MASLAK HEALTH GROUP
PERSONAL DATA STORAGE AND DISPOSAL POLICY
The processing of personal data obtained by Maslak Health Group pursuant to Article 20 of the Constitution titled “Privacy of Private Life” and the Law No. 6698 on the Protection of Personal Data (“Law”) and applicable regulations and communiqués , , patients, relatives, suppliers, interns, visitors and other relevant third parties ) protection of fundamental rights and freedoms, especially the privacy of private life, and that the data controller who processes personal data performs data processing activities in accordance with the law, protection, storage and processing of personal data obtained. The purpose of this Policy is to determine the principles for its destruction when necessary.
All kinds of operations on information relating to an identified or identifiable natural person as personal data, such as obtaining, recording, storing, preserving, changing, reorganization, disclosure, transfer, takeover, making available, classification or prevention of use, carried out by Maslak Health Group as a data controller fully or partially automatically, or non-automatically provided that it is a part of any data recording system, are considered data processing activities. Establishing the procedures and principles of the data processing activity carried out by Maslak Health Group therefore determines the scope of this Policy.
Your personal data and personal health data are for the purposes explained in this policy text and Health Services Basic Law No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Affiliates, Regulation on Private Hospitals, Regulation on the Processing of Personal Health Data and Protection of Privacy, related regulations and It has been prepared in accordance with the rules set forth in the regulations, communiqués, decisions and guides published by the Board, especially the Law No. 6698. provisions and rules will find application area. All communiqués published by the Board,
The policy was published on the website of Maslak Health Group, https://www.maslaksaglik.com, and entered into force on the date of its publication.
2.1. Ensuring the Security of Personal Data
According to Article 12 of the Law No. 6698, the data controller;
It is obliged to take all necessary administrative and technical measures to ensure the appropriate level of security for the purpose.
For the reasons explained, Maslak Health Group implements security measures to prevent unlawful processing of personal data, transfer and disclosure to third parties, unauthorized access and security deficiencies arising through other means. Explanations of the administrative and technical measures taken are included in section VI. ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA.
2.2. Protection of Private Personal Data
Among the sensitive personal data, the health data of the persons concerned can be processed, without seeking the explicit consent of the relevant person, by persons or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning health services, and financing and management. In addition, regardless of the type, all sensitive personal data can only be processed in accordance with the law if adequate measures determined by KVKK are taken.
Your personal data that you share with us within the scope of our clinical activities is obtained, recorded, stored, changed, collected and rearranged, with automatic or non-automatic methods, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services provided by Maslak Health Group, and planning and management of health services and financing, through all channels including the internet site, surveys, social responsibility, social media applications, verbal, written, visual or electronic media, the hotline/call center and similar channels. Any operation performed on data within the scope of KVKK is considered as “processing of personal data”.
In addition, your personal data may be processed when you use our hotline or internet page for information, appointment, complaint or other purposes, when you visit our clinic or website, and when you browse this site.
Data that is sensitive due to its nature and may cause victimization or discrimination of the data owner if it is in the hands of third parties is accepted as “Special Qualified Personal Data” within the scope of the Law. Sensitive personal data includes data related to the person’s race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. Special categories of personal data cannot be processed without the explicit consent of the data subject. All necessary measures are taken by Maslak Health Group to protect sensitive personal data, and it is essential that such data are not collected and processed as far as possible.
III. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA
3.1. Processing of Personal Data in Compliance with the Principles Established in the Legislation
The principles to be applied in the processing of your personal data in accordance with Article 4 of the Law are as follows:
3.2. Personal Data Processing Conditions
Personal data obtained by Maslak Health Group cannot be processed without the explicit consent of the person concerned, apart from the exceptions stipulated in the Law. Your personal data may be processed without express consent in the following cases:
3.3. Exceptions to Obligation to Obtain Explicit Consent
Expressly stipulated in the law
One of the data processing conditions is that it is expressly stipulated in the law. The provisions in the laws regarding the processing of personal data may create a data processing condition. In such a case, the explicit consent of the person concerned is not sought.
Actual impossibility
The personal data of the person concerned can be processed without explicit consent in cases where it is necessary for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid.
Being directly related to the establishment or performance of the contract
In the event that data processing is deemed necessary during the conclusion of a contract to which the data owner is a party or during the performance of the contract, the processing of personal data may come to the fore without obtaining explicit consent.
Maslak Health Group fulfilling its legal obligations
Maslak Health Group, as the data controller, may process personal data without obtaining explicit consent for the purpose of fulfilling legal obligations.
Being made public by the person concerned
Personal data made public by the data subject, in other words, personal data disclosed to the public in any way, can be processed without express consent. Even in this case, the publicized personal data cannot be used for purposes other than its intended use.
Obligatory for the establishment, use and protection of a right
In cases where it is necessary for the establishment, exercise or protection of a right, it is possible to process the personal data of the person concerned without his explicit consent.
Obligatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
If the processing of personal data is obligatory for the data controller and the data processing will not harm the fundamental rights and freedoms of the data subject, personal data may be processed without obtaining explicit consent.
The legitimate interest of the data controller is the interest and benefit to be obtained as a result of the processing to be carried out. The benefit of the data controller must relate to a legitimate, sufficiently effective, specific and already existing interest to compete with the fundamental rights and freedoms of the person concerned. It should be a process that is related to the current activities of the data controller and will benefit him in the near future.
3.4. Processing of Private Personal Data
The processing of sensitive personal data is subject to Article 6 of the Law, and it is prohibited to be processed without the explicit consent of the person concerned.
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are personal data of special nature. The data included in this scope is limited and cannot be expanded through interpretation.
Due to its nature, special quality personal data is data that, if learned, may cause discrimination and victimization of the person concerned. Therefore, they need to be protected much more strictly than other personal data.
Special categories of personal data other than health and sexual life
Special categories of personal data other than personal data related to health and sexual life can be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws.
Special categories of personal data regarding health and sexual life
Special categories of personal data regarding health and sexual life can only be processed by persons or authorized institutions and organizations that are under the obligation of confidentiality for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.
3.5. Clarifying and Informing the Personal Data Owner
During the acquisition of personal data, data owners are informed by Maslak Health Group as data controller or by persons authorized by it. The procedures and principles regarding the information provided are specified in the Clarification Texts on the Protection of Personal Data published by Maslak Health Group, and the information includes the following elements in brief:
According to Article 10 of the Law, personal data obtained from data owners (employees, employee candidates, patients, patient relatives, suppliers, pharmacies, visitors, interns and other relevant third parties) are processed by Maslak Health Group in the capacity of data controller, and the contact details of the relevant unit can be obtained from the [email protected] e-mail address or https://www.maslaksaglik.com.
The processing of personal data is carried out for specific, clear and legitimate purposes and is based on informing the data owners. The purposes for which your collected data are processed are included in section V. CATEGORIZATION AND PROCESSING PURPOSE OF PERSONAL DATA PROCESSED BY MASLAK HEALTH GROUP of the Policy.
Persons to whom personal data are transferred and the purposes for which they are transferred
Within the framework of the data controller’s obligation to inform the data owner, the persons to whom personal data are transferred and the purposes for which they are transferred should be clearly stated. Personal data cannot be transferred to third parties without the explicit consent of the data owner. The recipient groups to whom personal data is transferred by Maslak Health Group and the purpose of transfer are shown in section IV. TRANSFERRING PERSONAL DATA.
Method and legal reason for personal data collection
In accordance with Articles 5 and 6 of the Law, the data controller must clearly state on which basis the personal data processing conditions are based. Data collection method and mediation are determined by the data controller. The processing conditions of personal data, that is, the conditions of compliance with the law, are listed in a limited number in the Law (art. 5-6) and these conditions cannot be extended.
The data controller, Maslak Health Group, first evaluates whether the purpose of the personal data processing activity is based on one of the processing conditions other than express consent. If this purpose does not meet at least one of the conditions other than the express consent specified in the Law, then the explicit consent of the person is obtained for the continuation of the data processing activity.
IV. TRANSFERRING PERSONAL DATA
4.1. Domestic Transfer
Personal data cannot be transferred without the explicit consent of the person concerned. However:
If one of the conditions specified is present, it can be transferred without seeking the explicit consent of the person concerned.
Accordingly, the personal data of the data subject can be transferred to individuals without express consent provided that: it is clearly stipulated in the law (1); it is compulsory for the protection of the life or bodily integrity of a person or another person whose consent is not legally valid or who is unable to express his consent due to actual impossibility (2); it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract (3); it is mandatory for the data controller to fulfill its legal obligation (4); the data has been made public by the data subject himself (5); the data processing is mandatory for the establishment, exercise or protection of a right (6); or data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Your personal data and personal health data may be transferred, for the purposes explained in this policy text and within the framework of Health Services Basic Law No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Affiliates, Law on Protection of Personal Data No. 6698, Regulation on Private Hospitals, Regulation on the Processing of Personal Health Data and Protection of Privacy, and related regulations, to the Ministry of Health, Social Security Institution, General Directorate of Security and other law enforcement agencies, CIMER, SABİM, Ministry of Labor, General Directorate of Population, courts and enforcement offices, Turkish Pharmacists Association, regulatory and supervisory institutions, insurance companies, representatives authorized by patients, cooperated laboratories and other centers, and Electronic Medical Records and Electronic Health Records systems, for the purpose of fulfilling our contractual and legal obligations and carrying out administrative, commercial and economic activities of our clinic.
Information on the recipient groups to which your personal data processed by Maslak Health Group is transferred is included in Annex 4 – Third Parties to which Personal Data are Transferred and Purposes of Transfer of this Policy.
4.2. International Transfer
Personal data cannot be transferred abroad without the explicit consent of the person concerned. In so far, the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law and in the foreign country to which the personal data will be transferred;
may be transferred abroad without seeking the explicit consent of the person concerned, provided that the
V. CATEGORIZATION OF PERSONAL DATA PROCESSED BY MASLAK HEALTH GROUP AND PURPOSE OF PROCESSING
The data categorization obtained by Maslak Health Group and the purposes pursued in the processing of personal data are shown, for each category of data subject, in the relevant sections of the clarification texts on our website.
VI. ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA
Administrative and technical measures are taken by Maslak Health Group in order to keep personal data safe and to prevent unlawful processing and access to personal data.
In order to ensure personal data security, all personal data processed by Maslak Health Group is determined and the probability of the risks that may arise regarding the protection of this data are determined; While determining these risks, whether the personal data is sensitive personal data (1), what degree of confidentiality it requires due to its nature (2), and the nature and quantity of the damage that may arise in the case of a security breach (3) are taken into account.
After these risks are defined and prioritized, control and solution alternatives to reduce or eliminate them are evaluated in line with the principles of cost, applicability and usefulness, and the necessary technical and administrative measures are planned and put into practice.
6.1. Administrative Measures
Employees having even limited knowledge about attacks that will harm personal data security and about cyber security is of great importance in ensuring personal data security. For this reason, awareness and information activities are carried out in our internal organization as a data controller.
Necessary training is provided on issues such as not revealing and sharing personal data unlawfully, awareness activities are conducted for employees, and an environment is created where security risks can be determined. It is ensured that the roles and responsibilities regarding personal data security of everyone working with the data controller, regardless of their position, are determined in their job descriptions and that employees are aware of their roles and responsibilities in this regard.
On the other hand, confidentiality agreements are signed as part of the recruitment processes of the employees, and a disciplinary process is carried out if the employees do not comply with the security policies and procedures.
In case of any change in the policies and procedures regarding personal data security, trainings are provided to inform and explain the change to the employees, and the information about the threats to data security and security is kept up-to-date.
Personal data should be accurate and up-to-date when necessary in accordance with Article 4(b) and (d) of the Law, and should be kept for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, the data processed are processed in accordance with the principles and rules that must be observed in data processing activities and are kept for the period required for the purpose for which they are processed. Details are shown in section VIII. STORAGE AND DISPOSAL OF PERSONAL DATA.
The table below provides a summary of the administrative measures taken to ensure data security:
Administrative Measures |
Preparation of Personal Data Processing Inventory |
Corporate Policies (Access, Information Security, Use, Storage and Disposal etc.) |
Contracts (Between Data Controller-Data Controller, Data Controller-Data Processor) |
Privacy Commitments |
In-house Periodic and/or Random Audits |
Risk Analysis |
Employment Contract, Disciplinary Regulation (Adding Legal Provisions) |
Corporate Communication (Crisis Management, Informing the Board and Relevant Person, Reputation Management, etc.) |
Education and Awareness Activities (Information Security and Law) |
Notification to Data Controllers Registry Information System (VERBIS) |
Personal Data Security Policies and Procedures |
Rapid Reporting of Personal Data Security Issues |
Monitoring Personal Data Security |
Establishing Disciplinary Arrangements Containing Data Security Provisions for Employees |
Reducing Personal Data As Much As Possible |
Preparation and Implementation of Institutional Policies on Access, Information Security, Use, Storage and Disposal |
Removal of Authorities in this Area of Employees with a Change in Job or Leaving the Job |
Including Data Security Provisions in Signed Contracts |
Identification of Current Risks and Threats |
Conducting In-house Periodic and/or Random Inspections |
Determination and Implementation of Protocols and Procedures for Special Quality Personal Data Security |
Raising Awareness of Data Processing Service Providers on Data Security |
6.2. Technical Measures
Firewalls and gateways are among the measures taken to protect information technology systems containing personal data against unauthorized access and threats by third parties over the internet. With the firewall used, violations of the information network are stopped, and with the gateway, employees’ access to websites or online platforms that pose a threat to personal data security is restricted.
In addition, regular checks are made regarding the proper functioning of the software and hardware and whether the security measures taken for the systems are sufficient. Access to systems containing personal data is restricted, and within this scope, employees are granted access to the extent necessary for their jobs and duties, and their authorities and responsibilities, and access to the relevant systems is provided by using a user name and password. While creating the aforementioned passwords, numbers or letter sequences associated with personal information that can be easily guessed are avoided as much as possible.
Access authorization and control matrices are created within the data controller organization, and products such as antivirus and antispam, which regularly scan the information system network and detect dangers, are used to protect against malicious software.
In order to ensure data security, necessary measures are taken to ensure that documents in paper media containing personal data and servers, backup devices, CD, DVD, USB and other similar storage devices are only accessible to authorized personnel and to increase physical security in this regard.
The table below provides a summary of the technical measures taken to ensure data security:
Technical Measures |
Authority Matrix |
Authority Control |
Access Logs |
User Account Management |
Network Security |
Application Security |
Encryption |
Intrusion Detection and Prevention Systems |
Data Loss Prevention Software |
Backup |
Firewalls |
Current Anti-Virus Systems |
Deletion, Destruction, or Anonymization |
Key Management |
VII. BUILDING, FACILITY ENTRANCES AND PERSONAL DATA PROCESSING IN THE BUILDING AND FACILITY
7.1. Camera Monitoring Activity at Building, Facility Entrances and Inside
Within the scope of the Law on Private Security Services, camera monitoring is carried out in order to ensure security in the Maslak Health Group building, working areas, common areas, parking lot and its surroundings, and to protect the interest in ensuring the safety of Maslak Health Group and other persons. The camera monitoring activity is carried out in accordance with the Law and within the scope of the data processing conditions listed both in the Law and in this Policy.
7.2. Monitoring of Guest Entrance and Exit Carried out at Building, Facility Entrances and Inside
Identity information of guests visiting Maslak Health Group is subject to personal data processing in order to control and monitor entrances and exits to Maslak Health Group building and to ensure security. The personal data processed within the scope of this activity are only limited to the guests’ entry and exit, and the relevant personal data is recorded in the data recording system in electronic or physical environment.
VIII. STORAGE AND DISPOSAL OF PERSONAL DATA
8.1. Retention Periods of Personal Data
Your personal data held by Maslak Health Group are kept for as long as the data processing activity is necessary. In the event that the obligation to delete, destroy or anonymize personal data arises, the data is deleted, destroyed or anonymized within the first periodic destruction period following the date on which this obligation arises.
Maslak Health Group acts in accordance with the general principles set forth in article 4 of the Law and the technical and administrative measures set forth in article 12 in the deletion, destruction or anonymization of your personal data.
All transactions regarding the deletion, destruction or anonymization of personal data are recorded by us and are kept during the processing of personal data for at least 30 years in accordance with the legal obligation.
Personal data specialist personnel assigned by Maslak Health Group regarding the storage and destruction of data is the person responsible for the execution and supervision of the personal data storage and destruction policy.
8.2. Obligation to Delete, Destroy and Anonymize Personal Data
In the event that the reasons for its processing disappear, personal data processed by Maslak Health Group is deleted, destroyed or anonymized ex officio or upon the request of the relevant data owner, in accordance with Article 7 of the Law and the provisions of the “Regulation on the Deletion, Destruction or Anonymization of Personal Data” prepared by the Personal Data Protection Board and published in the Official Gazette dated 28 October 2017 and numbered 30224.
Deletion of personal data
Deletion of personal data is the process of making personal data inaccessible and non-reusable for relevant users.
All necessary technical and administrative measures are taken to ensure that the deleted personal data cannot be accessed and reused for the relevant users.
Destruction of personal data
Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.
Anonymization of personal data
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.
All kinds of technical and administrative measures are taken by Maslak Health Group to anonymize your personal data, and they are anonymized by applying methods in accordance with our personal data retention and destruction policy.
8.3. Deletion, Destruction and Anonymization Techniques of Personal Data
The techniques for deletion, destruction or anonymization of personal data processed by Maslak Health Group are shown below, and which of the techniques to apply may vary depending on the nature of the personal data processed.
For this, it is necessary first of all to determine the personal data that is the subject of deletion, destruction or anonymization (1), to identify the relevant users for each personal data using an access authorization and control matrix or a similar system (2), to determine the authorizations and methods of the relevant users such as access, retrieval and reuse (3), and to close and eliminate the access, retrieval and reuse authorizations and methods of the relevant users within the scope of personal data (4).
The way to delete personal data is as follows:
The way to destroy personal data is as follows:
9.1. Rights of Personal Data Owner
In accordance with the Law No. 6698, in the capacity of data owner:
9.2. Exercise of Personal Data Owner’s Rights
Requests by the data subject regarding the implementation of the Law are to be sent to Maslak Health Group in written form, via the contact e-mail [email protected] or the address Ayazağa, Mustafa Kemal Atatürk Cd 1-2, 34396 Sarıyer/İstanbul. For application requests, the “Data Owner Application Form” published on the website of Maslak Health Group should be used.
9.3. Maslak Health Group Responding to Applications
Depending on the nature of the application request, Maslak Health Group finalizes the application as soon as possible. This period cannot exceed 30 days after the request is properly served to us. However, if the transaction requires any cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board.
APPENDIX – 1: Definitions
Explicit consent: Consent on a specific subject, based on information and expressed with free will,
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,
Recipient group: The natural or legal person category to which personal data is transferred by the data controller,
Direct identifiers: identifiers that, by themselves, directly reveal, disclose and distinguish the person with whom they are in a relationship,
Indirect identifiers : Identifiers that come together with other identifiers, revealing, disclosing and making distinguishable the person they are in a relationship with,
Relevant person: The real person whose personal data is processed,
Relevant user: Real or legal persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
Destruction: Deletion, destruction or anonymization of personal data,
Law: Law on Protection of Personal Data No. 6698, dated 24/3/2016,
Blackening: Processes such as scratching, painting and icing all of the personal data in a way that cannot be associated with an identified or identifiable natural person,
Recording medium: Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system,
Personal data: Any information relating to an identified or identifiable natural person,
Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as the classification or prevention of its use,
Board : Personal Data Protection Board,
Institution : Personal Data Protection Authority,
Data processor : The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
Data registration system: The registration system in which personal data is processed and structured according to certain criteria,
Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Identity Information : Your name, surname, TC identity number, passport number or temporary TC identity number, place and date of birth, marital status, gender, insurance or patient protocol number and other identification data by which we can identify you;
Contact Information : Your address, telephone number, e-mail address and other communication data, your voice call records kept by customer representatives or patient services in accordance with call center standards, and your personal data obtained when you contact us via e-mail, letter or other means;
Accounting Information : Your financial data such as your bank account number, IBAN number, credit card information, billing information; your data on private health insurance and your Social Security Institution data for the purpose of financing and planning health services; If you visit our clinic, your footage of camera recordings kept for security and inspection purposes,
Health Information: Your personal data regarding all kinds of health and sexual life obtained during or as a result of medical diagnosis, treatment and care services, including but not limited to your laboratory results, test results, examination data, appointment information and prescription information; if you apply for a job at Maslak Health Group, your other personal data, including the CV provided in this regard; and any personal data related to your service contract if you are a Maslak Health Group employee or related employee.
APPENDIX – 2: Personal Data Owners (Relevant Persons)
Data Subject Categories | Explanation |
Worker | Refers to the people working in the Clinic. |
Employee Candidate | Refers to real persons who apply for a job at the Clinic by sending a CV or by other methods. |
Intern | Refers to the people who practise the profession they are trained in at the Clinic in order to increase their professional knowledge. |
Patient | Refers to the real persons who benefit from the services offered by the Clinic. |
The relatives of the patient | Refers to the companions or relatives of the patients who use the services offered by the Clinic. |
Supplier | Refers to natural persons and legal entity employees from whom services are provided. |
Visitor | Refers to third parties visiting the Clinic. |
Other Related Third Parties | Refers to the people who apply to the Clinic, other than those who communicate. |
APPENDIX – 3: Third Parties to whom Personal Data is Transferred
Transferred Person/Unit | Purpose of Transfer |
Ministry of Health | Transfer of information that needs to be transferred in accordance with public health and legislation. |
Social Security Institution | Transferring information for the purpose of realizing the transactions of the Employees, Employee Candidates and Patients within the scope of Social Security. |
Authorized Public Institutions and Organizations | Limited sharing/transfer of information and documents requested by the Clinic by relevant public institutions and organizations. |
Suppliers | Transfer of personal data limited to the provision of services received from suppliers. |
Any personal data obtained by Maslak Health Group can be processed for the purposes listed: confirming your identity, protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing, planning and management of the operation of our clinic and its daily operations, supply of medicines, informing you about your appointment if you make one, risk management and quality improvement activities, making evaluations in order to improve health services, conducting research, fulfilling legal and regulatory requirements, confirming your relationship with the institutions contracted with the clinic, billing for our health services,
ANNEX-5: Periods
Personal Data Category | Storage Time | Legal Basis |
Health Data (including but not limited to biometric, genetic and examination data; laboratory, test, analysis and examination results; check-up and prescription information; patient records and health data; and, when necessary, information on patients' relatives) | 30 Years from the end of the personal data processing activity | Private Hospitals Regulation, Turkish Penal Code |
All Records Related to Accounting and Financial Transactions | 10 years | Law No. 6102, Law No. 213 |
Cookies and Logs | 6 Months – Maximum 2 Years | Internet Law No. 5651 |
Traffic Information on Online Visitors | 2 years | Law No. 5651 |
Personal Data Regarding Suppliers | 10 Years after the legal relationship ends | Law No. 6102, Law No. 6098 and Law No. 213 |
Personal Data Protection Board Transactions | 10 years | Personal Data Retention and Destruction Policy published by the Personal Data Protection Authority (KVKK) |
Contracts | 10 Years From The Termination Of The Agreement | Law No. 6102 and Law No. 6098 |
Human Resources Processes | 10 Years From End of Activity | Labor Law No. 4857 and Related Legislation |
Visitor Registration | 2 Years From Event Ending | Personal Data Retention and Destruction Policy published by the Personal Data Protection Authority (KVKK) |
Data on Personal Files Stored under the Labor Law | 10 Years from the end of the Business Relationship | Labor Law No. 4857 and Related Legislation and Turkish Code of Obligations No. 6098 |
Data Collected under OHS Legislation (Health reports, OHS Trainings, Occupational Health and Safety records, etc.) | 15 Years from the end of the Business Relationship | Occupational Health and Safety Law No. 6331 and Related Legislation |
Data kept within the scope of SGK Legislation (Recruitment declarations, bonus/service documents, etc.) | 10 Years from the end of the Business Relationship | Social Insurance and General Health Insurance Law No. 5510 and Related Legislation |
Data Regarding Candidate Applications Where the Job Application Is Not Accepted (CV/Curriculum Vitae, Cover Letter, Application Form, etc.) | 1 year | Industry practices apply. |
Personal Data Processed in Contractual Relationships | 10 Years After Contract Termination | Turkish Code of Obligations No. 6098 |
Personal Data Regarding Tax Records | 5 years | Tax Procedure Law No. 213 |
Personal Data Processed for Security Purposes by Means of CCTV Cameras (Camera Records) | 90 Days | Industry Custom |
Traffic Information Processed during Use of the Office Internet Network, Internet Login and Remote Connection (IP address, start and end time of the service provided, type of service used, amount of data transferred and subscriber identity information, if any, etc.) | 2 years | Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts |
Personal Data of a Deceased Person | At least 20 Years | Regulation on Personal Health Data published in the Official Gazette dated 21.06.2018 and numbered 30808 |