Data controller Serkan Balta (serkanbalta.com), hereby Personal Data Retention and Destruction Policy, prepared in accordance with the Constitution, the Law on Protection of Personal Data No. 6698, the Regulation on the Deletion, Destruction or Anonymization of Personal Data and other relevant legislation. It is stored and disposed of in accordance with the general principles and regulations specified in
With this Policy, the Company aims to set forth the general principles and principles regarding the storage and destruction of real person data subject to personal data processing activities within the scope of KVKK and to fulfill the obligations determined by the legislation.
Explicit Consent: Consent on a specific subject, based on information and expressed with free will,
Recipient Group: The natural or legal person category to which personal data is transferred by the data controller,
Anonymization: Making personal data cannot be associated with an identified or identifiable natural person in any way, even by matching with other data.
Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
Destruction: Deletion, destruction or anonymization of personal data,
Personal Data: Any information relating to an identified or identifiable natural person (e.g. name-surname, TCKN, e-mail, address, date of birth, credit card number, bank account number)
Relevant Person: The real person whose personal data is processed,
Processing of Personal Data: Acquiring, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data fully or partially automatically or non-automatically provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use,
Sensitive Personal Data: Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data data,
Periodic Destruction: Deletion, destruction or anonymisation, which will be carried out ex officio at repetitive intervals and specified in this Policy, in the event that all of the personal data processing conditions in the KVKK are eliminated,
REGISTRATION ENVIRONMENTS REGULATED BY POLICY
It covers all personal data subject to data processing activities within the scope of KVKK. In addition, the documents referred to by the Policy cover both physical and digital copies.
It stores all personal data subject to data processing activities within the scope of KVKK in the following environments where personal data is fully or partially automated or processed by non-automatic means provided that it is a part of any data recording system:
Company computers, e-mail accounts, desktop computers, employees’ tools (e.g. mobile phone), backup areas, paper files, folders, guestbook, CD, DVD, USB, Hard disks, printer, copier, etc.
REASONS REQUESTING THE STORAGE AND DISPOSAL OF PERSONAL DATA
Personal data processing activities are based on the following principles:
Compliance with the law and the rule of honesty,
Ensuring that personal data is accurate and up-to-date when necessary,
Processing for specific, explicit and legitimate purposes,
Being connected, limited and restrained with the purpose for which they are processed,
Storage for the period required by the relevant legislation or for the purpose for which they are processed.
Our company stores and uses personal data for the purposes of personal data processing and in accordance with the processing conditions of personal data in Articles 5 and 6 of the KVKK stated below. destroys at the request of the personal data owner:
Finding the Explicit Consent of the Personal Data Owner: The first of the personal data processing conditions is the explicit consent of the owner.
Explicitly Provided in Laws: The personal data of the data owner may be processed in accordance with the law without obtaining his explicit consent, provided that it is expressly stipulated in the Laws.
Failure to Obtain the Explicit Consent of the Personal Data Owner due to Actual Impossibility: If the personal data of the person who is unable to express his/her consent due to actual impossibility or whose consent cannot be validated is required to be processed in order to protect the life or bodily integrity of himself or another person, the personal data of the data owner may be processed.
Direct Interest in the Establishment or Performance of the Contract: Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process the personal data of the parties to the contract.
Legal Obligation: If data processing is necessary for our company to fulfill its legal obligations, the data of the personal data owner may be processed.
Making Personal Data Public by the Personal Data Owner: If the data owner has made his personal data public by himself, the relevant personal data may be processed limited to the publicization.
Obligatory Data Processing for the Establishment or Protection of a Right: If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.
Obligatory Data Processing for the Legitimate Interest of Our Company: Provided that the fundamental rights and freedoms of the personal data owner are not harmed, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our company.
DELETING, DISPOSAL OR MAKING PERSONAL DATA ANONYMOUS
Personal data is subject to change or repeal of the provisions of the relevant legislation, which is the basis for processing, the disappearance of the purpose that requires processing or storage, in cases where the processing of personal data takes place only on the basis of express consent, the person concerned withdraws their explicit consent, the maximum period requiring the storage of personal data has passed and the personal data is processed. In the absence of any conditions justifying keeping the data for a longer period of time, it is deleted, destroyed or ex officio deleted, destroyed or anonymized by the company at the request of the person concerned.
Unless a contrary decision is taken by the Personal Data Protection Board, our Company chooses the appropriate method of deletion, destruction or anonymization of personal data ex officio, according to technological possibilities and application cost. At the request of the personal data owner, the rationale for the appropriate method is explained. Necessary technical and administrative measures are taken in each of these transactions.
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN
Our company takes the necessary technical and administrative measures according to the technological possibilities and implementation costs regarding the following issues in accordance with the provisions of Article 12 of the KVKK and the provisions of the Regulation, the general principles stated above and the decisions of this Policy and Personal Data Protection Board:
Required software and hardware have been determined. Strong passwords are used on computers and e-mail accounts.
What needs to be protected in terms of protecting customer information has been conveyed to our personnel through trainings, and their responsibilities with employment contracts have been put into writing. (Confidentiality Agreements) This obligation continues even after the persons concerned leave their positions.
Necessary infrastructure has been created for the backup of all data.
Employees who can access data on computers have been determined.
Customer files and information are only given to the persons concerned, to their relatives to whom they have given written consent, to the relevant public institutions and organizations within the framework of their legislation, and to the competent judicial authorities in judicial cases.
Before starting to process personal data, the Authority fulfills the obligation to inform the relevant persons.
Personal data processing inventory has been prepared.
STORAGE AND DISPOSAL TIMES
Our company preserves and destroys personal data only for the period specified in the legislation it is obliged to comply with or for the period required for the purpose for which they are processed.
If the personal data owner requests the destruction of his personal data by applying to our company:
If all the conditions for processing personal data have been removed: Finalizes the personal data owner’s request within thirty days at the latest and informs the personal data owner, and notifies the third party if the personal data subject to the request has been transferred to third parties; ensures that the necessary actions are taken before the third party.
If all the conditions for processing personal data have not disappeared: The request of the personal data owner may be rejected by explaining the reason in accordance with the third paragraph of Article 13 of the KVKK and the personal data owner is notified of the rejection in writing or digitally within thirty days at the latest.
PERIODIC DISPOSAL TIMES
In the first periodical destruction process following the date on which the obligation to destroy personal data arises, personal data is destroyed. In this context, if the obligation to destroy personal data arises, it is subject to destruction in 6-month periods.
PERIOD | STORAGE PERIOD | DISPOSAL TIME |
Preparation of Contracts | 10 years from the end of the contract | At the first periodic disposal period following the end of the storage period |
Execution of Human Resources Processes | 10 years from the end of the activity | At the first periodic disposal period following the end of the storage period |
Execution of Hardware and Software Access Processes | 5 years | At the first periodic disposal period following the end of the storage period |
Registration of Visitors and Meeting Participants | 5 years | At the first periodic disposal period following the end of the storage period |
Personal Health Data Record | for the period specified in the legislation. | At the first periodic disposal period following the end of the storage period |
Identity data | for the period specified in the legislation. | At the first periodic disposal period following the end of the storage period |
Camera images | It is kept for at least 2 months in accordance with the Private Hospitals Regulation. | At the first periodic disposal period following the end of the storage period |
This Policy is deemed to have entered into force after its publication on the website.