This Personal Data Storage and Destruction Policy ("Policy") applies to Amerikan Estetik ve Sağlık Hizmetleri Ticaret Limited Şirketi (hereinafter the "Medical Center") in its entirety, within the framework of the applicable legislation and the nationally recognized basic principles on the destruction of personal data. It sets out the framework and principles for the destruction activities required under the relevant legislation. Paragraph three, article 7 of the Law on Protection of Personal Data (the "Law") provides: "The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by a regulation." Pursuant to that provision and clause (a), paragraph one, article 22 of the Law, the Personal Data Protection Board (the "Board") prepared the Regulation on Deletion, Destruction and Anonymization of Personal Data (the "Regulation"), published in the Official Gazette of October 28, 2017, numbered 30224. On the basis of the Regulation, the purpose of this Policy is to determine the procedures and principles for the deletion, destruction and anonymization of personal data processed in the course of the Medical Center's operations.
This Policy covers the personal data of employees, prospective employees, suppliers, suppliers' officials, suppliers' employees, individuals procuring products or services, potential purchasers of products or services, shareholders/partners, visitors, and third parties and their employees with whom the Medical Center has a legal relationship. It applies to all recording media owned or managed by the Medical Center in which personal data is processed, and to all activities intended to process personal data.
| Term | Definition |
|---|---|
| Recipient Group | The category of natural persons or legal entities to which personal data is transferred by the Data Controller. |
| Explicit Consent | Consent expressed in respect of a specific issue, after being informed and based on free will. |
| Anonymization | Rendering personal data impossible to link with an identified or identifiable natural person, even by matching it with other data. |
| Electronic Medium | Media in which personal data can be created, read, modified and written by means of electronic devices. |
| Non-Electronic Environment | All printed, written, visual and similar environments other than electronic media. |
| Related Person | The natural person whose personal data is being processed. |
| Relevant User | Persons who process personal data within the organization of the data controller, or pursuant to the authority and instructions given by the data controller, other than the person or unit responsible for the technical storage, protection and back-up of the data. |
| Destruction | Deletion, destruction or anonymization of personal data. |
| Law | The Law on Protection of Personal Data numbered 6698. |
| Recording Medium | Any medium containing personal data processed by fully or partially automated means, or by non-automated means provided that it is part of a data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Personal data subject | The natural person whose personal data is being processed. |
| Processing of personal data | Any operation performed on personal data, such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use, by wholly or partly automated means or by non-automated means that form part of a filing system. |
| Personal data processing inventory | The inventory in which data controllers explain and detail the personal data processing activities carried out in connection with their business processes and the purposes of processing, linking them with the data category, the recipient groups to which data is transferred and the groups of data subjects, together with the maximum period for which the personal data is necessary for the purpose of processing, the personal data intended for transfer abroad and the measures taken for data security. |
| Board | The Personal Data Protection Board. |
| Authority | The Personal Data Protection Authority. |
| Sensitive Personal Data | Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership of associations, foundations or trade unions, health, sexual life, convictions and security measures, and biometric and genetic data. |
| Periodical destruction | The deletion, destruction or anonymization operations stipulated in the personal data storage and destruction policy, carried out on the data controller's own initiative at periodic intervals once all conditions for processing the personal data have ceased to exist. |
| Policy | The policy on which data controllers base the maximum period required for the purpose of processing personal data, and the deletion, destruction and anonymization operations. |
| Registry | The Data Controllers' Registry kept by the Personal Data Protection Authority. |
| Data Processor | A natural person or legal entity that processes personal data on behalf of the data controller, on the basis of the authority granted by the data controller. |
| Data recording system | The recording system in which personal data is registered after being structured according to certain criteria. |
| Data Controller | A natural or legal person who determines the purposes and means of processing personal data, and who is responsible for establishing and managing the data recording system. |
| Regulation | The Regulation on the Deletion, Destruction or Anonymization of Personal Data, which entered into force after publication in the Official Gazette dated 28.10.2017 and numbered 30224. |
All units and employees of the Medical Center actively support the responsible units in the technical and administrative measures taken under this Policy to ensure data security in every environment in which personal data is processed, so that those measures are implemented properly, the awareness and training of units' employees is raised, monitored and continuously checked, unlawful processing of and unlawful access to personal data is prevented, and personal data is stored lawfully.
Below is the distribution of titles, units and job descriptions of those tasked with the storage and destruction processes of personal data.
| Title | Unit | Duties |
|---|---|---|
| IT Officer | Data Processing | Ensuring that the processes within her/his job are consistent with the storage periods, managing the periodic destruction process, and conducting audits and controls in order to respond to Data Subjects' requests. |
| Accounting Officer | Accounting | Ensuring that the processes within her/his job are consistent with the storage process, managing the periodic destruction process, and checking whether the obligations to retain documents and books under the TCC numbered 6100 and the Tax Legislation are still in force or have ceased to exist. |
| Human Resources Officer | Human Resources | Ensuring compliance with the storage periods for personal data, managing the periodic destruction process, and receiving and responding to employees' requests for clarification about their rights under the Law. |
| Purchasing Officer | Purchasing | Ensuring that the processes within her/his job are consistent with the storage process, managing the periodic destruction process, and checking whether obligations have ceased to exist. |
| OHS Officer | OHS | Ensuring that the processes within her/his job are consistent with the storage process, managing the periodic destruction process, and checking whether obligations have ceased to exist. |
Personal data is stored lawfully and securely by the Medical Center in the media listed in Table 2.
| Electronic Media | Non-Electronic Media |
|---|---|
| Servers (domain, back-up, e-mail, database, web, file sharing, etc.) | Paper |
| Software (office software) | Manual data recording systems |
| Information security devices (firewall, daily log file, anti-virus, etc.) | Printed, written, visual media |
| Mobile devices (phone, tablet, etc.) | Folders |
| Optical discs (CD, DVD, etc.) | Files |
| Removable memories (USB, memory card, etc.) | |
| Printer, scanner, copier machine | |
| Removable memories such as USB, hard disk | |
| Desktop computer and laptop computer | |
The Medical Center stores and destroys the personal data of natural persons, including employees, prospective employees, suppliers, suppliers' officials, suppliers' employees, individuals procuring products or services, potential purchasers of products or services, shareholders/partners, visitors and other third parties, in accordance with the LPPD. Detailed explanations of storage and destruction are given below.
Article 3 of the Law defines the processing of personal data; article 4 requires that personal data be processed in connection with the purpose of processing, in a limited and proportionate manner, and be retained only for the period stipulated in the relevant legislation or required for the purpose of processing; and articles 5 and 6 set out the conditions for processing personal data. Accordingly, personal data is stored for the periods stipulated in the relevant legislation or for the periods consistent with the Medical Center's processing purposes within the framework of its activities.
The Medical Center stores personal data processed within the framework of its activities for the periods stipulated in the relevant legislation. Within this framework, personal data is stored for the periods stipulated in the secondary legislation, notably,
The Medical Center stores personal data processed in line with its activities for the following purposes:
Personal data is deleted, destroyed or anonymized by the Medical Center, either upon the request of the related person or on the Medical Center's own initiative, if:
The Medical Center takes technical and administrative measures to store personal data securely, to prevent unlawful processing of and access to personal data, and to destroy personal data lawfully, within the framework of the adequate measures determined and announced by the Board for sensitive personal data pursuant to article 12 and paragraph 4, article 6 of the LPPD.
The measures taken by the Medical Center in connection with the personal data it processes are listed below:
Upon expiry of the period stipulated in the relevant legislation or required for the purpose of processing, personal data is destroyed by the Medical Center, on its own initiative or upon application of the related person, in accordance with the relevant legislation, using the following techniques.
Personal data is deleted using the methods listed in Table 3.
Table 3: Deletion of
| Data Recording Medium | Description |
|---|---|
| Personal data in physical environment | Personal data in physical media is deleted by blacking out, or by retaining the document in a secure medium so that the relevant users cannot access it. |
| Personal data stored in servers | Personal data in servers whose storage period has expired is deleted by the system administrator revoking the access rights of the relevant users. |
| Personal data stored in databases | The relevant user is denied access to personal data stored in the database by means of role and authorization assignment. |
| Personal data stored in portable devices (USB, hard disk, CD, DVD) | The relevant user is denied access to the file. |
The methods used by the Medical Center for the lawful destruction of personal data are as follows:
| Data Recording Medium | Description |
|---|---|
| Personal data in physical environment | Personal data stored in hard copy whose storage period has expired is destroyed irrecoverably using a shredder. |
| Personal data stored in peripheral (network devices, flash-based media, optical systems, etc.) and local systems | Devices containing personal data are destroyed by physical methods such as burning, disintegration or melting. Alternatively, the personal data on the device is rendered unreadable by degaussing, or the existing data is overwritten with random data using special software, so that the old data cannot be recovered. |
Anonymization of personal data means rendering personal data impossible to link with an identified or identifiable natural person, even by matching it with other data. Personal data is anonymized when, even with techniques suited to the recording medium and the relevant field of activity, such as retrieval of the data by the data controller or third parties and/or matching it with other data, it can no longer be associated with an identified or identifiable natural person.
With regard to the personal data processed by the Medical Center within the scope of its activities:
The destruction of personal data is carried out by the Medical Center in line with the storage periods established for each relationship, taking the relevant legislation into account. Personal data whose storage period has expired is deleted, destroyed or anonymized within the periodic destruction periods set by the Medical Center.
| PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD |
|---|---|---|
| Conducting human resources employee processes | 15 years after the employee leaves the company | During the periodic destruction period in the first 6 months following expiry of the storage period |
| Conducting processes associated with prospective employees | 1 year following acceptance of the application | During the periodic destruction period in the first 6 months following expiry of the storage period |
| Execution of contractual relationships | 10 years following expiry of the contract | During the periodic destruction period in the first 6 months following expiry of the storage period |
| Camera Records | Automatically destroyed upon expiry of the 1-month recording period following the recording | Automatically destroyed upon expiry of the recording period |
| Enforcement of Accounting and Financial Processes | 10 years following recording | During the periodic destruction period in the first 6 months following expiry of the storage period |
| Execution of Patient File Processes | 10 years from creation | During the periodic destruction period in the first 6 months following expiry of the storage period |
For personal data whose storage period has expired, operation of direct deletion, destruction or anonymization is performed by departments listed under the heading “2. RESPONSIBILITY AND DISTRIBUTION OF DUTIES”.
As per article 11 of the Regulation, the periodic destruction period has been set by the Medical Center as  months. Accordingly, the Medical Center performs periodic destruction every June and every December.
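The retention table and the June/December destruction cycle above are easy to state and easy to get wrong when applied record by record, so the following Python script (an added example, not part of the Policy or the Medical Center's own tooling) computes, for each record, the storage expiry from its trigger date and the periodic destruction run in which it must be destroyed. It encodes the periods from the retention table as given; the process keys, record identifiers and trigger dates are constructed for illustration, and the periodic run is modelled as taking place on the first day of June and of December (an assumption, since the Policy names only the months). Camera records are treated as destroyed automatically at the end of the recording period rather than waiting for a periodic run, as the table states.

```python
"""Retention-expiry and periodic-destruction scheduler (added example, not policy text)."""
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    process: str
    years: int = 0
    months: int = 0
    automatic: bool = False  # destroyed on expiry, without waiting for a periodic run


# Storage periods as given in the Policy's retention table (process keys are ours).
RULES = {
    "hr_employee": RetentionRule("Conducting human resources employee processes", years=15),
    "prospective_employee": RetentionRule("Conducting processes associated with prospective employees", years=1),
    "contract": RetentionRule("Execution of contractual relationships", years=10),
    "camera": RetentionRule("Camera Records", months=1, automatic=True),
    "accounting": RetentionRule("Enforcement of Accounting and Financial Processes", years=10),
    "patient_file": RetentionRule("Execution of Patient File Processes", years=10),
}

PERIODIC_RUN_MONTHS = (6, 12)  # Policy: periodic destruction every June and every December


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the length of the target month."""
    total = d.year * 12 + (d.month - 1) + months
    year, month_index = divmod(total, 12)
    month = month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def storage_expiry(rule: RetentionRule, trigger: date) -> date:
    """End of the storage period counted from the trigger event (leaving date, contract end, ...)."""
    return add_months(trigger, rule.years * 12 + rule.months)


def next_periodic_run(expiry: date) -> date:
    """First periodic destruction run on or after the expiry date (assumed to be the 1st of June/December)."""
    year = expiry.year
    while True:
        for run_month in PERIODIC_RUN_MONTHS:
            candidate = date(year, run_month, 1)
            if candidate >= expiry:
                return candidate
        year += 1


def plan_record(process_key: str, trigger_iso: str) -> dict:
    """Plan one record: expiry, destruction date and whether it meets the 6-month window the Policy requires."""
    rule = RULES[process_key]
    trigger = date.fromisoformat(trigger_iso)
    expiry = storage_expiry(rule, trigger)
    destroy_on = expiry if rule.automatic else next_periodic_run(expiry)
    return {
        "process": rule.process,
        "storage_expiry": expiry.isoformat(),
        "destroy_on": destroy_on.isoformat(),
        # The Policy requires destruction within the first 6 months after expiry.
        "within_policy_window": expiry <= destroy_on <= add_months(expiry, 6),
    }


def schedule(records) -> dict:
    """records: iterable of (record_id, process_key, trigger_date_iso). Returns {record_id: plan}."""
    return {record_id: plan_record(key, trigger_iso) for record_id, key, trigger_iso in records}


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    ("emp-001", "hr_employee", "2009-03-15"),          # employee left on 2009-03-15
    ("app-042", "prospective_employee", "2023-11-20"), # application accepted on 2023-11-20
    ("cam-20240510", "camera", "2024-05-10"),          # recording made on 2024-05-10
    ("pat-777", "patient_file", "2014-07-01"),         # patient file created on 2014-07-01
]

if __name__ == "__main__":
    for record_id, plan in schedule(SAMPLE_RECORDS).items():
        print(record_id, plan)
```

Running the script lists each sample record with its storage expiry and the run in which it is due for destruction; a record whose `within_policy_window` flag is false would indicate a schedule that does not satisfy the Policy, which cannot happen with two runs per year but becomes a useful check if the run calendar is ever changed.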
This Policy is published in two forms, a printed copy bearing a wet signature and a soft copy, and is made public on the web page. The printed copy is retained in a file at the Human Resources Department.
The policy is updated when necessary and in case of amendments to processes.
This Policy is deemed to have entered into force once it is posted on the Medical Center's website. If it is decided to abolish this Policy, the former wet-signed copies are cancelled with the company's seal and the signature of the company's authorized signatory (by applying a cancellation stamp or writing "cancelled" on them), and are signed and retained by the Human Resources Department for a period of 5 years.