Personal Data Retention and Destruction Policy

Article 1 – Purpose

The Personal Data Retention and Destruction Policy has been prepared by ABC Health Services to define the procedures and principles related to the retention and destruction of personal data processed by the company.

Article 2 – Scope

This policy covers the personal data of company employees, job candidates, interns, service users, potential customers, partners, visitors, suppliers, and other third parties.

This policy applies to all data processing environments where personal data is stored and processed, as well as activities related to personal data processing, whether or not they are part of an automated data processing system.

Article 3 – Definitions

  • Recipient group: The category of a natural or legal person to whom personal data is transferred by the data controller.
  • Explicit consent: Consent that is provided based on being informed, and is given freely with full awareness.
  • Anonymization: The process of making personal data irreversibly unidentifiable, even if combined with other data, so that it cannot be related to a specific individual.
  • Employee: Company staff.
  • Electronic environment: Environments where personal data can be created, read, modified, or written with electronic devices.
  • Non-electronic environment: All other written, printed, visual, or similar environments outside electronic ones.
  • Service provider: A natural or legal person providing services to the company under a contract.
  • Data subject: A natural person whose personal data is processed.
  • Related user: Individuals or units within the data controller’s organization, other than those technically responsible for storing, protecting, and backing up data, who process personal data based on the authorization and instructions provided by the data controller.
  • Destruction: The deletion, destruction, or anonymization of personal data.
  • Law: Personal Data Protection Law No. 6698.
  • Data storage environment: Any environment where personal data is stored, whether fully or partially automated, or processed by non-automated means as part of a data recording system.
  • Personal data: Any information relating to an identified or identifiable natural person.
  • Personal Data Processing Inventory: A detailed inventory prepared by data controllers, relating to personal data processing activities, explaining the purposes, legal bases, data categories, recipient groups, retention periods, international transfers, and security measures related to personal data processing.
  • Personal Data Processing: Any operation performed on personal data, such as collection, recording, storage, modification, reorganization, disclosure, transmission, or destruction, whether by automated or non-automated means.
  • Board: Personal Data Protection Board.
  • Sensitive personal data: Data regarding an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, membership in associations, foundations or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
  • Periodic destruction: Deletion, destruction, or anonymization performed at recurring intervals when personal data processing conditions under the Law cease to exist.
  • Policy: Personal Data Retention and Destruction Policy.
  • Company: ABC Health Services.
  • Data Processor: A natural or legal person processing personal data on behalf of the data controller, based on the authorization provided by the data controller.
  • Data Recording System: A system in which personal data is processed and structured according to specific criteria.
  • Data Controller: A natural or legal person responsible for determining the purposes and means of processing personal data and establishing and managing the data recording system.
  • Data Controllers Registry Information System (VERBIS): A system created and managed by the Presidency, accessible online, for data controllers to register and manage their operations related to data processing.
  • Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published on October 28, 2017, in the Official Gazette.

Article 4 – Responsibilities and Duties

All employees and units of the company provide full and active support to responsible units in obtaining, processing, and storing personal data in compliance with the law. In the implementation of administrative and technical measures taken under this policy, in training unit employees, raising and monitoring employee awareness, preventing unauthorized access to personal data, and ensuring the lawful storage of personal data, all employees and units provide support to responsible units. The distribution of titles, units, and job descriptions of those involved in the personal data retention and destruction process is shown in APPENDIX TABLE: 1.

Article 5 – Data Storage Environments

Personal data is securely stored in environments listed in APPENDIX TABLE: 2 in compliance with the law.

ARTICLE 6 – LEGAL REASONS FOR STORAGE
Personal data processed within the company’s activities are stored for the duration prescribed by the relevant legislation and in accordance with applicable laws and regulations. The reasons that necessitate storage within this scope are as follows:

  • Personal data must be stored as they are directly related to the establishment and execution of contracts
  • Personal data must be stored for the establishment, use, or protection of a right
  • Personal data must be stored for the company’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of individuals
  • Personal data must be stored to fulfill any legal obligations of the company
  • The storage of personal data is explicitly required by the legislation
  • In cases where storage activities require the explicit consent of data subjects, personal data can be stored with the consent of the data subjects

ARTICLE 7 – PURPOSES OF PROCESSING THAT REQUIRE STORAGE
The company may process the personal data of the relevant person or third parties indicated by the relevant person for various purposes, including but not limited to the following:

  • To manage human resources processes
  • To ensure corporate communication
  • To ensure company security
  • To conduct statistical studies
  • To perform business and transactions as a result of signed contracts and protocols
  • To fulfill legal obligations as required or mandated by regulations
  • To establish communication with natural/legal persons in business relations with the company
  • To perform legal reporting
  • To fulfill the obligation of proof in potential legal disputes
  • To manage/follow up on the company’s legal affairs

ARTICLE 8 – LEGAL REASONS FOR DESTRUCTION
Personal data is deleted or destroyed by the company upon the request of the relevant person or ex officio under the following circumstances:

  • Changes or abolition of the relevant legal provisions that form the basis for processing personal data
  • The purpose for processing or storing personal data ceases to exist
  • In cases where personal data is processed based solely on explicit consent, when the relevant person withdraws their consent
  • Acceptance of the relevant person’s request for the deletion or destruction of their personal data according to Article 11 of the Law
  • The maximum storage period for personal data has passed and there are no conditions justifying the continued storage of the data

ARTICLE 9 – TECHNICAL MEASURES
The technical measures taken by the company concerning the personal data processed are as follows:

  • Necessary internal controls are conducted within the established systems
  • Information technology risk assessments and business impact analyses are carried out within the systems
  • The technical infrastructure to prevent or monitor data leakage outside the company is provided, and relevant matrices are created
  • Penetration tests are conducted regularly, and system vulnerabilities are controlled as needed
  • The access permissions to personal data of employees in information technology departments are controlled
  • The destruction of personal data is carried out so that it is irreversible and does not leave an audit trail
  • In accordance with Article 12 of the Law, all digital environments where personal data is stored are protected using encrypted or cryptographic methods that meet information security requirements

ARTICLE 10 – ADMINISTRATIVE MEASURES
The administrative measures taken by the company concerning the personal data processed are as follows:

  • Limits access to stored personal data to personnel who need access for their job description. The type of data (whether sensitive or not) and its level of importance are also taken into account
  • In case personal data is obtained unlawfully by others, the situation is reported to the concerned individual and the Board as soon as possible
  • Ensures data security with framework agreements signed with persons who share personal data or by adding clauses to existing agreements concerning the protection of personal data
  • Employs personnel knowledgeable and experienced in personal data processing and provides necessary training on personal data protection legislation and data security
  • Conducts audits, and has audits conducted, within its corporate structure to ensure compliance with the provisions of the Law. Resolves any confidentiality and security vulnerabilities identified during audits

ARTICLE 11 – METHODS OF DELETING PERSONAL DATA
Personal data is deleted by the methods specified in APPENDIX TABLE: 3.

ARTICLE 12 – METHODS OF DESTROYING PERSONAL DATA
Personal data is destroyed by the methods specified in APPENDIX TABLE: 4.

ARTICLE 13 – STORAGE AND DESTRUCTION PERIODS
When the company determines the storage period for personal data, if a period is stipulated in the relevant legislation for the storage of that personal data, this period will be followed. Otherwise, the storage and destruction period table specified in APPENDIX TABLE: 5 will be followed.

ARTICLE 14 – PERIODIC DESTRUCTION PERIOD
The company conducts periodic destruction processes every June and December.

ARTICLE 15 – PUBLICATION, STORAGE, AND UPDATE OF THE POLICY
The policy is published in two different formats, in print (wet signature) and electronically, and is announced to the public on the company’s website. The printed copy is stored within the company. The policy is reviewed as needed, and necessary sections are updated.

ARTICLE 16 – ENTRY INTO FORCE
The policy is considered to have entered into force after it is published on the company’s website. In case of a decision to repeal it, the old printed copies of the policy are canceled (by stamping or writing “canceled”) and signed, and the canceled copies are stored by the company for at least 5 years.

APPENDIX TABLE: 1 – Task Distribution for Storage and Destruction Processes

| Position | Unit | Responsibility |
|---|---|---|
| Company Manager | Company | Responsible for ensuring employees act in accordance with the policy. |
| | | Responsible for preparing, developing, implementing the policy, publishing it, and updating it. |
| Information Processing Manager | Information Processing Department | Responsible for providing technical solutions needed for the implementation of the policy. |
| Other Units | | Responsible for the implementation of the policy according to their duties. |

APPENDIX TABLE: 2 – Personal Data Storage Environments

| Electronic Environments | Non-Electronic Environments |
|---|---|
| Personal computers | Paper |
| Mobile devices | Written and printed materials |
| Optical disks | Visual records |
| Printers, scanners, photocopiers | Manual data recording systems |
| Removable and portable storage devices | |
| Servers | |
| Software | |
| Information security devices | |

APPENDIX TABLE: 3 – Methods for Deleting Personal Data

| Data Storage Environment | Deletion Method |
|---|---|
| Servers | For personal data stored on servers that need to be kept for a specified period, the system administrator revokes access permissions for relevant users after the storage period ends, and deletion is performed. |
| Electronic Environment | For personal data stored in the electronic environment that needs to be kept for a specified period, after the storage period ends, it is rendered inaccessible and unusable for users (except the database administrator). |
| Physical Environment | For personal data stored in physical environments that need to be kept for a specified period, after the storage period ends, it is made inaccessible and unusable for other employees, except the unit manager responsible for document archiving. Additionally, the data is rendered unreadable by drawing/painting/scratching out or applying other methods. |
| Removable Media | For personal data stored on flash-based storage devices that need to be kept for a specified period, after the storage period ends, the data is encrypted and stored securely with access granted only to the system administrator, using encryption keys. |

APPENDIX TABLE: 4 – Methods for Destroying Personal Data

| Data Storage Environment | Destruction Method |
|---|---|
| Physical Environment | For personal data stored on paper in physical environments that needs to be kept for a specified period, after the storage period ends, the data is irreversibly destroyed using document destruction machines. |
| Optical or Magnetic Media | For personal data stored on optical or magnetic media that needs to be kept for a specified period, after the storage period ends, it is subjected to destruction procedures such as melting, burning, or grinding. Additionally, magnetic media is exposed to a high magnetic field to render the data unreadable. |

APPENDIX TABLE: 5 – Storage and Destruction Period Table

| Process | Retention Period | Destruction Period |
|---|---|---|
| Occupational health and safety practices | 10 years after the end of the employment relationship | 180 days after the retention period expires |
| Payroll | 10 years after the end of the employment relationship | 180 days after the retention period expires |
| Personnel court/tribunal requests | 10 years after the end of the employment relationship | 180 days after the retention period expires |
| Visitor and patient records | 10 years from the date of regulation and record keeping | 180 days after the retention period expires |
| Filing of training records | 10 years after the training is conducted | 180 days after the retention period expires |
| Emergency preparations | 10 years after the preparation is carried out | 180 days after the retention period expires |
| Log record tracking systems | 10 years from the creation | 180 days after the retention period expires |
| Camera records | 1 year from the recording | 180 days after the retention period expires |