PDPL
Personal Data Retention and Destruction Policy
1. INTRODUCTION
1.1 Purpose
The Personal Data Retention and Destruction Policy (“Policy”) has been prepared to set out the procedures and principles governing the retention and destruction of personal data processed by the data controller identified below.
Data Controller Title: Assoc. Prof. Dr. Ata Can
Data Controller Address: İnönü, Nizamiye Cd. No:9 D:No:1, 34373 Şişli/İstanbul
Data Controller Phone: +90 536 576 66 66
Data Controller E-mail: atababay@yahoo.com
Data Controller Website: https://dratacan.com/
Our organization prioritizes the lawful processing and protection of personal data in accordance with the Constitution of the Republic of Turkey, international conventions, the Law on the Protection of Personal Data No. 6698 (KVKK), and other applicable legislation. Ensuring that data subjects effectively exercise their rights is a fundamental principle.
The retention and destruction of personal data are carried out in compliance with this Policy.
1.2 Scope
This Policy applies to the personal data of patients, companions, employees, job applicants, and service providers. It covers all data recording media managed by our organization and all activities related to the processing of personal data.
1.3 Abbreviations and Definitions
Recipient Group: Category of natural or legal persons to whom personal data is transferred by the data controller.
Explicit Consent: Freely given, informed consent regarding a specific subject.
Anonymization: Rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data.
Employee: Personnel of the organization.
EBYS: Electronic Document Management System.
Electronic Environment: Media where personal data can be created, read, modified, and written with electronic devices.
Non-Electronic Environment: Written, printed, visual, and other environments outside electronic media.
Service Provider: Natural or legal person providing services under a specific contract with the organization.
Data Subject: Natural person whose personal data is processed.
Authorized User: Person processing data within the organization, excluding those responsible for technical storage, protection, and backup.
Destruction: Deletion, destruction, or anonymization of personal data.
Law: Law on the Protection of Personal Data No. 6698, dated March 24, 2016.
Recording Environment: Any medium in which personal data are processed wholly or partly by automatic means, or by non-automatic means provided that the data form part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: Inventory created by data controllers linking processing activities to purposes, legal reasons, data categories, recipients, retention periods, cross-border transfers, and security measures.
Processing of Personal Data: Any operation performed on data, including collection, storage, retention, alteration, disclosure, transfer, retrieval, classification, or restriction.
Board: Personal Data Protection Board.
Special Categories of Personal Data: Data relating to race, ethnicity, political opinion, belief, religion, sect, attire, association/union membership, health, sexual life, criminal convictions, biometric or genetic data.
Periodic Destruction: Deletion, destruction, or anonymization carried out ex officio at the recurring intervals specified in this Policy, once all conditions for processing the personal data have ceased to exist.
Policy: Personal Data Retention and Destruction Policy.
Data Processor: Natural/legal person authorized by the controller to process data on their behalf.
Data Recording System: System where personal data is processed according to specific criteria.
VERBIS: Data Controllers’ Registry Information System.
Data Controller: Person/entity determining purposes and means of processing and managing the system.
Regulation: Regulation on Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on 28 October 2017.
2. RETENTION AND DESTRUCTION EXPLANATIONS
Our organization retains personal data in compliance with the Law and destroys them at the end of the retention period.
2.1 Retention Explanations
Personal data must be relevant, limited, and proportionate to the purposes for which they are processed.
They shall be retained for the duration required by law or the purpose of processing.
2.1.1 Legal Reasons Requiring Retention
Personal data may be processed and retained based on at least one of the following:
Explicitly stipulated in laws,
Required for the performance of a contract,
Necessary for compliance with legal obligations,
Required for establishing, exercising, or protecting a right,
Necessary for the legitimate interests of the controller, provided that the fundamental rights and freedoms of the data subject are not harmed,
For health data, where processed by persons bound by an obligation of confidentiality for the purposes of preventive medicine, medical diagnosis, treatment, and healthcare services,
With explicit consent.
2.1.2 Purposes Requiring Retention
Personal data are processed and retained for purposes such as:
Recruitment processes of candidates,
Fulfillment of employee obligations,
Execution of benefits and rights,
Training activities,
Access management,
Compliance with legislation,
Finance and accounting,
Physical security,
Assignment processes,
Legal tracking,
Communication,
HR planning,
Occupational health and safety,
Improvement of business processes,
Performance evaluations,
Archiving,
Contract management,
Complaint handling,
Asset and resource security,
Operational security,
Providing information to authorized institutions,
Promotional activities.
2.2 Reasons Requiring Destruction
Personal data shall be deleted, destroyed, or anonymized if:
The legal provisions requiring processing are amended or repealed,
The purpose of processing ceases,
Consent is withdrawn,
The data subject requests deletion or destruction of their data under Article 11 of the Law and the request is accepted by the controller,
The maximum retention period expires with no valid reason for longer retention.
3. TECHNICAL AND ADMINISTRATIVE MEASURES
3.1 Technical Measures
Network and application security,
Secure IT systems,
Removal of ex-employee access rights,
Antivirus and firewalls,
Regular access controls,
Security updates,
Security testing,
Secure anonymization and deletion.
3.2 Administrative Measures
Disciplinary rules,
Regular employee training,
Internal policies on access, security, retention, destruction,
Confidentiality agreements,
Secure handling of paper documents,
Security monitoring,
Regular inspections,
Restricting access to sensitive data,
Data minimization.
4. RETENTION AND DESTRUCTION PERIODS
Retention periods for each data category are set out in the retention table of this Policy.
Once the retention period ends, the data are destroyed at the first periodic destruction following the date on which the obligation to destroy arises; the periodic destruction interval is six months.
(The original text contains a full retention table giving periods in years for employees, patients, candidates, etc.; it is not reproduced here.)
5. PERIODIC DESTRUCTION
The periodic destruction interval is six months, which does not exceed the maximum interval permitted under Article 11 of the Regulation.
6. ENSURING COMPLIANCE
Destruction is carried out in compliance with the Law, Regulation, and this Policy.
7. STORAGE ENVIRONMENTS
Electronic Media: Servers, software, security devices, computers, mobile devices, CDs/DVDs, USB drives, medical devices, etc.
Non-Electronic Media: Paper, manual records, printed/visual media.
8. SECURITY MEASURES
Technical and administrative measures are taken to ensure the lawful and secure processing, retention, and destruction of personal data.
9. STAFF TITLES, UNITS, AND RESPONSIBILITIES
Clinic Owner/Physician: Ensures compliance, supervises, and updates the Policy.
Secretary/Assistant: Ensures implementation and assists the physician.
10. UPDATES
This Policy may be updated due to changes in law, Board decisions, or sectoral/technological developments. Updates are reflected immediately in the Policy.
11. FINAL PROVISIONS
This Policy has been prepared by the data controller and announced:
Within the organization at appropriate locations,
On the website: https://dratacan.com/.