PDPL
Personal Data Retention and Destruction Policy
1. INTRODUCTION
1.1 Purpose
This Personal Data Retention and Destruction Policy (“Policy”) has been prepared to set out the principles and procedures regarding the retention and destruction of personal data carried out by the Data Controller.
Data Controller Title: Assoc. Prof. Dr. Ata Can
Address: İnönü, Nizamiye Cd. No:9 D:No:1, 34373 Şişli/İstanbul
Phone: +90 536 576 66 66
E-mail: atababay@yahoo.com
Website: https://dratacan.com/
Our practice has adopted as a priority the processing of personal data in accordance with the Constitution of the Republic of Turkey, international conventions, Law No. 6698 on the Protection of Personal Data (“Law”), and other applicable legislation, in line with our lawful mission, vision, and fundamental principles, and ensuring that data subjects can effectively exercise their rights.
The retention and destruction of personal data are carried out in accordance with this Policy.
1.2 Scope
This Policy applies to the personal data of patients, companions, employees, employee candidates, and service providers, and covers all data processing activities and storage media managed by our practice.
1.3 Abbreviations and Definitions
(Definitions such as Data Subject, Data Processor, Recipient Group, Explicit Consent, Anonymization, Special Categories of Personal Data, Board, VERBIS, etc. are included in this Policy and correspond to the definitions set out in the Law and related regulations.)
2. PRINCIPLES REGARDING RETENTION AND DESTRUCTION
Personal data processed by our practice is retained in compliance with the Law and destroyed once the retention period expires.
2.1 Retention Principles
In line with Articles 3, 4, 5, and 6 of the Law, personal data is retained only for as long as required by legislation or for the purposes for which it was processed.
2.1.1 Legal Grounds for Retention
Personal data may be processed and retained on the basis of at least one of the following legal grounds:
Explicitly stipulated by law
Necessary for the performance of a contract
Necessary for compliance with a legal obligation
Necessary for the establishment, exercise, or protection of a right
Necessary for the legitimate interests of the data controller, provided that the rights and freedoms of the data subject are not harmed
Preventive medicine, medical diagnosis, treatment, and healthcare services
Explicit consent
2.1.2 Purposes of Retention
Personal data may be processed and retained for the following purposes: recruitment, performance of employment obligations, payroll and HR processes, training, access management, compliance with legislation, finance and accounting, facility and occupational safety, archiving, complaint and request management, contract management, communication and promotional activities, etc.
2.2 Grounds for Destruction
Personal data will be deleted, destroyed, or anonymized when:
Legal provisions forming the basis of processing are amended or repealed
The purpose of processing no longer exists
The data subject withdraws consent
Data subject requests are accepted under Article 11 of the Law
Retention periods expire and no justification exists for further storage
3. TECHNICAL AND ADMINISTRATIVE MEASURES
3.1 Technical Measures
Network and application security
IT security measures for supply, development, and maintenance
Access restrictions and removal of access upon role changes
Firewalls and anti-virus systems
Security tests and updates for systems storing personal data
Periodic deletion, destruction, or anonymization of digital data
3.2 Administrative Measures
Disciplinary regulations for staff
Staff training and awareness activities on data security
Confidentiality undertakings
Security clauses in contracts
Secure transfer of paper-based data
Periodic and random audits
Defined protocols for special category personal data
4. RETENTION AND DESTRUCTION PERIODS
Retention periods are listed in the Retention Schedule Table (e.g., patient data: 20 years, employee data: 15 years, CCTV: 2 months, etc.).
At the end of these periods, personal data is deleted, destroyed, or anonymized in the first periodic destruction cycle.
5. PERIODIC DESTRUCTION
The periodic destruction period is set at 6 months, in accordance with Article 11 of the Regulation.
Methods:
Deletion: Access to expired data is removed from systems and physical archives
Destruction: Shredding paper records, erasing/destroying optical or magnetic media
Anonymization: Making data permanently unidentifiable even if combined with other data
6. ENSURING LEGAL COMPLIANCE IN DESTRUCTION
Both upon request and during periodic destruction, personal data is deleted, destroyed, or anonymized in compliance with the Law, Regulation, and this Policy. Technical and administrative safeguards are applied.
7. STORAGE MEDIA
Personal data may be stored in:
Electronic Media: servers, databases, mobile devices, CDs, USBs, software, medical devices, etc.
Non-Electronic Media: paper, manual records, printed/visual archives, etc.
8. DATA SECURITY MEASURES
8.1 Technical Measures
Network and system security
Firewalls, anti-virus, and DLP software
Data deletion, destruction, and anonymization tools
8.2 Administrative Measures
Staff training and awareness programs
Confidentiality undertakings
Policies on access, retention, and destruction
Internal monitoring and audits
9. ROLES AND RESPONSIBILITIES
All departments and staff are responsible for ensuring compliance with this Policy, maintaining data security, and supporting the implementation of technical and administrative measures.
Clinic Owner / Physician: Responsible for implementing and updating the Policy and ensuring compliance.
Secretary/Assistant: Ensures staff compliance, supports audits, and assists with technical measures.
10. UPDATES TO THE POLICY
This Policy may be amended in line with changes in legislation, Board decisions, or sectoral/technological developments. Updates are documented in the Amendments Table.
11. FINAL PROVISIONS
This Personal Data Retention and Destruction Policy has been prepared by the Data Controller and published both:
Within the practice, and
