
Personal Data Retention and Destruction Policy

CCN Yatırım Holding Anonim Şirketi Personal Data Retention and Destruction Policy

I. INTRODUCTION

1- Purpose of the Policy
2- Scope of the Policy
3- Implementation of the Policy and Applicable Legislation
4- Effective Date of the Policy
5- Definitions

II. PROTECTION OF PERSONAL DATA

1- Security
2- Audit
3- Confidentiality
4- Unauthorized Access to Personal Data
5- Respecting the Legal Rights of Data Subjects
6- Protection of Special Categories of Personal Data

III. PERSONAL DATA DESTRUCTION POLICY AND RETENTION PERIODS

3- Methods for the Deletion, Destruction, and Anonymization of Personal Data
   a. Methods for the Deletion and Destruction of Personal Data
   b. Methods for Anonymizing Personal Data
4- Personal Data Retention and Periodic Destruction Periods

IV. CATEGORIZATION OF DATA SUBJECTS AND MAPPING OF PERSONAL DATA

I. INTRODUCTION

Law No. 6698 on the Protection of Personal Data (the “Law”) entered into force on April 7, 2016 and sets out the regulations on the processing of any information relating to an “identified or identifiable” natural person (“data subject”). As CCN Hastane Hizmetleri ve İşletme Anonim Şirketi (the “Company”), we attach utmost importance to the lawful processing and protection of personal data as required by the Law, and we act with this diligence in all our planning and activities. With this awareness, the Company takes all necessary organizational and technical measures for the protection and processing of personal data. The most essential pillar of this matter is the protection of the personal data of our Employees, Employee Candidates, Company Shareholders, Company Officers, Visitors, the Employees, Shareholders, and Officers of Institutions with which We Cooperate, and Third Parties, which is governed by this Personal Data Processing and Protection Policy (the “Policy”).

Pursuant to Article 20 of the Turkish Constitution, every individual is entitled to request the protection of their personal data. In relation to the protection of personal data, which is a constitutional right, the Company exercises due care for the protection of the personal data of Employee Candidates, Company Shareholders, Company Officers, Visitors, and the Employees, Shareholders, and Officers of Institutions with which It Cooperates, as well as Third Parties, as governed by this Policy, and incorporates this into its corporate policy.

This Policy sets out detailed information on the fundamental principles adopted by the Company in the processing of personal data, as listed below:

• Processing personal data in accordance with applicable law and the principles of good faith;
• Keeping personal data accurate and, where necessary, up to date;
• Processing personal data for specific, explicit, and legitimate purposes;
• Processing personal data that is relevant, limited, and proportionate to the purpose for which they are processed;
• Retention of personal data for the period prescribed in the applicable legislation or required for the purpose for which they are processed;
• Informing and notifying personal data subjects;
• Establishing the necessary system to enable personal data subjects to exercise their rights;
• Taking the necessary measures for the preservation of personal data;
• Transferring personal data to third parties in line with the requirements of the processing purpose, in compliance with the applicable legislation and the regulations of the Personal Data Protection Board (the “Board”); and
• Exercising the necessary diligence in the processing and protection of special categories of personal data.

 
1. Purpose of the Policy


The purpose of this Policy is to inform personal data subjects—including, in particular, our Employees, Employee Candidates, Company Shareholders, Company Officers, Visitors, and the Employees, Shareholders, and Officers of Institutions with which We Cooperate, as well as Third Parties—about the obligations of our Company arising from the Law and the applicable legislation, and about the procedures and principles to be observed under the Law, and to ensure, in line with the purpose of the Law, the utmost protection of individuals’ fundamental rights and freedoms—first and foremost the right to privacy under the relevant article of the Constitution—in the processing and protection of personal data. In line with the purpose of this Policy, we aim to ensure full compliance with the applicable legislation in the Company’s personal data processing and protection activities, and to safeguard the data subjects’ rights to privacy and data security.

The purpose of the Personal Data Retention and Destruction Policy is to set out the procedures and principles regarding the security of personal data and their deletion, destruction, and anonymization in relation to the personal data processed within various processes carried out by the Company.

 
2. Scope of the Policy

This Policy applies to all personal data of our Employees, Employee Candidates, Company Shareholders, Company Officers, Visitors, and the Employees, Shareholders, and Officers of Institutions with which We Cooperate, as well as Third Parties, processed through automated means or non-automated means provided that they form part of a data recording system.

Accordingly, for a given category of data subjects listed above, either all provisions of the Policy or only certain provisions may apply.

This Policy covers all forms of processing carried out on the personal data of data subjects—such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use—whether by fully or partially automated means or by non-automated means provided that they form part of any data recording system, as well as the administrative and technical measures taken to ensure the security of personal data.

 
3. Implementation of the Policy and Applicable Legislation

This Policy has been formulated by concretizing and setting out the rules established under the applicable legislation within the scope of the Company’s practices. Within this scope, the applicable legal provisions in force regarding the processing and protection of personal data shall take precedence.

In the event of any inconsistency between the applicable legislation and the Policy, the Company acknowledges that the applicable legislation shall prevail.

As a Company, we carry out the necessary preparations and implement the required systems to act in accordance with the effective dates prescribed in the Law.

 
4. Effective Date of the Policy

This Policy was issued by the Company and entered into force on April 8, 2016. The Policy is published on our Company’s website at www.ccnholding.com.

 
5. Definitions

The following terms used in this Policy refer to:

a. Explicit consent: Refers to consent that is specific to a particular matter, informed, and freely given;
b. Anonymization: Refers to rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching it with other data;
c. Data subject: Refers to the natural person whose personal data is processed;
d. Relevant user: Refers to persons who process personal data within the data controller’s organization or in line with the authorization and instructions received from the data controller, excluding those who are technically responsible for storing, protecting, and backing up the data;
e. Destruction: Refers to the deletion, destruction, or anonymization of personal data;
f. The Law: Refers to the Law on the Protection of Personal Data No. 6698, dated March 24, 2016;
g. Personal data: Refers to any information relating to an identified or identifiable natural person;
h. Processing of personal data: Refers to any operation performed on personal data, such as their collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use, whether in whole or in part by automated means or by non-automated means provided that they form part of a data recording system;
i. Personal data processing inventory: Refers to the inventory created by data controllers by associating their personal data processing activities carried out in connection with their business processes with the purposes of processing, data categories, recipient groups to whom the data is transferred, and categories of data subjects, and which details the maximum retention periods required for the purposes for which the personal data is processed, the personal data envisaged to be transferred abroad, and the measures taken regarding data security;
j. Personal data retention and destruction policy: Refers to the policy that data controllers rely on when determining the maximum retention period required for the purposes for which personal data is processed, as well as for carrying out deletion, destruction, and anonymization processes;
k. Board: Refers to the Personal Data Protection Board;
l. Authority: Refers to the Personal Data Protection Authority;
m. Periodic destruction: Refers to the ex officio deletion, destruction, or anonymization of personal data, carried out at recurring intervals specified in the personal data retention and destruction policy, when all conditions for processing personal data under the Law no longer exist;
n. Registry: Refers to the data controllers’ registry maintained by the Personal Data Protection Authority;
o. Data processor: Refers to the natural or legal person that processes personal data on behalf of the data controller based on the authority granted by the data controller;
p. Data recording system: Refers to the recording system in which personal data is processed by being structured according to specific criteria;
q. Data controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system;
r. Third party: Refers to the individual/patient who applies to the hospitals/integrated health facilities served by the Company for examination or treatment and receives outpatient or inpatient care.

 
RECORDING MEDIA

The recording media in which personal data are stored by the Company include computers and software used on behalf of the Company, cloud systems, shared or non-shared disk drives used for data storage on the network, paper, departmental cabinets, and archives. The Company shall also include any additional recording media it may use within the scope of the Destruction Policy.

 
II. PROTECTION OF PERSONAL DATA

To ensure data security, the Company takes the following measures and precautions pursuant to Article 12 of the Law.

1. Security

The Company takes all necessary technical and organizational measures to ensure an appropriate level of security in order to prevent the unlawful access to and processing of personal data and to ensure their preservation, in accordance with the Law.

2. Audit

The Company conducts or commissions the necessary audits to ensure the establishment of the data security measures described above and to maintain their regularity and continuity. Within this scope, a team has been formed within the Company with representatives from the HR, IT, and Legal departments, and external support is also obtained.

3. Confidentiality

The Company takes all necessary technical and organizational measures, taking into account technological capabilities and implementation costs, to ensure that relevant data controllers and data processors do not disclose personal data to others or use them for purposes other than processing, in violation of the Law and the provisions of the Policy. Within this scope, our Company employees receive information and training on the Law and the Policy.

4. Unauthorized Access to Personal Data

If personal data processed by the Company are obtained by others through unlawful means, the Company carries out the necessary procedures to notify the data subject and the Board of this incident as soon as possible. If deemed necessary by the Board, this incident may also be announced on the Board’s website or through another method deemed appropriate by the Board.

5. Respecting the Legal Rights of Data Subjects

The Company respects all legal rights of data subjects regarding the implementation of the Policy and the Law and takes all necessary measures to ensure the protection of these rights.

6. Protection of Special Categories of Personal Data

Pursuant to Article 6 of the Law, data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are defined as special categories of personal data.

Special categories of personal data are data that, if processed, carry the risk of causing discrimination or victimization of data subjects and therefore must be protected far more strictly than other personal data.

Therefore, although the Company’s main principle is not to collect such data, all necessary measures are taken with due diligence to protect such personal data when they are processed lawfully.

 
SECURITY OF PERSONAL DATA

The Company takes all necessary technical and organizational measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure their preservation.

Within this scope, the Company conducted an initial review to identify the personal data it processes, taking into account whether special categories of personal data are involved; the potential risks to the protection of such data were identified, and the necessary technical and organizational measures were implemented to mitigate or eliminate those risks.

To ensure the security of personal data, and to prevent their unlawful disclosure, sharing, or transfer while raising awareness of the Law, regular trainings are provided to employees and managers.

In addition, employees involved in personal data processing activities are required to sign confidentiality agreements as part of their job processes, and where employees are found to act in breach of security/privacy policies and procedures, the necessary disciplinary process is carried out.

Access to personal data involved in processing activities has been restricted on a personnel basis, and only a limited number of employees have been granted access authorization to personal data relevant to their job processes. Data processing activities carried out by personnel are logged.

Throughout the Company, the principle of “Everything is Prohibited Unless Explicitly Authorized” is strictly adhered to with respect to access to personal data.

To prevent the unlawful processing of personal data and unlawful access to such data, technical systems have been established to monitor and audit personal data processing activities. Regular internal audits are conducted to prevent the unlawful processing of personal data and unlawful access to such data.

To prevent unlawful access to personal data and ensure their storage in secure media, technical methods with an appropriate level of security are employed, and such methods are updated in line with state-of-the-art developments.

To detect early signs of an internal or external attack on the Company’s data recording system and to enable timely intervention, the IT network is monitored regularly: which software and services are running is checked, the network is examined for any intrusion or anomalous activity, and all user activity logs are maintained on a regular basis.

 
III. PERSONAL DATA DESTRUCTION POLICY AND RETENTION PERIODS

1. Reasons Requiring the Retention and Destruction of Personal Data

The Company may process your personal data if one or more of the following conditions exist:

• Explicit Consent of the Data Subject Has Been Obtained;
• Explicitly Provided for by Law;
• Inability to Obtain the Data Subject’s Explicit Consent Due to Actual Impossibility;
• Being Directly Related to the Establishment or Performance of a Contract;
• Required for the Fulfillment of the Company’s Legal Obligations;
• Personal Data Has Been Made Public by the Data Subject;
• Required for the Establishment, Exercise, or Protection of a Right; and
• Required for the Company’s Legitimate Interests.

For detailed information on the processing of personal data, you may review the Personal Data Protection Policy available at www.ccnholding.com.

The personal data of data subjects are destroyed during the first periodic destruction following the cessation of the personal data processing reasons listed above. All actions carried out regarding the deletion, destruction, and anonymization of personal data are logged, and such records are retained for at least three (3) years.

2. Deletion, Destruction, or Anonymization of Personal Data

The Company deletes, destroys, or anonymizes personal data ex officio or upon the request of the data subject when the reasons requiring their processing cease to exist, even if such data have been processed in accordance with the applicable legal provisions, as set forth in Article 138 of the Turkish Penal Code No. 5237, Article 7 of the Law, and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data (the “Regulation”), published in the Official Gazette dated October 28, 2017, provided that the relevant provisions of other applicable laws on the deletion, destruction, or anonymization of personal data are reserved.

On the other hand, all actions carried out in connection with the deletion, destruction, or anonymization of personal data pursuant to Article 7 titled “Principles” of the Regulation are documented by the Company, and such records are retained for a minimum period of three (3) years, provided that the Company’s other legal obligations are reserved.

Upon the deletion of personal data, such data are rendered completely inaccessible and unusable for the relevant users. Accordingly, as the data controller, the Company takes all necessary technical and organizational measures to ensure that deleted personal data are inaccessible and cannot be reused by the relevant users.

During the deletion process, the personal data subject to deletion are identified, the relevant users who have access authorization to such personal data and their specific permissions are determined, and the relevant users’ access, retrieval, and reuse authorizations for the personal data in question are removed.

Personal data in paper form are deleted using the redaction method (blacking out the information). Redaction is the process of rendering personal data on the relevant document invisible to the relevant users—by permanently obscuring them with indelible ink or by cutting them out—so that they cannot be recovered or read through technological means.

In databases containing personal data, the rows in which the personal data reside are deleted using database commands (such as DELETE). For personal data stored in the operating system’s file system, deletion is carried out either by using the operating system’s file-deletion command or by removing the relevant user’s access rights to the file or to the directory in which the file is located.

Destruction of data refers to rendering information irretrievable and unusable by destroying the materials in which the data are stored—such as documents, files, CDs, diskettes, or hard disks—in a manner that makes recovery impossible.

For the destruction of personal data, all copies of the data are identified and, depending on the type of system in which they are stored, the appropriate method is used: for data on magnetic media, degaussing; for optical and magnetic media, melting, incineration, pulverization, or processing through an industrial metal shredder; and for personal data in paper form, shredding.

Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person in any manner whatsoever, even when matched with other data.

The purpose of anonymization is to sever the link between the data and the individual to whom the data relate. Methods such as automatic or manual grouping, masking, derivation, generalization, and randomization applied to records in the data recording system are among the anonymization methods.

3. Methods for the Deletion, Destruction, and Anonymization of Personal Data

a. Methods for the Deletion and Destruction of Personal Data

The Company may delete or destroy personal data, either at its own discretion or upon the data subject’s request, where the reasons requiring the processing no longer exist, even if the data has been processed in compliance with the applicable legal provisions.

The Company may use the following methods for deletion and destruction:

• Physical Destruction: Personal data may also be processed by the Company through non-automated means, provided that it forms part of a data recording system. When such data is destroyed, a physical destruction method is applied to ensure that the personal data cannot be subsequently accessed, used, or recovered by anyone.
• Sending to a Specialist for Secure Deletion: In certain cases, the Company may engage a specialist to destroy personal data on its behalf. In such cases, the personal data may be securely destroyed by the specialist.

b. Methods for Anonymizing Personal Data

Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person in any manner whatsoever, even when matched with other data.

In accordance with Article 28 of the Law, anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing falls outside the scope of the Law, and the data subject’s explicit consent shall not be required; the anonymization methods specified by the Authority may be used.

4. Personal Data Retention and Periodic Destruction Periods

The Company retains personal data for the periods prescribed under applicable laws and other legislation. Where no retention period is stipulated under applicable laws or other legislation, personal data is processed for as long as necessary to fulfill the purpose for which it is processed within the scope of the activity carried out by the Company at the time of processing.

These data are deleted, destroyed, or anonymized in the first periodic destruction process following the date on which the obligation to destroy them arises.

 
IV. CATEGORIZATION OF DATA SUBJECTS AND MAPPING OF PERSONAL DATA

1. Categorization of Data Subjects

Only natural persons benefit from the protection provided under this Policy and the Law pursuant to Article 3 of the Law; in this context, data subjects are categorized as follows:

Employee Candidate: Refers to natural persons who have applied for a job with the Company through any means or have made their résumé and related information available for the Company’s review.

Company Customer: Refers to individuals whose personal data is obtained through the Company.

Company Business Partner; Shareholder, Authorized Representative, or Employee of Business Partners: Refers to all natural persons with whom the Company is in any form of business relationship, as well as all natural persons working for, being shareholders of, or authorized to represent real or legal persons (such as business partners or suppliers) with whom the Company is in any form of business relationship.

Company Customer: Refers to natural persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.

Potential Customer: Refers to natural persons who have requested or shown interest in using our products and services, or who are assessed—pursuant to commercial practice and good-faith principles—as potentially having such interest.

Company Employee: Refers to natural persons employed by the Company and its subsidiaries.

Company Shareholder: Refers to persons who are shareholders of the Company and its subsidiaries.

Company Official: Refers to members of the board of directors and other authorized persons of the Company and its subsidiaries.

Third party: Refers to other persons who do not fall within the scope of the Company Policy prepared for Company Employees and who do not fall under any data subject category in this Policy. For example, patients, companions, etc.

Visitor: Refers to all natural persons who enter the Company’s physical premises for various purposes or who visit our websites for any purpose.

2. Matching Personal Data with Data Subjects, Data Controllers, and Data Processors

The matching of the categorized personal data defined above with the data subject groups is presented below.

Matching of Personal Data Categories and Data Subject Groups