The security and privacy of your personal data are under our legal guarantee. You can review all our legal texts and policies from the tabs below.
DENTALIMPLANT CLINIC TRAKYA SAĞLIK HİZM. LTD. ŞTİ. CLARIFICATION TEXT ON THE PROTECTION AND PROCESSING OF PERSONAL DATA FOR PATIENTS
As the data controller DENTALIMPLANT CLINIC TRAKYA SAĞLIK HİZM. LTD. ŞTİ. (hereinafter referred to as "DentalImplant Clinic"), we would like to inform you about the "Personal Data Protection Law" (KVKK), which regulates personal data, and fulfill our "Obligation to Inform" in this context, in order to protect fundamental rights and freedoms, especially the privacy of private life. Our goal is to inform you in the most transparent way about how your personal data is collected, the purposes of processing, legal reasons, and your rights. You can access more detailed information and our policies such as our clinic's KVKK Policy, Retention and Destruction Policy at www.dentalimplanttrakya.com or from the bulletin boards in our clinic.
PROCESSED PERSONAL DATA
Your personal and special category personal data, primarily your health data belonging to you/your child/the person under your guardianship; your identity information (name, surname, T.R. identity number, signature, etc.), your contact data (address, phone number, e-mail address, etc.), your financial data (payment information, billing information, etc.), your visual data (security camera footage that is constantly recording in common areas), your payer institution information data (your data regarding SSI and private health insurance for the financing and planning of health services), all kinds of personal data related to health information (patient reports, x-rays, examination data, diagnostic data, physician analysis and comments, tomography, appointment information, prescription information, etc.), your health data that you send and/or enter via websites and online services (IP address and other personal data); in short, all kinds of information and documents that serve to make the identity of you, our customers/patients, specific or determinable are within the scope of personal data pursuant to the provision of Article 3/d of the KVKK and can be processed by our company in a balanced and measured manner in connection with the purposes set out in title 2, and can be transferred to the persons, institutions and organizations specified in title 3 within the scope of your explicit consent or the reasons stipulated in the relevant legislation.
PURPOSES AND LEGAL REASONS FOR PROCESSING PERSONAL DATA
Your Personal Data may be processed by DentalImplant Clinic for the following purposes:
To fulfill our legal obligations and the requirements of the employment contract, to carry out fringe benefits and interests processes listed in the Basic Law on Health Services No. 3359, the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, the Regulation on Private Health Institutions Providing Oral and Dental Health Services, the Personal Data Protection Law No. 6698, the Regulation on the Processing of Personal Health Data and Ensuring Privacy, and other relevant legislation,
Identification and verification to prevent your Personal Data from being seized by others, protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and financing,
Planning and managing the internal operations and daily operations of our Dental Clinic, performing management activities, complying with internal policies and principles, supplying custom medicine and/or medical materials and/or devices for you,
Informing you about your appointment, providing information and/or reminding you of your appointment if you make an appointment, sharing information with you through the communication channel you prefer within the scope of treatment and service, determining transaction information,
Fulfilling legal and regulatory requirements, sharing and responding to information acquired with the Ministry of Health and other public institutions and organizations in accordance with the provisions of the legislation, providing necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities, sharing requested information and verifying identity with contracted institutions/organizations, especially private insurance companies within the scope of financing health services, querying your entitlement with institutions/organizations contracted with our Dental Clinic or providing financial reconciliation regarding the health services offered to you with these institutions,
Realization of your payments, e-invoicing, e-archive invoicing and, if necessary, carrying out return and change transactions, issuing invoices for the services we provide,
Analyzing your use of health services and storing your health data in order to develop and improve the health services we offer you, responding to your questions or complaints regarding our services,
Providing necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities, preserving the information regarding your health data that must be kept in accordance with the relevant legislation,
Execution and development of medical diagnosis, treatment and care services, planning and management of health services and financing, increasing patient satisfaction, research and related reasons,
Backing up/archiving, storing and keeping the records of the transactions made, complying with the information retention, reporting, information obligations and the execution of our legal obligations in accordance with the relevant legislative provisions.
Your Personal Data obtained and processed in accordance with the relevant legislation will be protected by taking administrative and technical measures, transferred to the physical archives and/or information systems belonging to DentalImplant Clinic, and kept under preservation in both digital and physical environments for the period specified in title 4. Your personal data can be processed in accordance with the provision of Article 5 of the KVKK provided that it is expressly stipulated in the laws, the establishment and execution of a contract, the fulfillment of a legal obligation, your personal data has been made public by you, and the legitimate interests of the data controller, provided that it does not harm your fundamental rights and freedoms, for the purpose of fulfilling legal obligations arising from the legislation.
TRANSFER OF PERSONAL DATA
By ensuring that all necessary technical and administrative measures are taken to ensure the appropriate level of security in accordance with the KVKK and relevant legislation, your Personal Data may be transferred in line with the purposes set out in section 2; to the persons/institutions and/or organizations permitted by the Basic Law on Health Services No. 3359, the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, the Regulation on Private Health Institutions Providing Oral and Dental Health Services, the Regulation on Outpatient Diagnosis and Treatment, the Personal Data Protection Law No. 6698, the Regulation on Personal Health Data and other relevant legislative provisions; to the relevant Banks depending on the payment method you prefer, to online payment systems, to the relevant insurance company, foundation, fund and their intermediary institutions if you have received services within the scope of insurance/foundation/fund, to the infrastructure provider so that we can offer you a better service, to the relevant institutions/organizations and infrastructure providers within the scope of e-invoicing/e-archive invoicing processes, to the server hosting, archiving, storage and software service providers we work with for the backup/storage/archiving/storage of the transaction records made; to the employees of our Company, legal, financial and tax consultants, auditors to resolve your complaints or a problem that arises or for the performance of our legal obligations, and to persons, institutions and organizations permitted by legislative provisions. While your personal data is transferred to the third parties specified in this article, a transfer will only be made to the extent necessary and within its relevance.
METHOD OF COLLECTION AND RETENTION PERIOD OF PERSONAL DATA
Your Personal Data is collected by DentalImplant Clinic for the purposes specified in title 2, during and/or before and/or after your arrival, verbally, in writing, visually or electronically; via telecommunication means such as telephone, SMS, MMS, etc.; online over the Social Security Institution system; from records shared in case of benefiting from a private insurance company; through the records of other health institutions and organizations; through e-mails and similar channels you send; through the website; and through audio and video recordings made for security purposes, by automatic or non-automatic methods, and is stored in physical and digital environments. Our Company may store the personal data it obtains by complying with the relevant periods in case there is a period stipulated within the scope of the legislative provisions to which it is subject; if such a period is not foreseen, only for the period necessary for the purpose for which they are processed. In accordance with Article 7/1 of the KVKK, your Personal Data will be deleted, destroyed or anonymized when the purpose requiring its processing disappears and/or when the statute of limitations/retention periods that we strictly require to process your data in accordance with the legislation expire.
RIGHTS OF THE PERSONAL DATA SUBJECT
By applying to our Company in writing or by other methods to be determined by the Board; you have the right to a) learn whether your personal data is processed or not, b) request information if your personal data has been processed, c) learn the purpose of processing your personal data and whether they are used in accordance with their purpose, ç) know the third parties to whom your personal data is transferred domestically or abroad, d) request correction of your personal data if it is incomplete or incorrectly processed, e) request the deletion or destruction of your personal data within the framework of the conditions stipulated in Article 7 of the Law, f) request notification of the transactions made pursuant to subparagraphs (d) and (e) listed above to third parties to whom your personal data has been transferred, g) object to the emergence of a result against you due to the analysis of your personal data exclusively by automated systems, and ğ) request compensation for the damage in case you suffer damage due to the unlawful processing of your personal data.
You can submit your requests regarding personal data; together with the necessary information determining your identity and your explanations regarding your right you want to use: a) by an e-mail you will send to our Company's e-mail address bilgi@dentalimplanttrakya.com, b) by a petition/application letter you will send to Kaleici Mah. Semt Karadeniz Cad. No.14 B Catalca/Istanbul address via return receipt registered mail, notary public or hand delivery method.
I accept and declare that I have read and understood the Clarification Text notified to me, that I have been informed clearly and understandably about the purposes and methods by which the above-mentioned personal data belonging to me/the child under my custody will be processed, and my rights arising from Law No. 6698 and how I will exercise these rights.
DENTALIMPLANT CLINIC TRAKYA SAĞLIK HİZM. LTD. ŞTİ. POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
As the data controller DENTALIMPLANT CLINIC TRAKYA SAĞLIK HİZM. LTD. ŞTİ. (hereinafter referred to as "DentalImplant Clinic"), it is our clinic/company policy to inform you about the "Personal Data Protection Law" (KVKK), which regulates personal data, in order to protect fundamental rights and freedoms, especially the privacy of private life. Our goal is to inform you in the most transparent way about how your personal data is collected, storage methods, destruction methods, purposes of processing, legal reasons, and your rights. You can access more detailed information and our policies such as our clinic's KVKK Policy, Retention and Destruction Policy at www.dentalimplanttrakya.com or from the bulletin boards in our clinic.
You can access the "application form" regarding the applications to be made to our clinic in accordance with the KVKK by clicking here.
In accordance with the Personal Data Protection Law No. 6698 and the regulation on the Processing of Personal Health Data and Ensuring Privacy and related legislation, protecting personal data within the framework of the following basic principles has been adopted as an institutional policy.
Processing personal data in accordance with the law and honesty rules,
Keeping personal data accurate and up-to-date when necessary,
Processing personal data for specific, explicit and legitimate purposes,
Processing personal data limited and measured in connection with the purpose for which they are processed,
Preserving personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed,
Clarifying and informing personal data subjects,
Establishing the necessary system for personal data subjects to exercise their rights,
Taking necessary measures in the protection of personal data,
Acting in accordance with the relevant legislation and KVK Board regulations in the transfer of personal data to third parties in line with the requirements of the processing purpose,
Showing necessary sensitivity to the processing and protection of special category personal data,
Deleting and destroying personal data in the form and time defined in accordance with the law
DEFINITIONS MADE IN ACCORDANCE WITH KVKK
Data Controller: Represents DENTALIMPLANT CLINIC TRAKYA SAĞLIK HİZM. LTD. ŞTİ.
Data Subject/Natural Person: Represents the personal data owner.
Recording Medium: Represents any environment where personal data is processed wholly or partly by automatic means or by non-automatic means provided that it forms part of a data filing system.
Site: Represents the website located at https://www.dentalimplanttrakya.com/index.php/tr/ .
Data Processor: Represents the natural or legal person who processes personal data on behalf of the data controller upon its authorization.
Data Controller (Main definition): Represents the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
Visitor: Real persons who have entered the physical areas owned by our Institution for various purposes or visited our websites.
Patient: The person who applies to our Institution for examination and treatment and receives outpatient or inpatient treatment.
Special Category Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special category personal data.
Law No. 6698/KVKK: Represents the Personal Data Protection Law.
PROCESSED PERSONAL DATA
Your personal and special category personal data, primarily your health data belonging to you/your child/the person under your guardianship; your identity information, contact data, financial data, visual data, payer institution information data, all kinds of personal data related to health information, patients, employees and employee candidates sent and entered via websites and online services, in short, all kinds of information and documents that serve to make the identity of you, our customers/patients/employees specific or determinable are within the scope of personal data pursuant to the provision of Article 3/d of the KVKK and can be processed by our company in a balanced and measured manner in connection with the purposes set out in title 2, and can be transferred to the persons, institutions and organizations specified in title 3 within the scope of your explicit consent or the reasons stipulated in the relevant legislation.
You can also access the data processed in accordance with the KVKK in detail by clicking on the "Privacy Notice (Clarification Text)".
PURPOSES AND LEGAL REASONS FOR PROCESSING PERSONAL DATA
Your Personal Data may be processed by DentalImplant Clinic for the following purposes:
To fulfill our legal obligations and the requirements of the employment contract, to carry out fringe benefits and interests processes listed in the Basic Law on Health Services No. 3359, the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, the Regulation on Private Health Institutions Providing Oral and Dental Health Services, the Personal Data Protection Law No. 6698, the Regulation on the Processing of Personal Health Data and Ensuring Privacy, and other relevant legislation,
Identification and verification to prevent your Personal Data from being seized by others, protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and financing,
Planning and managing the internal operations and daily operations of our Dental Clinic, performing management activities, complying with internal policies and principles, supplying custom medicine and/or medical materials and/or devices for you,
Informing you about your appointment, providing information and/or reminding you of your appointment if you make an appointment, sharing information with you through the communication channel you prefer within the scope of treatment and service, determining transaction information,
Fulfilling legal and regulatory requirements, sharing and responding to information acquired with the Ministry of Health and other public institutions and organizations in accordance with the provisions of the legislation, providing necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities, sharing requested information and verifying identity with contracted institutions/organizations, especially private insurance companies within the scope of financing health services, querying your entitlement with institutions/organizations contracted with our Dental Clinic or providing financial reconciliation regarding the health services offered to you with these institutions,
Realization of your payments, e-invoicing, e-archive invoicing and, if necessary, carrying out return and change transactions, issuing invoices for the services we provide,
Analyzing your use of health services and storing your health data in order to develop and improve the health services we offer you, responding to your questions or complaints regarding our services,
Providing necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities, preserving the information regarding your health data that must be kept in accordance with the relevant legislation,
Execution and development of medical diagnosis, treatment and care services, planning and management of health services and financing, increasing patient satisfaction, research and related reasons,
Backing up/archiving, storing and keeping the records of the transactions made, complying with the information retention, reporting, information obligations and the execution of our legal obligations in accordance with the relevant legislative provisions.
Making EFT/money transfer transactions in order to realize salary payments.
Your Personal Data obtained and processed in accordance with the relevant legislation will be protected by taking administrative and technical measures, transferred to the physical archives and/or information systems belonging to DentalImplant Clinic, and kept under preservation in both digital and physical environments for the period specified in title 4. Personal data can be processed in accordance with the provision of Article 5 of the KVKK provided that it is expressly stipulated in the laws, the establishment and execution of a contract, the fulfillment of a legal obligation, your personal data has been made public by you, and the legitimate interests of the data controller, provided that it does not harm your fundamental rights and freedoms, for the purpose of fulfilling legal obligations arising from the legislation.
PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES STIPULATED IN THE LEGISLATION
Processing in Accordance with the Law and the Principle of Honesty
Our Institution acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. Our Institution takes proportionality requirements into consideration in the processing of personal data and does not use personal data outside its purpose.
Ensuring Personal Data is Accurate and Up-to-Date When Necessary
Our Institution takes the necessary measures to ensure that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of the personal data subjects and its own legal interests.
Processing for Specific, Explicit and Legitimate Purposes
Our Institution clearly and precisely determines the legitimate and lawful purpose of processing personal data. Our Institution processes personal data only as much as is necessary and connected to the service it provides. Our Institution notifies for what purpose the personal data will be processed before the personal data processing activity begins.
Being Connected, Limited and Measured to the Purpose for which they are Processed
Our Institution processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed. For example, a personal data processing activity aimed at meeting potential future needs is not carried out.
Retention for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed
Our Institution retains personal data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, our Institution first determines whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, it complies with this period, and if a period is not determined, it stores personal data for the period necessary for the purpose for which they are processed. At the end of the period or when the reasons requiring processing disappear, personal data is deleted, destroyed or anonymized by our Institution.
Processing of Special Category Personal Data
In the processing of personal data determined as "special category" by the KVK Law, our Institution acts with sensitivity in compliance with the regulations stipulated in the KVK Law.
In Article 6 of the KVK Law, a number of personal data that carry the risk of causing grievance or discrimination to individuals when processed unlawfully are determined as "special category". These data are; race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics data.
In accordance with the KVK Law, our Institution processes special category personal data (only health data and criminal record) in the following situations, provided that sufficient measures to be determined by the KVK Board are taken:
Special category personal data relating to the health and sexual life of the personal data subject are only processed by persons under the obligation of secrecy or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
TRANSFER OF PERSONAL DATA
By ensuring that all necessary technical and administrative measures are taken to ensure the appropriate level of security in accordance with the KVKK and relevant legislation, your Personal Data may be transferred in line with the purposes set out in section 2; to the persons/institutions and/or organizations permitted by the Labor Law No. 4857, Occupational Health and Safety Law No. 6331, Basic Law on Health Services No. 3359, the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, the Regulation on Private Health Institutions Providing Oral and Dental Health Services, the Regulation on Outpatient Diagnosis and Treatment, the Personal Data Protection Law No. 6698, the Regulation on Personal Health Data and other relevant legislative provisions; to the relevant Banks depending on the payment method you prefer, to online payment systems, to the relevant insurance company, foundation, fund and their intermediary institutions if you have received services within the scope of insurance/foundation/fund, to the infrastructure provider so that we can offer you a better service, to the relevant institutions/organizations and infrastructure providers within the scope of e-invoicing/e-archive invoicing processes, to the server hosting, archiving, storage and software service providers we work with for the backup/storage/archiving/storage of the transaction records made; to the employees of our Company, legal, financial and tax consultants, auditors to resolve your complaints or a problem that arises or for the performance of our legal obligations, and to persons, institutions and organizations permitted by legislative provisions. While personal data is transferred to the third parties specified in this article, a transfer will only be made to the extent necessary and within its relevance.
The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality agreement.
COLLECTION METHOD OF PERSONAL DATA; RETENTION PERIOD and DESTRUCTION METHOD
Your Personal Data is collected by DentalImplant Clinic for the purposes specified in title 2, during and/or before and/or after your arrival, verbally, in writing, visually or electronically; via telecommunication means such as telephone, SMS, MMS, etc.; online over the Social Security Institution system; from records shared in case of benefiting from a private insurance company; through the records of other health institutions and organizations; through e-mails and similar channels you send; through the website; and through audio and video recordings made for security purposes, by automatic or non-automatic methods, and is stored in physical and digital environments. Our Company may store the personal data it obtains by complying with the relevant periods in case there is a period stipulated within the scope of the legislative provisions to which it is subject; if such a period is not foreseen, only for the period necessary for the purpose for which they are processed.
In accordance with Article 7/1 of the KVKK, Personal Data will be deleted, destroyed or anonymized when the purpose requiring its processing disappears and/or when the statute of limitations/retention periods that we strictly require to process the data in accordance with the legislation expire.
For our detailed retention and destruction methods and procedures, you can visit our "Retention and Destruction Procedure" page.
TECHNICAL AND ADMINISTRATIVE MEASURES
All administrative and technical measures taken by the Clinic in order to ensure the secure storage of your personal data, prevent unlawful processing and access, and destroy the data in accordance with the law are listed below:
The administrative measures taken and being taken by the Clinic are as follows, but not limited to those listed below:
Personal Data Inventory has been prepared and is updated during the process.
It registers with VERBIS and updates the information in the registry in case of any change.
In the event that the processed personal data is obtained by others through unlawful means, it notifies the relevant person and the Board as soon as possible.
It limits the in-Clinic access to stored personal data to the personnel required to access it by their job description.
The qualifications and technical knowledge/skills of the employees are improved, and the unlawful processing of personal data is prevented.
It includes confidentiality obligations and non-disclosure clauses in employment contracts signed with employees.
The Clinic conducts periodic checks, ensuring that the privacy and security vulnerabilities that arise as a result of the control and/or audit are resolved.
Regarding the sharing of personal data, it signs a framework agreement regarding the protection of personal data and data security with the persons with whom personal data is shared, or ensures data security with provisions added to its current contract. It also concludes confidentiality agreements.
It takes the necessary security measures regarding access to physical environments containing personal data (locked cabinets, etc.) and ensures the security of physical environments against external risks.
Confidential documents such as Employee Personnel Files, Patient Files, Board of Directors decisions will be stored in a lockable cabinet. A copy will be provided electronically in a shared folder.
All Employees will use a document destruction method to destroy confidential documents to ensure that no information is exposed to fraudulent use.
Trainings are provided on preventing unlawful access to Personal Data, ensuring the preservation of personal data, communication techniques and relevant legislation.
A disciplinary procedure is applied for employees who do not comply with security policies and procedures.
The obligation to inform the relevant persons is fulfilled, and periodic and random audits are carried out within the institution.
The technical measures taken and being taken by the Clinic are as follows, but not limited to those listed below:
It carries out the processes of realizing information technologies risk assessment and business impact analysis within the scope of the installed systems.
It ensures the provision of technical infrastructure that will prevent or observe data leakage outside the institution and the creation of related matrices.
It protects any digital environment where personal data is stored with encrypted methods to meet information security requirements.
Provides network security and application security.
Ensures the security of personal data stored on the server.
Ensures the creation of an authorization matrix for employees.
Keeps access logs regularly.
Removes the authorizations of employees whose duties change or who leave their jobs in this field.
Uses up-to-date anti-virus systems.
Takes necessary precautions to prevent Personal Data from being transferred in any way via portable memory, CD, DVD.
RIGHTS OF THE PERSONAL DATA SUBJECT
By applying to our Company in writing or by other methods to be determined by the Board; data subjects have the right to a) learn whether personal data is processed or not, b) request information if personal data has been processed, c) learn the purpose of processing personal data and whether they are used in accordance with their purpose, ç) know the third parties to whom personal data is transferred domestically or abroad, d) request correction of personal data if it is incomplete or incorrectly processed, e) request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law, f) request notification of the transactions made pursuant to subparagraphs (d) and (e) listed above to third parties to whom personal data has been transferred, g) object to the emergence of a result against you due to the analysis of personal data exclusively by automated systems, and ğ) request compensation for the damage in case you suffer damage due to the unlawful processing of personal data.
You can submit your requests regarding personal data; together with the necessary information determining your identity and your explanations regarding your right you want to use: a) by an e-mail you will send to our Company's e-mail address bilgi@dentalimplanttrakya.com, b) by a petition/application letter you will send to Kaleici Mah. Semt Karadeniz Cad. No.14 B Catalca/Istanbul address via return receipt registered mail, notary public or hand delivery method.
For detailed information, you can visit our "Privacy Notice" page.
Entry into Force of the Policy
DENTALIMPLANT CLINIC TRAKYA SAĞLIK HİZM. LTD. ŞTİ. Policy on the Protection and Processing of Personal Data entered into force on 01.03.2021. If the Policy is renewed in whole or in part, the effective date for each renewed article is the date on which that article was revised.
The policy is published on the website of our Institution (www.dentalimplanttrakya.com).
DENTALIMPLANT CLINIC TRAKYA SAĞLIK HİZM. LTD. ŞTİ. PERSONAL DATA RETENTION AND DESTRUCTION PROCEDURE
Effective Date: 01.03.2021
1. PURPOSE
The purpose of this procedure is to determine the methods and principles to be complied with within the Clinic and/or by the Clinic in the obligations regarding the retention, deletion, destruction or anonymization of Personal Data of DENTALIMPLANT CLINIC TRAKYA SAĞLIK HİZM. LTD. ŞTİ. ('Clinic') in accordance with the Personal Data Protection Law No. 6698 and the Regulation on the Deletion, Destruction or Anonymization of Personal Data.
2. SCOPE
This Policy covers all activities for Personal Data processed by the Clinic and applies to these activities. Regarding the storage of these Personal Data, the rules regulated by this policy cover all personal data in printed, electronic or other media related to customers/patients, suppliers, employees or other real persons.
3. DEFINITIONS
The terms used in this Policy have the following meanings:
"Personal Data": Means any information relating to an identified or identifiable natural person.
"KVKK": Means the Personal Data Protection Law No. 6698.
"Processing of Personal Data": Means any operation performed upon Personal Data such as obtaining, recording, storing, retaining, altering, re-organizing, disclosing, transferring, taking over, making available, classifying or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system.
"Explicit Consent": Means consent regarding a specific subject, based on information and expressed with free will.
"Electronic Environment": Means the environments where Personal Data can be created, read, changed and written with electronic devices.
"Board": Means the Personal Data Protection Board.
"Anonymization": Means rendering Personal Data impossible to link with an identified or identifiable natural person, even through matching them with other data.
"Destruction": Means irreversibly destroying Personal Data.
"Deletion": Means irreversibly cleaning Personal Data or making them inaccessible for relevant users.
"Data Inventory": Means the inventory containing information regarding the Clinic's Personal Data Processing activities, such as Personal Data Processing processes and methods, Personal Data Processing purposes, data category, third parties to whom Personal Data is transferred, etc.
"Data Controller Contact Person": Means the person who conducts the relations of the Clinic with the Authority and is appointed by the Clinic.
"Data Subjects": Means all real persons whose Personal Data are processed by or on behalf of the Clinic, Employee/Supplier/Customer/Patient.
4. RESPONSIBILITIES
4.1. The deletion, destruction and anonymization of personal data is carried out by the Clinic in accordance with the technical and administrative measures specified in this procedure, the provisions of the relevant legislation, and the decisions of the Personal Data Protection Board ('Board').
4.2. Unless the Board decides otherwise, we select ex officio the appropriate method among deleting, destroying or anonymizing personal data. However, upon the request of the Data Subject, the appropriate method will be chosen by explaining the justification.
4.3. All transactions regarding the deletion, destruction, and anonymization of personal data are recorded by the Clinic and these records are kept for the periods described in Article 6, excluding other legal obligations.
4.4. It is the responsibility of all employees and the Data Contact Person to ensure that the Clinic does not hold Personal Data for its activities and to ensure the deletion and/or archiving of Personal Data.
4.5. In the event that all the conditions for processing personal data in Articles 5 and 6 of the Law disappear, personal data is ex officio or upon the request of the relevant person deleted, destroyed or anonymized by the Clinic during periodic destruction times.
In the event that the Data Subject applies to the Clinic regarding this matter; the submitted requests are concluded within a maximum of 30 (thirty) days and the relevant person is informed. In the event that the data subject to the request has been transferred to third parties, this situation is notified to the third party to whom the data is transferred and it is ensured that the necessary actions are taken before the third parties.
5. STORAGE OF PERSONAL DATA
5.1. Personal data belonging to Data Subjects are stored safely by the Clinic in the physical or electronic environments listed above, specifically for the purposes of (i) maintaining health services, (ii) fulfilling legal obligations, (iii) planning and executing employee rights and fringe benefits, and (iv) managing customer/patient relations, within the limits specified in the KVKK and other relevant legislation.
5.2. Reasons requiring storage are as follows:
· Retaining personal data because it is directly related to the provision of health services / establishment and performance of contracts,
· Retaining personal data for the establishment, exercise or protection of a right,
· Retaining personal data for the legitimate interests of the Clinic, provided that it does not harm the fundamental rights and freedoms of individuals,
· Retaining personal data for the purpose of fulfilling any legal obligation of the Clinic,
· Explicit provision of retaining personal data in the legislation,
· Explicit consent of data subjects in terms of retention activities requiring the explicit consent of data subjects.
5.3. Personal Data is kept within the Clinic for the relevant legal retention/statute of limitations periods, and is stored for the period necessary to carry out the activities associated with this data and the purposes specified in this Procedure. Personal Data whose usage purpose has ended and legal retention period/statute of limitations has expired are deleted, destroyed or anonymized by the Clinic in accordance with Article 7 of the KVKK.
6. RETENTION AND DESTRUCTION PERIODS
6.1. The method to be applied in the destruction of the data in question is determined according to the nature of the data and its degree of importance to our Clinic.
6.2. Whether the storage of the data complies with the principles set out in Article 4 of the KVKK is examined. Data whose storage is determined to be in violation of the principles set out in Article 4 of the KVKK are deleted, destroyed or anonymized.
6.3. It is determined under which of the exception(s) foreseen in Articles 5 and 6 of the KVKK the storage of the data can be evaluated. Within the framework of the determined exceptions, the reasonable periods for which the data must be stored are determined. When these periods expire, the data is deleted, destroyed or anonymized.
6.4. In the retention and destruction procedures of your personal data obtained by our Clinic in accordance with the provisions of KVKK and other relevant legislation, if a period is foreseen for the retention of the personal data in question in the Legislation, this period is complied with.
6.5. Personal data whose retention period has expired is destroyed in accordance with the procedures included in this Procedure every year in January and July, in 6-month periods, within the framework of the destruction periods determined by the Clinic.
6.6. All transactions made regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
6.7. Personal Data retention and destruction periods are as follows.
7. RETENTION AND DESTRUCTION METHODS
7.1. RECORDING MEDIA
DATA TYPE | RETENTION PERIOD | DESTRUCTION PERIOD
Emails and In-Clinic correspondence | 10 years | At the first periodic destruction period following the end of the retention period
Contracts | For 10 years following the termination of the contract | At the first periodic destruction period following the end of the retention period
Patient files | For 20 years following the last interaction with the patient (end of treatment) | At the first periodic destruction period following the end of the retention period
Employee Records | During their employment period | At the first periodic destruction period following the end of the retention period
Former Employee Records | For 10 years following their departure from the job | At the first periodic destruction period following the end of the retention period
Accounting and Finance Records | 10 years | At the first periodic destruction period following the end of the retention period
Internal Clinic Complaints and Related Documents | 10 years | At the first periodic destruction period following the end of the retention period
Legal Records | 10 years | At the first periodic destruction period following the end of the retention period
Official Correspondence | Indefinite | At the first periodic destruction period following the end of the retention period
Tax Records | 10 years | At the first periodic destruction period following the end of the retention period
Personal data belonging to data subjects are stored safely by the Clinic in the environments listed in the table below, especially in accordance with the provisions of KVKK and relevant legislation and within the framework of international data security principles:
Web Browser Supported Antivirus Program
FILE SERVER
Locked Unit Cabinets
Restricted Access to Units
7.2. TECHNICAL AND ADMINISTRATIVE MEASURES
All administrative and technical measures taken by the Clinic in order to ensure the secure storage of your personal data, prevent unlawful processing and access, and destroy the data in accordance with the law are listed below:
7.2.1. The administrative measures taken and being taken by the Clinic are as follows, but not limited to those listed below:
Prepares a Personal Data Inventory and updates it during the process.
Registers with VERBIS and updates the information in the registry in case of any change.
In the event that processed personal data is obtained by others through unlawful means, notifies the relevant person and the Board as soon as possible.
Limits in-Clinic access to stored personal data to the personnel required to access it by their job description.
Improves the qualifications and technical knowledge/skills of the employees, prevents unlawful processing of personal data.
Includes confidentiality obligations and non-disclosure clauses in employment contracts signed with employees.
The Clinic conducts periodic checks, ensuring that privacy and security vulnerabilities that arise as a result of the control and/or audit are resolved.
Regarding the sharing of personal data, signs a framework agreement regarding the protection of personal data and data security with the persons with whom personal data is shared, or ensures data security with provisions added to its current contract. Makes confidentiality agreements.
Takes the necessary security measures regarding access to physical environments containing personal data (locked cabinets, etc.) and ensures the security of physical environments against external risks.
Confidential documents such as Employee Personnel Files, Patient Files, Board of Directors decisions will be stored in a lockable cabinet. A copy will be provided electronically in a shared folder.
All Employees will use a document destruction method to destroy confidential documents to ensure that no information is exposed to fraudulent use.
Trainings are provided on preventing unlawful access to Personal Data, ensuring the preservation of personal data, communication techniques and relevant legislation.
A disciplinary procedure is applied for employees who do not comply with security policies and procedures.
The obligation to inform the relevant persons is fulfilled, and periodic and random audits are carried out within the institution.
7.2.2. The technical measures taken and being taken by the Clinic are as follows, but not limited to those listed below:
Carries out information technology risk assessments and business impact analyses within the scope of the installed systems.
Provides the technical infrastructure to prevent or monitor data leakage outside the institution and creates the related matrices.
Protects any digital environment where personal data is stored with encrypted methods to meet information security requirements.
Provides network security and application security.
Ensures the security of personal data stored on the server.
Ensures the creation of an authorization matrix for employees.
Keeps access logs regularly.
Removes the authorizations of employees whose duties change or who leave their jobs in this field.
Uses up-to-date anti-virus systems.
Takes necessary precautions to prevent Personal Data from being transferred in any way via portable memory, CD, DVD.
8. METHODS OF DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA
Personal data obtained by the Clinic in accordance with the KVKK and other relevant legislation will be destroyed by the Clinic ex officio or upon the application of the Data Subject, in accordance with the Law and relevant legislative provisions, using the techniques specified below, in the event that the personal data processing purposes listed in the Law and the Regulation disappear.
8.1. DELETION OF PERSONAL DATA
8.1.1. Secure Deletion from Computer: When data processed wholly or partially and stored in digital environments are deleted, methods are used that delete the data from the relevant computers so that it is completely inaccessible to and cannot be reused by the Relevant Users.
However, if the process of deleting personal data will result in not being able to access other data within the system and not being able to use these data, personal data will be considered deleted if they are archived by making them unassociated with the relevant person, provided that the following conditions are met.
Being closed to the access of any other institution, organization or person,
Taking all necessary technical and administrative measures to ensure that personal data is accessed only by authorized persons.
8.1.2. Blacking Out Personal Data in Paper Environment: This is the method of physically cutting out the relevant personal data from the document or closing it, making it invisible by using permanent ink in a way that cannot be reversed and read, in order to prevent non-purposeful use of personal data or to delete the data requested to be deleted.
8.2. DESTRUCTION OF PERSONAL DATA
8.2.1. Destruction in Digital Environment: A system is implemented in which records kept in a computer environment and data obtained through the website are destroyed so that personal data cannot be used later.
8.2.2. Physical Destruction: Personal data can also be processed through non-automatic ways provided that it is a part of any data recording system. While such data is being destroyed, a physical destruction system is applied so that the personal data cannot be used later.
8.3. ANONYMIZATION OF PERSONAL DATA
The Clinic ensures the anonymization of personal data through methods such as extracting records, changing variables, and generalizing.