Personal Data Destruction Policy

DATA RETENTION AND DESTRUCTION POLICY

The data controller, Dr. Merdan Çelik Clinic, processes, retains, and disposes of your personal data in compliance with the Constitution, the Personal Data Protection Law No. 6698 (KVKK), the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, and other related legislation, as per the principles and regulations outlined in this Personal Data Retention and Destruction Policy.

This Policy aims to outline the general principles and rules regarding the retention and destruction of personal data subject to processing activities under KVKK, and to fulfill the obligations stipulated by the relevant legislation.

Definitions

• Explicit Consent: Consent that is based on information and freely given concerning a specific matter.
• Recipient Group: Categories of real or legal persons to whom personal data is transferred by the data controller.
• Anonymization: Rendering personal data impossible to associate with an identifiable or identifiable real person, even when combined with other data.
• Relevant User: Persons who process personal data within the organization of the data controller, except for those responsible for technical storage, protection, and backup of data, or those acting under the authorization of the data controller.
• Destruction: Deletion, destruction, or anonymization of personal data.
• Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, surname, ID number, email, address, date of birth, credit card number, bank account number).
• Data Subject: The individual whose personal data is processed.
• Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, alteration, retrieval, disclosure, transfer, or erasure, whether automated or non-automated and part of a data recording system.
• Special Categories of Personal Data: Data concerning race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, membership in associations or trade unions, health, sexual life, criminal convictions, security measures, biometric or genetic data.
• Periodic Destruction: Recurring deletion, destruction, or anonymization processes performed at intervals specified in this Policy when all conditions for processing personal data under KVKK are no longer met.

RECORDING ENVIRONMENTS COVERED BY THIS POLICY

This Policy applies to all personal data subject to processing activities under KVKK, whether stored in physical or digital formats. Personal data stored in the following environments are included:

• Clinic computers, email accounts, desktop computers, employee devices (e.g., mobile phones), backup areas, paper files, folders, visitor logs, CDs, DVDs, USB drives, hard disks, printers, copiers, etc.

REASONS FOR RETENTION AND DESTRUCTION OF PERSONAL DATA

The following principles are fundamental to personal data processing activities:

• Compliance with the law and fairness.
• Ensuring data accuracy and keeping it up-to-date when necessary.
• Processing for specific, clear, and legitimate purposes.
• Limiting data processing to relevant and necessary purposes.
• Retaining data only for the duration required by law or the purpose of processing.

The clinic retains and processes personal data based on the data processing conditions specified in Articles 5 and 6 of KVKK. If these conditions no longer apply, the clinic will delete, destroy, or anonymize the data, either automatically or upon the data subject’s request.

LEGAL BASES FOR DATA PROCESSING

1. Consent of the Data Subject: Personal data can be processed with explicit consent.
2. Legal Obligation: Data processing is permissible without consent if required by law.
3. Protection of Life or Physical Integrity: In cases where consent cannot be obtained due to physical impossibility, data can be processed to protect an individual’s life or physical integrity.
4. Contractual Necessity: Data processing is necessary for establishing or fulfilling a contract.
5. Legal Obligations: Data processing is required to fulfill the clinic’s legal obligations.
6. Publicized Data: Data that has been made public by the data subject can be processed accordingly.
7. Establishment or Protection of Rights: Data processing is essential for exercising or protecting legal rights.
8. Legitimate Interests: Processing is necessary for legitimate interests, provided it does not infringe the data subject’s fundamental rights and freedoms.

METHODS OF DELETION, DESTRUCTION, OR ANONYMIZATION

Personal data will be deleted, destroyed, or anonymized under the following circumstances:

• When the legal basis for processing is amended or repealed.
• When the purpose of processing or retention is no longer valid.
• When data processing relies solely on consent and the consent is withdrawn.
• When the maximum retention period has expired without justification for longer retention.

The appropriate method (deletion, destruction, or anonymization) will be chosen based on technological capabilities and cost considerations, as determined by the clinic. The rationale for the selected method will be explained upon request.

TECHNICAL AND ADMINISTRATIVE MEASURES

The clinic implements the following measures to safeguard personal data:

• Strong passwords are used for computers and email accounts.
• Employees are trained and bound by confidentiality agreements regarding data protection. These obligations extend beyond their employment period.
• Necessary infrastructure is established for data backup.
• Access to data is restricted to authorized personnel.
• Data subjects are informed before data processing begins.
• A personal data processing inventory is maintained.

RETENTION AND DESTRUCTION PERIODS

The clinic retains personal data only for the duration specified by the law or as required for the purposes of processing. Upon request, the clinic will:

1. Delete, destroy, or anonymize personal data if all conditions for data processing no longer apply, and inform the data subject within 30 days.
2. Notify third parties to whom the data has been transferred and ensure that they take necessary actions.
3. If data processing conditions still apply, reject the data subject’s request with justification and inform them within 30 days.

PERIODIC DESTRUCTION

Personal data subject to destruction will be deleted, destroyed, or anonymized in the first periodic destruction process following the emergence of the obligation to destroy. The destruction process is performed every six months.