. |
| Denthekim Sağlık Hizmetleri A.Ş. | Data Controller | Responsible for preparing, developing, implementing, publishing, and updating the Policy in relevant environments. |
| Denthekim Sağlık Hizmetleri A.Ş. | Data Controller | Responsible for providing the technical solutions needed for the implementation of the Policy. |
| Human Resources and Support Services | Other Units | Responsible for executing the Policy according to their duties. |
3. STORAGE MEDIA
Personal data is securely stored by the Institution in a lawful manner in the media listed in Table 2.
| Electronic Media | Non-Electronic Media |
|---|---|
| Servers (Domain, backup, email, database, web, file sharing, etc.) | Manual data recording systems (survey forms, visitor logbook) |
| Information security devices (firewall, intrusion detection, etc.) | Written, printed, visual media |
| Personal computers (desktop, laptop) | Paper |
| Mobile devices (phone, tablet, etc.) | |
| Optical disks (CD, DVD, etc.) | |
| Removable memory devices (USB, memory card, etc.) | |
| Printer, scanner, photocopier |
4. EXPLANATIONS REGARDING STORAGE AND DESTRUCTION
Special category personal data belonging to employees, job candidates, visitors, and third parties engaged as service providers are stored and destroyed in accordance with the law and policy by the company.
Detailed explanations regarding storage and destruction are provided below in order.
4.1 Explanations Regarding Storage
Article 3 of the Law defines the concept of processing personal data. Article 4 states that the processed personal data must be connected, limited, and proportionate to the purpose of processing and must be retained for the period required by relevant legislation or the purpose of processing. Articles 5 and 6 list the conditions for processing personal data.
Accordingly, personal data within the company's activities is retained for the period prescribed by the relevant legislation or appropriate for our processing purposes.
4.1.1 Legal Reasons Requiring Storage
Personal data processed within the company’s activities is retained for the duration stipulated in the relevant legislation. Within this scope, personal data is stored according to the retention periods prescribed by:
- Law No. 6698 on the Protection of Personal Data,
- Turkish Code of Obligations No. 6098,
- Social Insurance and General Health Insurance Law No. 5510,
- Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through These Publications,
- Public Financial Management Law No. 5018,
- Occupational Health and Safety Law No. 6331,
- Right to Information Law No. 4982,
- Petition Law No. 3071,
- Labor Law No. 4857,
- Retirement Health Law No. 5434,
- Social Services Law No. 2828,
- Regulation on Health and Safety Measures in Workplace Buildings and Annexes,
- Regulation on Archive Services,
- Other secondary regulations in force under these laws.
4.1.2 Processing Purposes Requiring Storage
The company stores special category personal data processed in its activities for the following purposes:
- Fulfillment of employment contract and legislative obligations for employees,
- Execution of emergency management processes,
- Fulfillment of contract procedures,
- Execution of storage and archiving activities,
- Planning human resources processes,
- Conducting finance and accounting tasks,
- Managing job candidate application processes,
- Conducting occupational health and safety activities,
- Execution of emergency management processes,
- Monitoring employee check-in and check-out and work tracking,
- Predicting workplace risks,
- Planning, auditing, and implementing information security processes,
- Establishing and managing information technology infrastructure,
- Planning and implementation of employee benefits and rights,
- Planning and implementing corporate communication and social responsibility activities involving employees,
- Managing employee access rights to information,
- Tracking and/or auditing employees’ work activities,
- Managing finance and/or accounting activities,
- Managing legal affairs,
- Planning human resources processes,
- Planning and implementing efficiency/productivity analyses of work activities,
- Planning and execution of work activities,
- Planning and managing access rights of business partners and/or suppliers,
- Managing relationships with business partners and/or suppliers,
- Planning and implementation of occupational health and safety processes,
- Planning and implementation of business continuity activities,
- Planning and implementing corporate communication activities,
- Planning and implementing corporate governance activities,
- Planning and executing logistics activities,
- Planning and execution of customer relationship management processes,
- Planning and/or execution of customer satisfaction activities,
- Tracking customer requests and/or complaints,
- Conducting personnel recruitment processes,
- Fulfillment of employment contract and legal obligations for company employees,
- Planning and execution of company audit activities,
- Planning and execution of external training activities,
- Ensuring that company activities comply with company procedures and relevant legislation,
- Planning and/or execution of internal training activities,
- Planning and execution of internal orientation activities,
- Ensuring security of company operations and tracking visitor records,
- Ensuring security of company campuses and/or facilities,
- Planning and/or execution of processes to create or increase loyalty to company products and/or services,
- Planning and/or execution of company production and/or operational risk processes,
- Conducting company and partnership law transactions,
- Tracking contract processes and/or legal claims,
- Executing strategic planning activities,
- Planning and execution of supply chain management processes,
- Payroll management,
- Planning and execution of service and/or operational processes,
- Planning and execution of market research for service sales and marketing,
- Planning and execution of service marketing processes,
- Planning and execution of service sales processes,
- Ensuring data accuracy and up-to-date status,
- Providing information to authorized institutions as required by legislation.
4.2 Reasons Requiring Destruction
Special category personal data shall be deleted, destroyed, or anonymized by the company upon request of the related person or ex officio in the following cases:
- Amendment or repeal of relevant legislation provisions governing its processing,
- Elimination of the purpose requiring processing or storage,
- Withdrawal of explicit consent by the related person,
- Acceptance by the company of the request for deletion and destruction of personal data made by the related person under Article 11 of the Law,
- If the company rejects, finds insufficient, or fails to respond within the legal time frame to a request by the related person for deletion, destruction, or anonymization of personal data, and the related person files a complaint with the Board, and the Board approves the request,
- The expiration of the maximum retention period required for storing personal data and no other justification for further retention exists.
5. TECHNICAL AND ADMINISTRATIVE MEASURES
To ensure the secure storage, lawful processing, prevention of unauthorized access, and lawful destruction of personal data, the company takes sufficient technical and administrative measures announced and determined by the company for special category personal data, pursuant to Articles 12 and 6/4 of the Law.
5.1 Technical Measures
Technical measures taken by the company regarding the personal data processed are listed below:
- Network and application security is ensured,
- Closed system networks are used for personal data transfers via networks,
- Key management is applied,
- Security measures are taken within the scope of IT systems procurement, development, and maintenance,
- Security of personal data stored in the cloud is ensured,
- Access logs are regularly kept,
- Data masking is applied when necessary,
- Access rights of employees with role changes or who leave the company are revoked,
- Up-to-date antivirus systems are used,
- Firewalls are used,
- Personal data security issues are reported promptly,
- Physical environments containing special category personal data are protected against external risks (fire, flood, etc.),
- Security of environments containing special category personal data is ensured,
- Collection of special category personal data is minimized as much as possible,
- Backup copies of special category personal data are maintained and their security is ensured,
- User account management and authorization control systems are implemented and monitored,
- Periodic and/or random internal audits are conducted,
- Log records are maintained without user intervention,
- Existing risks and threats are identified,
- Intrusion detection and prevention systems are used,
- Cybersecurity measures are implemented and continuously monitored,
- Special category personal data is protected using cryptographic methods,
- Cryptographic keys are securely stored in separate environments.
5.2 Administrative Measures
Administrative measures taken by the company regarding the personal data processed are listed below:
- Employees receive training to improve their skills and prevent unlawful processing or access to special category personal data, including communication techniques, technical knowledge, Law No. 657, and other relevant legislation,
- Employees sign confidentiality agreements related to company activities,
- Disciplinary procedures are prepared for employees who do not comply with security policies and procedures,
- The company fulfills its obligation to inform the related persons before starting personal data processing,
- A personal data processing inventory has been prepared,
- Periodic and random internal audits are conducted,
- Employees receive information security training.
6. PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the retention period prescribed by the relevant legislation or the necessary retention period for the processing purposes, personal data is destroyed by the company ex officio or upon the related person's request, using the techniques specified below, in compliance with relevant legislation.
6.1 Deletion of Personal Data
Personal data are deleted using the methods specified in Table 3.
| Data Storage Medium | Description |
|---|---|
| Personal Data on Servers | For special category personal data on servers whose retention period has expired, the system administrator removes access rights of relevant users and deletes the data. |
| Personal Data in Electronic Environment | Special category personal data in electronic environment whose retention period has expired become completely inaccessible and unusable by all employees except the database administrator. |
| Personal Data in Physical Environment | For special category personal data held physically, after the retention period expires, all employees except the unit manager responsible for document archives are denied access, and the data are made unusable. Additionally, redaction (crossing out/painting/scratching) is applied to make the data unreadable. |
| Personal Data on Portable Media | Special category personal data stored on flash-based media, whose retention period has expired, are encrypted by the system administrator and the access rights are limited only to the system administrator. Encryption keys are stored securely. |
| Personal Data in Electronic Environment (Non-Special Category) | Personal data in electronic environment whose retention period has expired become completely inaccessible and unusable by all employees except the database administrator. |
| Personal Data in Physical Environment (Non-Special Category) | For personal data held physically, after the retention period expires, all employees except the unit manager responsible for document archives are denied access, and the data are made unusable. Redaction is also applied to make the data unreadable. |
| Personal Data on Portable Media (Non-Special Category) | Personal data stored on flash-based media whose retention period has expired are encrypted by the system administrator with access limited only to the system administrator. Encryption keys are stored securely. |
6.2 Destruction of Personal Data
| Data Storage Medium | Description |
|---|---|
| Personal Data in Physical Environment | Paper-based personal data whose retention period has expired are destroyed irreversibly. |
6.3 Anonymization of Personal Data
Anonymization of personal data means making it impossible to associate the data with an identified or identifiable natural person, even when combined with other data.
For personal data to be considered anonymized, it must be ensured that, by using appropriate technical methods related to the storage medium and activity area — such as preventing restoration by the data controller or third parties and disallowing combination with other data — it cannot be linked to an identified or identifiable individual in any way.
7. RETENTION AND DESTRUCTION PERIODS
Regarding personal data processed within its activities, the institution determines:
- Retention periods for personal data by individual data in the Personal Data Processing Inventory,
- Retention periods by data category in the VERBİS registry,
- Retention periods by process in the Special Category Personal Data Retention and Destruction Policy.
The company may update these retention periods if necessary.
For personal data whose retention periods have expired, deletion, destruction, or anonymization is carried out automatically by the IT department.
| Process | Retention Period | Destruction Period |
|---|---|---|
| Special Category Personal Data (racial/ethnic origin, association, foundation, union, health, and genetic data) | 20 years | At the first periodic destruction period following expiration of the retention period |
8. PERIODIC DESTRUCTION PERIOD
The company has set the periodic destruction period to once a year. Accordingly, periodic destruction is carried out every December.
9. POLICY PUBLICATION AND STORAGE
The policy is published in two different formats: wet-signed (printed paper) and electronically. It is publicly disclosed on the company website. The printed copy is kept on file at the company.
10. POLICY REVIEW PERIOD
The policy is reviewed and updated as needed.
11. ENFORCEMENT AND TERMINATION OF THE POLICY
The policy is considered effective once it is published on the company’s website. In case of a decision to repeal the policy, the old signed copies of the policy are annulled by the company (either by stamping "canceled" or writing cancellation notes) and signed, and kept by the company for at least 5 years.
DENTHEKİM HEALTH SERVICES JOINT STOCK COMPANY PERSONAL DATA STORAGE AND DESTRUCTION POLICY
UNDER LAW NO. 6698
Address: Başakşehir Mah. Prof. Dr. Necmettin Erbakan Cad. Arterium Residence 2, No:13 D:15 Başakşehir/Istanbul
Tel: 444 8 814
Web: [email protected]
1. INTRODUCTION
1.1 Purpose
The Personal Data Storage and Destruction Policy ("Policy") is prepared to set out the procedures and principles regarding the storage and destruction activities carried out by the Personal Data Protection Authority ("Authority").
The Authority prioritizes the processing of personal data belonging to its employees, job applicants, service providers, visitors, and other third parties in accordance with the Constitution of the Republic of Turkey, international treaties, Law No. 6698 on the Protection of Personal Data ("Law"), and other relevant legislation, and ensures that the relevant individuals exercise their rights effectively.
All procedures and operations related to the storage and destruction of personal data are carried out in accordance with this Policy prepared by the Authority.
1.2 Scope
This Policy applies to the personal data of the Authority’s employees, job applicants, service providers, visitors, and other third parties, and to all recording environments and data processing activities where the personal data owned or managed by the Authority is processed.
1.3 Abbreviations and Definitions
| Term | Definition |
|---|---|
| Recipient Group | The category of real or legal persons to whom personal data is transferred by the data controller. |
| Explicit Consent | Consent given freely, based on information, and regarding a specific subject. |
| Anonymization | Rendering personal data so that it cannot be associated with an identified or identifiable person, even when matched with other data. |
| Employee | Personnel of the Personal Data Protection Authority. |
| EBYS (Electronic Document Management System) | Electronic Document Management System. |
| Electronic Environment | Environments where personal data can be created, read, modified, and written using electronic devices. |
| Non-Electronic Environment | All written, printed, visual, or other media outside of electronic environments. |
| Service Provider | Real or legal persons providing services under a specific contract with the Personal Data Protection Authority. |
| Data Subject | The real person whose personal data is processed. |
| Relevant User | Persons processing personal data within the data controller organization or authorized by the data controller, excluding those responsible for technical storage, protection, and backup of data. |
| Destruction | Deletion, destruction, or anonymization of personal data. |
| Law | Law No. 6698 on the Protection of Personal Data. |
| Recording Environment | Any environment where personal data is processed, either fully or partially automatically or through non-automatic means as part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable real person. |
| Personal Data Processing Inventory | Inventory where data controllers document their personal data processing activities linked to their business processes, including purpose, legal basis, data category, recipient groups, data subjects, retention periods, international transfers, and security measures. |
| Personal Data Processing | Any operation performed on personal data, including collection, recording, storage, alteration, reorganization, disclosure, transfer, classification, or prevention of use. |
| Board | Personal Data Protection Board. |
| Special Categories of Personal Data | Data revealing race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, membership in associations, health, sexual life, criminal convictions and security measures, biometric and genetic data. |
| Periodic Destruction | Deletion, destruction, or anonymization process carried out periodically and automatically when the conditions for processing personal data under the Law no longer exist. |
| Policy | Personal Data Storage and Destruction Policy. |
| Data Processor | Real or legal persons processing personal data on behalf of the data controller under authorization. |
| Data Recording System | Systems where personal data is processed according to specific criteria. |
| Data Controller | Real or legal person who determines the purposes and means of processing personal data and responsible for establishing and managing the data recording system. |
| Data Controllers Registry Information System (VERBİS) | The information system managed by the Presidency, used for registration and related procedures by data controllers. |
| Regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017. |
All units and employees of the company actively support the responsible units in ensuring that technical and administrative measures under this Policy are properly implemented; in training and raising awareness among company employees; monitoring and continuous auditing; preventing unlawful processing and access to personal data; and ensuring lawful storage of personal data by taking necessary technical and administrative security measures in all environments where personal data is processed.
The titles, units, and job descriptions of personnel involved in storage and destruction processes are listed in Table 1.
| Title | Unit | Task Description |
|---|---|---|
| Denthekim Health Services Joint Stock Company | Data Controller | Responsible for employees’ compliance with the policy. |
| Denthekim Health Services Joint Stock Company | Data Controller | Responsible for preparing, developing, implementing, publishing, and updating the policy. |
| Denthekim Health Services Joint Stock Company | Data Controller | Responsible for providing the technical solutions needed for policy implementation. |
| Human Resources and Support Services | Other Units | Responsible for executing the policy according to their duties. |
STORAGE MEDIA
Personal data is securely stored by the Institution in a lawful manner in the media listed in Table 2.
Electronic Media Non-Electronic Media
Servers (domain, backup, e-mail, database, web, file sharing, etc.) Software (office software, portal)
Information security devices Manual data recording systems (survey forms, visitor logs)
(firewall, intrusion detection and prevention, log files, antivirus, etc.)
Personal computers (desktop, laptop) Written, printed, visual media
Mobile devices (phones, tablets, etc.) Paper
Optical disks (CD, DVD, etc.)
Removable storage (USB, memory cards, etc.)
Printers, scanners, photocopy machines
Table 2: Personal Data Storage Media
4. EXPLANATIONS REGARDING STORAGE AND DESTRUCTION
Personal data belonging to employees, job applicants, visitors, and third parties engaged as service providers are stored and destroyed by the company in accordance with the law.
Detailed explanations regarding storage and destruction are provided below.
4.1 Explanations Regarding Storage
Article 3 of the Law defines the concept of personal data processing. Article 4 states that processed personal data must be relevant, limited, and proportionate to the purposes for which they are processed and must be retained only for the period prescribed by related legislation or necessary for the purpose of processing. Articles 5 and 6 list the conditions for processing personal data.
Accordingly, within the scope of company activities, personal data is stored for the period prescribed by relevant legislation or for the period appropriate to the processing purposes.
4.1.1 Legal Grounds Requiring Storage
Personal data processed within the company’s activities is retained for the periods prescribed by relevant legislation. Within this scope, personal data is stored for the periods prescribed by laws including but not limited to:
- Law No. 6698 on the Protection of Personal Data (KVKK)
- Turkish Code of Obligations No. 6098
- Social Insurances and General Health Insurance Law No. 5510
- Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publications
- Public Financial Management Law No. 5018
- Occupational Health and Safety Law No. 6331
- Law on the Right to Information No. 4982
- Law No. 3071 on the Right to Petition
- Labor Law No. 4857
- Retired Health Law No. 5434
- Social Services Law No. 2828
- Regulation on Health and Safety Precautions to be Taken in Workplace Buildings and Annexes
- Regulation on Archival Services
and other secondary legislation in force under these laws.
4.1.2 Processing Purposes Requiring Storage
The company stores personal data processed within its activities for the following purposes:
- Planning, auditing, and execution of information security processes
- Establishment and management of IT infrastructure
- Planning and implementation of employee benefits and entitlements
- Planning and/or execution of corporate communication, corporate social responsibility, and/or NGO activities involving employees
- Planning and execution of employee access authorizations
- Monitoring and/or auditing employees’ work activities
- Monitoring finance and/or accounting processes
- Monitoring legal affairs
- Planning human resources processes
- Planning and/or executing activity efficiency, productivity, and/or appropriateness analyses
- Planning and executing business activities
- Planning and execution of access authorizations for business partners and/or suppliers
- Managing relationships with business partners and/or suppliers
- Planning and/or execution of occupational health and/or safety processes
- Planning and/or execution of business continuity activities
- Planning and execution of corporate communication activities
- Planning and execution of corporate governance activities
- Planning and execution of logistics activities
- Planning and execution of customer relationship management processes
- Planning and/or execution of customer satisfaction activities
- Tracking customer requests and/or complaints
- Conducting recruitment processes
- Fulfilling contractual and/or legal obligations related to company employees
- Planning and execution of company audit activities
- Planning and execution of external training activities
- Planning and execution of operational activities in compliance with company procedures and relevant legislation
- Planning and/or execution of internal training activities
- Planning and execution of internal orientation activities
- Ensuring security of company operations, creating and tracking visitor records
- Ensuring security of company campuses and/or facilities
- Planning and/or execution of loyalty-building and/or enhancement processes related to company products and/or services
- Planning and/or execution of production and/or operational risk processes
- Execution of company and partnership law transactions
- Tracking contract processes and/or legal claims
- Execution of strategic planning activities
- Planning and execution of supply chain management processes
- Salary management
- Planning and execution of service and/or operational processes
- Planning and execution of market research activities for sales and marketing of services
- Planning and execution of marketing processes of services
- Planning and execution of sales processes of services
- Ensuring accuracy and currency of data
- Providing legally required information to authorized institutions
4.2 Reasons Requiring Destruction
Personal data shall be deleted, destroyed, or anonymized by the company upon request of the relevant individual or ex officio in cases including but not limited to:
- Amendment or repeal of the related legal provisions that form the basis of processing
- Elimination of the purpose requiring processing or storage
- Withdrawal of explicit consent by the individual, if processing is based solely on explicit consent
- Acceptance by the company of the individual's application for deletion or destruction of their personal data under the rights granted by Article 11 of the Law
- If the company rejects the application for deletion, destruction, or anonymization, or if the reply is insufficient or no response is given within the legally prescribed period, the individual may file a complaint with the Board, and if the Board deems the request appropriate, the data shall be deleted, destroyed, or anonymized
- Expiry of the maximum retention period requiring storage of personal data and absence of any justified reason for further storage
5. TECHNICAL AND ADMINISTRATIVE MEASURES
In accordance with Article 12 and the fourth paragraph of Article 6 of the Law, the company takes sufficient technical and administrative measures for the secure storage, lawful processing, prevention of unlawful access, and lawful destruction of personal data, including special categories of personal data.
5.1 Technical Measures
Technical measures taken by the company related to the personal data processed include:
- Ensuring network and application security
- Implementing key management
- Procurement, development, and maintenance of IT systems with security measures
- Ensuring security of personal data stored in the cloud
- Disciplinary regulations including data security provisions for employees
- Establishing an authorization matrix for employees
- Regularly maintaining access logs
- Applying data masking where necessary
- Signing confidentiality agreements
- Removing data access rights for employees who change roles or leave the company
- Using up-to-date antivirus systems
- Using firewalls
- Including data security clauses in contracts
- Defining personal data security policies and procedures
- Monitoring personal data security and securing environments containing personal data
- Minimizing personal data wherever possible
- Backing up personal data and securing backups
- Managing user accounts and authorization controls and monitoring them
- Conducting periodic and/or random internal audits
- Keeping log records tamper-proof
- Sending special category personal data via encrypted means such as KEP (Registered Electronic Mail) or corporate mail accounts
- Using secure encryption/cryptographic keys managed by different units for special category data
- Using intrusion detection and prevention systems
- Performing penetration testing
- Implementing and continuously monitoring cybersecurity measures
- Encrypting data
- Periodically auditing service providers processing personal data for data security
- Ensuring awareness of service providers regarding data security
- Performing periodic system backups to prevent data loss
5.2 Administrative Measures
Administrative measures taken by the company regarding personal data include:
- Providing training to employees on preventing unlawful processing and access to personal data, data retention, communication techniques, technical skills, Law No. 657, and related legislation
- Requiring employees to sign confidentiality agreements related to company activities
- Preparing disciplinary procedures for employees who do not comply with security policies and procedures
- Fulfilling the obligation to inform data subjects before processing personal data
- Maintaining a personal data processing inventory
- Conducting periodic and random internal audits
- Providing information security training to employees
6. TECHNIQUES FOR DESTRUCTION OF PERSONAL DATA
At the end of the retention period stipulated by the relevant legislation or the retention period necessary for the purposes for which the personal data were processed, personal data are destroyed by the company ex officio or upon the request of the relevant person, in accordance with the provisions of the applicable legislation, using the techniques specified below.
6.1 Deletion of Personal Data
Personal data are deleted using the methods provided in Table 3.
| Data Storage Medium | Description |
|---|---|
| Personal Data Stored on Servers | For personal data stored on servers whose retention period has expired, the system administrator removes the access rights of the relevant users and performs the deletion process. |
| Personal Data Stored in Electronic Environment | Personal data stored in electronic environments whose retention period has expired are made completely inaccessible and unusable for all employees except the database administrator (relevant users). |
| Personal Data Stored in Physical Environment | For personal data stored in physical environments whose retention period has expired, all employees except the unit manager responsible for the document archive are prevented from accessing or using them again. Additionally, the data are blacked out by crossing out/painting/erasing so that they cannot be read. |
| Personal Data Stored on Portable Media | Personal data stored in flash-based storage media whose retention period has expired are encrypted by the system administrator and stored securely with encryption keys, with access rights granted only to the system administrator. |
6.2 Destruction of Personal Data
| Data Storage Medium | Description |
|---|---|
| Personal Data Stored in Physical Environment | Personal data stored on paper whose retention period has expired are destroyed irreversibly. |
| Personal Data Stored on Optical / Magnetic Media | Personal data stored on optical and magnetic media whose retention period has expired are physically destroyed by melting, burning, or pulverizing. Additionally, magnetic media are passed through a special device and exposed to a high-strength magnetic field to render the data unreadable. |
6.3 Anonymization of Personal Data
Anonymization of personal data means rendering the data in such a way that they cannot be associated with an identified or identifiable natural person, even if matched with other data.
For personal data to be considered anonymized, they must be processed using appropriate techniques for the storage medium and activity area such that the data cannot be reversed or matched by the data controller or third parties to identify a natural person.
7. RETENTION AND DESTRUCTION PERIODS
Regarding the personal data processed by the institution within the scope of its activities:
- Retention periods for each personal data item related to activities carried out according to processes are listed in the Personal Data Processing Inventory;
- Retention periods by data categories are recorded in VERBIS (Data Controllers’ Registry System);
- Retention periods by processes are included in the Personal Data Retention and Destruction Policy.
The company may update these retention periods when necessary.
For personal data whose retention periods have expired, deletion, destruction, or anonymization is carried out ex officio by the Directorate of Data Security and Information Systems.
| PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
|---|---|---|
| Preparation of Contracts | 10 years following contract termination | During the first periodic destruction period after the retention period expires |
| Execution of Company Communication Activities | 10 years following the end of the activity | During the first periodic destruction period after the retention period expires |
| Execution of Human Resources Processes | 10 years following the end of the activity | During the first periodic destruction period after the retention period expires |
| Special Categories of Personal Data (Race, Ethnic Origin, Association, Foundation, Union, Health, and Genetic Data) | 5 years | During the first periodic destruction period after the retention period expires |
| Execution of Hardware and Software Access Processes | 2 years | During the first periodic destruction period after the retention period expires |
| Visitors and Meetings | Until the end of the event | Following the end of the retention period |
| Camera Recordings | 2 years | During the first periodic destruction period after the retention period expires |
PERIODIC DESTRUCTION PERIOD
The company has set the periodic destruction period to once a year. Accordingly, the periodic destruction process is carried out every December.
9. PUBLICATION AND STORAGE OF THE POLICY
The policy is published in two different formats: signed hard copy (printed paper) and electronic format, and it is publicly disclosed on the company’s website. The printed copy is kept in the company’s file.
10. POLICY UPDATE PERIOD
The policy is reviewed and updated as needed.
11. ENFORCEMENT AND REVOCATION OF THE POLICY
The policy is considered effective once published on the company’s website. If it is decided to revoke the policy, the signed old copies of the policy are cancelled by the company (stamped or marked as cancelled) and signed, and kept by the company for at least 5 years.
Regarding the Processing of Personal Data of Our Patients and Visitors
Clarification Text
As DENTHEKİM SAĞLIK HİZMETLERİ ANONİM ŞİRKETİ (“Company”), we prioritize the security and privacy of your personal data. In accordance with Article 10 of the Personal Data Protection Law No. 6698 (“KVKK”), we would like to inform and clarify you as the data controller about our personal data processing activities.
Purposes of Processing Personal Data
Your personal data is processed by the Company for the following purposes:
- Compliance with obligations set forth in the relevant legislation, primarily Law No. 3359 on Basic Health Services, Regulation on Private Health Institutions Providing Oral and Dental Health Services, Regulation on the Processing and Protection of Personal Health Data,
- Protection of public health, provision of medical treatment and diagnostic services, and the development of related services and methods,
- Creation, tracking, storage, and archiving of visitor records,
- Execution of advertising, campaign, and promotion processes,
- Execution of financial, accounting, and contract-related operations,
- Provision of after-service support,
- Management of customer relations and conducting activities aimed at customer satisfaction,
- Confirmation of relationships with contracted institutions,
- Ensuring physical security of the premises and protection of patient information.
Methods and Legal Basis for Collecting Personal Data
Your personal data may be collected by automatic or non-automatic means depending on your relationship with the Company, such as through the website, call center, verbal or written declarations made by the relevant person at our hospitals and branches, or electronically. Your personal data is collected lawfully within the scope of the conditions stipulated in Articles 5 and 6 of the KVKK, including but not limited to being prescribed by laws, the necessity for the performance of a contract, the legitimate interest of the data controller, or obtaining explicit consent.
Transfer of Your Personal Data
As a Company that respects the confidentiality of your personal data, we only share your personal data with legally authorized institutions and organizations, except in cases where the legal relationship between us requires otherwise.
Retention Periods for Your Personal Data
Your personal data is retained for the duration specified in the relevant legislation when a retention period is prescribed. If no retention period is specified by law, your data is retained as long as required by the nature of our relationship and the duration specified in the contract made between us.
Your Rights under KVKK
As a data subject, you have the following rights regarding your personal data processed by us:
- To learn whether your personal data is processed,
- To request information if your personal data has been processed,
- To learn the purpose of processing your personal data and whether it is used accordingly,
- To know the third parties to whom your personal data is transferred domestically or abroad,
- To request correction if your personal data is incomplete or inaccurate,
- To request deletion or destruction of your personal data within the conditions stipulated by KVKK,
- To request notification of third parties to whom your personal data has been transferred about the correction, deletion, or destruction of your personal data,
- To demand compensation for damages if you suffer harm due to unlawful processing of your personal data.
To exercise the rights mentioned above, you may personally deliver your signed identity information, the right you wish to exercise, and a detailed explanation of your request to the address: Başakşehir Mah. Prof. Dr. Necmettin Erbakan Cad. Arterium Residance 2, No:13 D:15 Başakşehir/İstanbul; send it via a notary; or securely send it with an electronic signature to our email address: [email protected].
