Phone : +90 252 363 06 16
info@czdent.com.tr
Phone : +90 252 363 06 16
info@czdent.com.tr
Private CZ Dent Oral and Dental Health Service. Ltd. Sti. We attach great importance to the Protection of Personal Data. Protection of personal data is among the most important priorities of our company. The most important pillar of this issue is managed by this Policy; Protection and processing of personal data of our customers, clients, employees, employee candidates, visitors and third parties. The activities we carry out regarding the protection of personal data of our employees are also managed in line with the principles in this policy. According to the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. Regarding the protection of personal data, which is a constitutional right, our company is governed by this Policy; pays due attention to the protection of all personal data and makes this a policy. In this context, all necessary administrative and technical measures are taken by our company for the protection of personal data processed in accordance with the relevant legislation.
The purpose of this Personal Data Protection, Storage, Disposal and Compliance policy (policy); In the protection and processing of personal data in accordance with the purpose of the law, to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, and to protect the real persons who process them and to Private CZ Dent Oral and Dental Health Services. Ltd. Sti.'s obligations and principles to be followed in accordance with the relevant law and other legal regulations.
This Policy; It applies to real persons whose data are processed in accordance with the provisions of the Law, and to natural and legal persons who process this data fully or partially automatically or non-automatically, provided that they are part of any data recording system.
From the implementation of this policy, Private CZ Dent Oral and Dental Health Service. Ltd. Sti. is responsible.
Explicit consent: Consent on a specific subject, based on information and expressed with free will,
Anonymization: Making personal data unable to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data,
Ministry: Ministry of Health
General Directorate: Health General Directorate of Information Systems
Relevant person: Real person whose personal data is processed,
Personal Health Record System:The system established in accordance with e-government applications that provides access to the health data of the data subjects themselves or the third parties they authorize,
Personal data: All kinds of information regarding an identified or identifiable natural person,
Personal Health Data: All kinds of health care related to an identified or identifiable natural person processing of
personal data:Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. Processing of
Personal Health Data:
Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or retrieving personal health data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. all kinds of operations carried out on health data such as preventing its use,
Commission: Personal Health Data Commission established within the Ministry
Board: Personal Data Protection Board,
Institution: Personal Data Protection Authority,
Central Health Data System: Data system created by the Ministry to collect personal health data,
Data processor: Real or legal person who processes personal data on behalf of the data controller based on the authority given to him,
Undersecretary: Undersecretary of the Ministry of Health,
Health service provider: Real persons who provide or produce health services and public law and private law legal entities,
USVS: National Health Data Dictionary published by the Ministry,
Directive: Information Security Policies Directive published by the Ministry,
Data Controller: The natural or legal person who determines the purposes and means of processing of Personal Data and is responsible for the establishment and management of the data recording system,
Law/KVKK: Law on Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677. KVK
Board: Personal Data Protection Board
KVK Agency: Personal Data Protection Agency
Policy: Personal Data Processing and Protection Policy
Recipient group:The category of natural or legal persons to whom personal data is transferred by the data controller,
Relevant user: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical storage, protection and backup of the data,
Destruction : Deletion, destruction or anonymization of personal data,
Law: Law on Protection of Personal Data No. 6698 of 24/3/2016,
Recording medium:All kinds of environments containing personal data that are fully or partially automated or processed by non-automatic means, provided that they are part of any data recording system,
Personal data processing inventory: Personal data processing activities carried out by data controllers depending on their business processes; Personal data storage and destruction, Personal data storage and destruction ,
Personal data storage and destruction policy:The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed and the process of deletion, destruction and anonymization,
Board: Personal Data Protection Board,
Periodic destruction: In case all the processing conditions of personal data in the law are eliminated The deletion, destruction or anonymization process specified in the personal data storage and destruction policy and to be carried out ex officio at repetitive intervals,
Registry: The registry of data controllers kept by the Presidency of the Personal Data Protection Authority,
Data recording system:
Data controller: means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
.
For definitions not included in this Policy, the definitions in the Law apply.
a.Constitution
b.Personal Data Protection Law-
No.6698 c.Regulation on the Working Procedures and Principles of the Personal Data Protection Board
d.Regulation on the Amendment of the Regulation on the Processing of Personal Health Data and Ensuring the Confidentiality
e. Regulation on the
Data Controllers Registry
A. Article 20 of the 1982 Constitution
"Everyone has the right to demand the protection of personal data relating to him/
herself
" Confidentiality of Private Life, Collection and Protection of Personal Data"
Provisions of the E. Labor Law directly related to the Protection of Personal Data of the worker
F. Occupational Health and Safety Law Article 15/5
"Health information is kept confidential in order to protect the private life and reputation of the employee who has undergone a health examination."
Law No. 6705 on the approval of the relevant protocol
Personal data, Private CZ Dent Oral and Dental Health Service. Ltd. Sti. and company employees within the scope of the following principles;
a. Compliance with the law and the rules of honesty,
b.
Keeping accurate and up-to-date when necessary,-
c. Processing for specific, clear and legitimate purposes, d. Processing in
connection with the purpose for which they are processed, limited and measured,
e. Necessary for the purpose for which they are processed or stipulated in the relevant legislation. storage for as long as
f. Enlightening and informing the
personal data owners, g. Establishing the necessary system for the personal data owners to exercise their rights,
h.
Taking the necessary measures for the protection of personal data,
I. Acting in
accordance with the regulations of the KVK Board,
j. Private CZ Dent Oral and Dental Health Service. Ltd. Şti. to inform and train its employees about the law on the protection of personal data and the processing of personal data in accordance with the law,
k. Complying with the decisions of the KVK Board,
l. Putting the necessary clauses in the contracts and keeping them up to date.
Private CZ Dent Oral and Dental Health Service. Ltd. Sti. and company employees act within the framework of the following principles in the storage and destruction of personal data;
a. In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law and the technical and administrative measures specified in the relevant articles of this Policy, which must be taken within the scope of Article 12, the provisions of the relevant legislation, Board decisions and this Policy are fully complied with.
b. All transactions regarding the deletion, destruction and anonymization of personal data are carried out by Private CZ Dent Oral and Dental Health Services. Ltd. Sti. and these records are kept for at least 10 years + 6 months (taking into account the 10-year general statute of limitations set in the TCO and delays that may occur in notifications), excluding other legal obligations. Exceptionally, this period is 7 days for security camera recordings.
c. Unless a contrary decision is taken by the Board, the appropriate method of deletion, destruction or anonymization of personal data ex officio is chosen by us. However, upon the request of the Relevant Person, the appropriate method will be chosen by explaining the reason. Private CZ Dent Oral and Dental Health Service of personal data included in Articles 5 and 6 of the Law. Ltd. Sti. It is deleted, destroyed or anonymized by the Company ex officio or upon the request of the person concerned. In case of application by the person concerned in this regard;
c.1. Requests submitted are finalized within 30 (thirty) days at the latest and the relevant person is informed,
c.2. In case the data subject to the request has been transferred to third parties, this situation is notified to the third party to which the data is transferred and necessary actions are taken before the third parties.
A. GENERAL QUALIFIED PERSONAL DATA PROCESSING CONDITIONS
Personal data will not be processed without the explicit consent of the person. Personal data is only processed without seeking explicit consent in the presence of the following conditions.
a. It is clearly stipulated in the
laws,
b. It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to an actual impossibility or whose consent is not given legal validity,
c. It is necessary
to process the personal data of the parties to the contract, provided that it
is
directly related to the establishment or performance of a contract
, data processing is mandatory,
g. Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
B. CONDITIONS OF PROCESSING OF SPECIAL QUALITY PERSONAL DATA Data about
the person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data are special personal data.
The issues in Article 8 of this policy are also valid for sensitive personal data. However, special quality personal data related to health can be obtained from Private CZ Dent Oral and Dental Health Hiz. Ltd. Sti. only by 6/3 of KVKK. It is processed in accordance with the provisions of the article or other legal regulations.
A-REGISTRATION MEDIA
Personal data of the data owners, Private CZ Dent Oral and Dental Health Hiz. Ltd. Sti. are stored securely in the form of physical files and digitally, in accordance with the relevant legislation, especially the provisions of the KVKK, and within the framework of international data security principles: Electronic media: Customer data kept digitally. Physical environments: Lockers and Archive.
B. SAFETY PRECAUTIONS
As the data controller, Private CZ Dent Oral and Dental Health Service takes adequate technical and administrative measures to ensure the protection of personal data being processed in accordance with Article 12 of the KVK Law. Ltd. Sti. has to take. Data Supervisor Private CZ Dent Oral and Dental Health Service. Ltd. Ltd. Şti. is obliged to carry out or have the inspections necessary for the implementation of the Law. The data controller and the data processor cannot disclose the personal data they have learned in violation of the provisions of this law and cannot use them for purposes other than processing. This obligation continues after they leave their duties. In the event that this data falls into the hands of others through illegal means, the data controller shall notify the relevant person and the Board as soon as possible. In order to keep personal data safe, to prevent unlawful processing-access and to destroy data in accordance with the law, within the framework of the principles of Article 12 of the KVKK, Private CZ Dent Oral and Dental Health Services. Ltd. Sti. All the administrative and technical measures taken by the company are listed below;
a.Administrative Measures
a.1. Internal access to stored personal data is limited to the personnel required to access it as per the job description. In limiting access, whether the data is of a special nature and its importance are also taken into account.
a.2. In case the processed personal data is obtained by others unlawfully, it notifies the person concerned and the Board as soon as possible.
a.3. With regard to the sharing of personal data, a framework agreement is signed with the persons to whom personal data is shared, regarding the protection of personal data and data security, or data security is ensured by the provisions added to the existing agreement.
a.4. Personnel who are knowledgeable and experienced about the processing of personal data are employed and necessary trainings are given to the personnel within the scope of personal data protection legislation and data security. In this context, a confidentiality agreement is made with all employees.
a.5. In order to ensure the implementation of the provisions of the law within the company, the necessary audits are made or made by the data controller. Confidentiality and security vulnerabilities revealed as a result of audits are promptly resolved.
b.Technical Measures
Special CZ Dent Oral and Dental Health Service. Ltd. Şti., as the data controller, will take the following technical measures:
b.1. It ensures that the physical files in which personal data are recorded are kept in locked cabinets and that the key is only available to him and to the authorized personnel. It takes other physical measures to prevent unauthorized access to the files in question.
b.2. It ensures that the personal data stored digitally can be accessed only by itself as the data controller and the personnel authorized in this regard, by putting a password on the computers, it ensures login with the registered user name and password, and takes the necessary cryptographic measures. It backs up a copy of digital data via storage devices in case of fire, flood and loss and encrypts the device in question so that only authorized personnel can access it. Takes other necessary measures to prevent unauthorized access.
b.3. Makes the necessary inspections to test the effectiveness of the technical measures taken.
b.4. It ensures that the processes of destruction of personal data stored in physical and digital media are non-recyclable and leave no audit trail.
C-STORAGE AND DISPOSAL
Personal data belonging to data owners, Private CZ Dent Oral and Dental Health Service. Ltd. Sti. It is stored securely in the physical or electronic media listed above, within the limits specified in the KVKK and other relevant legislation, in order to maintain the health services provided by the Company, to fulfill legal obligations, to protect and fulfill the rights of customers and other persons, and to manage customer relations. The reasons for keeping it are as follows:
a.
Storing personal data because it is directly related to the establishment and performance of contracts,
b. For the establishment, use or protection of a right of
personal data,
c. Private CZ Dent Oral and Dental Health Services, provided that personal data does not harm the fundamental rights and freedoms of individuals. Ltd. Şti . for its legitimate interests,
d.Personal data is kept by Private CZ Dent Oral and Dental Health Services. Ltd. Sti. to fulfill any legal obligation arising from a legal or contractual agreement with third parties,
e. Legislation expressly stipulates the storage of personal data,
f. Explicit consent of the data owners in terms of storage activities that require the explicit consent of the data owners. In accordance with the Regulation, the personal data of the data owners in the cases listed below, Private CZ Dent Oral and Dental Health Service. Ltd. Sti. It is deleted, destroyed or anonymized ex officio or upon request.
a. Changing or repealing the provisions of the relevant legislation, which is the basis for the processing or storage of personal data,
b. The disappearance of the purpose that requires the processing or storage of personal data,
c. Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law.
D. In cases where the processing of personal data takes place only on the basis of express consent, the data subject withdraws his consent,
e. The data controller accepts the application made by the data subject regarding the deletion, destruction or anonymization of his personal data within the framework of his rights in subparagraphs (e) and (f) of Article 11 of the Law,
f. In cases where the data controller rejects the application made by the data subject with the request for the deletion, destruction or anonymization of his personal data, his response is found to be insufficient or he does not respond within the time stipulated in the Law; Complaining to the Board and approval of this request by the Board,
g. Although the maximum period for keeping personal data has passed, there is no condition to justify keeping personal data for a longer period of time,
D- DISPOSAL PROCEDURES
Private CZ Dent Oral and Dental Health Service. Ltd. Sti. In the event that the personal data processing purposes listed in the Law and the Regulation disappear, ex officio or upon the application of the Relevant Person, the personal data obtained in accordance with the KVKK and other relevant legislation, in accordance with the provisions of the Law and the relevant legislation, with the following techniques, Private CZ Dent Mouth and Dental Health Service. Ltd. Sti. will be destroyed by
a. Personal Data Deletion and Destruction Techniques
a.1. Destruction of Physically Stored Personal Data: Physically stored personal data is irreversibly destroyed by the method of blackening (burning, tearing, cutting, ink covering, etc.) is destroyed.
a.2. Destruction of Digitally Stored Personal Data: Personal data stored digitally will be destroyed by being irreversibly deleted from the relevant database after the specified period (10 years + 6 months) or in other cases that require the destruction of personal data. Security camera recordings are automatically deleted after 7 days.
Pursuant to Article 28 of the KVKK, if personal data is processed for purposes such as research, planning and statistics by anonymizing with official statistics, this situation will be outside the scope of the Law and express consent will not be required.
E. STORAGE PERIOD OF PERSONAL DATA
Private CZ Dent Oral and Dental Health Service. Ltd. Sti. The period of storage and destruction of personal data obtained from customers and employees in accordance with the provisions of the KVKK and other relevant legislation; It has been determined as 10 years + 6 months, taking into account the “10-year general statute of limitations” regulated in Article 146 of the Turkish Code of Obligations No. 6098 and delays that may occur in notifications. At the end of this period, personal data will be irreversibly destroyed using the methods mentioned above. As a result; Private CZ Dent Oral and Dental Health Service. Ltd. Sti. Periodic destruction period of all personal data without exception is arranged as 10 years + 6 months. Exceptionally, this period is 7 days for security camera recordings.
F. TRANSFER OF PERSONAL DATA
a. Transfer of General Personal Data Private CZ Dent Oral and Dental Health Services. Ltd. Şti. may transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, group companies, third real and legal persons) by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. Private CZ Dent Oral and Dental Health Service. Ltd. Sti. In this context, it acts in accordance with the regulations stipulated in Article 8 of the KVKK. Personal data are processed by group companies for legitimate and lawful personal data processing purposes.
b.Transfer of Special Qualified Personal Data Private CZ Dent Oral and Dental Health Services. Ltd. Şti., by showing due diligence, taking the necessary security measures and adequate measures prescribed by the board; In accordance with the legitimate and lawful personal data processing purposes, the personal data owner may transfer the sensitive data of the personal data owner to third parties in the following cases.
Private CZ Dent Oral and Dental Health Service. Ltd. Sti. A personal data inventory will be created in accordance with business processes. The following information will be included in the personal data inventory;
a.Personal data processing purpose
b.Data Category
c.Transferred recipient group
d.Data subject person group
e.Maximum period
to keep personal data
f. Personal data to be transferred to foreign countries g.
Measures taken regarding data security
All personal data processed in this regard will be processed within the scope of the relevant legislation and KVKK.
A- PERSONAL DATA OWNER'S RIGHTS
Personal data owners have the following rights: a.
To learn whether personal data is processed,
b. To request information about it if their
personal data has been processed, c. To
learn the purpose of processing personal data and whether they are used in accordance with its purpose,
d. Knowing the third parties to whom personal data is transferred at home or abroad,
e. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to third parties to whom personal data has been transferred
, to request the destruction or destruction of the process and to notify the third parties to whom the personal data has been transferred,
g. Objecting
to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
B. CIRCUMSTANCES WHERE THE PERSONAL DATA OWNER CANNOT AGREE THEIR RIGHTS
Personal data owners cannot claim their rights in the following matters, since the following cases are excluded from the scope of KVKK in accordance with Article 28 of the KVKK;
a. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
b. Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
c. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that are authorized by law to ensure national defense, national security, public safety, public order or economic security.
d. Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
Pursuant to article 28/2 of KVKK; In the cases listed below, personal data owners cannot claim their other rights, except for the right to demand the compensation of the damage;
a. The processing of personal data is necessary for the prevention of crime or for criminal investigation.
b. Processing of personal data made public by the personal data owner.
c. If personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution, based on the authority given by the law.
d. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
C. RESPONSE TO APPLICATIONS MADE BY THE PERSONAL DATA OWNER
, Private CZ Dent Oral and Dental Health Hiz. Ltd. Şti. to use its legal rights; Private CZ Dent Oral and Dental Health Service. Ltd. Sti. will conclude this request free of charge as soon as possible and within 30 days at the latest, depending on its nature. The request will either be accepted or rejected on the condition that the reason is given. If the application requires cost, the fee in the tariff determined by the Board will be requested from the applicant.
a. Information that can be requested from the Applicant
Private CZ Dent Oral and Dental Health Service. Ltd. Şti. may request information and documents from the person concerned in order to determine whether the applicant is the owner of personal data. Private CZ Dent Oral and Dental Health Service. Ltd. Şti., in order to clarify the issues in the application of the personal data owner, may ask questions about the application of the personal data owner.
b. Refusal of the Application
Private CZ Dent Oral and Dental Health Service. Ltd. Şti. may reject the application of the applicant in the following cases by explaining the reason;
a. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
b. Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
c. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that are authorized by law to ensure national defense, national security, public safety, public order or economic security.
d. Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
e. The processing of personal data is necessary for the prevention of crime or for criminal investigation.
f. Processing of personal data made public by the personal data owner.
g. If personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution, based on the authority given by the law.
h. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
i. The request of the personal data owner is likely to impede the rights and freedoms of other persons.
j. Demands that require disproportionate effort have been made.
k. The requested information is publicly available information.
This policy enters into force as of the signature date stated below and until a new one is made or Private CZ Dent Oral and Dental Health Services. Ltd. Şti.'s activity or until the legal repeal of this policy text remains in effect.
Private CZ Dent Oral and Dental Health Service. Ltd. Sti. The authorized person performs all kinds of inspections, with or without prior notice of the personnel, in order to determine whether the principles determined by this policy are respected within the company. It checks the documents and records, makes the necessary organization, takes the necessary measures for the related documents to be read, understood and signed by the person concerned, and performs other inspections and controls that it deems necessary, provides the necessary training to the personnel or ensures that it is given by third parties.
1-Personnel Title Unit and Task List
2-Personal Data Retention and Disposal Periods Table
ANNEX-1. PERSONNEL TITLE UNIT AND TASK LIST
STAFF STAFF RESPONSIBLE
Company Officer: He is the primary responsible for the implementation of this policy text. In this context, it takes all kinds of measures, gives the necessary instructions to the personnel and performs audits to ensure that the company's operation complies with the legal regulations on the protection of personal data and the principles set forth in this policy text.
Personnel: While performing their duties within the company, they are obliged to comply with the principles and procedures specified in all legal legislation on the subject, especially the KVK Law No. 6698, as well as the principles and principles set forth in this policy text. He is obliged to fulfill the instructions given to him during the processing, storage and destruction of personal data.
ANNEX-2. PERSONAL DATA STORAGE AND DISPOSAL TIMES TABLE Provided
that it is not contrary to the periods stipulated in other laws;
| STAFF/PERSONAL FILE | It is deleted, destroyed or anonymized within 180 days following the end of the 10 years + 6 months storage period following the termination of the business relationship. |
| PAYROLL | It is deleted, destroyed or anonymized within 180 days following the end of the 10 years + 6 months storage period following the termination of the business relationship. |
| OCCUPATIONAL HEALTH AND SAFETY PRACTICES | It is deleted, destroyed or anonymized within 180 days following the end of the storage period of 10 years + 6 months following the end of the business relationship. |
| SECURITY CAMERA SYSTEMS | Security camera recordings are kept for 7 days and are automatically deleted at the end of this period. |
| STAFF FINANCE PROCESSES | It is deleted, destroyed or anonymized within 180 days following the end of the storage period of 10 years + 6 months following the end of the business relationship. |
| FILE OF TRAINING RECORDS | It is deleted, destroyed or anonymized within 180 days following the end of the 10-year storage period and within 30 days following the application of the data owner. |
| FILES AND INFORMATION RELATING TO CUSTOMER FILES AND OTHER SPECIAL LEGAL PERSONS CONTRACTED | It is deleted, destroyed or anonymized within 180 days following the expiry of the 10 years + 6 months storage period following the expiry of the contract. |