1- Effective Date of the Policy
This Personal Data Retention and Destruction Policy (“Policy”) came into effect on 20/03/2021. Any changes to this Policy will be made in accordance with the procedures set out in Article 18 titled "Changes" of this Policy.
2- Introduction
Dr. Fatma Horasan Clinic is committed to complying with the applicable laws in the collection and use of personal data. Dr. Fatma Horasan Clinic encourages the collection and use of personal data that is relevant and reasonably necessary for legitimate commercial purposes in accordance with the implemented privacy policy/notice or consent form.
This Policy adheres to the following basic principles regarding the storage and destruction of personal data as required by relevant legislation:
- Processing personal data in accordance with the law and principles of honesty,
- Keeping personal data accurate and up-to-date when necessary,
- Processing personal data for specific, explicit, and legitimate purposes,
- Processing personal data in a manner that is relevant, limited, and proportionate to the purposes for which they are processed,
- Storing personal data only for as long as necessary for the purposes specified by the relevant legislation or the purpose for which they are processed,
- Informing and educating data subjects,
- Establishing a system to allow data subjects to exercise their rights,
- Implementing necessary measures for the protection of personal data,
- Complying with the relevant legislation and Board regulations regarding the transfer of personal data to third parties in accordance with the requirements of the purpose of processing,
- Showing necessary sensitivity in processing and protecting sensitive personal data.
3- Purpose and Scope of the Personal Data Retention and Destruction Policy
Purpose
This Policy has been prepared to determine the maximum retention period for personal data processed by Dr. Fatma Horasan Clinic and to serve as a basis for the deletion, destruction, and anonymization of personal data. The Policy includes explanations about the personal data processing activities conducted in compliance with the law and the systems adopted for the protection of personal data. Within this scope, the Policy aims to ensure transparency by informing individuals whose personal data is processed by Dr. Fatma Horasan Clinic, including employees, authorized persons, patients, providers, and third parties; to check the existence of valid reasons for storing processed personal data, and to provide information about the destruction of personal data when valid reasons for storage no longer exist.
Scope
This Policy applies to all personal data processed by Dr. Fatma Horasan Clinic through automated or non-automated means, whether or not part of a data recording system, related to its employees, patients, and third parties.
The application scope of this Policy for the categories of personal data subjects mentioned above may be the entire Policy or only certain provisions (e.g., only employees).
4- Principles
Dr. Fatma Horasan Clinic acts within the framework of the following principles in the process of storing and destroying personal data:
In the deletion, destruction, and anonymization of personal data, the Clinic complies with the principles stated in Article 4 of the Law, the measures required under Article 12, the technical and administrative measures specified in Article 9 of this Policy, relevant legal regulations, Board decisions, and this Policy.
All actions related to the deletion, destruction, and anonymization of personal data are recorded by Dr. Fatma Horasan Clinic.
In cases where all conditions for processing personal data stated in Articles 5 and 6 of the Law are removed, personal data is deleted, destroyed, or anonymized either ex officio by Dr. Fatma Horasan Clinic or upon the request of the data subject. Unless otherwise decided by the Board, the appropriate method for ex officio deletion, destruction, or anonymization of personal data will be chosen by Dr. Fatma Horasan Clinic. The rationale for the chosen method will be explained if requested by the data subject.
Upon the data subject’s application to Dr. Fatma Horasan Clinic, requests are concluded within 30 (thirty) days at the latest, and the data subject is informed. If the personal data subject to the request has been transferred to third parties, the third parties are notified of this situation, and it is ensured that the necessary actions are taken by the third parties.
5- TERMS/DEFINITIONS
Recipient Group | The category of natural or legal persons to whom personal data is transferred by the data controller. |
Explicit Consent | Consent that is based on information about a specific topic and is expressed freely. |
Anonymization | Making personal data irreversibly unidentifiable with any identified or identifiable natural person, even when combined with other data. |
Disclosure Obligation | The information provided by the data controller or authorized person to data subjects during the collection of personal data. In this scope, the data controller or authorized person informs the data subject about the following: – The identity of the data controller and, if applicable, its representative, – The purpose of processing personal data, – To whom and for what purpose the processed personal data will be transferred, – Information about the rights of the data subject as specified in Article 11 of the Law, – The method and legal basis of personal data collection. |
Employee | Staff of Dr. Fatma Horasan Clinic. |
Electronic Environment | Environments where personal data can be created, read, modified, and written using electronic devices. |
Non-Electronic Environment | All written, printed, visual, etc., environments other than electronic environments. |
Service Provider | A natural or legal person providing services to Dr. Fatma Horasan Clinic within the framework of a specific contract. |
Data Subject | The natural person whose personal data is being processed. |
Destruction | The deletion, destruction, or anonymization of personal data. |
Law/KVKK | Personal Data Protection Law |
Recording Environment | All environments where personal data is processed through automatic or non-automatic means, either wholly or partially, or as part of any data recording system. |
Recording System | Any system that is wholly or partially automatic or non-automatic, or part of any data recording system. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Processing of Personal Data | Any operation performed on personal data, whether by automatic or non-automatic means, including collection, recording, storage, preservation, modification, rearrangement, disclosure, transfer, acquisition, making available, classification, or restriction of use. |
Personal Data Processing Inventory | An inventory created by data controllers detailing their personal data processing activities based on business processes, including purposes and legal grounds for processing, data categories, recipient groups, maximum retention periods for personal data required for processing purposes, personal data transferred to foreign countries, and measures taken for data security. |
Anonymization of Personal Data | Making personal data irreversibly unidentifiable with any identified or identifiable natural person through appropriate technical means, even if the data is matched with other data by the data controller, recipient, or recipient groups. |
Deletion of Personal Data | Making personal data inaccessible and unusable in any way. |
Destruction of Personal Data | The process of making personal data inaccessible, unrecoverable, and unusable by anyone. |
Board | Personal Data Protection Board |
Authority | Personal Data Protection Authority |
Special Categories of Personal Data | Data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
Periodic Destruction | The process of deletion, destruction, or anonymization of personal data carried out ex officio at recurring intervals, as specified in the personal data retention and destruction policy, when all conditions for processing personal data as stated in the Law have been removed. |
Policy | Personal Data Retention and Destruction Policy |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by them. |
Data Controller | A natural or legal person who determines the purposes and means of processing personal data, and is responsible for establishing and managing the data recording system. |
Data Controllers Registry | A mandatory registration system that data controllers must register with according to the Law, and that is publicly maintained by the Personal Data Protection Authority. |
Regulation | Regulation on the Deletion, Destruction, or Anonymization of Personal Data |
5-Recording Environments Regulated by Policy
Personal data belonging to data subjects is securely stored by Dr. Fatma Horasan’s Clinic in the following environments, in accordance with the provisions of the Law and relevant legislation, as well as international data security principles:
Electronic storage of data is not implemented.
Physical Environments
- Paper,
- Manual data recording systems (e.g., survey forms),
- Written, printed, visual.
6-Data Categorization
Personal Data Type | Description |
Identity Information | Data related to a person's identity processed either fully or partially automatically, or non-automatically as part of the data recording system. This includes information such as name, ID number, parent’s names, nationality, place/date of birth, gender, as well as documents like driver's license, identity card, passport, tax number, social security number, signature, vehicle license plate, etc. |
Contact Information | Data related to contact details processed either fully or partially automatically, or non-automatically as part of the data recording system. This includes information such as phone number, address, email address, fax number, IP address, etc. |
Financial Information | Data related to financial outcomes, documents, and records processed either fully or partially automatically, or non-automatically as part of the data recording system. This includes information such as credit card details, bank account number, IBAN, etc. |
Special Categories of Personal Data | Data concerning a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, dress and appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data. |
Patient Information | Data related to health services and the information produced and obtained about the person as a result of the operations conducted by relevant units within the scope of health service activities, processed either fully or partially automatically, or non-automatically as part of the data recording system. |
Employee Personal Information | Data related to employees processed either fully or partially automatically, or non-automatically as part of the data recording system, including information essential for the formation of their position and salary rights. |
Job Applicant Information | Data related to individuals who have applied for employment or whose resumes and related information have been opened for review by the Human Resources Department of Dr. Fatma Horasan’s Clinic, processed either fully or partially automatically, or non-automatically as part of the data recording system. |
7-Groups Managed by the Policy
White Collar Employees
Data of individuals employed under an employment relationship at Dr. Fatma Horasan’s Clinic can be processed by Dr. Fatma Horasan’s Clinic in accordance with the conditions specified in this Policy.
Job Applicants
Data of individuals who have applied for a job or have submitted their resumes and relevant information for review to Dr. Fatma Horasan’s Clinic can be processed by Dr. Fatma Horasan’s Clinic in accordance with the conditions specified in this Policy.
Potential Patients
Personal data of any individual who is a patient at Dr. Fatma Horasan’s Clinic can be processed under the conditions specified in this Policy.
Explanation Regarding Legal, Technical, or Other Reasons for Storing and Destroying Personal Data
Dr. Fatma Horasan’s Clinic processes and stores personal data for reasons such as providing services, delivering patient services, understanding patient needs better, improving patient relationships, complying with legal processes, and monitoring legal rights; managing recruitment processes; fulfilling obligations within the employment contract between staff and Dr. Fatma Horasan’s Clinic.
According to the Regulation, personal data of data subjects will be deleted, destroyed, or anonymized by Dr. Fatma Horasan’s Clinic either ex officio or upon request in the following cases:
- Amendment or repeal of the relevant legal provisions that form the basis for the processing or storage of personal data,
- Disappearance of the purpose that necessitates the processing or storage of personal data,
- Elimination of the conditions required for processing personal data under Articles 5 and 6 of the Law,
- In cases where processing of personal data is based solely on explicit consent, withdrawal of the data subject’s consent,
- Acceptance of the data subject’s request for deletion, destruction, or anonymization of personal data by the Data Controller in accordance with the rights specified in Articles 11(e) and (f) of the Law,
- Rejection of the request for deletion, destruction, or anonymization of personal data by the Data Controller, inadequate response, or failure to respond within the period stipulated by the Law; complaints to the Board and approval of the request by the Board,
- In the absence of any conditions justifying the retention of personal data beyond the maximum retention period.
8-Technical and Administrative Measures Taken to Ensure the Secure Storage of Personal Data and Prevent Unauthorized Processing and Access
All administrative and technical measures taken by Dr. Fatma Horasan’s Clinic to ensure the secure storage of personal data and to prevent unauthorized processing and access, within the framework of the principles set out in Article 12 of the Law and technological possibilities, are listed below.
In this regard, Dr. Fatma Horasan’s Clinic implements the following administrative measures:
- Restricts access to stored personal data to necessary employees only.
- Employs knowledgeable and experienced staff regarding the processing of personal data and provides them with necessary training on personal data protection regulations and data security. Employees are trained to prevent attacks that may compromise personal data security and cyber security, and to ensure that personal data is not unlawfully disclosed or shared. Awareness programs are conducted for them.
- The roles and responsibilities of employees regarding personal data security are defined in their job descriptions, and employees are made aware of their roles and responsibilities in this regard.
- Confidentiality agreements are signed with employees regarding personal data protection legislation and data security.
- If personal data is obtained unlawfully by others, this situation is reported to the relevant parties and the Board as soon as possible.
- Contracts are signed with persons with whom personal data is shared, including provisions on personal data protection and data security.
- To ensure the implementation of the Law within its own legal entity, necessary audits are carried out and rectifications are made for any identified confidentiality and security vulnerabilities.
- A Personal Data Processing Inventory is prepared.
- Institutional Policies (Access, Information Security, Use, Storage, and Destruction, etc.) are prepared.
- Periodic and/or random audits are conducted for data security purposes.
In this context, Dr. Fatma Horasan’s Clinic takes the following technical measures:
- Technical measures are taken in accordance with technological advancements, and these measures are periodically updated and renewed.
- Up-to-date antivirus programs are used.
- Necessary internal controls are conducted within the established systems.
- Regular security scans are performed to identify and close security vulnerabilities in environments where personal data is stored.
- Necessary security measures are taken in physical environments where personal data is stored.
9-Technical and Administrative Measures for the Legal Destruction of Personal Data
Personal data obtained by Dr. Fatma Horasan’s Clinic in accordance with the KVKK and other relevant legislation is deleted, destroyed, or anonymized by Dr. Fatma Horasan’s Clinic ex officio or upon the request of the Data Subject in accordance with the Law and relevant legislation when the purposes of processing personal data specified in the Law and Regulation cease to exist.
Deletion of Personal Data
Deletion of personal data is the process of rendering the personal data inaccessible and unusable for relevant users in any way. Personal data, which can be stored in various record environments, is deleted using methods suitable for these environments. The deletion techniques are described in Article 10.1.1.
Techniques for Deleting Personal Data
Secure Deletion from Software: When deleting data processed fully or partially automatically and stored in digital environments, methods are used to ensure that the data is deleted from the relevant software in a way that it becomes inaccessible and unusable for relevant users.
These methods include deletion of data in cloud systems by issuing a delete command; removal of access rights of the relevant user on the file or directory in the central server; deletion of relevant rows in databases using database commands; and deletion of data on portable media such as flash drives using appropriate software. However, if the deletion of personal data results in the inability to access and use other data within the system, personal data will also be considered deleted if archived in a manner that cannot be associated with the relevant person under the conditions below.
Secure Deletion by a Specialist: In some cases, a specialist may be hired to delete personal data on behalf of the organization. In this case, personal data is securely deleted by the specialist in a manner that makes it inaccessible and unusable for relevant users.
Redaction of Personal Data on Paper: To prevent unauthorized use of personal data or to delete requested data, the method involves physically cutting out the relevant personal data from the document or rendering it unreadable and irretrievable with permanent ink or technological solutions.
10-Sensitive Personal Data
Sensitive personal data includes an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data.
Dr. Fatma Horasan’s Clinic does not process Sensitive Personal Data without the explicit consent of the relevant person.
Except for health and sexual life, Sensitive Personal Data may be processed without the explicit consent of the relevant person in cases provided by the laws.
Personal data related to health and sexual life can only be processed without the explicit consent of the relevant person by individuals or authorized institutions bound by confidentiality obligations for purposes such as protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and financing.
11-Data Transfer to Third Parties/Transferred Party Categories
Data Transfer
Dr. Fatma Horasan’s Clinic may transfer personal data within the framework of the conditions and purposes specified in Articles 8 and 9 of the Law. Dr. Fatma Horasan’s Clinic can transfer personal data to the third parties listed below, based on one or more of the conditions for processing personal data specified in Article 5 of the KVKK, and in accordance with the purposes of personal data processing it adopts:
- The explicit consent of the data subject
- Explicitly prescribed by laws
- Necessary for the protection of the life or bodily integrity of a person who is unable to express consent due to physical impossibility or whose consent is not legally valid
- Directly related to the establishment or performance of a contract, provided that the processing of personal data of the parties to the contract is necessary
- Necessary for the data controller to fulfill its legal obligations
- Personal data made public by the data subject themselves
- Necessary for the establishment, exercise, or protection of a right
- Necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject
Dr. Fatma Horasan’s Clinic, by taking the necessary security measures and ensuring the sufficient precautions required by the Board, may transfer sensitive personal data of the data subject to third parties in the following cases:
- The explicit consent of the data subject
- If the data subject’s explicit consent is not available:
  - Sensitive personal data other than health and sexual life (such as race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, membership in associations, foundations, or unions, criminal convictions, security measures, biometric and genetic data) may be transferred in cases prescribed by laws.
  - Sensitive personal data related to health and sexual life can only be transferred by individuals or authorized institutions bound by confidentiality obligations for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and financing.
12-Transferred Party Categories
Dr. Fatma Horasan’s Clinic, in accordance with Articles 8 and 9 of the Law, may transfer the personal data of the relevant individuals to the following categories of persons:
Persons to Whom Personal Data May Be Transferred | Description | Purpose |
Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive personal data from Dr. Fatma Horasan’s Clinic according to relevant legislation. | Transferred within the limits of the legal authority of the authorized public institution or organization for the purpose requested. |
Private Law Entities | Private law entities authorized to receive personal data from Dr. Fatma Horasan’s Clinic according to relevant legislation. | Transferred within the limits of the legal authority of the authorized private law entity for the purpose requested. |
13-Table Showing Retention and Destruction Periods
The retention and destruction periods of personal data obtained by Dr. Fatma Horasan’s Clinic in accordance with KVKK and other relevant regulations are determined using the criteria specified below:
- If a retention period for the personal data is prescribed by the legislation, this period is adhered to.
- If there is no retention period specified by the legislation or if the specified period has expired:
  - Personal data is classified as personal data and sensitive personal data based on the definition in Article 6 of KVKK. All personal data identified as sensitive will be destroyed. The method of destruction is determined based on the nature of the data and its importance to Dr. Fatma Horasan’s Clinic.
  - It is checked whether the storage of data complies with the principles specified in Article 4 of KVKK, such as whether Dr. Fatma Horasan’s Clinic has a legitimate purpose for storing the data. Data found to violate the principles in Article 4 of KVKK is deleted, destroyed, or anonymized.
  - It is assessed which of the exceptions specified in Articles 5 and 6 of KVKK applies to the data. Based on the identified exceptions, reasonable retention periods are determined. Upon the expiration of these periods, data is deleted, destroyed, or anonymized.
The retention, destruction, and periodic destruction periods determined by Dr. Fatma Horasan’s Clinic can be found in the "Personal Data Retention and Destruction Periods Table" in Annex-1 of this Policy. Personal data whose retention period has expired is destroyed in 6-month periods, in accordance with the destruction periods specified in Annex-1 of this Policy.
14-Periodic Destruction Periods
Dr. Fatma Horasan’s Clinic performs periodic destruction as described in Annex-2 of this Policy when all conditions for processing personal data under the Law are removed. Dr. Fatma Horasan’s Clinic will delete, destroy, or anonymize personal data in the first periodic destruction operation following the date when the obligation to delete, destroy, or anonymize the data arises.
The retention, destruction, and periodic destruction periods determined by Dr. Fatma Horasan’s Clinic can be found in the "Periodic Destruction Periods Table" in Annex-1 of this Policy.
15-Rights of Data Subjects
In addition to the information provided in this document, please be reminded of the following rights:
- a. To learn whether your personal data is processed or not,
- b. To request access to and information about your personal data,
- c. To ensure the correction of personal data if it is inaccurate or incomplete,
- d. To know third parties to whom personal data is transferred, whether domestically or internationally,
- e. To request the deletion or destruction of personal data when the reasons for processing have ceased, even if it is processed in accordance with Law No. 6698 and other relevant laws,
- f. To request the notification of your data correction or deletion to third parties to whom the data was disclosed,
- g. To object to decisions that affect you negatively based solely on automated processing,
- h. To claim compensation for damages incurred due to unlawful processing of personal data.
16-Changes
This Policy is effective from 20/03/2021. The data controller is responsible for any changes to the Policy and how it will be enforced. This Policy will be reviewed every 3 months.
17-Contact with Data Controller
You can contact Dr. Fatma Horasan’s Clinic by regular mail or through a notary at Şair Eşref Bulvarı Şair Apt. No:82/1 K.2 D.5 Alsancak – İzmir.
Annexes:
Annex-1: Personal Data Retention and Destruction Periods Table
Annex-2: Changes and Updates to the Policy
Annex-1: Personal Data Retention and Destruction Periods Table
Related Data | Data Retention Period | Data Destruction Period |
Identity | 10 Years | 180 Days |
Contact | 10 Years | 180 Days |
Personnel | 10 Years | 180 Days |
Customer Transaction | 5 Years | 180 Days |
Health Data | 20 Years | 180 Days |
Physical Facility Security | 2 Years |
Annex-2: Changes and Updates to the Policy
Date of Change | Scope of Change |
20/03/2021 | Date when the Policy was created. |