Data Retention and Disposal Policy

DENTE ORAL AND DENTAL HEALTH SERVICES LTD. CO. PERSONAL DATA RETENTION AND DISPOSAL POLICY

DENTE ORAL AND DENTAL HEALTH SERVICES LTD. CO.

Address: KÜÇÜKYALI MERKEZ MAHALLESİ BAĞDAT CAD. A BLOK VE B BLOK Apt. NO: 92 C MALTEPE/İSTANBUL

Phone: 0216 366 66 69

Website: http://www.dentevim.com

E-mail: info@dentevim.com

CONTENTS

1 INTRODUCTION

1.1 PURPOSE

1.2 SCOPE

1.3 ABBREVIATIONS AND DEFINITIONS

2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

4. EXPLANATIONS ON RETENTION AND DISPOSAL

4.1 Remarks on Retention

4.1.1 Legal Reasons for Retention

4.1.2 Processing Purposes Requiring Retention

4.2 Reasons for Disposal

5. TECHNICAL AND ADMINISTRATIVE MEASURES

5.1 Technical Measures

5.2 Administrative Measures

6. PERSONAL DATA DISPOSAL TECHNIQUES

6.1 Deletion of Personal Data

6.2 Disposal of Personal Data

7. RETENTION AND DISPOSAL PERIODS

8. PERIODIC DISPOSAL TIME

9. PUBLICATION AND RETENTION OF THE POLICY

10. UPDATE PERIOD OF THE POLICY

11. ENFORCEMENT AND ANNOUNCEMENT OF THE POLICY

1 INTRODUCTION

1.1 PURPOSE

The Personal Data Retention and Disposal Policy ("Policy") has been prepared to determine the procedures and principles governing the work and transactions related to the retention and disposal activities carried out by DENTE ORAL AND DENTAL HEALTH SERVICES LTD. CO. ("DENTEVİM").

DENTEVİM gives priority to processing the personal data of employees, employee candidates, goods/service providers, customer representatives, and other third parties in accordance with the Constitution of the Republic of Turkey, Law No. 6698 on the Protection of Personal Data ("Law") and other relevant legislation, and to ensuring that the relevant persons can exercise their rights effectively.

DENTEVİM carries out its work and processes regarding the retention and disposal of personal data in accordance with this Policy, which has been prepared for that purpose.

 

1.2 SCOPE

Personal data belonging to the Data Controller's employees, employee candidates, goods/service providers, customers, and other third parties are within the scope of this Policy, which applies to all recording media and all personal data processing activities of the Data Controller.

 

1.3 ABBREVIATIONS AND DEFINITIONS

Recipient Group: The natural or legal person category to which the data controller transfers personal data.

Explicit Consent: Consent about a specific subject, based on the information and expressed with free will.

Employee: DENTEVIM staff

Electronic Media: Environments where personal data can be created, read, changed, and written with electronic devices.

Non-Electronic Media: All written, printed, visual, and similar media other than electronic media.

Service Provider: A natural or legal person who provides services within the framework of a specific contract with the Personal Data Protection Authority.

Relevant Person: The real person whose personal data is processed.

Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical retention, protection, and backup of the data.

Disposal: Deletion, destruction, or anonymization of personal data.

Law: Law on Protection of Personal Data No. 6698.

Recording Media: Any medium in which personal data is processed wholly or partially by automatic means or, provided that it is part of a data recording system, by non-automatic means.

Personal Data: Any information relating to an identified or identifiable natural person.

Data Processing Inventory: The inventory in which data controllers detail the personal data processing activities they carry out in connection with their business processes, associating each activity with the purposes and legal basis of processing, the data category, the recipient group to which the data is transferred, and the group of data subjects, together with the maximum retention period required for the purposes of processing, the personal data foreseen to be transferred abroad, and the measures taken regarding data security.

 

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, by wholly or partially automatic means or, provided that it is part of a data recording system, by non-automatic means.

 

Sensitive Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and attire, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

 

Periodic Disposal: The deletion, disposal, or anonymization process that will be carried out at repetitive intervals as specified in the personal data retention and disposal policy, in case all the conditions for processing personal data in the Law are eliminated.

 

Policy: Personal Data Retention and Disposal Policy

 

Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

 

Data Registration System: A registration system in which personal data is processed and structured according to specific criteria.

 

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

 

Data Controllers Registry Information System: An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in their application to the Registry and other related transactions.

 

VERBİS: Data Controllers Registry Information System

 

Regulation: Regulation on the Deletion, Disposal or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

 

2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES

All DENTEVİM employees actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed, for the following purposes:

  • ensuring proper implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy,
  • preventing unlawful processing of personal data through training and awareness-raising of unit employees, monitoring, and continuous inspection,
  • preventing unlawful access to personal data, and
  • ensuring that personal data is stored in accordance with the Law.

The titles, units, and job descriptions of those involved in the retention and disposal processes of personal data are given in Table 1.

Table 1: Task distribution of retention and disposal processes

TITLE | UNIT | JOB DESCRIPTION
Human Resources Manager | Human Resources | Responsible for ensuring that employees act in accordance with the Policy, and for the preparation, development, execution, publication, and updating of the Policy.
Accounting Manager | Accounting | Responsible for the execution of the Policy within its own duties.
IT Expert | IT | Responsible for providing the technical solutions needed to implement the Policy.

Table 2: Personal data retention environments

Electronic:
  • Servers (domain, backup, e-mail, database, web, file sharing, etc.)
  • Software (office software, portal, EBYS, VERBİS)
  • Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
  • Personal computers (desktop, laptop)
  • Mobile devices (phone, tablet, etc.)
  • Optical discs (CD)
  • Removable media (USB, memory card, etc.)
  • Printer, scanner, copier
  • Electronic scoring system

Non-Electronic:
  • Paper
  • Manual data recording systems (survey forms, application forms, etc.)
  • Written, printed, and visual media

 

4. EXPLANATIONS ON RETENTION AND DISPOSAL

Personal data of employees, employee candidates, third parties, visitors, customers, and the institutions or organizations with which DENTEVİM is in contact as goods and service providers are stored and destroyed in accordance with the Law.

In this context, detailed explanations regarding retention and disposal are given below.

 

4.1 Remarks on Retention

The concept of processing personal data is defined in Article 3 of the Law. It is stated in Article 4 that the personal data processed should be related to the purpose for which they are processed, limited, and measured and should be kept for the period required for the purpose for which they are processed or stipulated in the relevant legislation. Articles 5 and 6 list the processing conditions of personal data.

 

4.1.1 Legal Reasons for Retention

Accordingly, within the framework of DENTEVİM activities, personal data is stored for a period stipulated in the relevant legislation and suitable for our processing purposes. In this context, personal information is stored for the retention period specified within the framework of the following laws and other secondary regulations under other legislation.

  • Protection of Personal Data Law No. 6698,
  • Turkish Code of Obligations No. 6098,
  • Social Insurance and General Health Insurance Law No. 5510,
  • Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,
  • Occupational Health and Safety Law No. 6331,
  • Labor Law No. 4857,
  • Turkish Commercial Code No. 6102,
  • Tax Procedure Law No. 213,
  • Execution and Bankruptcy Law No. 2004.

 

4.1.2 Processing Purposes Requiring Retention

The Company stores the personal data it processes within the framework of its activities for the following purposes.

  • Execution of candidate and intern selection and placement processes
  • Establishment of the Contract for the Employee and fulfillment of the obligations arising from the legislation
  • Managing Human Resources Processes
  • Providing information to authorized persons, institutions, and organizations
  • Execution/supervision of business activities
  • Execution of access authorizations
  • Execution of assignment processes
  • Follow-up and implementation of legal affairs
  • Conducting communication activities
  • Implementation of service sales processes
  • Execution of occupational health and safety activities
  • Implementation of supply chain management processes
  • Execution of logistics activities
  • Conducting educational activities
  • Execution of contract processes
  • Implementation of emergency management processes
  • Execution of activities under the legislation
  • Foreign personnel work and residence permit procedures
  • Performance of finance and accounting works
  • Execution of goods service purchasing and sales processes
  • Ensuring business continuity and conducting business activities
  • Managing customer relationship management processes
  • Execution of management activities
  • Implementation of the information security process
  • Ensuring physical space security
  • Management and follow-up of activities for customer satisfaction
  • Execution of product/service marketing processes

 

4.2 Reasons for Disposal

Personal data is deleted, disposed of, or anonymized by DENTEVİM at the request of the relevant person or ex officio in the following cases:

  • Amendment or repeal of the provisions of the relevant legislation that form the basis for processing,
  • Disappearance of the purpose that required the processing or retention of the data,
  • Where personal data is processed solely on the basis of explicit consent, withdrawal of that explicit consent by the relevant person,
  • An application by the relevant person to DENTEVİM, under Article 11 of the Law, for the deletion or disposal of his or her personal data within the framework of the rights of the relevant person,
  • Where DENTEVİM rejects the relevant person's application for the deletion, disposal, or anonymization of his or her personal data, the person finds the answer insufficient, or DENTEVİM does not respond within the period stipulated in the Law, and the person complains to the Board and the Board approves the request,
  • Expiry of the maximum period for retaining the personal data, where no condition justifies retaining it longer.

 

5. TECHNICAL AND ADMINISTRATIVE MEASURES

In accordance with Article 12 and the fourth paragraph of Article 6 of the Law, DENTEVİM takes technical and administrative measures to store personal data securely, to prevent unlawful processing of and access to personal data, and to destroy personal data in accordance with the Law, within the framework of the adequate measures determined and announced by the Board for sensitive personal data.

 

5.1 Technical Measures

The technical measures taken by DENTEVİM regarding the personal data it processes are listed below:

  • Risks and threats that could affect the continuity of information systems are monitored continuously through real-time analyses within information security incident management.
  • Access to information systems and user authorization are managed through the access and authorization matrix.
  • Necessary measures are taken for the physical security of DENTEVİM's information systems equipment, software, and data.
  • To secure information systems against environmental threats, hardware measures (an access control system that admits only authorized personnel to the system room, 24/7 staff monitoring, physical security of the edge switches that make up the local area network, a fire extinguishing system, air conditioning, etc.) and software measures (firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.) are taken.
  • Risks of unlawful processing of personal data are identified, appropriate technical measures are taken against them, and technical controls are carried out on the actions taken.
  • Access to the retention areas where personal data is stored is recorded, so that inappropriate access and access attempts are kept under control.
  • DENTEVİM takes the necessary measures to make deleted personal data inaccessible and non-reusable for the relevant users.
  • DENTEVİM has established a system and infrastructure for notifying the relevant person and the Board if personal data is obtained unlawfully by others.
  • Security vulnerabilities are tracked, appropriate security patches are installed, and information systems are kept up to date.
  • Strong passwords are used in electronic environments where personal data is processed.
  • Secure record-keeping (logging) systems are used in electronic environments where personal data is processed.
  • Data backup programs are used to keep personal data safe.
  • Access to personal data stored in electronic or non-electronic media is limited according to access principles.
  • The DENTEVİM web page is served over a secure protocol (HTTPS), using a certificate with an RSA key and SHA-256 signature.
  • Employees involved in processing sensitive personal data have received sensitive personal data security training, confidentiality agreements have been signed with them, and the authorizations of users with access to the data have been defined.
  • Electronic environments where sensitive personal data is processed, stored, and/or accessed are protected using cryptographic methods. Cryptographic keys are kept in secure environments, all transaction records are logged, security updates of these environments are monitored continuously, and procedures for regularly performing the necessary security tests and recording their results have been put in place.
  • Adequate security measures are taken for physical environments where sensitive personal data is processed, stored, and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
  • If sensitive personal data needs to be transferred via e-mail, it is transmitted in encrypted form from a corporate e-mail address or via a KEP account. If it needs to be shared via media such as portable memory, CD, or DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment. If it is transferred between servers in different physical environments, the transfer is carried out over a VPN established between the servers or by using SFTP.
  • If sensitive personal data needs to be transferred on paper, necessary precautions are taken against risks such as theft, loss, or viewing of the document by unauthorized persons, and the document is sent marked "confidential".

 

5.2 Administrative Measures

Administrative measures taken by DENTEVİM regarding the personal data it processes are listed below:

  • Training is provided on the prevention of illegal processing of personal data, illegal access to personal data, protection of personal data, communication techniques, technical knowledge, skills, and relevant legislation to improve the quality of employees.
  • Confidentiality agreements are signed by employees and other institutions regarding the activities carried out by DENTEVİM.
  • A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
  • Before starting to process personal data, DENTEVİM fulfills its obligation to inform the relevant persons.
  • Personal data processing inventory has been prepared.
  • Periodic and random audits are carried out within the Institution.
  • Information security training is provided for employees.

 

6. PERSONAL DATA DISPOSAL TECHNIQUES

At the end of the retention period stipulated in the relevant legislation or required for the purpose for which the data is processed, personal data is destroyed by DENTEVİM ex officio or upon application of the relevant person, in accordance with the provisions of the relevant legislation, using the following techniques.

6.1 Deletion of Personal Data

Personal data is deleted using the methods given in Table 3.

 

Table 3: Deletion of Personal Data

DATA RECORDING MEDIA | DESCRIPTION
Personal Data on Servers | For personal data whose retention period has expired, the system administrator removes the access authorization of the relevant users and deletes the data from the servers.
Personal Data in Electronic Media | Personal data in electronic media whose retention period has expired is rendered inaccessible and non-reusable for all employees (relevant users) other than the database administrator.
Personal Data in Physical Environment | Personal data kept in the physical environment whose retention period has expired is made inaccessible and non-reusable for all employees other than the unit manager responsible for the document archive. In addition, it is blacked out by drawing over, painting over, or erasing it so that it cannot be read.
Personal Data in Portable Media | Personal data kept in flash-based storage media whose retention period has expired is encrypted by the system administrator; access is granted only to the system administrator, and the data is stored in secure environments together with the encryption keys.

 

6.2 Disposal of Personal Data

DENTEVİM disposes of personal data using the methods given in Table 4.

 

Table 4: Disposal of Personal Data

DATA RECORDING MEDIA | DESCRIPTION
Personal Data in Physical Environment | Personal data on paper whose retention period has expired is irreversibly destroyed in paper shredders.
Personal Data in Optical / Magnetic Media | Personal data in optical and magnetic media is physically destroyed by melting, burning, or pulverizing. In addition, magnetic media is passed through a special device and exposed to a strong magnetic field, rendering the data on it unreadable.

7. RETENTION AND DISPOSAL PERIODS

Regarding the personal data processed by DENTEVİM within the scope of its activities:

  • Personal data-based retention periods for all personal data within the scope of activities carried out in connection with processes are included in the Personal Data Processing Inventory.
  • Retention periods based on data categories are recorded in VERBIS.
  • Process-based retention periods are included in the Personal Data Retention and Disposal Policy.

If necessary, updates are made by DENTEVİM on the said retention periods.

DENTEVİM performs ex-officio deletion, disposal, or anonymization of personal data whose retention period has expired.

 

Table 5: Process-based retention and disposal periods

PROCESS | RETENTION PERIOD | DISPOSAL PERIOD
Recruitment (except documents containing health data) | 10 years from the expiry of the contract | At the first periodic disposal period following the end of the retention period
Personnel File (except documents containing health data) | 10 years from the expiry of the contract | At the first periodic disposal period following the end of the retention period
Incoming Documents (except documents containing health data) | 10 years from the expiry of the contract | At the first periodic disposal period following the end of the retention period
Financial Activities | 10 years from the date of transaction | At the first periodic disposal period following the end of the retention period
Security Activities | 30 days from the registration date | At the first periodic disposal period following the end of the retention period
Representation of Legal Entity | 10 years from the end of representation | At the first periodic disposal period following the end of the retention period
Management | 10 years from the end of the decision book | At the first periodic disposal period following the end of the retention period
General Assembly | 10 years from the end of the decision book | At the first periodic disposal period following the end of the retention period
Publication | 10 years from the date of publication | At the first periodic disposal period following the end of the retention period
Fulfillment of Contractual Obligation | 10 years from the expiry of the contract | At the first periodic disposal period following the end of the retention period
Follow-up of Legal Affairs (except documents containing health data) | 10 years from the expiry of the contract and/or the finalization of the decision | At the first periodic disposal period following the end of the retention period
Operational Processes | 10 years from contract expiry and/or transaction date | At the first periodic disposal period following the end of the retention period
Data Security Process | 10 years from the expiry of the contract and/or the date of disposal | At the first periodic disposal period following the end of the retention period
Employee Health File | 15 years from the expiry of the contract | At the first periodic disposal period following the end of the retention period
Communication Activities | 2 years from the date of registration | At the first periodic disposal period following the end of the retention period
Patient File | 15 years from the last activity | At the first periodic disposal period following the end of the retention period

 

8. PERIODIC DISPOSAL TIME

Under Article 11 of the Regulation, DENTEVİM has set the periodic disposal interval at 6 (six) months. Accordingly, periodic disposal is carried out at DENTEVİM in February and July.
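As an added illustration, not part of the policy itself, the following Python scheduler shows how the process-based periods of Table 5 combine with the February/July periodic disposal schedule of this section: for a record it computes the end of its retention period and the first periodic disposal period that follows. It assumes that a disposal month which has already begun when retention ends is not used, and that the caller supplies the anchor date named in Table 5 (contract expiry, transaction date, last activity, and so on); the process names are those of Table 5.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods from Table 5, in years or days counted from the anchor date
# named in the table. The caller supplies that anchor; only the length is encoded.
RETENTION_RULES = {
    "Recruitment": {"years": 10},
    "Personnel File": {"years": 10},
    "Incoming Documents": {"years": 10},
    "Financial Activities": {"years": 10},
    "Security Activities": {"days": 30},
    "Representation of Legal Entity": {"years": 10},
    "Management": {"years": 10},
    "General Assembly": {"years": 10},
    "Publication": {"years": 10},
    "Fulfillment of Contractual Obligation": {"years": 10},
    "Follow-up of Legal Affairs": {"years": 10},
    "Operational Processes": {"years": 10},
    "Data Security Process": {"years": 10},
    "Employee Health File": {"years": 15},
    "Communication Activities": {"years": 2},
    "Patient File": {"years": 15},
}

# Section 8: periodic disposal every six months, carried out in February and July.
PERIODIC_DISPOSAL_MONTHS = (2, 7)

def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anchor falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(process: str, anchor: date) -> date:
    """Last day of the retention period of a Table 5 process, counted from its anchor."""
    rule = RETENTION_RULES[process]
    if "years" in rule:
        return add_years(anchor, rule["years"])
    return anchor + timedelta(days=rule["days"])

def next_periodic_disposal(after: date) -> date:
    """First day of the first disposal month (February or July) that begins after 'after'.
    Assumption: a disposal month already under way when retention ends is skipped."""
    for year in (after.year, after.year + 1):
        for month in PERIODIC_DISPOSAL_MONTHS:
            candidate = date(year, month, 1)
            if candidate > after:
                return candidate
    raise AssertionError("February of the following year always qualifies")

@dataclass(frozen=True)
class DisposalSchedule:
    process: str
    anchor: date
    retention_end: date
    disposal_period: date  # first day of the disposal month

def schedule(process: str, anchor: date) -> DisposalSchedule:
    end = retention_end(process, anchor)
    return DisposalSchedule(process, anchor, end, next_periodic_disposal(end))

def records_due(records, today: date) -> list:
    """Records whose disposal month has begun by 'today', i.e. due for periodic disposal."""
    return [s for s in (schedule(p, a) for p, a in records) if s.disposal_period <= today]

if __name__ == "__main__":
    # Constructed sample records: (Table 5 process, anchor date).
    sample = [("Patient File", date(2010, 3, 15)),
              ("Security Activities", date(2024, 1, 20)),
              ("Communication Activities", date(2021, 5, 3))]
    for s in records_due(sample, date(2024, 7, 1)):
        print(f"{s.process}: retention ended {s.retention_end}, dispose in {s.disposal_period:%B %Y}")
```

Adding the "except documents containing health data" exclusions of Table 5 means classifying the individual document, which this scheduler leaves to the caller by choosing the process name.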

9. PUBLICATION AND RETENTION OF THE POLICY

The Policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is kept in the file at DENTEVİM company headquarters.

10. UPDATE PERIOD OF THE POLICY

The Policy is reviewed as needed, and the necessary sections are updated.

11. ENFORCEMENT AND ANNOUNCEMENT OF THE POLICY

The Policy is deemed to have entered into force upon its publication on the DENTEVİM website. If it is decided to abolish the Policy, the old wet-signed copies are canceled and signed (with an annulment stamp or written cancellation) and kept for at least 5 (five) years.