NASMED PRIVATE HEALTH SERVICES TRADE INC.

(PRIVATE EGEPOL HOSPITALS GROUP)

PERSONAL DATA RETENTION AND DESTRUCTION POLICY

ARTICLE 1 – PURPOSE

The Personal Data Retention and Destruction Policy has been prepared to determine the procedures and principles regarding the retention and destruction of personal data processed by PRIVATE EGEPOL HOSPITALS GROUP.

ARTICLE 2 – SCOPE

Personal data belonging to company employees, employee candidates, interns, product and service recipients, potential customers, partners, visitors, suppliers and other third parties are covered by this policy.

This policy applies to all recording media owned or managed by the company in which personal data is processed, and to all activities involving the processing of personal data.

ARTICLE 3 – DEFINITIONS

Recipient group: The category of natural or legal persons to whom personal data is transferred by the data controller.

Explicit consent: Consent based on information and expressed with free will concerning a specific issue.

Anonymization: The process of making personal data impossible to link with an identified or identifiable natural person, even by matching it with other data.

Employee: Company personnel.

Electronic environment: Environments where personal data can be created, read, modified, and written using electronic devices.

Non-electronic environment: All written, printed, visual, and other environments outside the electronic environment.

Service provider: A natural or legal person providing services under a specific contract with the company.

Data subject: The natural person whose personal data is processed.

Relevant user: Persons processing personal data within the data controller’s organization or under the authority and instruction received from the data controller, excluding those responsible for the technical storage, protection, and backup of data.

Destruction: The deletion, destruction, or anonymization of personal data.

Law: The Law on the Protection of Personal Data No. 6698.

Recording medium: Any medium in which personal data is processed by fully or partially automatic means, or by non-automatic means provided that the processing is part of a data recording system.

Personal data: Any information relating to an identified or identifiable natural person.

Personal data processing inventory: An inventory created by data controllers, detailing the personal data processing activities based on their business processes, personal data processing purposes and legal reasons, data category, recipient group to whom the data is transferred, and the group of data subjects. It explains the maximum retention periods required for the purposes for which the personal data is processed, the personal data projected to be transferred to foreign countries, and the measures taken regarding data security.

Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automatic means or by non-automatic means, provided that it is part of any data recording system.

Board: The Personal Data Protection Board.

Special categories of personal data: Data related to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic destruction: The deletion, destruction, or anonymization of personal data at recurring intervals as specified in the personal data retention and destruction policy when all the conditions for processing personal data in the law are eliminated.

Policy: The Personal Data Retention and Destruction Policy.

Company: NASMED PRIVATE HEALTH SERVICES TRADE INC.

Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.

Data recording system: The recording system where personal data is processed by structuring according to specific criteria.

Data controller: The natural or legal person who determines the purposes and means of processing personal data, and is responsible for establishing and managing the data recording system.

Data Controllers Registry Information System: The information system created and managed by the Presidency, accessible via the internet, to be used by data controllers in their application to the Registry and other related processes.

VERBIS: Data Controllers Registry Information System.

Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.

ARTICLE 4 – RESPONSIBILITIES AND DUTIES

All employees and units of the company provide full and active support to the responsible units in obtaining, processing, and retaining personal data in compliance with the law. All employees and units assist the responsible units in implementing the administrative and technical measures taken within the scope of the policy, training unit employees, ensuring, increasing, and monitoring employee awareness, preventing unlawful access to personal data, and lawfully retaining personal data. The distribution of titles, units, and job descriptions of those involved in the processes of retaining and destroying personal data is shown in ANNEX TABLE: 1.

ARTICLE 5 – RECORDING MEDIA

Personal data is securely retained by the company, in compliance with the law, in the media listed in ANNEX TABLE: 2.

ARTICLE 6 – LEGAL REASONS FOR RETENTION

Personal data processed within the framework of the company’s activities is retained for the period stipulated in the relevant legislation, in compliance with the Law and that legislation. The reasons for retention in this context are as follows:

1. Retaining personal data due to its direct relevance to the establishment and performance of contracts.
2. Retaining personal data for the establishment, exercise, or protection of a right.
3. Retaining personal data as it is necessary for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of individuals.
4. Retaining personal data to fulfill any legal obligation of the company.
5. Retaining personal data as explicitly stipulated in the legislation.
6. Retaining personal data with the explicit consent of the data subjects for activities that require obtaining explicit consent from the data subjects.

ARTICLE 7 – PURPOSES REQUIRING RETENTION

The company may process personal data of the relevant person or third parties indicated by the relevant person for various purposes, including but not limited to the following:

1. Conducting human resources processes
2. Ensuring corporate communication
3. Ensuring company security
4. Conducting statistical studies
5. Executing business and transactions as a result of signed contracts and protocols
6. Fulfilling legal obligations as required or mandated by legal regulations
7. Maintaining contact with real/legal persons with whom the company has a business relationship
8. Conducting legal reporting
9. Fulfilling the burden of proof in future legal disputes
10. Conducting and following up on company legal affairs

ARTICLE 8 – LEGAL REASONS REQUIRING DESTRUCTION

Personal data will be deleted or destroyed by the company, either upon the request of the relevant person or ex officio by the company, when any of the following situations arises:

1. Amendment or annulment of the relevant legislation provisions which constitute the basis for the processing of personal data
2. Elimination of the purpose requiring the processing or retention of personal data
3. In cases where the processing of personal data is based solely on the condition of explicit consent, the relevant person withdrawing their explicit consent
4. Acceptance of the relevant person’s request for the deletion or destruction of their personal data by the data controller within the framework of the rights of the relevant person as per Article 11 of the Law
5. Expiration of the maximum period requiring the retention of personal data and the absence of any conditions justifying further retention of personal data

ARTICLE 9 – TECHNICAL MEASURES

The technical measures taken by the company regarding the personal data it processes are as follows:

1. Performs necessary internal controls within the established systems.
2. Conducts IT risk assessment and business impact analysis processes within the established systems.
3. Ensures the provision of technical infrastructure to prevent or monitor data leakage outside the company and creates relevant matrices.
4. Regularly and as needed, obtains penetration testing services to check for system vulnerabilities.
5. Ensures that the access rights of employees in the IT departments to personal data are kept under control.
6. Ensures that personal data is destroyed in a way that it cannot be recovered and leaves no audit trail.
7. According to Article 12 of the Law, protects all digital environments where personal data is stored by using encrypted or cryptographic methods that meet information security requirements.

ARTICLE 10 – ADMINISTRATIVE MEASURES

The administrative measures taken by the company regarding the personal data it processes are as follows:

1. Limits internal access to stored personal data to personnel who need to access it based on their job descriptions. The sensitivity and importance of the data are considered in limiting access.
2. Informs the relevant person and the Board as soon as possible if personal data is unlawfully obtained by others.
3. Signs framework agreements on the protection and security of personal data with the persons with whom personal data is shared, or includes provisions on data security in existing contracts.
4. Employs knowledgeable and experienced personnel in personal data processing and provides necessary training on data protection legislation and data security to its personnel.
5. Conducts and ensures necessary audits within its legal entity to ensure the application of the provisions of the Law. It addresses confidentiality and security vulnerabilities identified as a result of these audits.

ARTICLE 11 – METHODS FOR DELETION OF PERSONAL DATA

Personal data is deleted using the methods specified in ANNEX TABLE: 3.

ARTICLE 12 – METHODS FOR DESTRUCTION OF PERSONAL DATA

Personal data is destroyed using the methods specified in ANNEX TABLE: 4.

ARTICLE 13 – RETENTION AND DESTRUCTION PERIODS

When the company determines the retention period of personal data, any period stipulated in the legal regulations for retaining that data is adhered to. Otherwise, the retention and destruction period table in ANNEX TABLE: 5 is followed.

ARTICLE 14 – PERIODIC DESTRUCTION PERIOD

The company conducts periodic destruction operations every year in June and December.

ARTICLE 15 – PUBLICATION, RETENTION, AND UPDATING OF THE POLICY

The policy is published in two different media, as a wet-ink signed (printed paper) copy and in electronic format, and is announced to the public on the website. The printed paper copy is retained within the company. The policy is reviewed as needed and updated in the necessary sections.

ARTICLE 16 – EFFECTIVE DATE

The policy is considered effective after it is published on the company’s website. If a decision is made to annul the policy, the old wet-ink signed copies of the policy are canceled (by stamping or writing “canceled”) and signed, and retained by the company for at least 5 years.

ANNEX TABLE: 1 Retention and Destruction Process Task Distribution

TITLE | UNIT | DUTY
Company Manager | Company | Responsible for ensuring employees comply with the policy; responsible for preparing, developing, executing, publishing, and updating the policy.
IT Manager | IT Department | Responsible for providing the technical solutions needed to implement the policy.
All Other Units | | Responsible for executing the policy in accordance with their duties.

ANNEX TABLE: 2 Personal Data Retention Media

ELECTRONIC MEDIA
- Personal computers
- Mobile devices
- Optical disks
- Printers, scanners, photocopiers
- Removable and portable memories
- Servers
- Software
- Information security devices

NON-ELECTRONIC MEDIA
- Papers
- Written and printed media
- Visual recordings
- Manual data recording systems

ANNEX TABLE: 3 Methods for Deletion of Personal Data

DATA RECORDING MEDIUM | DELETION METHOD
Servers | Personal data on servers that no longer needs to be retained is deleted by the system administrator by removing the access rights of the relevant users.
Electronic environment | Personal data in electronic environments that no longer needs to be retained is made inaccessible and unusable for all employees (relevant users) except the database administrator.
Physical environment | Personal data in physical environments that no longer needs to be retained is made inaccessible and unusable for all employees except the unit manager responsible for the document archive. Additionally, it is obscured by marking, painting, or erasing so that it cannot be read.
Portable media | Personal data in flash-based storage media that no longer needs to be retained is encrypted by the system administrator and stored in secure environments to which only the system administrator has access rights.

ANNEX TABLE: 4 Methods for Destruction of Personal Data

DATA RECORDING MEDIUM | DESTRUCTION METHOD
Physical environment | Personal data in paper form that no longer needs to be retained is irreversibly destroyed in paper shredders.
Optical or magnetic media | Personal data in optical or magnetic media that no longer needs to be retained is physically destroyed by melting, burning, or pulverizing. Additionally, magnetic media are rendered unreadable by passing them through a device that exposes them to a high-intensity magnetic field.

ANNEX TABLE: 5 Retention and Destruction Period Table

PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD
Occupational health and safety practices | 10 years following the end of the employment relationship | 180 days following the end of the retention period
Payroll | 10 years following the end of the employment relationship | 180 days following the end of the retention period
Responding to personnel court/judicial requests | 10 years following the end of the employment relationship | 180 days following the end of the retention period
Visitor and patient records | 10 years from the date of organization and registration | 180 days following the end of the retention period
Filing of training records | 10 years after the organization of the training | 180 days following the end of the retention period
Emergency preparedness | 10 years following the preparation | 180 days following the end of the retention period
Log record tracking systems | 10 years from creation | 180 days following the end of the retention period
Camera recordings | 1 year from recording | 180 days following the end of the retention period