PERSONAL DATA STORAGE AND DESTRUCTION POLICY

INTRODUCTION

Within the scope of Law No. 6698 on the Protection of Personal Data and the Deletion, Destruction or Anonymisation of Personal Data, we would like to inform the data owners whose personal data we process how long their data is kept in our system and the conditions and periods of destruction. The data controller, LOKMAN HEKİM ÖZEL SAĞLIK HİZMETLERİ A.Ş. will apply the said destruct

1. DEFINITIONS

Recipient Group: The category of real or legal person to whom personal data is transferred by the data controller

Explicit Consent: Consent regarding a specific subject, based on information and expressed with free will.

Data Processor: Persons who process personal data within the organisation of the data controller or in accordance with the authority and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Data Recording System: The recording system in which personal data is structured and processed according to certain criteria.

VERBIS: Data Controllers Registry Information System.

Destruction: Deletion, destruction  or anonymisation of personal data.

Recording Environment: Any environment in which personal data is processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Regulation: Regulation on Deletion, Destruction or Anonymisation of Personal Data published in the Official Gazette dated 28 October 2017.

Policy: Personal Data storage and Destruction Policy

Personal Data: Any information relating to an identified or identifiable real person.

Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Anonymisation of Personal Data: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data: Making personal data inaccessible and non-reusable in any way for the relevant users.

Destruction of Personal Data: The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.

Board: Personal Data Protection Board.

Periodic Destruction: The process of deletion, destruction or anonymisation to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the Law disappear.

Data Subject: The natural person whose personal data is processed.

Personal Data Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes and legal reason for processing personal data, data category, transferred recipient group and data subject group, and detail the maximum data retention period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

2. PRINCIPLES

First of all, as DATA RESPONSIBLE, we would like to state that we use a data storage method and tool in accordance with the requirements.

A destruction policy contrary to Law No. 6698 and regulations and 108+ contract and Personal Data Protection Board Decisions has not been adopted.

Appropriate security measures have been taken to protect personal data contained in automated data files against accidental or unauthorised destruction as well as unauthorised access, modification or publication.

Appropriate measures have been taken to protect the files against both natural hazards such as accidental loss or destruction and human-induced hazards such as unauthorised access, fraudulent misuse of data or infection by computer viruses.

Your personal data that we collect in the areas specified in our personal data protection policy and clarification text are recorded and stored in a secure area and stored for at least 3 years, except for our storage activity in accordance with legal obligations.

The Law No. 6698 and the Regulation give us the right to choose and manage the process of the method of destruction of personal data. According to the type of personal data, the data controller will determine the method of destruction itself. If the data subject requests, the appropriate method will be selected by explaining the reason. Before destroying the data, the data controller will notify the registered e-mail address or registered address of the data subject and inform the method by which the data will be destroyed.

While destroying personal data, necessary administrative and technical measures will be taken in this process. After destruction, it will be recorded and stored in a secure environment for at least 3 years. The time provisions to be kept due to legal obligations are reserved.

Customer, employee candidate, employee, subcontractor and supplier data that are not active in our company will be destroyed immediately, except for the periods of retention in the law, and the information about the destruction and the method of destruction will be notified to the relevant person by the appropriate method.

In the event that all of the conditions for processing personal data specified in Articles 5 and 6 of the Law are no longer applicable, personal data are deleted, destroyed or anonymised by the DATA RESPONSIBLE ex officio or upon the request of the data subject.

The data subject may also request the deletion of his/her data from the DATA RESPONSIBLE. In this case, the company will respond to the application within 30 days at the latest and the groups to which the data are transferred will be informed about the application and the data will be deleted if the conditions for deletion are met. If the conditions for deletion are not met, the data subject will be responded to with a justified reason as to why the personal data is not deleted and the information about when it will be deleted will be explained in detail.

3. EXPLANATIONS ON THE REASONS REQUIRING STORAGE AND DESTRUCTION

The storage of personal data shall not exceed the period stipulated for the storage obligations arising from the law. The personal data of the data subject are processed and stored for the following purposes:

1. To receive your appointment requests, manage and complete the transportation, payment and settlement processes
2. To manage your treatment processes, to manage a sustainable patient / hospital policy
3. To manage private hospital organisation processes,
4. To transfer to the relevant units,
5. To be able to communicate,
6. To give information about our products, campaigns, promotions,
7. To provide you with customised services,
8. To transfer the necessary personal data on your behalf to the insurance companies via e-mail,
9. To analyse,
10. To ensure the legal and commercial security of our company and the persons who are in business relationship with our company,
11. To organiseadministrative operations,
12. To ensure the physical security and supervision of the company's departments,
13. To use in business partner / customer / supplier / employee / employee candidate / subcontractor evaluation processes,
14. To determine and implement the commercial business strategies of our company,
15. To ensure the execution of our company's human resources policy,
16. To enable you to better participate in the services we offer you,
17. To fulfil the purposes of processing compulsorily in line with the request of the Ministry of Health,
18. To be able to respond to your requests,
19. To implement your requests for doctor choice,
20. To manage the processes of consultation or management of treatment processes between doctors,
21. To convey you your laboratory test results
22. To transfer you to another health facility,
23. To ensure that your medical treatment costs are covered by SGK (the National Health Services),
24. To ensure that your medical expenses are paid by private health insurances,
25. To carry out advertising and marketing activities (for the promotion of the doctors)
26. To manage and follow up all your treatment processes,
27. To prevent and report crime,
28. To protect the confidentiality of personal data,
29. To ensure privacy in medical intervention,
30. To refer you to the patient rights unit,
31. To make your appointments,
32. to conduct your treatment without interruption and thouroughly,
33. To ensure corporate objectives,
34. To fulfil the legal obligations determined by the relevant legislation and to provide information in line with the requirements of the contractual relationship and the request of the authorised institutions and organisations,

For this purpose the following points are taken into consideration

Storage of personal data directly related to the establishment and performance of contracts

Storing personal data for the purpose of establishing, exercising or protecting a right,

It is mandatory to keep personal data for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of individuals,

Storage of personal data in order for the Company to fulfil any legal obligation

The legislation clearly stipulates the storage of personal data,

Explicit consent of data subjects in terms of storage activities that require the explicit consent of data subjects.

Your data will be deleted and destroyed;

If the storage period has expired or if the obligation has disappeared due to changes in storage conditions due to legislation,

If the purpose of processing is eliminated,

If the conditions requiring the processing of personal data in Articles 5 and 6 of the Law are anihilated,

For personal data processed with the explicit consent of the relevant person, if the relevant person has withdrawn his/her explicit consent,

If the application made by the relevant person within the scope of Personal Data Protection Law  article 11 is accepted,

If the data controller has rejected the application made by the relevant person requesting the deletion, destruction or anonymization of personal data,

if the response given by the relevant person is found insufficient or if the response is not given within the period stipulated in the Law;

By making a complaint to the Board and with the recommendation of the Board, if the maximum period requiring the storage of personal data has passed.

4. STORAGE AND DESTRUCTION PERIODS

While determining the storage and destruction periods, the Company evaluates the following criteria within the scope of the Regulation and Law No. 6698:

The period accepted as per general custom in the relevant sector,

The period during which the legal relationship established with the person concerned, which necessitates the processing, will continue,

The period during which the legitimate interest to be obtained by the data controller will be valid in accordance with the law and integrity rules,

The period during which the risks, costs and responsibilities of storage will continue legally,

Whether the maximum period to be determined is suitable for keeping the relevant data category accurate and updated when necessary,

The period for which the data controller is obliged to store the personal data in the relevant data category in accordance with its legal obligation,

Limitation period to assert a right based on personal data.

Personal data which storage period has expired shall be anonymised, deleted or destroyed in accordance with the procedures set out in this Policy every 6-month periods, taking into account the destruction periods. All transactions regarding the deletion, destruction and anonymisation of personal data are recorded and such records are kept for at least 3 (three) years, excluding other legal obligations.

5.  ADMINISTRATIVE AND TECHNICAL MEASURES FOR STORAGE AND DESTRUCTION OF PERSONAL DATA

Administrative Measures:

Within the scope of the administrative measures the Company;

Limits the internal access to stored personal data to the personnel who are required to access it by their job description. Whether the data is of special nature and the degree of importance are also taken into consideration in limiting the access,

Regarding the sharing of personal data, it signs a framework contract regarding the protection of personal data and data security with the persons with whom the personal data is shared, or ensures data security by adding provisions to the existing contract.

It employs knowledgeable and experienced personnel regarding the processing of personal data and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.

It carries out the necessary inspections and has them carried out in order to ensure the implementation of the provisions of the Law within its own legal entity. It eliminates privacy and security vulnerabilities that arise as a result of audits.

Ensures that adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken according to the environment where personal data is located and prevents unauthorised entry and exit to these environments.

Technical Measures:

Within the scope of the technical measures the company ;

Through infiltration (penetration) tests, risks, threats, vulnerabilities and deficiencies, if any, regarding our Institution's information systems are revealed and necessary precautions are taken. As a result of real-time analysis with information security incident management, precautions are taken against risks and threats that will affect the continuity of information systems.

In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorised personnel to enter the system room, 24/7 monitoring system, ensuring the physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, attack prevention systems, network access control, malware prevention systems, etc.) precautions are taken.

Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks and technical controls are carried out for the precautions taken.

Access procedures are established within the institution and reporting and analysis studies regarding access to personal data are carried out.

Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control. The Institution takes the necessary measures to ensure that deleted personal data are inaccessible and unusable for relevant users.

In case personal data is obtained by others unlawfully, an appropriate system and infrastructure has been created by the Authority to notify the relevant person and the Board.

Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up to date.

In electronic environments where personal data is processed strong passwords are used.

Secure record keeping (logging) systems are used in the electronic environments where personal data is processed. Data backup programs are used to ensure safe storage for personal data.

A separate policy has been determined for the security of sensitive personal data. Trainings on the security of sensitive personal data have been provided for employees involved in the processing of sensitive personal data, confidentiality agreements have been made, and the authorisations of users who are authorised to access the data have been defined. Electronic media where sensitive personal data are processed, stored and/or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, necessary security tests are regularly carried out / performed, and test results are recorded. Adequate security measures are taken for the physical environments where sensitive personal data are processed, stored and/or accessed, and unauthorised entries and exits are prevented by ensuring physical security. If sensitive personal data need to be transferred via e-mail, they are transferred encrypted with a corporate e-mail address or using a KEP account.

If it needs to be transferred via media such as portable memory, CD or DVD, it is encrypted using cryptographic methods and the cryptographic key is kept in a different environment. If transfer is made between servers in different physical environments, data transfer is made between the servers by establishing a VPN or using the sFTP method. If transfer via paper media is required, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in "confidential" format.

6.  THE DUTIES AND AUTHORITIES OF THE PERSONAL DATA PROTECTION UNIT

The Personal Data Protection Unit announces the Policy and other information on the Protection of Personal Data to the units and monitors the development of the units in this regard. Periodically plans training processes and carries out audits. It follows the legislative changes regarding the subject and ensures that the Policy and texts are updated according to the legislation. Follows the board's decisions regularly.

7.  IMPLEMENTATION OF THE POLICY, VIOLATIONS AND SANCTIONS

This Policy will come into force by being announced to all employees and will be binding for all business units, consultants, external service providers and anyone who processes personal data. It was updated on 21.5.2024.

In case of any violation of the policy, the relevant unit supervisor directly informs the data controller and the contact person appointed by the data controller and takes the necessary measures to ensure the implementation of the policy.

The Personal Data Protection Unit is also informed about the behaviour contrary to the policy.

Necessary action is taken as soon as possible against those who violate the policy.

Personal data will be stored for the periods specified in the table below, taking into account the issues specified in Article 4 of the policy, and will be anonymised or destroyed at the end of the period:

The Company reserves its rights regarding the data that need to be kept for longer than the periods specified above and explains the conditions of deletion together with the justification upon the request of the person concerned. Expired personal data will be destroyed ex officio and records of destruction will be kept for 3 years. The method of destruction will be determined by the Data Controller according to the nature of each personal data in the most appropriate method.