Personal Data Retention and Destruction Policy


1.      INTRODUCTION

1.1    Objective

This Personal Data Retention and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles for the personal data storage and destruction activities carried out by the following data controller:

Title of data controller : Maslak Physical Therapy

Data controller address : Maslak Meydan Sk. Beybi Giz Plaza No:1 D:2 Sarıyer - Istanbul

Data controller phone : 0530 226 40 20

Data controller e-mail : info@maslakfiziktedavi.com

Data controller website : maslakphysicaltreatment.com

In line with its mission, vision and basic principles, our business gives priority to processing personal data in accordance with the Constitution of the Republic of Turkey, international conventions, the Law No. 6698 on the Protection of Personal Data (“Law”) and other relevant legislation, and to ensuring that the relevant persons can exercise their rights effectively.

Work and transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared for this purpose.

1.2    Scope

Personal data belonging to patients, companions, personnel, personnel candidates and service providers are within the scope of this Policy and this Policy is applied in all recording environments where personal data managed by our enterprise are processed and in activities for personal data processing.

1.3    Abbreviations and Definitions

The legal and technical terms used in this Policy have the following meanings:

Recipient Group : The category of natural or legal person to whom personal data is transferred by the data controller.

Explicit Consent : Consent to a specific subject matter, based on information and freely given.

Anonymization : The process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Employee : Business personnel.

EBYS : Electronic Document Management System.

Electronic Media : Environments where personal data can be created, read, changed and written with electronic devices.

Non-Electronic Environment : All written, printed, visual, etc. media other than electronic media.

Service Provider : A natural or legal person who provides services within the framework of a specific contract with our organization.

Relevant Person : The natural person whose personal data is processed.

Related User : Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction : Deletion, destruction or anonymization of personal data.

Law : Law No. 6698 dated 24.3.2016 on the Protection of Personal Data.

Recording Media : Any medium containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system.

Personal Data : Any information relating to an identified or identifiable natural person.

Personal Data Processing Inventory : The inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by explaining the purposes and legal reason for processing personal data, the data category, the transferred recipient group and the data subject group, the maximum retention period required for the purposes for which personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

Personal Data Processing : All kinds of operations performed on personal data, such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system.

Board : Personal Data Protection Board.

Special Categories of Personal Data : Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Disposal : In the event that all of the conditions for processing personal data specified in the Law disappear, the deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy.

Policy : Personal Data Retention and Destruction Policy.

Data Processor : A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data Recording System : A recording system where personal data is structured and processed according to certain criteria.

VERBIS : Data Controllers Registry Information System.

Data Controller : The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Regulation : Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

2.      EXPLANATIONS ON STORAGE AND DISPOSAL

Personal data processed by our business is stored in accordance with the Law and destroyed at the end of the retention period.

2.1    Explanations on Safekeeping

Article 3 of the Law defines the concept of processing personal data, Article 4 states that the personal data processed must be relevant, limited and proportionate to the purpose for which they are processed and must be retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and Articles 5 and 6 list the conditions for processing personal data.

Accordingly, personal data are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.

2.1.1        Legal Grounds for Storing Personal Data

Personal data are processed and stored where at least one of the following legal grounds exists:

  • Explicitly stipulated in the law
  • Processing of the parties' data is necessary for the performance of the contract
  • It is mandatory for the data controller to fulfill its legal obligation
  • Data processing is mandatory for the establishment, exercise or protection of a right
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject
  • Carrying out preventive medicine, medical diagnosis, treatment and care services
  • Explicit consent

2.1.2        Processing Purposes Requiring Retention

Personal data are processed and stored for the purposes set out below.

  • Carrying out the application processes of employee candidates
  • Fulfillment of obligations arising from the employment contract and legislation for employees
  • Execution of fringe benefits and benefits processes for employees
  • Conducting training activities
  • Execution of access authorizations
  • Execution of activities in accordance with the legislation
  • Conducting finance and accounting affairs
  • Ensuring physical space security
  • Execution of assignment processes
  • Follow-up and execution of legal affairs
  • Conducting communication activities
  • Planning of human resources processes
  • Conducting occupational health and safety activities
  • Receiving and evaluating suggestions for improving business processes
  • Conducting performance evaluation processes
  • Carrying out storage and archive activities
  • Execution of contract processes
  • Follow-up of requests and complaints
  • Ensuring the security of movable property and resources
  • Ensuring the security of data controller operations
  • Informing authorized persons, institutions and organizations
  • Conducting promotional activities

2.2    Reasons for Destruction

Personal data are deleted or destroyed by our business upon the request of the person concerned, or are deleted, destroyed or anonymized ex officio, in the following cases:

  • The provisions of the relevant legislation that constitute the basis for processing are amended or abolished,
  • The purpose requiring processing or storage disappears,
  • In cases where the processing of personal data takes place only on the basis of explicit consent, the relevant person withdraws their explicit consent,
  • Pursuant to Article 11 of the Law, the application made by the person concerned regarding the deletion and destruction of their personal data within the framework of their rights is accepted by our business,
  • Our Company rejects the application made by the person concerned requesting deletion, destruction or anonymization of their personal data, gives an answer that is found insufficient, or does not respond within the period stipulated in the Law; the person concerned files a complaint with the Board and this request is approved by the Board,
  • The maximum period for which personal data should be retained has elapsed and there are no circumstances that would justify retaining personal data for a longer period of time.

3.      TECHNICAL AND ADMINISTRATIVE MEASURES

For the safe storage of personal data, the prevention of unlawful processing and access, and the destruction of personal data in accordance with the law, technical and administrative measures are taken in accordance with Article 12 of the Law and, for special categories of personal data, within the framework of the adequate measures determined and announced by the Board pursuant to the fourth paragraph of Article 6 of the Law.

3.1    Technical Measures

The technical measures taken in relation to the processed personal data are listed below:

  • Network security and application security are ensured.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • Authorizations in this area are revoked for employees who are reassigned or leave their jobs.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • Employees with access to sensitive personal data are periodically subject to authorization checks.
  • Security updates for the environments where the data are stored are constantly monitored, necessary security tests are regularly performed or commissioned and test results are recorded.
  • Security tests of software that accesses sensitive personal data are regularly conducted and test results are recorded.
  • For personal data stored in digital media, deletion, destruction or anonymization operations are performed periodically.

3.2     Administrative Measures

The administrative measures taken regarding the processed personal data are listed below:

  • There are disciplinary regulations for employees that include data security provisions.
  • Training and awareness raising activities on data security are carried out for employees at regular intervals.
  • Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
  • Confidentiality commitments are made.
  • The signed contracts contain data security provisions.
  • Extra security measures are taken for personal data transferred via paper and the relevant document is sent in the format of a confidential document.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  • Security of environments containing personal data is ensured.
  • Personal data is minimized as much as possible.
  • Internal periodic and/or random audits are conducted and commissioned.
  • Protocols and procedures for the security of sensitive personal data have been determined and implemented.
  • If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using a KEP or corporate mail account.
  • The scope and duration of authorization of users authorized to access sensitive personal data are clearly defined.
  • Inventory allocated to employees who change their positions or leave their jobs is returned.
  • A personal data inventory was prepared.
  • Periodic deletion, destruction or anonymization operations are performed.

4.      STORAGE AND DESTRUCTION PERIODS

Retention periods for the personal data processed by our business within the scope of its activities are set out in this Personal Data Retention and Destruction Policy.

These retention periods shall be updated if necessary.

For personal data whose retention periods have expired, the process of ex officio deletion, destruction or anonymization is carried out in the first periodic destruction period following the end of the retention period.

4.1    Table of Storage Periods

PROCESSED DATA | RELEVANT PERSON CATEGORY | STORAGE TIME
Identity Information | Employee | 15 years after the active employment relationship ends
Identity Information | Employee Candidate | Not kept in case of negative results of the job application
Identity Information | Patient | 20 years from the end of treatment
Identity Information | Companion | During the service period
Identity Information | Natural Persons Providing External Services | 10 years from end of service
Contact Information | Employee | 15 years after the active employment relationship ends
Contact Information | Employee Candidate | Not kept in case of negative results of the job application
Contact Information | Patient | 20 years from the end of treatment
Contact Information | Companion | During the service period
Contact Information | Natural Persons Providing External Services | 10 years from end of service
Personal Health Data | Employee | 15 years after the active employment relationship ends
Personal Health Data | Employee Candidate | Not kept in case of negative results of the job application
Personal Health Data | Patient | 20 years from the end of treatment
Criminal Conviction and Security Measures Information | Employee | 10 years after the active employment relationship ends
Criminal Conviction and Security Measures Information | Employee Candidate | Not kept in case of negative results of the job application
Personnel | Employee | 10 years after the active employment relationship ends
Personnel | Employee Candidate | Not kept in case of negative results of the job application
Legal Action | Employee and Patient | 10 years from the end of the legal process
Process Security | Employee and Patient | 2 years
Customer Transaction | Patient | 20 years
Customer Transaction | Natural Persons Providing External Services | 10 years from end of service
Finance | Patient | 20 years
Finance | Employee | 10 years
Camera Recordings | For All Groups of People | 2 months
Professional Experience | Employee | 10 years after the active employment relationship ends
Professional Experience | Employee Candidate | Not stored if the job application process is negative
Audio and Visual Recordings | Employee | 15 years after the active employment relationship ends
Audio and Visual Recordings | Patient | 20 years from the end of treatment
Audio and Visual Recordings | Employee Candidate | Not stored if the job application process is negative

4.2    Destruction Periods

Our business deletes, destroys or anonymizes personal data ex officio in accordance with the principles and procedures set out in this Policy in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises under the provisions of the Law and Regulation.

In the event that the data controller duly applies to us using the right to request the deletion of personal data specified in Article 13 of the Law;

  • If all the conditions for processing personal data have disappeared, the personal data subject to the request shall be deleted, destroyed or anonymized by an appropriate destruction method within 30 (thirty) days from the day the request is received.
  • If all the conditions for processing personal data have not disappeared, the request may be rejected by explaining the reason in accordance with the third paragraph of Article 13 of the Law and the rejection response shall be notified to the data subject in writing or electronically within 30 (thirty) days at the latest.

5.      PERIODIC DESTRUCTION PERIODS

Pursuant to Article 11 of the Regulation, the periodic destruction period is set as 6 months. Accordingly, periodic destruction is carried out every year on ........... and ...........

DESTRUCTION METHODS

At the end of the period stipulated in the relevant legislation or at the end of the retention period required for the purpose for which they are processed, personal data are destroyed ex officio or upon the application of the person concerned, in accordance with the provisions of the relevant legislation, by the following techniques.

5.1    Deletion of Personal Data

Personal data is deleted by the methods given below.

Data Recording Environment : Description

Personal Data on Servers : For personal data on the servers whose retention period has expired, deletion is made by the system administrator by removing the access authorization of the relevant users.

Personal Data in Electronic Media : Personal data stored in electronic media whose retention period has expired are rendered inaccessible and non-reusable in any way for employees (relevant users) other than the database administrator.

Personal Data in Physical Environment : Personal data kept in physical environment whose retention period has expired are made inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive. In addition, the blackout process is also applied by scratching/painting/erasing in such a way that the data cannot be read.

Personal Data on Portable Media : Personal data kept in flash-based storage media whose retention period has expired are encrypted by the system administrator, access authorization is given only to the system administrator, and the data are stored in secure environments with encryption keys.

5.2     Destruction of Personal Data

Personal data is destroyed by the methods given below.

Data Recording Environment : Description

Personal Data in Physical Environment : The personal data on paper media that expire after the expiration of the retention period are irreversibly destroyed in paper shredding machines.

Personal Data in Optical / Magnetic Media : Physical destruction of personal data on optical media and magnetic media, such as melting, incineration or pulverization, is applied to those whose retention period has expired. In addition, the magnetic media is passed through a special device and the data on it is rendered unreadable by exposing it to a high magnetic field.

Personal Data in the Digital Environment : Personal data in digital media whose retention period has expired shall be irreversibly destroyed together with all log and background transaction records and backups.

5.3    Anonymization of Personal Data

Anonymization of personal data means making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data.

For personal data to be considered anonymized, it must be impossible to associate them with an identified or identifiable natural person even when the data controller or third parties use techniques appropriate to the recording medium and the relevant field of activity, such as restoring the personal data and/or matching the data with other data.

While anonymizing personal data, our company performs anonymization in accordance with the standards mentioned above. After the anonymization of personal data, personal data cannot be associated with an identified or identifiable natural person under any circumstances.

6.      MEASURES TAKEN TO ENSURE THE LAWFULNESS OF DESTRUCTION

Destruction operations performed upon request or ex officio in periodic destruction processes are carried out in accordance with the Law, Regulation and this Policy. The technical and administrative measures taken within this scope are shown separately below.

6.1    Technical Measures

  • The authorization of employees working in information technology units to access personal data is kept under control.
  • Personal data are destroyed in such a way that the data cannot be recovered and no audit trail is left.

6.2    Administrative Measures

  • Personnel are trained on personal data protection legislation, data security and destruction.
  • Destruction processes are audited at regular intervals. Necessary measures are taken to eliminate the security gaps detected.

7.      RECORDING MEDIA

Personal data are stored in accordance with the provisions of laws, regulations and other relevant legislation. The recording media of personal data stored in this context are shown in the table below.

Electronic Media

  • Servers (Domain, backup, e-mail, database, web, file sharing, etc.)
  • Software (Meddata Software, office software, portal.)
  • Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.)
  • Computers (Desktop, laptop)
  • Mobile devices (phones, tablets, etc.)
  • Optical disks (CD, DVD, etc.)
  • Removable memories (USB, Memory Card, etc.)
  • Printer, scanner, copier, Medical devices

Non-Electronic Media

  • Paper
  • Manual data recording systems
  • Written, printed and visual media

8.      MEASURES TAKEN FOR PERSONAL DATA SECURITY

For the safe storage of personal data, the prevention of unlawful processing and access, and the destruction of personal data in accordance with the law, technical and administrative measures are taken in accordance with Article 12 of the Law and, for special categories of personal data, within the framework of the adequate measures determined and announced by the Board pursuant to the fourth paragraph of Article 6 of the Law.

8.1    Technical Measures

The technical measures taken in relation to the processed personal data are listed below:

  • Network security and application security are ensured.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • Deletion, destruction or anonymization is performed
  • Data loss prevention software is used.

8.2    Administrative Measures

The administrative measures taken regarding the processed personal data are listed below:

  • There are disciplinary regulations for employees that include data security provisions.
  • Training and awareness raising activities on data security are carried out for employees at regular intervals.
  • Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
  • Authorizations in this area are revoked for employees who are reassigned or leave their jobs.
  • Personal data security policies and procedures have been determined.
  • Personal data security is monitored.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  • Security of environments containing personal data is ensured.
  • Personal data is minimized as much as possible.
  • Internal periodic and/or random audits are conducted and commissioned.

9.      STAFF TITLE, UNIT AND TASK DISTRIBUTION

In order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law, all units and employees actively support the responsible units in properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, in training and raising the awareness of unit employees, in monitoring and continuous auditing, and in taking technical and administrative measures to ensure data security in all environments where personal data is processed.

The distribution of the titles and job descriptions of those involved in the storage and destruction of personal data is given in the table below.

OFFICER : JOB DESCRIPTION

Practice Owner Physician : Responsible for ensuring that personal data storage and destruction processes are carried out in accordance with this Policy, ensuring coordination between units, conducting the necessary audits, and developing the Policy and publishing and updating it in the relevant media.

Secretary/Assistant : Responsible for ensuring that employees act in accordance with the Policy, carrying out the necessary inspections and fulfilling other duties assigned by the practicing physician.

Responsible for providing technical solutions needed for the implementation of the Policy.

10.  UPDATES TO THE POLICY

This Personal Data Storage and Destruction Policy may be amended due to changes in the legislation, in accordance with the decisions of the Board or in line with the developments in the sector or in the field of informatics. Changes made within this scope are immediately incorporated into the text and explanations regarding the changes are added to the updates table below.

Updates Table

...............................Personal Data Processing and Destruction Policy has entered into force.

11.  FINAL PROVISIONS

This Personal Data Storage and Destruction Policy, prepared by the data controller, is announced to the relevant persons:

  • at appropriate locations within the enterprise
  • on our website, maslakphysicaltreatment.com
