Personal Data Retention and Destruction Policy - Op. Dr. Serpil KIRIM

 

I. INTRODUCTION
    • Policy Objective

Pursuant to Article 20 of the Constitution, titled “Privacy of Private Life”, Law No. 6698 on the Protection of Personal Data (“Law”) and the provisions of the regulations and communiqués in force, personal data obtained by Op. Dr. Serpil Kırım is processed in accordance with the Law. The purpose of this Policy is, in the processing of personal data obtained by Op. Dr. Serpil Kırım, to protect the fundamental rights and freedoms of data subjects (employees, employee candidates, patients, patient relatives, suppliers, interns, visitors and other relevant third parties), especially the privacy of private life; to ensure that the data controller who processes personal data performs data processing activities in accordance with the law; and to determine the principles regarding the protection, storage and, when necessary, destruction of the personal data obtained.

  • Scope of the Policy

All kinds of operations performed by Op. Dr. Serpil Kırım as the data controller on personal data, meaning all kinds of information relating to an identified or identifiable natural person, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of such data, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system, are considered data processing activities. Establishing the procedures and principles of the data processing activity carried out by Op. Dr. Serpil Kırım determines the scope of this Policy.

  • Implementation of the Policy and Related Legislation

Your personal data and personal health data have been prepared for the purposes described in this policy text and in accordance with the Basic Law on Health Services No. 3359, the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Affiliated Organizations, the Regulation on Private Hospitals, the Regulation on the Processing and Protection of Privacy of Personal Health Data, the relevant regulations and the rules shown in the regulations, communiqués, decisions and guidelines published by the Board, especially Law No. 6698. In the event that there is a change in the Law or other relevant legislation after the publication date of the Policy by Dr. Serpil Kırım and the Policy becomes incompatible with the said change, the amended provisions and rules will be applied. All communiqués, decisions and guidelines published by the Board are followed by Op. Dr. Serpil Kırım and the rules stipulated by the Policy are kept up to date.

  • Enforcement of the Policy

The policy has been published on Op. Dr. Serpil Kırım’s website http://www.drserpilkirim.com/ and entered into force on the date of publication.

II. ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

According to Article 12 of Law No. 6698, the data controller is obliged to take all necessary administrative and technical measures to ensure the appropriate level of security in order to:

  • prevent unlawful processing of personal data,
  • prevent unlawful access to personal data,
  • ensure the protection of personal data.

For the reasons explained, Op. Dr. Serpil Kırım implements security measures to prevent unlawful processing of personal data, transfer and disclosure of personal data to third parties, unauthorized access and security deficiencies arising in other ways. Explanations regarding the administrative and technical measures taken are located in section VI. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA.

2.2. Protection of Sensitive Personal Data

Among the special categories of personal data, health data of data subjects may be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the data subject. In addition, regardless of the type, all special categories of personal data can only be processed in accordance with the law if adequate measures determined by the KVKK are taken.

The personal data you share with us within the scope of Op. Dr. Serpil Kırım's activities is collected by Op. Dr. Serpil Kırım, by automatic or non-automatic methods, for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. It is collected by obtaining, recording, storing, modifying and rearranging it through all channels, including the website, surveys, social responsibility, social media applications, the hotline/call center, and verbal, written, visual or electronic media and similar channels. Within the scope of KVKK, any operation performed on the data is accepted as “processing of personal data”.

In addition, your personal data may be processed when you use our hotline or website for information, appointment, complaint or other purposes for service provision, when you visit Op. Dr. Serpil Kırım or our website and when you browse this site.

Data that are sensitive due to their nature and that may cause victimization or discrimination of data subjects if they fall into the hands of third parties are accepted as “Special Qualified Personal Data” under the Law. Sensitive personal data consists of data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data. Sensitive personal data cannot be processed without the explicit consent of the data subject. Op. Dr. Serpil Kırım takes all necessary measures to protect sensitive personal data and, as a principle, avoids obtaining and processing such data as far as possible.

III. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Compliance with the Principles Stipulated in the Legislation

Pursuant to Article 4 of the Law, the principles to be applied in the processing of your personal data are as follows:

  • Compliance with the law and good faith,
  • Being accurate and up to date when necessary,
  • Processing for specific, explicit and legitimate purposes,
  • Being relevant, limited and proportionate to the purpose for which they are processed,
  • Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

3.2. Terms of Processing of Personal Data

Personal data obtained by Op. Dr. Serpil Kırım cannot be processed without the explicit consent of the person concerned, except for the exceptions stipulated in the Law. Your personal data may be processed without explicit consent in the cases shown below:

  • Explicitly stipulated in the law,
  • It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
  • It is necessary to process personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of the contract,
  • It is mandatory for the data controller to fulfill its legal obligation,
  • It has been made public by the person concerned,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Exceptions to the Obligation to Obtain Explicit Consent

  1. Explicitly stipulated in the law

One of the conditions for data processing is that it is explicitly stipulated in the law. The provisions in the laws that personal data may be processed may constitute a data processing condition. In such a case, the explicit consent of the data subject is not required.

  1. Actual impossibility

In cases where it is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, the personal data of the person concerned may be processed without obtaining his/her explicit consent.

  1. Directly related to the conclusion or performance of the contract

If data processing is mandatory in the process of establishing a contract to which the data subject is a party or in the performance of the contract, personal data may be processed without explicit consent.

  1. Fulfillment of the legal obligation of Op. Dr. Serpil Kırım

Personal data may be processed without obtaining explicit consent in order to fulfill the legal obligations to be fulfilled by Op. Dr. Serpil Kırım as the data controller.

  1. Publicized by the person concerned

Personal data that has been made public by the data subject, in other words, personal data that has been disclosed to the public in any way, can be processed without explicit consent. Even in this case, personal data that has been made public cannot be subject to misuse.

  1. Being mandatory for the establishment, exercise and protection of a right

In cases where it is mandatory for the establishment, exercise or protection of a right, it is possible to process the personal data of the person concerned without his/her explicit consent.

  1. It is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject

If the processing of personal data is mandatory for the data controller and the data processing activity will not harm the fundamental rights and freedoms of the data subject, personal data may be processed without obtaining explicit consent.

The legitimate interest of the data controller is the interest and benefit to be obtained as a result of the processing to be carried out. The benefit to be obtained by the data controller must be related to a legitimate, sufficiently effective, specific and already existing interest that can compete with the fundamental rights and freedoms of the data subject. It must be a transaction that is related to the current activities carried out by the data controller and will benefit the data controller in the near future.

3.4. Processing of Special Categories of Personal Data

Processing of sensitive personal data is subject to Article 6 of the Law and it is prohibited without the explicit consent of the data subject.

Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data. The data within this scope are limited and cannot be expanded through interpretation.

Special categories of personal data are data that, if learned, may cause discrimination and victimization of the data subject. Therefore, they need to be protected much more strictly than other personal data.

  1. Sensitive personal data other than health and sexual life

Special categories of personal data other than personal data relating to health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law.

  1. Sensitive personal data relating to health and sexual life

Sensitive personal data relating to health and sexual life can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

3.5. Enlightening and Informing the Personal Data Owner

During the collection of personal data, data subjects are informed by Op. Dr. Serpil Kırım in her capacity as data controller or by persons authorized by her. The procedures and principles regarding the information are specified in the Clarification Texts on the Protection of Personal Data published by Op. Dr. Serpil Kırım and the information includes the following elements in summary:

  • Identity of the data controller and its representative, if any,
  • The purpose for which personal data will be processed,
  • To whom and for what purpose personal data may be transferred,
  • The method and legal grounds for collecting personal data,
  • The rights of the person concerned as set out in Article 11 of the Law.

  1. Identity of the data controller and its representative

According to Article 10 of the Law, personal data obtained from data subjects (employees, employee candidates, patients, patients’ relatives, suppliers, pharmacies, visitors, interns and other relevant third parties) are processed by Op. Dr. Serpil Kırım as the data controller, and the relevant unit can be contacted via the [email protected] e-mail address or http://www.drserpilkirim.com/.

  1. Purposes of processing personal data

The processing of personal data is carried out for specific, explicit and legitimate purposes and is based on the principle of informing the data subjects. The purposes for which your obtained data are processed are set out in section V. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OP. DR. SERPİL KIRIM.

  1. Persons to whom personal data are transferred and the purposes of transfer

Within the framework of the data controller’s obligation to inform the data subject, the persons to whom personal data are transferred and the purposes of transfer should be clearly stated. Personal data cannot be transferred to third parties without the explicit consent of the data subject. The recipient groups to whom personal data are transferred by Op. Dr. Serpil Kırım and the purposes of transfer are shown in section IV. TRANSFER OF PERSONAL DATA.

  1. Method and legal grounds for collecting personal data

In accordance with Articles 5 and 6 of the Law, the data controller must clearly state the basis on which personal data is processed. The method and means of data collection are determined by the data controller. The conditions for the processing of personal data, i.e. the conditions of lawfulness, are listed in a limited number in the Law (Art. 5-6) and these conditions cannot be expanded.

Data controller Op. Dr. Serpil Kırım evaluates whether the purpose of the personal data processing activity is primarily based on one of the processing conditions other than explicit consent, and if this purpose does not meet at least one of the conditions other than explicit consent specified in the Law, then the explicit consent of the person is obtained for the continuation of the data processing activity.

IV. TRANSFER OF PERSONAL DATA

4.1. Domestic Transfer

Personal data cannot be transferred without the explicit consent of the data subject. However, it may be transferred without seeking the explicit consent of the person concerned if one of the conditions specified in the following provisions exists:

  • the second paragraph of Article 5,
  • the third paragraph of Article 6, subject to adequate safeguards.

Accordingly, personal data of the data subject may be transferred to third parties without obtaining the explicit consent of the data subject if it is clearly stipulated by law (1), if it is necessary for the protection of the life or bodily integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid or of another person (2), if it is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract (3), if it is mandatory for the data controller to fulfill its legal obligation (4), if it has been made public by the data subject himself/herself (5), if data processing is mandatory for the establishment, exercise or protection of a right (6), or if data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

For the purposes described in this policy text and within the framework of the Basic Law No. 3359 on Health Services, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Affiliated Organizations, Law No. 6698 on the Protection of Personal Data, Regulation on Private Hospitals, Regulation on the Processing and Protection of Privacy of Personal Health Data and related regulations, your personal data and personal health data are transferred, in order to fulfill our contractual and legal obligations and to carry out the administrative, commercial and economic activities of Op. Dr. Serpil Kırım, to the Ministry of Health, Social Security Institution, General Directorate of Security and other law enforcement agencies, CİMER, SABİM, Ministry of Labor, General Directorate of Population, courts and enforcement offices, Turkish Pharmacists Association, regulatory and supervisory institutions, insurance companies, representatives authorized by patients, cooperating laboratories and other centers and Electronic Medical Records and Electronic Health Records systems.

Information on the recipient groups to whom your personal data processed by Op. Dr. Serpil Kırım is transferred is provided in Annex 4 – Third Parties to whom Personal Data is Transferred and Purposes of Transfer.

4.2. Transfer Abroad

Personal data cannot be transferred abroad without the explicit consent of the data subject. However, it can be transferred abroad without seeking the explicit consent of the person concerned provided that one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law exists and that, in the foreign country where the personal data will be transferred:

  • adequate protection exists, or
  • in the absence of adequate protection, the data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and the Board’s authorization is obtained.

V. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OP. DR. SERPİL KIRIM

The categorization of the data obtained by Op. Dr. Serpil Kırım from data subjects and the purposes pursued in the processing of personal data are shown in the relevant sections of the clarification texts on our website for each category of data subject.

VI. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

Administrative and technical measures are taken by Op. Dr. Serpil Kırım for the secure storage of personal data and the prevention of unlawful processing and access to personal data.

In order to ensure personal data security, Op. Dr. Serpil Kırım determines the nature of all personal data it processes and the probability of occurrence of the risks that may arise regarding the protection of these data. While determining these risks, the following are taken into account: whether the personal data is sensitive personal data (1), the degree of confidentiality required by its nature (2), and the nature and quantity of the damage that may arise for the person concerned in case of a security breach (3).

After the identification and prioritization of these risks, control and solution alternatives to mitigate or eliminate these risks should be evaluated in line with the principles of cost, feasibility and usefulness, and necessary technical and administrative measures are planned and implemented.

6.1. Administrative Measures

For personal data security, it is of great importance that employees are able to make the first intervention, even with limited knowledge of cyber security and of attacks that may damage personal data security. For this reason, awareness and information activities are carried out in our internal organization as data controller.

It is ensured that employees are provided with the necessary training on issues such as not disclosing and sharing personal data unlawfully, conducting awareness activities for employees and creating an environment where security risks can be identified; the roles and responsibilities of everyone working for the data controller regarding personal data security, regardless of their position, are determined in their job descriptions and employees are aware of their roles and responsibilities in this regard.

On the other hand, confidentiality agreements are signed as part of the employee recruitment process, and a disciplinary process is in place in case employees fail to comply with security policies and procedures.

In case of any changes in the policies and procedures implemented regarding personal data security, trainings are held to inform and explain the changes to employees and information on data security and security threats are kept up to date.

Personal data must be accurate and up to date when necessary in accordance with Article 4 (b) and (d) of the Law, and must be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed. The data processed within this scope are processed in accordance with the principles and rules to be observed in the data processing activity and kept for the period required for the purpose for which they are processed. The retention periods of personal data processed by Op. Dr. Serpil Kırım are shown in section VIII. STORAGE AND DESTRUCTION OF PERSONAL DATA of this Policy.

The table below summarizes the administrative measures taken to ensure data security:

Administrative Measures
Preparation of Personal Data Processing Inventory
Corporate Policies (Access, Information Security, Use, Storage and Destruction, etc.)
Contracts (between Data Controller and Data Controller, Data Controller and Data Processor)
Confidentiality Undertakings
Internal Periodic and/or Random Audits
Risk Analysis
Labor Contract, Disciplinary Regulation (Addition of Provisions in Compliance with the Law)
Corporate Communication (Crisis Management, Board and Relevant Person Information Processes, Reputation Management, etc.)
Training and Awareness Activities (Information Security and Law)
Notification to the Data Controllers Registry Information System (VERBIS)
Personal Data Security Policy and Procedures
Rapid Reporting of Personal Data Security Issues
Monitoring Personal Data Security
Establishing Disciplinary Arrangements with Data Security Provisions for Employees
Reducing Personal Data as Much as Possible
Preparation and Implementation of Corporate Policies on Access, Information Security, Use, Storage and Destruction
Removal of Authorizations in this Area for Employees Who Change Positions or Leave Their Jobs
Including Data Security Provisions in Contracts Signed
Identification of Existing Risks and Threats
Conducting Periodic and/or Random Internal Audits
Protocols and Procedures for the Security of Sensitive Personal Data have been Determined and Implemented
Ensuring Awareness of Data Processing Service Providers on Data Security

6.2. Technical Measures

Firewalls and gateways are used among the measures taken to protect information technology systems containing personal data against unauthorized access and threats by third parties over the internet. With the firewall used, it is ensured that violations of the information network are stopped, and with the gateway, it is ensured that employees’ access to websites or online platforms that pose a threat to personal data security is restricted.

In addition, regular checks are carried out to ensure that the software and hardware are functioning properly and that the security measures taken for the systems are adequate. Access to systems containing personal data is restricted, and in this context, employees are granted access authorization to the extent necessary for their work and duties, authorities and responsibilities, and access to the relevant systems is provided by using a username and password. When creating such passwords, sequences of numbers or letters that are associated with personal information and easily guessed are avoided as much as possible.

Access authorization and control matrices are created within the data controller organization, and products such as antivirus and antispam that regularly scan the information system network and detect hazards are used to protect against malicious software.

In order to ensure data security, necessary measures are taken to ensure that paper documents containing personal data and servers, backup devices, CDs, DVDs, USBs and other similar storage devices are only accessible to authorized personnel and to increase physical security in this regard.

The table below summarizes the technical measures taken to ensure data security:

Technical Measures
Authority Matrix
Authority Control
Access Logs
User Account Management
Network Security
Application Security
Encryption
Intrusion Detection and Prevention Systems
Data Loss Prevention Software
Backup
Firewalls
Current Anti-Virus Systems
Erasure, Destruction or Anonymization
Key Management

VII. PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT AT ENTRANCES TO BUILDINGS AND FACILITIES AND INSIDE BUILDINGS AND FACILITIES

7.1. Camera Surveillance Activities Carried Out at Building, Facility Entrances and Inside

Within the scope of the Law on Private Security Services, camera surveillance is carried out in order to ensure the security of Op. Dr. Serpil Kırım’s work areas, common areas, parking lot and its surroundings, and to protect the interests of Op. Dr. Serpil Kırım and other persons. Camera surveillance activity is carried out in accordance with the Law and is carried out within the scope of the data processing conditions listed both in the Law and in this Policy.

7.2. Monitoring of Guest Entry and Exit at the Entrances of the Building, Facility and Inside

In order to ensure the security of Op. Dr. Serpil Kırım, the identity information of the guests who visit Op. Dr. Serpil Kırım is subject to personal data processing activity. The personal data processed within the scope of this activity is limited to the purpose of tracking the entry and exit of guests, and the relevant personal data is recorded in the data recording system in electronic or physical environment.

VIII. STORAGE AND DESTRUCTION OF PERSONAL DATA

8.1. Retention Periods of Personal Data

Your personal data kept by Op. Dr. Serpil Kırım are kept for the period required for the data processing activity. If the obligation to delete, destroy or anonymize personal data arises, the data is deleted, destroyed or anonymized within the first periodic destruction period following the date on which this obligation arises.

Op. Dr. Serpil Kırım acts in accordance with the general principles shown in Article 4 of the Law and the technical and administrative measures shown in Article 12 in the deletion, destruction or anonymization of your personal data.

All transactions regarding the deletion, destruction or anonymization of personal data by us are recorded and kept for at least 30 years during the processing of personal data in accordance with the legal obligation.

The personal data expert personnel assigned by Op. Dr. Serpil Kırım is the person responsible for the execution and supervision of the personal data retention and destruction policy.

8.2. Obligation to Delete, Destroy and Anonymize Personal Data

Personal data processed by Op. Dr. Serpil Kırım are deleted, destroyed or anonymized ex officio or upon the request of the relevant data owner in the event that the reasons requiring their processing disappear in accordance with Article 7 of the Law and the provisions of the “Regulation on Deletion, Destruction or Anonymization of Personal Data” prepared by the Personal Data Protection Board and published in the Official Gazette dated 28 October 2017 and numbered 30224.

  1. Deletion of personal data

Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users.

All necessary technical and administrative measures are taken to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.

  1. Destruction of personal data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and non-reusable by anyone in any way. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

  1. Anonymization of personal data

Anonymization of personal data means making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data.

In order to anonymize your personal data, Op. Dr. Serpil Kırım takes all necessary technical and administrative measures and anonymizes them by applying methods in accordance with our personal data retention and destruction policy.

8.3. Techniques for Deletion, Destruction and Anonymization of Personal Data

The techniques for deleting, destroying or anonymizing personal data processed by Op. Dr. Serpil Kırım are shown below, and which of the techniques will be applied may vary depending on the nature of the personal data processed.

For this purpose, it is necessary to identify the personal data subject to erasure, destruction or anonymization (1), identify the relevant users for each personal data using an access authorization and control matrix or a similar system (2), identify the relevant users’ authorizations and methods such as access, retrieval, reuse (3), close and eliminate the access, retrieval, reuse authorizations and methods of the relevant users within the scope of personal data (4).

The procedure for the deletion of personal data is as follows:

  • Issuing delete commands in cloud or app-type solutions,
  • Blackout, truncation or rendering invisible data on paper media,
  • Erasing data on portable media using appropriate software.

The procedure for the destruction of personal data is as follows:

  • Physical destruction of optical media and magnetic media by melting, burning or pulverizing,
  • Other destruction operations in paper or electronic form.

IX. RIGHTS OF THE PERSONAL DATA OWNER AND EXERCISE OF THESE RIGHTS

9.1. Rights of the Personal Data Subject

Pursuant to Law No. 6698, in the capacity of data owner, you have the right to:

  • learn whether your personal data is being processed,
  • request information if your personal data has been processed,
  • learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
  • know the third parties to whom personal data are transferred domestically or abroad,
  • request correction of personal data in case of incomplete or incorrect processing,
  • request the deletion or destruction of your personal data within the framework of the conditions stipulated in the article,
  • request that the correction of incompletely or incorrectly processed data and the transactions regarding the deletion or destruction of the data be notified to third parties to whom personal data are transferred,
  • object to the occurrence of a result against you by analyzing your processed data exclusively through automated systems,
  • demand compensation for the damage in case of damage due to unlawful processing of your personal data.

9.2. Exercising the Rights of the Personal Data Owner

Requests by the data owner regarding the implementation of the Law should be submitted to Op. Dr. Serpil Kırım in writing, either to the contact e-mail address [email protected] or to Barbaros Hayrettin Paşa Mahallesi 1992 Sokak Vetro City No:16 Kat:1 Daire:34 Esenyurt-İstanbul. The “Data Owner Application Form” published by Op. Dr. Serpil Kırım on the website should be used for applications.

9.3. Responses by Op. Dr. Serpil Kırım to Applications

The application is finalized by Op. Dr. Serpil Kırım as soon as possible depending on the nature of the request. This period cannot exceed 30 days from the proper notification of the request to us. However, if the transaction requires any cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board.

 

Annex 1: Definitions

Explicit consent: Consent on a specific subject, based on information and expressed with free will,

Anonymization: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data,

Recipient group: The category of natural or legal person to whom personal data is transferred by the data controller,

Direct identifiers: Identifiers that, by themselves, directly reveal, disclose and make distinguishable the person with whom they are associated,

Indirect identifiers: Identifiers that, in combination with other identifiers, reveal, disclose and make distinguishable the person with whom they are associated,

Relevant person: The natural person whose personal data is processed,

Relevant user: Natural or legal persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data,

Destruction: Deletion, destruction or anonymization of personal data,

Law: Law on the Protection of Personal Data dated 24/3/2016 and numbered 6698,

Blackout: Processes such as crossing out, coloring and icing the entirety of personal data in a way that cannot be associated with an identified or identifiable natural person,

Recording medium: Any medium containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system,

Personal data: Any information relating to an identified or identifiable natural person,

Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,

Board: Personal Data Protection Board,

Institution: Personal Data Protection Authority,

Data processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller,

Data recording system: The recording system in which personal data are structured and processed according to certain criteria,

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

Identity Information: Your name, surname, Turkish ID number, passport number or temporary Turkish ID number, place and date of birth, marital status, gender, insurance or patient protocol number and other identification data by which we can identify you;

Contact Information: Your address, telephone number, e-mail address and other contact data, your voice call records kept by customer representatives or patient services in accordance with call center standards, and your personal data obtained when you contact us via e-mail, letter or other means;

Accounting Information: Your financial data such as your bank account number, IBAN number, credit card information, billing information; your data on private health insurance and Social Security Institution data for the purpose of financing and planning of health services; your camera recording images that are kept for security and audit purposes if you visit our clinic,

Health Information: All kinds of personal data related to health and sexual life obtained during or as a result of the execution of medical diagnosis, treatment and care services, including but not limited to your laboratory results, test results, examination data, appointment information and prescription information; if you apply for a job with Op. Dr. Serpil Kırım, your other personal data, including the resume provided in this regard; and any personal data related to your service contract if you are an employee or related employee of Op. Dr. Serpil Kırım.

ANNEX – 2: Personal Data Subjects (Data Subjects)

| Data Subject Categories | Description |
|---|---|
| Employee | Refers to the people working within the organization of Op. Dr. Serpil Kırım. |
| Employee Candidate | Refers to real persons who apply for a job by sending a resume to Op. Dr. Serpil Kırım or by other methods. |
| Intern | Refers to people who practically apply the profession they are trained in, within the organization of Op. Dr. Serpil Kırım, to increase their professional knowledge. |
| Patient | Refers to real persons who benefit from the services provided by Op. Dr. Serpil Kırım. |
| Patient Relative | Refers to the companions or relatives of patients who use the services provided by Op. Dr. Serpil Kırım. |
| Supplier | Refers to natural persons and legal entity employees from whom services are procured. |
| Visitor | Refers to third persons who visited Op. Dr. Serpil Kırım. |
| Other Related 3rd Parties | Refers to persons other than those listed who applied to Op. Dr. Serpil Kırım and communicated with her. |

ANNEX – 3: Third Parties to whom Personal Data is Transferred

| Transferred Person/Unit | Purpose of Transfer |
|---|---|
| Ministry of Health | Transferring the information that should be transferred in accordance with public health and legislation. |
| Social Security Institution | Transferring information relating to employees, prospective employees and patients in order to carry out transactions within the scope of Social Security. |
| Authorized Public Institutions and Organizations | Sharing/transferring the information and documents requested by the relevant public institutions and organizations from Op. Dr. Serpil Kırım, limited to the purpose. |
| Suppliers | Transfer of personal data limited to the provision of services received from suppliers. |

ANNEX- 4: Purposes of Transfer of Personal Data

All kinds of your personal data obtained by Op. Dr. Serpil Kırım may be processed for the following purposes: confirming your identity, protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, planning and management of the functioning of our clinic and daily operations, supply of medication, informing you about an appointment if you make an appointment, performing risk management and quality improvement activities, making evaluations for the improvement of health services, conducting research, fulfilling legal and regulatory requirements, confirming your relationship with the institutions contracted with the clinic, invoicing for our health services, sharing the information requested with private insurance companies within the scope of financing health services, sharing the information requested with the Ministry of Health and relevant public institutions and organizations in accordance with the relevant legislation, responding to all your questions and complaints regarding our health services, taking all necessary technical and administrative measures within the scope of data security of the systems and applications of our clinic, analyzing your use of health services and storing your health data in order to develop and improve the health services we offer, providing the necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities, training and development of our employees, monitoring abuse and unauthorized transactions, prevention and reversal of transactions, preservation of information regarding your health data that must be kept in accordance with the relevant legislation, financial reconciliation with the institutions we have contracted with regarding the health services provided to you, measurement of patient satisfaction and, without limitation, the execution and development of medical diagnosis, treatment and care services, planning and management of health services and financing, increasing patient satisfaction, research and similar purposes.

ANNEX-5: Deadlines

| Personal Data Category | Storage Time | Legal Basis |
|---|---|---|
| Health Data (Biometric and genetic and examination data, laboratory, test, analysis and examination results, check-up and prescription information, patient records and health data including but not limited to patient records and patient relatives’ information obtained when necessary) | 30 Years from the end of the personal data processing activity | Regulation on Private Hospitals, Turkish Penal Code |
| All Records of Accounting and Financial Transactions | 10 Years | Law No. 6102, Law No. 213 |
| Cookies and Log Records | 6 Months – Maximum 2 Years | Internet Law No. 5651 |
| Traffic Information on Online Visitors | 2 Years | Law No. 5651 |
| Personal Data Regarding Suppliers | 10 Years after the end of the legal relationship | Law No. 6102, Law No. 6098 and Law No. 213 |
| Personal Data Protection Board Transactions | 10 Years | Personal Data Protection Authority Personal Data Storage and Destruction Policy Published by KVKK |
| Contracts | 10 Years from the Termination of the Contract | Law No. 6102 and Law No. 6098 |
| Human Resources Processes | 10 Years from the Termination of Operations | Labor Law No. 4857 and Related Legislation |
| Visitor Registration | 2 Years from the End of the Event | Personal Data Protection Authority Personal Data Retention and Destruction Policy Published by KVKK |
| Data Regarding the Personnel File Stored within the Scope of Labor Law | 10 Years from the termination of the Employment Relationship | Labor Law No. 4857 and Related Legislation and Turkish Code of Obligations No. 6098 |
| Data collected within the scope of OHS Legislation (Health reports, OHS Trainings, records on Occupational Health and Safety activities, etc.) | 15 Years from the termination of the Employment Relationship | Law No. 6331 on Occupational Health and Safety and Related Legislation |
| Data kept within the scope of SSI Legislation (Employment notifications, premium/service documents, etc.) | 10 Years from the termination of the Employment Relationship | Law No. 5510 on Social Security and General Health Insurance and Related Legislation |
| Job Application Data on Candidate Applications (CV, Resume, Cover Letter, Application Form, etc.) | 1 Year | Sectoral customs apply. |
| Personal Data Processed in Contractual Relationships | 10 Years After Contract Expiration | Turkish Code of Obligations No. 6098 |
| Personal Data Related to Tax Records | 5 Years | Tax Procedure Law No. 213 |
| Personal Data Processed for Security Purposes Pursuant to CCTV Cameras (Camera Recordings) | 90 Days | Sectoral Custom |
| Traffic Information Processed during the Use of the Clinic Internet Network, Internet Access and Remote Connection (IP address, start and end time of the service provided, type of service utilized, amount of data transferred and subscriber identification information, if any, etc.) | 2 Years | Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through These Publications |
| Personal Data of a Deceased Person | At least 20 years | Regulation on Personal Health Data published in the Official Gazette dated 21.06.2018 and numbered 30808 |

 
