• Op. Dr. Songül Dursun - Kişisel Web Sitesi
İletişim Numarası: +90 554 996 95 67
Pazartesi - Cumartesi: 09:00 - 20:00
Make An Appointment

Terms of Use

Home
Terms of Use

Personal Data Retention and Destruction Policy

Data controller Law No. 6698 on the Protection of Personal Data, Regulation on the Erasure, Destruction, or Anonymization of Personal Data and other relevant legislation.

The purpose of this policy is to establish the general principles and guidelines regarding the storage, erasure, destruction, or anonymization of personal data belonging to natural persons subject to personal data processing activities conducted by our clinic.

Definitions

Explicit Consent: Consent that is specific to a particular matter, based on information provided, and freely given.

Recipient Group: A category of natural or legal persons to whom the data controller transfers personal data.

Anonymization: The process of rendering personal data such that it cannot be associated with any identified or identifiable natural person, even if combined with other data.

Relevant User: These are individuals who process personal data within the data controller’s organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.

Destruction: The deletion, destruction, or anonymization of personal data.

B Personal Data:B /strong Any information relating to an identified or identifiable natural person. Information such as first and last name, Turkish ID number, email address, phone number, address, date of birth, and bank account details falls under the scope of personal data.

Data Subject: A natural person whose personal data is processed.

Processing of Personal Data: Any operation performed on personal data, such as the collection, recording, storage, retention, modification, transfer, classification, erasure, or restriction of use of such data.

Special Category Personal Data: Primarily health data; race, ethnic origin, political opinions, philosophical beliefs, religion, denomination, attire, membership in associations/foundations/unions, sexual life, criminal convictions, and data related to security measures, as well as biometric and genetic data.

Periodic Destruction: This refers to the process of deleting, destroying, or anonymizing personal data at the intervals specified in this policy when all conditions for processing personal data under the KVKK have ceased to exist.

Records Covered by the Policy

This policy covers all personal data subject to data processing activities within the scope of the KVKK. Documents evaluated under this policy include both physical and digital record environments.

Personal data processed by our clinic may be stored in the following environments:

Clinical computers,
  • Email accounts,
  • Digital patient record systems,
  • Desktop and laptop computers,
  • Work-related devices belonging to authorized staff,
  • Backup storage areas,
  • Paper patient records,
  • Folders and archives,
  • Visitor logs,
  • Portable data storage media such as CDs, DVDs, USB drives, and external hard drives,
  • Printers, photocopiers, and similar technical equipment.

    • Reasons Requiring the Storage and Destruction of Personal Data

    The following fundamental principles are followed in personal data processing activities:

    • Ensuring that personal data is accurate and, where necessary, up-to-date,
    • Processing for specific, explicit, and legitimate purposes,
    • Retaining personal data for the period prescribed by applicable legislation or as necessary for the purpose of processing.

    Our clinic stores and uses personal data based on the conditions for processing personal data specified in Articles 5 and 6 of the Personal Data Protection Law (KVKK). If all of these conditions cease to exist, personal data is deleted, destroyed, or anonymized.

    The conditions for the processing and retention of personal data may arise in the following cases:

    Existence of Explicit Consent: The data subject’s explicit consent to the processing of their personal data.

    Explicit Provision in Laws: The processing of personal data in situations explicitly specified by law.

    Actual Impossibility: The necessity of data processing to protect the life or physical integrity of the individual who is unable to express consent or of another person.

    B Conclusion or Performance of a Contract: The necessity of processing personal data for the conclusion or performance of a contract.

    Legal Obligation: The necessity of data processing for our clinic to fulfill its legal obligations.

    Public Disclosure of Data: The data subject has made their personal data publicly available themselves.

    Establishment or Protection of a Right: The necessity of data processing for the establishment, exercise, or protection of a right.

    B Legitimate Interest:B /strong> The necessity of data processing for the legitimate interests of our clinic, provided that this does not infringe upon the data subject’s fundamental rights and freedoms.

    Erasure, Destruction, or Anonymization of Personal Data

    Personal data;

  • Changes to or the repeal of the legal provisions governing its processing,
  • In cases where personal data is processed solely based on explicit consent, the data subject withdrawing their explicit consent,
  • The expiration of the maximum period for which personal data must be stored,
  • The absence of a legal basis requiring the retention of data for a longer period,

    • in such cases, the data is deleted, destroyed, or anonymized by our clinic.

    Unless the Personal Data Protection Board decides otherwise, the appropriate method for deleting, destroying, or anonymizing personal data is determined by our clinic, taking into account technological capabilities, data structure, and implementation costs.

    Upon the data subject’s request, the rationale for the disposal method applied may be explained to them. All necessary technical and administrative measures are taken during all disposal processes.

    Technical and Administrative Measures Taken

    Our clinic takes the necessary technical and administrative measures to ensure the security of personal data in accordance with Article 12 of the Personal Data Protection Law (KVKK) and the relevant regulations.

    In this context:

    • Authorized individuals who may access personal data are identified.
    • Patient records and personal health data are stored in a manner accessible only to authorized personnel.
    • Patient information may only be disclosed to the patient themselves, their close relatives with written consent, public institutions authorized under the law, or judicial authorities.
    • Employees and service providers are informed of their confidentiality obligations.
    • Confidentiality agreements and contracts are established as necessary.
    • The necessary infrastructure is provided for backing up digital data.
    • The relevant individuals are provided with the necessary information before personal data processing begins.
    • Personal data processing procedures are conducted in compliance with the law.
    • Physical archives and digital records are protected against unauthorized access.

    Retention and Destruction Periods

    If all conditions for processing personal data have ceased to exist, the request is resolved within 30 days at the latest, and the data subject is informed. If the personal data subject to the request has been transferred to third parties, this situation is notified to the relevant third parties, and the necessary actions are ensured.

    If the conditions for processing personal data have not completely ceased to exist, the request may be rejected with an explanation of the grounds under Article 13 of the KVKK. The rejection notice is communicated to the data subject in writing or via digital means within 30 days at the latest. “ data-end=”8057″>30 days in writing or via digital means to the data subject.

    Periodic Destruction Periods

    When the obligation to destroy personal data arises, personal data is deleted, destroyed, or anonymized during the first periodic destruction process.

    Periodic disposal procedures at our clinic are carried out in 6-month intervals.

    At the first periodic destruction period following the end of the retention period
    ProcessRetention PeriodDisposal Period
    Preparation of contracts10 years from the end of the contractDuring the first periodic destruction period following the end of the retention period
    Conducting human resources processesHardware and software access processes5 yearsDuring the first periodic destruction period following the end of the retention period
    Visitor and meeting participant records5 yearsDuring the first periodic destruction period following the expiration of the retention period
    Personal health dataFor the period specified in the relevant legislation
    Identity dataFor the period specified in the relevant legislationDuring the first periodic destruction period following the end of the retention period
    Camera footageFor the duration required by applicable legislationDuring the first periodic destruction period following the expiration of the retention period

    Effective Date

    This policy is deemed to have entered into effect as of the date it was published on the drsongul.com website.

    Op. Dr. Songül Dursun Clinic reserves the right to make changes to this policy as deemed necessary. The current version of the policy becomes effective as soon as it is published on the website.