Personal Data Destruction Policy

As the data controller, the private practice of Assoc. Prof. Dr. Güncel Öztürk stores and disposes of your personal data in accordance with the general principles and regulations specified in this Personal Data Retention and Destruction Policy, which has been prepared in compliance primarily with the Constitution, Law No. 6698 on the Protection of Personal Data, the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and other relevant legislation.

With this Policy, the Practice aims to set out the general principles and procedures regarding the retention and destruction of natural person data subject to personal data processing activities within the scope of KVKK, and to fulfill the obligations stipulated by legislation.

Explicit Consent: Consent regarding a specific matter, based on being informed, and declared with free will,

Recipient Group:The category of natural or legal persons to whom personal data are transferred by the data controller,

Anonymization : Rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if matched with other data.

Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data,

Destruction:Deletion, destruction, or anonymization of personal data,
Personal Data:Any information relating to an identified or identifiable natural person (e.g., name-surname, Turkish ID number (TCKN), e-mail, address, date of birth, credit card number, bank account number

Data Subject: The natural person whose personal data are processed,

Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making accessible, classifying, or preventing the use of personal data, fully or partially by automated means or, provided that it is part of a data recording system, by non-automated means,

Special Category Personal Data: Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,

Periodic Destruction: The deletion, destruction, or anonymization process to be carried out ex officio at recurring intervals specified in this Policy when all conditions for processing personal data set out in KVKK cease to exist,

RECORDING MEDIA REGULATED BY THE POLICY

It covers all personal data subject to data processing activities within the scope of KVKK. In addition, the documents referred to by the Policy cover both physical and digital copies.

All personal data subject to data processing activities within the scope of KVKK, processed fully or partially by automated means or, provided that it is part of a data recording system, by non-automated means, are stored in the media specified below:

Practice computers, e-mail accounts, desktop computers, employees’ devices (e.g., mobile phones), backup areas, paper files, folders, visitor logbook, CD,DVD, USB, hard disks, printers, photocopy machines, etc.

REASONS REQUIRING THE RETENTION AND DESTRUCTION OF PERSONAL DATA

The following principles are taken as basis in personal data processing activities:

• Compliance with the law and the rule of good faith,
  •Ensuring that personal data are accurate and, when necessary, kept up to date,
  •Processing for specific, explicit, and legitimate purposes,
  •Being relevant, limited, and proportionate to the purpose for which they are processed,
  •Retaining for the period stipulated in relevant legislation or required for the purpose of processing.

Our practice retains and uses personal data for the purposes of personal data processing and based on the conditions for processing personal data set out in Articles 5 and 6 of KVKK; and in the event that all of these conditions cease to exist, it destroys personal data ex officio or upon the request of the personal data owner:

The Data Subject’s Explicit Consent Exists: The first condition for processing personal data is the data subject’s explicit consent.

Explicitly Prescribed by Laws: The data subject’s personal data may be processed lawfully without obtaining explicit consent if explicitly prescribed by laws.

Inability to Obtain the Data Subject’s Explicit Consent Due to Actual Impossibility: The data subject’s personal data may be processed if it is mandatory to process such data to protect the life or physical integrity of the data subject or another person where the data subject is unable to declare consent due to actual impossibility or where consent cannot be deemed valid.

Directly Related to the Establishment or Performance of a Contract: Personal data may be processed if it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of that contract.

Legal Obligation: The data subject’s data may be processed if processing is mandatory for our Company to fulfill its legal obligations.

The Data Subject Has Made Their Personal Data Public: If the data subject has made their personal data public, the relevant personal data may be processed limited to the purpose of making it public.

Processing Is Mandatory for the Establishment or Protection of a Right: The data subject’s personal data may be processed if processing is mandatory for the establishment, exercise, or protection of a right.

Processing Is Mandatory for Our Company’s Legitimate Interest: The data subject’s personal data may be processed if processing is mandatory for our Company’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

DELETION, DESTRUCTION, OR ANONYMIZATION OF PERSONAL DATA

Personal data are deleted, destroyed, or anonymized by the Company upon the data subject’s request, or are deleted, destroyed, or anonymized ex officio in cases where the provisions of relevant legislation forming the basis for processing are amended or repealed, the purpose requiring processing or retention ceases to exist, in cases where processing is based solely on explicit consent and the data subject withdraws explicit consent, the maximum retention period requiring the retention of personal data has elapsed, and there is no condition justifying retaining personal data for a longer period.

Unless otherwise decided by the Personal Data Protection Board, our Company chooses the appropriate method among ex officio deletion, destruction, or anonymization methods according to technological possibilities and implementation costs. If requested by the personal data owner, the justification for the chosen appropriate method is explained. Necessary technical and administrative measures are taken in each of these processes.

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN

In accordance with Article 12 of KVKK and the provisions of the Regulation, the general principles stated above, this Policy, and the decisions of the Personal Data Protection Board, our practice takes the necessary technical and administrative measures, considering technological possibilities and implementation costs, regarding the issues listed below:

• Necessary software and hardware have been determined. Strong passwords are used on computers and e-mail accounts.
• Items that must be protected in terms of protecting patient information have been communicated to our personnel through trainings, and responsibilities have been set out in writing through employment contracts. (Confidentiality Agreements) This obligation continues even after the relevant persons leave their positions.
• The necessary infrastructure has been established for the purpose of backing up all data.
• Employees who can access data on computers have been determined.
• Customer files and information are provided only to the data subjects themselves, to their relatives for whom they have given written approval, to relevant public institutions and organizations within the framework of legislation, and to competent judicial authorities in judicial cases.
• Before starting personal data processing, the institution fulfills its obligation to inform the relevant persons.
• A personal data processing inventory has been prepared.

RETENTION AND DESTRUCTION PERIODS

Our practice retains and destroys personal data only for the period stipulated in the legislation it is obliged to comply with or required for the purpose for which they are processed.

If the personal data owner applies to our Company and requests the destruction of their personal data:

If all conditions for processing personal data have ceased to exist: The Practice finalizes the request within thirty days at the latest, informs the personal data owner, and if the personal data subject to the request have been transferred to third parties, it notifies the third party and ensures that necessary actions are taken before the third party.

If all conditions for processing personal data have not ceased to exist: The Practice may reject the request by explaining the reason in accordance with the third paragraph of Article 13 of KVKK, and notifies the rejection to the personal data owner in writing or electronically within thirty days at the latest.

PERIODIC DESTRUCTION PERIODS

Personal data are destroyed in the first periodic destruction process following the date on which the obligation to destroy personal data arises. In this context, if the obligation to destroy personal data arises, they are subject to destruction at 6-month intervals.