Ames Health

Personal Data Storage And Disposal Policy

Policy On Storage And Destruction Of Personal Data for Amerikan Estetik ve Sağlık Hizmetleri Ticaret Limited Şirketi (Private American Surgical Medical Center)

1. Introduction

1.1 Purpose

This Personal Data Storage and Destruction Policy ("Policy") is applicable for Amerikan Estetik ve Sağlık Hizmetleri Ticaret Limited Şirketi (hereinafter referred to as "Medical Center") in its entirety within framework of the applicable legislation and based on the nationally recognized basic principles in connection with destruction of personal data. This Policy contains framework and principles regarding destruction activities as required under the relevant legislation. Paragraph three, article 7 of the Law on Protection of Personal Data ("Law") contains the following provision: "The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by a legislation." Pursuant to the foregoing provision and clause (a), paragraph one, article 22 of the Law, the Personal Data Protection Board ("Board") prepared a Regulation on Deletion, Destruction and Anonymization of Personal Data ("Regulation"), which was promulgated in the issue of the Official Gazette of October 28, 2017 and numbered 30224. Based on the aforesaid regulation, purpose of this Policy is determination of procedures and principles regarding deletion, destruction and anonymization of personal data processed throughout operations of the Medical Center in accordance with the Regulation.

1.2 Scope

This Policy covers personal data pertaining to employees, prospective employees, suppliers, suppliers' officials, suppliers' employees, individuals procuring products or services, potential purchaser of product or service, shareholders/partners, visitors, third parties and third parties' employees with whom the Medical Center has a legal relation and this Policy is applicable for all environments of recording owned by our Medical Center or managed by our Medical Center wherein personal data is processed and activities intended to process personal data.

1.3. Abbreviations and Definitions

Concept Definition
Recipient Group Means the real person or legal entity category, to which personal data is transferred by the Data Controller
Explicit Consent Explicit Consent means the consent that is expressed in respect of a specific issue after being informed and based on free will.
Anonymization Means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data
Electronic Medium Means media wherein personal data can be created, read, modified and written by means of electronic devices
Non-Electronic Environment Means all printed, written, visual and other similar environments other than the electronic media.
Related Person Means the natural person whose personal data is being processed
Relevant User Means persons who process the personal data either within the organization of the data controller, or pursuant to the power and instruction respectively bestowed by the data controller, other than the person or unit that is responsible from the technical storage, protection, and back-up of the data,
Destruction Means deletion, destruction or anonymization of personal data
Law Means the Law on Protection of Personal Data numbered 6698
Recording Medium Means any medium containing the personal data processed by fully or partially automatic means or non-automated means provided that it is part of any data recording system.
Personal Data Means any information relating to an identified or identifiable natural person
Personal data subject Means the natural person whose personal data is being processed
Processing of personal data Means any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system
Personal data processing inventory Means the inventory whereby data controllers explain and detail out activities of personal data processing conducted in connection with business processes, purposes for personal data processing by linking the same with the data category, group of receivers to whom data is transmitted and group of persons who are subject of the data and the maximum period for which personal data is necessary in connection with the purpose for which it is processed and the personal data intended for transmittance to foreign countries and measures taken for data security.
Board Means the Personal Data Protection Board
Authority Means the Personal Data Protection Authority
Sensitive Personal Data Means personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and biometric and genetic data.
Periodical destruction Means deletion, destruction or anonymization operations stipulated in the policy on storage and destruction of personal data which are to take place directly on a periodic basis in the event that conditions for processing of personal data have ceased to exist in their entirety
Policy Means the policy which data controllers take as basis for determining the maximum period required for processing purpose of personal data as well as for the operation of deletion, destruction and anonymization.
Registry Means data controllers' registry kept by the Personal Data Protection Authority
Data Processor Means a natural person or legal entity that processes personal data on behalf of the data controller on the basis of the authority vested by the latter
Data recording system Means the recording system in which the personal data is registered upon being structured according to certain criteria
Data Controller Means a natural or legal person, who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the data registry system.
Regulation means the Regulation on the Deletion, Destruction or Anonymization of Personal Data that came into office after being promulgated in the issue of the Official Gazette dated 28.10.2017 and numbered 30224.

2. Distribution OF Responsibilities and Duties:

All units and employees of the Medical Center actively support responsible units in connection with technical and administrative measures intended to assure data security in all environments wherein personal data is processed taken with a view to properly implementing technical and administrative measures taken by responsible units under this Policy, increasing, monitoring and constantly controlling awareness and training of units' employees as well as preventing illegal use of personal data, preventing illegal access to personal data and ensuring that personal data is legally stored.
Below is the distribution related to titles, units and job descriptions of those tasked with storage and destruction processes of personal data.

Table 1: Distribution of duties for storage and destruction processes

Title Unit Job Description
IT Officer Data Processing Ensuring that processes included in her/his job are consistent with storage period, managing periodic destruction process, and conducting audit and controls with a view to responding to requests of Data Subjects
Accounting Officer Accounting Ensuring that processes included in her/his job are consistent with the storage process, management of periodic destruction process, control of whether or not obligations of retaining documents and books under TCC numbered 6100 and the Tax Legislation are in force and whether or not such obligations have ceased to exist
Human Resources Officer Human Resources Ensuring compliance with storage periods for personal data, management of periodic destruction process, and receipt and responding employees' requests of clarification in connection with their rights available in the Law
Purchasing Officer Purchasing Ensuring that processes included in her/his job are consistent with the storage process, management of periodic destruction process, control of whether or not obligations have ceased to exist
OHS Officer OHS Ensuring that processes included in her/his job are consistent with the storage process, management of periodic destruction process, control of whether or not obligations have ceased to exist

3. RECORDING MEDIA

Personal data is legally stored by the Organization securely in the media listed in Table 2.

Table 2: Personal data processing media

Electronic Media Non-Electronic Media
Servers (domain, back-up, e-mail, database, web, file sharing, etc.) Paper
Pieces of Software (office software) Manual data recording systems
Information security device (firewall, daily log file, anti-virus, etc.) Printed, written, visual media
Mobile devices (phone, tablet, etc.) Folders
Optic discs (CD, DVD etc.) Files
Removable memories (USB, Memory Card, etc.)
Printer, scanner, copier machine
Removable memories such as USB, hard disk
Desktop computer and laptop computer

4. EXPLANATIONS ON STORAGE AND DESTRUCTION

The Medical Center stores and destroys personal data of natural persons including employees, prospective employees, suppliers, suppliers' officials, suppliers' employees, individuals procuring products or services, potential purchaser of product or service, shareholders/partners, visitors and other third parties in accordance with LPPD. Below are detailed explanations in connection with storage and destruction.

4.1 Explanations on Storage

Article 3 of the Law defines the concept of personal data processing, article 4 of the same law provides for that personal data must be connected with purpose of processing, must be limited and moderate and personal data must be stored for a period stipulated in the relevant legislation or a period required for their purpose of processing, whereas articles 5 and 6 list conditions for processing of the personal data. Accordingly, personal data is stored for periods stipulated in the relevant legislation or for periods consistent with our processing purposes within framework of the Medical Center's activities.

4.1.1 Legal Reasons Requiring Storage

The Medical Center stores personal data processed within framework of its activities for periods stipulated in the relevant legislation. In this framework, personal data is stored for periods stipulated in the secondary legislation, notably,

  • Tax Procedure Law numbered 213
  • Law on Private Hospitals numbered 2219
  • Law on Identification numbered 1774
  • Fundamental Law on Healthcare Services numbered 3359
  • Labor Law numbered 4857
  • Social Security and General Health Insurance Law numbered 5510
  • Law on Regulating Broadcasting in the Internet and Fighting Against Crimes Committed through Internet Broadcasting numbered 5651
  • Turkish Code of Obligations numbered 6098
  • Turkish Commercial Code numbered 6102
  • Occupational Health and Safety Law numbered 6361
  • Law on Protection of Personal Data numbered 6698
  • Legislative Decree on Organization and Duties of the Ministry of Health and Affiliated Institutions numbered 663.
  • Regulation on Private Hospitals, Implementation Communiqué on Health, Regulation on Patient Rights.

4.1.2. Purposes of Processing Requiring Storage

The Medical Center stores personal data processed by it in line with its activities in accordance with following purposes:

  • Carrying out emergency management processes
  • Carrying out information security processes
  • Carrying out processes for selection and placement of prospective employee / intern / student
  • Carrying out application process for prospective employees
  • sharing with private insurers information so demanded within scope of entitlement inquiry,
  • Fulfillment of the obligations arising from employment contract and legislation for employees
  • Carrying out fringe benefits and interests processes for employees
  • Executing audit / ethic activities
  • Execution of training activities
  • Carrying out Access Authorizations
  • Conducting activities in accordance with the legislation
  • Carrying out finance and accounting transactions
  • Assuring physical space security
  • Execution of assignment processes
  • Pursuit and conducting legal affairs
  • Carrying out communication activities
  • Carrying out human resources processes
  • Execution/audit of Business Operations
  • Execution of occupational health/safety activities
  • Obtaining and Assessing the Suggestions for Improvement of the Business Processes
  • Carrying out activities intended for business continuity
  • Execution of goods / service production and operation processes
  • Carrying out goods/service purchasing processes
  • Carrying out goods/services sales processes
  • Carrying out Customer Relations Management Processes
  • Execution of Customer Satisfaction Activities
  • Managing Organization and Event
  • Carrying out Performance Evaluation Processes
  • Execution of Appointment Transactions
  • Execution of Risk Management Processes
  • arrying out Retention and Archiving Activities
  • Conducting the contractual processes
  • Conducting Strategic Planning Activities
  • Follow-up of Demands / Complaints
  • Securing movable goods and resources
  • Execution of supply chain management processes
  • xecution of salary policy
  • Execution of marketing processes related to products or services
  • Assuring the security of the data controller's operations
  • Informing authorized persons, institutions and organizations
  • Carrying out management activities

4.2. Reasons Requiring Destruction

Personal data is, upon demand of the related person, deleted, destroyed and anonymized or directly deleted, destroyed or anonymized by the Medical Center if:

  • Amendment or abolishment of relevant legislation provisions constituting the basis for processing of personal data,
  • The purpose for which personal data is processed has ceased to exist,
  • The related person has withdrawn his/her consent in cases where processing of personal data takes place only with the explicit consent,
  • application filed for deletion or destruction of personal data within framework of related person's rights under article 11 of LPPD is accepted,
  • a complaint is filed at the Board and the Board finds such request fit in the event that the Medical Center declines the application filed by the Related Person at the Company for deletion or destruction of personal data, reply given by the Medical Center is deemed insufficient or no reply is given within the time laid down in LPPD, and
  • Maximum period for the storage of personal data has expired and there are no conditions that would justify the storage of personal data for a longer period

5. TECHNICAL AND ADMINISTRATIVE MEASURES

The Medical Center takes technical and administrative measures to securely store personal data, prevent illegal processing of and access to personal data and to lawfully destroy personal data within framework of sufficient measures determined and announced by the Board for sensitive personal data as per article 12 and paragraph 4, article 6 of LPPD.

5.1. Technical Measures

Measures taken by the Medical Center in connection with personal data processed by it are listed below;

  • Network and application security is assured.
  • Security measures are taken within the scope of procurement, development and maintenance of the information technology systems.
  • The security of the personal data stored in cloud is assured.
  • Training and awareness activities on data security are conducted for employees at regular intervals.
  • Authorization matrix has been established for employees.
  • Access logs are kept regularly.
  • The authorizations in this field of the employees who have resigned or been assigned to another position are revoked.
  • Up-to-date antivirus systems are in place.
  • Firewalls are in use.
  • Personal data is backed up and the security of the backed up personal data is also assured.
  • User account management and authorization control system are applied and these are also followed up.
  • Log records are kept without user intervention.
  • Intrusion detection and prevention systems are used.
  • Penetration test is applied
  • Cyber security measures have been taken and its implementation is continuously monitored.
  • Encryption is made.
  • Software for preventing the data loss is used.

5.2. Administrative Measures

Measures taken by the Medical Center in connection with personal data processed by it are listed below;

  • Confidentiality commitments are executed.
  • Necessary security measures are taken for entering and exiting physical environments containing personal data.
  • Physical environments containing personal data are protected against external risks (fire, flood, etc.)
  • Media containing personal data are secured.
  • Regulation on Processing and Assuring Privacy of Personal Health Data,
  • Personal data is reduced to the extent possible.

6. DESTRUCTION METHODS OF PERSONAL DATA

Upon expiry of the period stipulated in the relevant legislation or period required for purpose of processing, personal data is destroyed by the Medical Center directly or upon application of the related person in accordance with provisions of the relevant legislation, using following techniques.

6.1. Deletion of Personal Data

Personal data is deleted using methods listed in Table-3. Table 3: Deletion of

Personal Data

Data Recording Medium Description
Personal data in physical environment Personal data in physical medium is deleted using blackening method or by retention of the document in a secure medium making it impossible for related users to access to the document.
Personal Data Stored in Servers Personal Data Stored in Servers The personal data in servers whose storage period has expired are erased by revoking the access authorities of the relevant users by the system administrator.
Personal Data Stored in Databases The related user is denied access to personal data stored in the database through assignment of role and authorization.
Personal data stored in portable devices (USB, Hard Disk, CD, DVD) The related user is denied access to the file

6.2 Destruction of Personal Data

Methods used by us, as the Medical Center, for lawful destruction of personal data are as follows:

Table 4: Destruction of Personal Data

Data Recording Medium Description
Personal data in physical environment Those personal data stored in hard copy whose period of storage has expired shall be destroyed using shredder in a irrecoverable manner.
Personal data is stored in peripheral (network devices, flash -based media, optic systems, etc.) and local systems Devices containing personal data are destroyed through physical methods such as burning, disintegration, melting. Also, personal data stored on the device is rendered unreadable by way of demagnetizing and destruction operation is carried out. However, destruction operation is implemented by randomly entering data on existing data by using special software, thereby, making old data impossible to recover.

6.3 Anonymization of Personal Data

Anonymization of personal data is rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data; In order to anonymize personal data, the personal data must be rendered impossible to associate with a specific or identifiable natural person, even by using the suitable techniques for the recording medium and relevant field of activity, such as the return of data by the data controller or third parties and/or matching the data to other data.

7. STORAGE AND DESTRUCTION PERIODS

With regards to personal data processed by the Medical Center in connection within scope of its activities;

  • storage periods based on personal data in connection with all personal data covered by activities carried out based on processes are specified in Personal Data Processing Inventory;
  • storage periods on the basis of data categories are specified in VERBİS (Data Controller Registry Information System);
  • storage periods based on process are specified in this Policy on Personal Data Storage and Destruction.

Destruction process for personal data is conducted by the Medical Center in line with storage periods established for every relationship, taking into account the relevant legislation. Personal data for which storage period has expire is deleted, destroyed or anonymized within periodic destruction periods as set by the Medical Center.

Table 5: Table of Process Based Storage and Destruction Periods

PROCESS STORAGE PERIOD DESTRUCTION PERIOD
Conducting human resources employee processes 15 years after the employee leaves the company During the periodic destruction period of the first 6 months following expiry of the storage period
Conducting processes associated with prospective employees 1 year following acceptance of the application During the periodic destruction period of the first 6 months following expiry of the storage period
Execution of contractual relationships 10 years following expiry of contract During the periodic destruction period of the first 6 months following expiry of the storage period
Camera Records Automatically destroyed upon expiry of 1-month Recording Period following the recording Automatically destroyed upon expiry of Recording Period
Enforcement of Accounting and Financial Processes 10 years following recording During the periodic destruction period of the first 6 months following expiry of the storage period
Execution of Patient File Processes Oluşturulmasından İtibaren 10 Yıl During the periodic destruction period of the first 6 months following expiry of the storage period

For personal data whose storage period has expired, operation of direct deletion, destruction or anonymization is performed by departments listed under the heading “2. RESPONSIBILITY AND DISTRIBUTION OF DUTIES”.

8. PERIODIC DESTRUCTION PERIOD

As per article 11 of the Regulation, the period destruction period has been set by the Medical Center as [6] months. Accordingly, the Medical Center performs periodic destruction operation every June and every December.

9. PUBLISHING AND STORING OF THE POLICY

This Policy is published in two different ways, i.e. (printed paper) with wet signature and softcopy, and is made public at the web page. The printed paper copy is retained in a file at the Human Resources Department.

10. UPDATING PERIOD OF THE POLICY

The policy is updated when necessary and in case of amendments to processes.

11. EFFECTIVE DATE OF THE POLICY and ABOLISHMENT

This Policy is deemed to have come into force after it is posted in the website of the Medical Center. In the event that it is decided to abolish this Policy, former copies with wet signature of this Policy are cancelled with the company's seal and signature of the company's authorized signatory (by applying cancellation stamp or by writing "cancelled" thereon) and signed and retained by the Human Resources Department for a period of 5 years.