DENTE ORAL AND DENTAL HEALTH SERVICES LTD. CO. PERSONAL DATA RETENTION AND DISPOSAL POLICY
DENTE ORAL AND DENTAL HEALTH SERVICES LTD. CO.
Address: KÜÇÜKYALI MERKEZ MAHALLESİ BAĞDAT CAD. A BLOK VE B BLOK Apt. NO: 92 C MALTEPE/İSTANBUL
Phone: 0216 366 66 69
Website: http://www.dentevim.com
E-mail: info@dentevim.com
CONTENT
1 INTRODUCTION
1.1 PURPOSE
1.2 SCOPE
1.3 ABBREVIATIONS AND DEFINITIONS
2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
4. EXPLANATIONS ON RETENTION AND DISPOSAL
4.1 Remarks on Retention
4.1.1 Legal Reasons for Retention
4.1.2 Processing Purposes Requiring Retention
4.2 Reasons for Disposal
5. TECHNICAL AND ADMINISTRATIVE MEASURES
5.1 Technical Measures
5.2 Administrative Measures
6. PERSONAL DATA DISPOSAL TECHNIQUES
6.1 Deletion of Personal Data
6.2 Disposal of Personal Data
7. RETENTION AND DISPOSAL PERIODS
1 INTRODUCTION
1.1 PURPOSE
The Personal Data Retention and Disposal Policy ("Policy") has been prepared to determine the procedures and principles regarding the work and transactions related to the retention and disposal activities carried out by DENTE ORAL AND DENTAL HEALTH SERVICES LTD. CO.
DENTEVİM prioritizes processing the personal data of "employees, employee candidates, goods/service providers, customer representatives, and other third parties" in accordance with the Constitution of the Republic of Turkey, Law No. 6698 on the Protection of Personal Data ("Law"), and other relevant legislation, and ensuring that the relevant persons can exercise their rights effectively.
DENTEVİM carries out work and processes regarding the retention and disposal of personal data under the Policy prepared in this direction.
1.2 SCOPE
Personal data belonging to Data Controller employees, employee candidates, goods/service providers, customers, and other third parties are within the scope of this Policy, and this Policy is applied in all recording environments and personal data processing activities of the personal data processed by the Data Controller.
1.3 ABBREVIATIONS AND DEFINITIONS
Recipient Group: The natural or legal person category to which the data controller transfers personal data.
Explicit Consent: Consent about a specific subject, based on the information and expressed with free will.
Employee: DENTEVİM staff.
Electronic Media: Environments where personal data can be created, read, changed, and written with electronic devices.
Non-Electronic Media: All written, printed, visual, and similar media other than electronic media.
Service Provider: A natural or legal person who provides services within the framework of a specific contract with the Personal Data Protection Authority.
Relevant Person: The real person whose personal data is processed.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical retention, protection, and backup of the data.
Disposal: Deletion, disposal or anonymization of personal data.
Law: Law on Protection of Personal Data No. 6698.
Recording Media: Any environment in which personal data is wholly or partially automated or processed by non-automatic means, provided that it is a part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Data Processing Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out, depending on their business processes, with the purposes and legal reason for processing the personal data, the data category, the recipient group to which the data is transferred, and the group of persons subject to the data, and in which they detail the maximum retention period required for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, changing, rearranging, disclosure, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Sensitive Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, association membership, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Disposal: The deletion, disposal, or anonymization process that will be carried out at repetitive intervals as specified in the personal data retention and disposal policy, in case all the conditions for processing personal data in the Law are eliminated.
Policy: Personal Data Retention and Disposal Policy
Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the Authority given by the data controller.
Data Registration System: A registration system in which personal data is processed and structured according to specific criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Controllers Reg. Info System: An information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in their application to the Registry and other related transactions.
VERBİS: Data Controllers Registry Information System
Regulation: Regulation on the Deletion, Disposal or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
2. DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
All DENTEVİM employees actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed for the following purposes:
The distribution of the titles, units, and job descriptions of those involved in the retention and disposal processes of personal information is given in Table 1.
Table 1: Task distribution of retention and disposal processes
| TITLE | UNIT | JOB DESCRIPTION |
|---|---|---|
| Human Resources Manager | Human Resources | Responsible for ensuring that employees act in accordance with the Policy, and for the preparation, development, execution, publication, and updating of the Policy. |
| Accounting Manager | Accounting | Responsible for the execution of the Policy within the scope of its duties. |
| IT expert | IT | Responsible for providing the technical solutions needed in the implementation of the Policy. |
Table 2: Personal data retention environments
| Electronic | Non-Electronic |
|---|---|
| Servers (domain, backup, e-mail, database, web, file sharing, etc.); software (office software, portal, EBYS, VERBIS); information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.); personal computers (desktop, laptop); mobile devices (phone, tablet, etc.); optical discs (CD); removable memories (USB, memory card, etc.); printer, scanner, copier; electronic scoring system. | Paper; manual data recording systems (survey forms, application forms, etc.); written, printed, and visual media. |
4. EXPLANATIONS ON RETENTION AND DISPOSAL
DENTEVİM stores and destroys, in accordance with the Law, the personal data of employees, employee candidates, third parties, visitors, customers, and the institutions or organizations it is in contact with as goods and service providers.
In this context, detailed explanations regarding retention and disposal are given below.
4.1 Remarks on Retention
The concept of processing personal data is defined in Article 3 of the Law. Article 4 states that the personal data processed should be related to, limited to, and proportionate to the purpose for which they are processed, and should be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed. Articles 5 and 6 list the processing conditions of personal data.
4.1.1 Legal Reasons for Retention
Accordingly, within the framework of DENTEVİM activities, personal data is stored for a period stipulated in the relevant legislation and suitable for our processing purposes. In this context, personal information is stored for the retention period specified within the framework of the following laws and other secondary regulations under other legislation.
4.1.2 Processing Purposes Requiring Retention
The Company stores the personal data it processes within the framework of its activities for the following purposes.
4.2 Reasons for Disposal
Personal data is deleted, disposed or anonymized by DENTEVİM at the request of the person concerned or ex officio in the following cases:
5. TECHNICAL AND ADMINISTRATIVE MEASURES
To store personal data securely, prevent unlawful processing of and access to personal data, and destroy personal data in accordance with the Law, DENTEVİM takes technical and administrative measures under Article 12 of the Law and, for personal data of special nature, within the framework of the adequate measures determined and announced by the Board under the fourth paragraph of Article 6 of the Law.
5.1 Technical Measures
The technical measures taken by DENTEVİM regarding the personal data it processes are listed below:
5.2 Administrative Measures
Administrative measures taken by DENTEVİM regarding the personal data it processes are listed below:
6. PERSONAL DATA DISPOSAL TECHNIQUES
At the end of the period stipulated in the relevant legislation, or of the retention period required for the purpose for which they are processed, personal data is destroyed by the Institution, ex officio or upon the application of the relevant person, in accordance with the provisions of the relevant legislation, using the following techniques.
6.1 Deletion of Personal Data
Personal data is deleted with the methods given in Table 3.
Table 3: Deletion of Personal Data
| Data Recording Media | Description |
|---|---|
| Personal Data on Servers | For personal data on servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and deletes the data. |
| Personal Data in Electronic Media | Personal data in electronic media whose retention period has expired is rendered inaccessible and non-reusable for other employees (relevant users), except the database administrator. |
| Personal Data in Physical Environment | Personal data kept in the physical environment whose retention period has expired is made inaccessible and non-reusable for other employees, except for the unit manager responsible for the document archive. In addition, blackening is applied by drawing over, painting over, or wiping the data so that it cannot be read. |
| Personal Data in Portable Media | Expired personal data kept in flash-based storage media is encrypted by the system administrator, access authorization is given only to the system administrator, and the data is stored in secure environments with encryption keys. |
6.2 Disposal of Personal Data
DENTEVİM disposes of personal data with the methods given in Table 4.
Table 4: Disposal of Personal Data
| Data Recording Media | Description |
|---|---|
| Personal Data in Physical Environment | Personal data on paper whose required retention period has expired is irreversibly destroyed in paper shredding machines. |
| Personal Data in Optical / Magnetic Media | Personal data in optical and magnetic media is physically destroyed by methods such as melting, burning, or pulverizing. In addition, magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable. |
7. RETENTION AND DISPOSAL PERIODS
Regarding the personal data being processed by DENTEVİM within the scope of its activities;
If necessary, updates are made by DENTEVİM on the said retention periods.
DENTEVİM performs ex-officio deletion, disposal, or anonymization of personal data whose retention period has expired.
Table 5: Process-based retention and disposal times table
| PROCESS | RETENTION PERIOD | DISPOSAL PERIOD |
|---|---|---|
| Recruitment (Except for documents containing health data) | 10 years from the expiry of the contract | At the first periodic disposal period following the end of the retention period |
| Personnel File (Except for documents containing health data) | 10 years from the expiry of the contract | At the first periodic disposal period following the end of the retention period |
| Incoming Documents (Except for documents containing health data) | 10 years from the expiry of the contract | At the first periodic disposal period following the end of the retention period |
| Financial Activities | 10 years from the date of transaction | At the first periodic disposal period following the end of the retention period |
| Security Activities | 30 days from the registration date | At the first periodic disposal period following the end of the retention period |
| Representation of Legal Entity | 10 years from the end of representation | At the first periodic disposal period following the end of the retention period |
| Management | 10 years from the end of the decision book | At the first periodic disposal period following the end of the retention period |
| General Assembly | 10 years from the end of the decision book | At the first periodic disposal period following the end of the retention period |
| Publication | 10 years from the date of publication | At the first periodic disposal period following the end of the retention period |
| Fulfillment of Contractual Obligation | 10 years from the expiry of the contract | At the first periodic disposal period following the end of the retention period |
| Follow-up of Legal Affairs (Except for documents containing health data) | 10 years from the expiry of the contract and/or the finalization of the decision | At the first periodic disposal period following the end of the retention period |
| Operational Processes | 10 years from contract expiry and/or transaction date | At the first periodic disposal period following the end of the retention period |
| Data Security Process | 10 years from the expiry of the contract and/or the date of disposal | At the first periodic disposal period following the end of the retention period |
| Employee Health File | 15 years from the expiry of the contract | At the first periodic disposal period following the end of the retention period |
| Communication Activities | 2 years from the date of registration | At the first periodic disposal period following the end of the retention period |
| Patient File | 15 years from the last activity | At the first periodic disposal period following the end of the retention period |
8. PERIODIC DISPOSAL TIME
Under Article 11 of the Regulation, DENTEVİM has determined the period of periodic disposal as 6 (six) months. Accordingly, periodic disposal is carried out in DENTEVİM in February and July.
9. PUBLICATION AND RETENTION OF THE POLICY
The Policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is kept in the file at DENTEVİM company headquarters.
10. UPDATE PERIOD OF THE POLICY
The Policy is reviewed as needed, and the necessary sections are updated.
11. ENFORCEMENT AND ANNOUNCEMENT OF THE POLICY
The Policy is deemed to have entered into force after its publication on the DENTEVİM website. If it is decided to abolish the Policy, the old copies with wet signatures are canceled and signed (with an annulment stamp or written cancellation) and kept for at least 5 years.