E-Mail

info@nuketeroglu.com

CHAPTER 1 – INTRODUCTION

Introduction

DR. NÜKET EROĞLU (“DR. NÜKET EROĞLU”) is sensitive to the security of your personal data, and it is our priority to process and store all kinds of personal data belonging to all persons associated with us, including our patients, customers and business contacts who benefit from our services, in accordance with the Personal Data Protection Law No. 6698 (“KVKK”).

With this “Personal Data Protection and Processing Policy” (“Policy”), DR. NÜKET EROĞLU sets out the basic principles it has adopted in the protection, storage, and destruction of personal data and makes them sustainable by implementing them as a corporate policy.

Purpose

The purpose of this Policy is to ensure that DR. NÜKET EROĞLU acts in accordance with the legislation that is the basis of this Policy, to determine the procedures and principles regarding the processing, protection, storage, deletion, destruction, and anonymization of the processed personal data, and to inform the natural persons whose data are processed by DR. NÜKET EROĞLU.

Scope

This Policy relates to all personal data of our patients, customers, website users, employees, employee candidates, practice officials, visitors, business contacts (authorized persons, shareholders, and employees of suppliers, contractors, and similar organizations with which we have business relations), and third parties, that are processed automatically or non-automatically provided that they are part of any data recording system.

In this context, all of this Policy may be applied to the above-mentioned groups of personal data owners, or only some of its provisions may be applied.

Implementation of the Policy and Related Legislation

This Policy has been prepared on the basis of the Personal Data Protection Law No. 6698, the Regulation on the Data Controllers Registry No. 30286 and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data No. 30224.

The relevant regulations in force regarding the processing, protection, and destruction of personal data will primarily apply. In case of incompatibility between the legislation and the Policy, DR. NÜKET EROĞLU accepts that the legislation in force will be applied.

Enforcement of the Policy

DR. NÜKET EROĞLU has published this Policy on the DR. NÜKET EROĞLU website and it entered into force on September 4, 2023. The Policy may be updated from time to time due to legal changes, changes in DR. NÜKET EROĞLU’s personal data processing processes, or other reasons.

In the event that all or certain articles of the Policy are renewed, the effective date of the Policy will be updated. The Policy is published on DR. NÜKET EROĞLU’s website https://nuketeroglu.com/ and is made available to the relevant persons upon the request of the personal data owners.


Definitions

The definitions used in the implementation of this Policy are given below:

Explicit Consent

Consent on a specific subject, based on information, expressed with free will

Recipient Group

The category of natural or legal person to whom the data controller transfers personal data

Anonymization

Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data

Employee(s)

Workers in an employment relationship with DR. NÜKET EROĞLU in accordance with the Labor Law, and students or graduates undergoing (compulsory/optional) internship training

Related User

Persons who process personal data within the DR. NÜKET EROĞLU organization or in line with the authorization and instructions received from DR. NÜKET EROĞLU, except for the person or unit responsible for the technical storage, protection and backup of the data

Destruction

Irreversible deletion, destruction or anonymization of personal data

Recording Media

Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system,

Personal Data

Any information relating to an identified or identifiable natural person

Contact Person

Natural person whose personal data is processed

Processing of Personal Data

All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means or by non-automatic means, provided that they are part of any data recording system,

Personal Data Inventory

Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes of processing personal data, data category, transferred recipient group and data subject group and by explaining the maximum time required for the purposes for which personal data are processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security

Personal Data Protection Committee

The committee that has the authority to take decisions and submit them to the senior management in order to ensure, maintain, manage, and improve compliance with the legislation on the protection of personal data, that provides the necessary coordination within DR. NÜKET EROĞLU for this purpose, and that consists of officials from different departments

Board

Personal Data Protection Board

Institution

Personal Data Protection Authority

KVKK / Law

Law No. 6698 on the Protection of Personal Data

Sensitive Personal Data

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and dress, membership of associations, foundations, or trade unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data

Periodic Disposal

The deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data processing, storage and destruction policy, in the event that all of the conditions for processing personal data specified in the law disappear

Policy

This “Personal Data Protection, Processing and Destruction Policy,” in which DR. NÜKET EROĞLU sets out the principles adopted in the processing, storage and destruction of personal data

Deletion

The process of making personal data inaccessible and non-reusable in any way for the relevant users 

Data Processor

A natural and legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller

Data Controller

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

Data Recording System

Recording system where personal data is structured and processed according to certain criteria

Data Controller Registry

The registry of data controllers that is kept by the Personal Data Protection Authority and is open to the public

Destruction

The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way 

For definitions not included in this Policy, the definitions of KVKK shall apply.


CHAPTER 2 – GENERAL ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

While carrying out personal data processing activities, DR. NÜKET EROĞLU acts in accordance with the following:

– General principles

– Personal data processing conditions

– Special categories of personal data processing conditions

Processing of Personal Data in accordance with General Principles

Processing in accordance with the Law and Good Faith

DR. NÜKET EROĞLU acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our practice conducts its personal data processing activities in accordance with the law, honesty rules, and transparency.

Ensuring that Personal Data is Accurate and Updated When Necessary

DR. NÜKET EROĞLU makes the maximum effort to ensure that the personal data it processes is kept accurate and up-to-date, taking into account the fundamental rights and legitimate interests of personal data owners. In this direction, it takes the necessary administrative and technical measures and provides opportunities for personal data owners to correct and confirm the accuracy of their personal data.

Processing Personal Data for Specific, Explicit and Legitimate Purposes

DR. NÜKET EROĞLU clearly and precisely determines the purpose of personal data processing and carries out data processing activities for clear, legitimate, and lawful purposes. 

Personal Data Being Relevant, Limited and Proportionate to the Purpose of Processing

DR. NÜKET EROĞLU processes personal data in connection with the purposes of data processing and to the extent required by these purposes. It avoids the processing of personal data that is not related to the purpose of data processing or is not needed. 

Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

DR. NÜKET EROĞLU retains personal data only for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, it first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if no period is determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, destroyed, or anonymized by us in the event that the period expires or the reasons requiring their processing disappear. Detailed information on this subject is provided in Section 5 of this Policy. 

Processing of Personal Data in accordance with the Processing Conditions

DR. NÜKET EROĞLU carries out its personal data processing activities in accordance with the data processing conditions set forth in the personal data protection legislation. In this context; personal data processing activities are carried out only in the presence of the following data processing conditions:

Obtaining Explicit Consent

By law, personal data cannot be processed without the explicit consent of the data subject. DR. NÜKET EROĞLU requires the data subject to give explicit consent to the processing of personal data “freely, with sufficient information on the subject, with clarity that leaves no room for doubt, and limited to the purpose of data processing” in order to carry out personal data processing activities.

Exceptional Circumstances where Explicit Consent is not Required for the Processing of Personal Data

DR. NÜKET EROĞLU may process personal data without explicit consent in the presence of one of the following conditions in the Law:

Explicitly Stipulated by Law

The personal data of the data subject may be processed in accordance with the law, limited to the relevant legal regulation, if expressly stipulated in the law. 

Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility and Obligation to Process Personal Data

Personal data may be processed without explicit consent if it is necessary for the protection of the life or physical integrity of the person who is unable to disclose his or her consent due to actual impossibility or whose consent is not legally valid. For example, in the event that the person’s explicit consent cannot be obtained due to the person’s unconsciousness, the personal data of the person concerned may be processed during medical intervention for the protection of life or physical integrity. 

The Personal Data Processing Activity is Directly Related to the Establishment or Performance of the Contract

Provided that it is directly related to the conclusion or performance of a contract, personal data may be processed if it is necessary to process the personal data of the parties to the contract.

DR. NÜKET EROĞLU’s Personal Data Processing Activity is Mandatory for the Fulfillment of its Legal Obligation

DR. NÜKET EROĞLU may process the personal data of the data subject if it is mandatory in order to fulfill its legal obligation.

Publication of Personal Data by the Data Subject

Personal data made public by the data subject himself or herself—in other words, personal data disclosed to the public in any way—may be processed without explicit consent.

Data Processing is Mandatory for the Establishment, Exercise or Protection of a Right

If data processing is mandatory for the establishment, exercise, or protection of a right, personal data may be processed without explicit consent. 

Personal Data Processing is Mandatory for DR. NÜKET EROĞLU’s Legitimate Interests

Provided that the fundamental rights and freedoms of the person concerned are not harmed, personal data may be processed without the requirement of explicit consent if data processing is mandatory for DR. NÜKET EROĞLU’s legitimate interests.

Processing of Sensitive Personal Data in accordance with the Processing Conditions

Sensitive personal data may only be processed with the explicit consent of the data subject. However, special categories of personal data other than sexual life and personal health data may be processed without the explicit consent of the data subject in cases stipulated by law. Personal data relating to health and sexual life can only be processed without explicit consent for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services, and financing. Therefore, until otherwise stipulated in accordance with the KVKK, personal health data can only be processed within the scope of explicit consent or by practice officials who are under the obligation to keep secrets.

DR. NÜKET EROĞLU takes the measures determined by the Board regarding the processing and protection of sensitive personal data. DR. NÜKET EROĞLU shows maximum sensitivity to the protection and security of special categories of personal data and carefully implements the technical and administrative measures taken for the protection of special categories of personal data, and DR. NÜKET EROĞLU carries out the necessary audits. 

Processing of Personal Data in accordance with the Terms of Transfer

DR. NÜKET EROĞLU may transfer the personal and sensitive personal data of the data subject to third parties in line with the purposes of personal data processing and with explicit consent, if any, or otherwise limited to legal reasons and by taking necessary security measures. DR. NÜKET EROĞLU acts in accordance with the personal data transfer conditions stipulated in Articles 8 and 9 of the Law.

Domestic Transfer of Personal Data

DR. NÜKET EROĞLU carries out domestic data transfer activities in accordance with the data processing conditions pursuant to Article 8 of the Law. (See Section Two, Articles 2.1, 2.2 and 2.3)

Transfer of Personal Data Abroad

DR. NÜKET EROĞLU carries out data transfer activities abroad in accordance with the data processing conditions (See Section Two, Articles 2.1, 2.2 and 2.3) and with Article 9 of the Law. In cases where personal data is transferred without explicit consent in accordance with the KVKK, one of the following conditions must also exist in terms of the foreign country to which it will be transferred:

In the absence of adequate protection, the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and obtain permission from the Board 

Recipient Groups to whom Personal Data is Transferred

DR. NÜKET EROĞLU may, in accordance with Articles 8 and 9 of the Law, transfer the personal data of data subjects to its business partners, suppliers, contractors, experts, brokers, banks and financial institutions, to consulting and auditing firms from which it receives support in fields such as law, tax, etc., to practice authorities, shareholders, legally authorized public institutions and private persons, and to service providers that process personal data on behalf of DR. NÜKET EROĞLU in the fields of storage, archiving, and information technology support (server, hosting, software, cloud computing, etc.), in Turkey and/or abroad, in order to continue its commercial activities and business processes. The classification of the recipient groups to which personal data is transferred is provided in Section 3 of this Policy.

In the case of personal data transfer, DR. NÜKET EROĞLU ensures that third parties to whom it transfers personal data also comply with this Policy. In this context, necessary protective regulations are added to the contracts concluded with the third party, and technical measures are taken. 

CHAPTER 3 – CATEGORIES OF PERSONAL DATA PROCESSED BY DR. NÜKET EROĞLU, PURPOSES OF PROCESSING AND TRANSFER, RECIPIENT GROUPS TO WHOM DATA IS TRANSFERRED

Personal Data Categories

The categories of personal data processed within the scope of personal data processing activities carried out by DR. NÜKET EROĞLU, and their explanations, are set out below:


Personal Data Categories – Description

Identity Data

Data containing information about the identity of the person: name-surname, Turkish ID number, marital status, gender, nationality, parents’ name-surname, place-date of birth, and other identity information; and documents containing this information, such as a driver’s license, identity card, passport, birth certificate, tax number, SSI number, and other information.

Contact Data

Information used for communication purposes, such as phone number, address, e-mail address, fax number, and documents such as residence certificates containing this information.

Personal Data of Family Members and Relatives

Personal data about the family members and relatives of the data subject is collected within the scope of the activities of our practice or in order to protect the legal and other interests of the practice or the data subject. Example: Contact information of family members, identity information, etc.

Financial Data

Personal data in the form of information, documents, and records showing all kinds of financial results that arise from the legal relationship established by our practice with the data subject. Example: Credit card information, income information, IBAN number, etc.

Personal Data

Personal data processed to obtain information that is the basis for the formation of the personal rights of real persons who are in a working relationship with our practice.

Communication and Complaint Management Data

Personal data obtained in the process of receiving and evaluating all kinds of requests or complaints for our practice.

Special Categories of Personal Data

Personal data that is determined by limited enumeration in the law and that carries the risk of discrimination against data subjects if processed. Example: Health data including blood type, biometric data, information about the association of which the data subject is a member, etc.

Transaction Security Data

Personal data processed to ensure the technical, administrative, legal, and commercial security of both the data subject and our practice.

Related Person Categories

Below are the definitions and explanations of our customers, platform users, employees, employee candidates, business contacts (officials, shareholders, and employees of suppliers, agents, brokers, experts, and similar institutions with which we have business relations), and third parties within the scope of this Policy.


Related Person Categories – Description

Customers

Real people who purchase, use, or have used the products and services offered by our practice. 

Website and Social Media Users

Real people who visit, have visited, or have used the websites (https://www.drlidaciteli.com/ etc.), social media accounts, etc. belonging to our practice for any purpose.

Employees

Real people who are in a working relationship with our practice. 

Employee Candidates

Real people who have applied for a job at our practice in any way and submitted their CV and/or job application form and related information to our practice for review.

Practice Authorities

DR. NÜKET EROĞLU’s senior management and/or real persons authorized to represent DR. NÜKET EROĞLU, and real-person representatives of legal entities. Board members are considered within this scope.

Business Contacts (real-person suppliers, contractors, real-person representatives of legal entities, experts)

Real persons with whom DR. NÜKET EROĞLU is in a business relationship within the scope of the performance of its activities, real-person representatives of legal entities, employees of these persons, and experts.

Other Third Parties

Other natural persons who do not fall under any category of relevant person.

Classification of Personal Data Processed by DR. NÜKET EROĞLU according to Data Subjects

In the table below, the categories of personal data subjects mentioned above and the categories of personal data within the scope of the processing activity are matched and detailed:


Personal Data Categories – Related Person Categories

Identity Data

Patients, Customers, Website and Social Media Users, Employees, Employee Candidates, Contractors and Contractor Employees, Suppliers and Supplier Employees, Adjusters, and Other third parties 

Contact Data

Patients, Customers, Website and Social Media Users, Employees, Employee Candidates, Contractors and Contractor Employees, Suppliers and Supplier Employees, Adjusters, and Other third parties 

Personal Data of Family Members and Relatives

Patients, Employees

Financial Data

Patients, Customers, Employees, Employee Candidates, Contractors and Contractor Employees, Suppliers and Supplier Employees, Adjusters, and Other third parties 

Personal Data

Patients, Employees, and Prospective Employees

Communication and Complaint Management Data

Patients, Customers, Website and Social Media Users, Employees, Employee Candidates, Contractors and Contractor Employees, Suppliers and Supplier Employees, Adjusters, and Other third parties 

Sensitive Personal Data

Patients, Customers, Employees, and other third parties

Transaction Data

Patients, Customers, Website and Social Media Users

Marketing Data

Patients, Customers, Website and Social Media Users

Process Security Data

Patients, Customers, Website and Social Media Users, Employees, Employee Candidates, Contractors and Contractor Employees, Suppliers and Supplier Employees, Adjusters, and Other third parties


Purposes of Processing Personal Data

DR. NÜKET EROĞLU carries out its personal data processing activities for the purposes set out below. Personal data processing purposes are clearly and in detail determined on the basis of each business unit and process by associating business processes and personal data categories and recorded in DR. NÜKET EROĞLU Personal Data Inventory.

– Carrying out, by DR. NÜKET EROĞLU business units, the necessary planning, evaluation and studies to ensure that our customers benefit from the services offered by DR. NÜKET EROĞLU;

– Conducting, by DR. NÜKET EROĞLU business units, advertising and marketing activities for the services offered by DR. NÜKET EROĞLU, informing about promotions, campaigns, offers, events and similar issues, conducting corporate communication activities, customizing products and services according to the tastes, usage habits and needs of the relevant persons;

– Organizing and informing about corporate communication and other events, campaigns and invitations within this scope, conducting market research studies;

– Ensuring corporate security;

– Conducting statistical studies;

– Improving the digital and virtual platforms offered for use by DR. NÜKET EROĞLU patients and customers, providing an efficient and personalized experience to website and social media users, extracting the number, type, frequency of visits, behaviors and similar statistics of users, and offering personalized content and advertisements according to the interests and needs of website and social media users;

– Monitoring and evaluating requests, suggestions and complaints received from relevant persons, customer satisfaction management; and implementation of planning, statistics and satisfaction evaluation studies in this context;

– Management of relations with contractors, agencies, experts, suppliers and similar companies in business relations, and execution of business and commercial relations; 

– Subcontracting application and execution of related processes within the scope of subcontracting agreements;

– Ensuring the legal and commercial security of DR. NÜKET EROĞLU and persons in a business relationship with DR. NÜKET EROĞLU (customer/contractor/supplier (authorized persons or employees) evaluation and audit processes, legal compliance process, etc.);

– Exercise of legal rights, use of information on the transaction history after the termination of the legal relationship as evidence in case of dispute;

– DR. NÜKET EROĞLU’s commercial, legal and business strategies;

– DR. NÜKET EROĞLU’s policies regarding financial affairs;

– DR. NÜKET EROĞLU’s human resources policies and recruitment processes, control and supervision of employees, regulation of employee rights, fulfillment of legal obligations arising from the business relationship;

– Planning, auditing and execution of information security processes, management of information technologies infrastructure;

– DR. NÜKET EROĞLU activities, planning, reporting, visitor/customer statistics and similar examinations; 

– Compliance with the relevant domestic legislation, provision of information requested by public institutions and organizations, fulfillment of reporting obligations.

Methods and Reasons for Collection of Personal Data

DR. NÜKET EROĞLU collects the personal data of data subjects:

– Through DR. NÜKET EROĞLU’s website, various social media channels, e-mail, short messages (“SMS”) or multimedia messages (“MMS”) used within the scope of DR. NÜKET EROĞLU activities,

– Through other means of communication, including printed and electronic forms,

– Through contracts, policies, commercial offers, printed and electronic forms, documents, and correspondence signed within the scope of DR. NÜKET EROĞLU business activities,

– Through business cards and other documents obtained as part of business negotiations,

– Through third parties such as group practices, business contacts, or companies that supply services or products;

by various methods that are fully or partially automated, or non-automated as part of any data recording system, whether verbally, in writing, or electronically.

Personal data collected in line with these methods is stored in accordance with the data processing conditions in Section 2 of this Policy and in line with the personal data processing purposes listed above, by complying with the periods required by KVKK and other legislation and taking all necessary administrative and technical measures.

Recipient Groups to whom Personal Data is Transferred

DR. NÜKET EROĞLU may transfer personal data within the scope of this Policy to the recipient groups listed below for the specified purposes in accordance with the KVKK. The recipient groups to whom personal data are transferred and the purposes of transfer have been clearly and in detail determined by associating personal data categories and added to the DR. NÜKET EROĞLU Personal Data Inventory.


Recipient Groups – Purposes of Personal Data Transfer

Contractors and Subcontractors

Limited to the purpose of ensuring the fulfillment of the objectives of the business relationship with the Contractor and Subcontractors.

Suppliers and Business Partners

Limited to the purpose of ensuring the provision of the services provided by our Practice and necessary to fulfill the activities of our Practice.

Legally Authorized Public Institutions and Organizations

Limited to the purpose requested by the relevant public institutions and organizations within the legal authority.

Legally Authorized Private Law Persons

Limited to the purpose requested by the private law persons concerned within their legal competence.

DR. NÜKET EROĞLU acts in accordance with the matters regulated in Section 2 of the Policy for personal data transfers. 

CHAPTER 4 – ISSUES RELATING TO PERSONAL DATA PROTECTION

DR. NÜKET EROĞLU, in accordance with Article 12 of the KVKK, takes the necessary technical and administrative measures to ensure the appropriate level of security within the possibilities and according to the nature of the data to be protected in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data, to ensure the preservation of the data, and to carry out or have the necessary audits carried out within this scope.

Ensuring the Security of Personal Data

Technical Measures Taken to Prevent Unlawful Processing of Personal Data, Prevent Unlawful Access to Data and Ensure Data Protection

The main technical measures taken to prevent unlawful processing of personal data, unlawful access to data, and the preservation of data are listed below:

– DR. NÜKET EROĞLU takes technical measures for the protection of personal data to the extent that technology allows, and the measures taken are updated. Audits are carried out at regular intervals for the implementation of the measures taken.

– Software and systems are installed and used to ensure data security. Data recording environments are protected by various software and systems, especially virus protection programs and firewalls, in order to prevent unlawful interference with personal data both inside and outside the practice.

– Authorization to access personal data is limited in line with the determined data processing purpose, and authorizations are regularly reviewed.

– Technical security systems are established for storage areas; security tests and research are carried out to identify security vulnerabilities in information systems; and existing or potential risks identified as a result of the tests and research are eliminated. 

– In order to ensure the secure storage of personal data, systems and backup programs in accordance with technological developments are used in accordance with the law.

– Sensitive personal data transferred from memory sticks, CDs, and DVDs is encrypted. 

Administrative Measures Taken to Prevent Unlawful Processing of Personal Data, Prevent Unlawful Access to Data and Ensure Data Protection

The main administrative measures taken to prevent unlawful processing of personal data, unlawful access to data, and the preservation of data are listed below:

– DR. NÜKET EROĞLU established and activated the “Personal Data Protection Committee” to ensure compliance with the Law and its sustainability. 

– DR. NÜKET EROĞLU employees are regularly informed and trained on the protection and lawful processing of personal data.

– DR. NÜKET EROĞLU’s activities have been analyzed in detail for all business units, and as a result of this analysis, personal data processing activities have been determined and recorded in the personal data inventory for the commercial activities carried out by the relevant business units. DR. NÜKET EROĞLU regularly updates it.

– For DR. NÜKET EROĞLU business units, the requirements to be fulfilled in order to ensure compliance with the personal data processing conditions have been determined for each business unit and detailed activity.

– In order to ensure compliance requirements, awareness is raised, implementation rules are determined for the relevant business units, in-practice policies are implemented, and audits are carried out to ensure the continuity of these issues and implementation. 

– Provisions have been added to the contracts and documents signed with employees and third parties, customers, contractors, subcontractors, experts, and other suppliers in order to ensure the processing and protection of personal data in accordance with the law and data confidentiality. The responsibilities of the parties have been clearly regulated, and sanctions have been imposed for data processing activities contrary to the law and contract. 

Supervision of Measures Taken for the Protection of Personal Data

DR. NÜKET EROĞLU carries out or has the necessary audits carried out within its own organization in accordance with KVKK. The results of these audits are reported to the Personal Data Protection Committee, senior management, and the relevant department within the scope of the internal functioning of the practice. Actions are planned to improve the measures taken, and the planned actions are followed up and carried out by the relevant process owners and the Personal Data Protection Committee.

Measures to be taken in cases of unlawful disclosure of personal data

In the event that personal data is illegally obtained or disclosed by others, DR. NÜKET EROĞLU will notify the relevant personal data owner and the Board as soon as possible.

Protection of Special Categories of Personal Data

The Law attaches special importance to certain personal data due to the risk of causing victimization and/or discrimination when processed unlawfully. These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and dress, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data. The protection of special categories of personal data, which are determined as “special categories” by the Law and processed in accordance with the law, has been authorized by DR. NÜKET EROĞLU, which shows utmost sensitivity to the protection of sensitive personal data. 

DR. NÜKET EROĞLU approaches the security of sensitive personal data with the utmost care and provides the necessary audits within the Practice in this regard. 

Protection of Legal Rights of Personal Data Owners

DR. NÜKET EROĞLU observes all legal rights of personal data owners with the implementation of the Policy and the Law and takes all necessary measures to protect these rights. Detailed information on the rights of personal data subjects is provided in Chapter 6 of this Policy.

CHAPTER 5 – STORAGE AND DISPOSAL OF PERSONAL DATA

Recording Media Where Personal Data is Stored and Destroyed

DR. NÜKET EROĞLU may record the personal data it processes in different environments depending on principles such as the nature of the data, the purposes of processing, and the frequency of use. In this context, personal data belonging to data subjects may be stored securely by DR. NÜKET EROĞLU in the environments listed below in accordance with the relevant legislation, especially the provisions of KVKK. 

Electronic media: 

– Servers: Central server, data center servers

– Software: Third-party software in cloud infrastructure, different software according to data processing purposes, etc.

– Databases

– Electronic Devices: Network Devices, Computers, Laptops, Portable Media Devices (flash memory, hard disk, etc.), Printers, Mobile Phones 

Storage and Duration of Personal Data

DR. NÜKET EROĞLU retains personal data for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. Within this framework, if the relevant legislation states how long the personal data should be kept, DR. NÜKET EROĞLU primarily acts in accordance with that period; if it does not, DR. NÜKET EROĞLU keeps the data for the period required for processing, depending on the services it provides while processing that data. In the event of the expiration of the period, the request of the data owner, or the disappearance of the purpose requiring the processing of the data, DR. NÜKET EROĞLU deletes, destroys, or anonymizes the personal data. Detailed information on the retention periods of the personal data processed by DR. NÜKET EROĞLU is provided in Annex 1 of this Policy.

Legal, Technical and Administrative Reasons Requiring Retention of Personal Data

Even in the event that the purpose of processing personal data expires, the data subject so requests, and/or the retention periods determined by the relevant legislation and the practice come to an end, personal data may be retained as follows:

– In order to constitute evidence in possible legal disputes, to assert the relevant right related to personal data, to establish a defense, etc., it can be stored in accordance with the measures stipulated in the laws and/or for the specified periods in order to fulfill legal responsibilities. The storage periods in this respect are determined based on the statute of limitations for the assertion of the right in question. In this case, the stored personal data is not accessed for any other purpose, and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. 

– Data to be destroyed by deletion, destruction, or anonymization can be stored until the next periodic destruction date at the latest.

After the above-mentioned periods expire, personal data is deleted, destroyed, or anonymized.

Legal, Technical and Administrative Reasons Requiring Destruction of Personal Data

DR. NÜKET EROĞLU, the personal data it stores, 

– The disappearance of all purposes requiring the processing of personal data and the reasons requiring its storage, 

– In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject’s withdrawal of consent, 

– If the data owner requests the destruction of his/her personal data by using his/her rights under the KVKK and specified in section 6 of this Policy and the application made is accepted by DR. NÜKET EROĞLU or the request is approved by the Board as a result of a complaint to the Board upon the rejection of this request, 

– Although the maximum period required for the retention of personal data has expired, there is no condition that would justify the retention of personal data for a longer period of time 

in the event of an emergency.

Secure Storage of Personal Data

DR. NÜKET EROĞLU takes the necessary technical and administrative measures to the extent technologically possible to store the personal data it processes in secure environments and to prevent their destruction, loss or alteration for unlawful purposes. Detailed information on personal data security is provided in Section 4 of this Policy under the heading “Issues Regarding the Protection of Personal Data”. 

The main technical measures taken by DR. NÜKET EROĞLU regarding the storage of personal data are listed below:

– Software and systems to ensure data security are installed and used to store personal data in secure environments.

– Technical security systems are installed for storage areas, security tests and research are conducted to identify security vulnerabilities on information systems, and existing or potential risks identified as a result of the tests and research are eliminated. 

– DR. NÜKET EROĞLU takes technical measures for the protection of personal data to the extent that technology allows, updates the measures taken, and regularly audits the implementation of the measures taken.

– In order to ensure that personal data is stored securely, systems and backup programs in accordance with technological developments are used in accordance with the law.

– Access to the environments where personal data is stored is restricted and only authorized persons are allowed to access this data limited to the purpose for which the personal data is stored.

The main administrative measures taken by DR. NÜKET EROĞLU regarding the storage of personal data are listed below:

– DR. NÜKET EROĞLU employees are regularly informed and trained on the protection, storage and lawful processing of personal data.

– Provisions have been added to the contracts and documents signed with third parties in order to ensure the processing and storage of personal data in accordance with the law and to ensure data security, the responsibilities of the parties to take the necessary security measures have been clearly regulated and sanctions have been imposed for data processing activities contrary to the law and contract. 

Destruction of Personal Data in accordance with the Law

The main technical and administrative measures taken by DR. NÜKET EROĞLU are listed below:

– Personal data destruction is carried out under the supervision of an authorized person from the personal data protection committee as well as a technical expert.

– The personal data protection committee is tasked with evaluating and monitoring the personal data inventory on the basis of retention and data destruction periods and coordinating the business units.

– DR. NÜKET EROĞLU informs and trains its employees on the periodic and proper destruction of personal data.

– Audits are conducted and reported on the subject. 

– Provisions regarding the lawful processing, storage and destruction of personal data upon the disappearance of the purpose of processing, expiration of the storage period or upon the request of the data subject have been added to the contracts and documents signed with third parties, and the responsibilities of the parties on the subject have been clearly regulated and provisions imposing sanctions for data processing activities contrary to the law and contract have been implemented. 

General Considerations Regarding the Destruction of Personal Data

Although it has been processed in accordance with the provisions of the Law and other relevant laws, in the event that the purpose requiring the processing and storage of personal data disappears, personal data shall be destroyed by DR. NÜKET EROĞLU by deletion, destruction or anonymization. 

DR. NÜKET EROĞLU acts in accordance with the technical and administrative measures mentioned above, the provisions of the relevant legislation, the decisions of the Board and this Policy in the deletion, destruction or anonymization of personal data. DR. NÜKET EROĞLU records all transactions regarding the deletion, destruction and anonymization of personal data and such records are kept for at least three years, excluding other legal obligations.

Unless otherwise decided by the Board, DR. NÜKET EROĞLU chooses the appropriate method of deletion, destruction or anonymization for the destruction of personal data. In case of the request of the person concerned, it selects and applies the appropriate method by explaining its justification.

Methods of Destruction of Personal Data

Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users. DR. NÜKET EROĞLU may use the following methods to delete personal data depending on the medium in which the data is stored:


Recording Medium – Data Destruction Method

Third-party software in cloud infrastructure, different software according to data processing purposes – Give Delete Command

Different software according to data processing purposes – Deletion via Software

Databases – Delete with Database Command

Databases, Data on servers – Removing the Access Rights of the Related User on the Directory Where the File is Located, Deleting Command

Paper and hard copies – Blackout (the process of cutting out the personal data on the relevant document, where possible, and making it invisible to the relevant users by using fixed ink in a way that cannot be reversed and cannot be read by technological solutions).


Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. DR. NÜKET EROĞLU may use one or more of the following methods to delete personal data, depending on the medium in which the data is stored:


Recording Medium – Data Destruction Method

Media that magnetically records data (tape cartridges, etc.) – De-magnetization (the process of subjecting magnetic media to a very high magnetic field by passing it through a special device and distorting the data on it in an unreadable way.)

Media that record data magnetically and optically (DVD, CD, hard disk, etc.), Paper and Printed Copies – Physical Destruction (Melting, incineration or pulverization of optical media and magnetic media; physical destruction of paper and hard copies by paper shredder/shredder or incineration)

Magnetic and rewritable optical media (DVD-r, etc.) – Overwriting (The process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media.)

Media that records data magnetically (tape, abit disk, etc.) – Erasing with “Block Erase” Command

Third-party software in cloud infrastructure – Keeping the recording media encrypted and destroying all copies of the encryption keys upon deletion


Anonymization of Personal Data

Anonymization of personal data means making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data. In order for personal data to be anonymized; personal data must be rendered unrelated to an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as retrieval and matching of data with other data by the data controller, recipient or groups of recipients. DR. NÜKET EROĞLU may use one or more of the following methods to anonymize personal data: 

– Removing Variables: It is an anonymization method achieved by removing one or more variables from the table by deleting them completely.

– Removing Records: It is a method of strengthening anonymity by removing a row containing a singularity in the personal data set.

– Generalization: The process of converting the relevant personal data from a specific value to a more general value.

– Territorial Concealment: If the combination of values of a particular record creates a very low visibility situation and this situation may cause a high probability of that person becoming distinguishable in the relevant community, it is a method of reducing the risk of predictability by changing the value that creates the exceptional situation to “unknown”.

– Lower and Upper Bound Coding: It is obtained by defining a category for a certain variable in the personal dataset and combining the values within the grouping created by this category.

– Global Coding: It is an anonymization method where a common and new group is created for the selected values and all records in the dataset are replaced with this new definition.

– Sampling: In the sampling method, instead of the whole dataset, a subset taken from the set is explained or shared. 

– Micro-Aggregation: With this method, all records in the dataset are divided into a certain number of subsets, the value of the subset belonging to the specified variable is averaged and the value of that variable of the subset is replaced with the average value.

– Data Exchange: In the data exchange method, records are altered by exchanging the values belonging to a variable subset between the pairs selected from the records.

– Noise Addition: Adding to or subtracting from a selected variable in the dataset in order to achieve a specified degree of distortion.

– Other statistical methods to strengthen anonymization (K-Anonymity, L-Diversity, T-Closeness, etc.)
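Several of the methods listed above can be chained and measured. The following Python code is an added example, not part of the Policy or of any DR. NÜKET EROĞLU system; it applies Generalization, Territorial Concealment, Removing Records and Micro-Aggregation in turn and reports K-Anonymity. The records, field names, band width and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (not real data). "age" and "district" are
# treated as quasi-identifiers; "fee" is a numeric attribute.
RECORDS = [
    {"age": 31, "district": "A", "fee": 1300},
    {"age": 34, "district": "A", "fee": 1500},
    {"age": 38, "district": "A", "fee": 900},
    {"age": 42, "district": "B", "fee": 2000},
    {"age": 47, "district": "B", "fee": 2600},
    {"age": 45, "district": "C", "fee": 800},
    {"age": 44, "district": "D", "fee": 1700},
    {"age": 83, "district": "B", "fee": 3100},
]
QUASI_IDS = ("age", "district")


def key(record):
    """Quasi-identifier combination that could single a person out."""
    return tuple(record[q] for q in QUASI_IDS)


def k_anonymity(records):
    """K-Anonymity: size of the smallest group sharing one combination."""
    return min(Counter(key(r) for r in records).values())


def generalize_age(records, width=10):
    """Generalization: replace an exact age with a band such as '30-39'."""
    out = []
    for r in records:
        low = r["age"] // width * width
        out.append({**r, "age": f"{low}-{low + width - 1}"})
    return out


def suppress_rare(records, k, field="district"):
    """Territorial Concealment: in groups smaller than k, change the value
    that makes the record stand out to 'unknown'."""
    sizes = Counter(key(r) for r in records)
    return [{**r, field: "unknown"} if sizes[key(r)] < k else dict(r)
            for r in records]


def remove_rare(records, k):
    """Removing Records: drop rows that are still in a group smaller than k."""
    sizes = Counter(key(r) for r in records)
    return [dict(r) for r in records if sizes[key(r)] >= k]


def micro_aggregate(records, field="fee", size=3):
    """Micro-Aggregation: sort by `field`, split into subsets of at least
    `size` records, and replace each value with its subset's average."""
    ordered = sorted(records, key=lambda r: r[field])
    chunks = [ordered[i:i + size] for i in range(0, len(ordered), size)]
    if len(chunks) > 1 and len(chunks[-1]) < size:
        chunks[-2].extend(chunks.pop())  # avoid an undersized last subset
    out = []
    for chunk in chunks:
        avg = round(sum(r[field] for r in chunk) / len(chunk), 2)
        out.extend({**r, field: avg} for r in chunk)
    return out


def anonymize(records, k=2):
    """Apply the four methods in order; the input list is left untouched."""
    step = generalize_age(records)
    step = suppress_rare(step, k)
    step = remove_rare(step, k)
    return micro_aggregate(step)


if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS))
    result = anonymize(RECORDS)
    print("k after: ", k_anonymity(result))
    for row in result:
        print(row)
```

On this sample, generalization alone leaves k at 1; the suppression and removal steps are what raise it to 2, at the cost of one dropped record.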

Periodic Destruction Periods of Personal Data

DR. NÜKET EROĞLU deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.

DR. NÜKET EROĞLU’s periodic destruction period is 6 months; however, DR. NÜKET EROĞLU accepts that the Board may shorten the periods specified in this article and the destruction periods table in the event of irreparable or impossible damages and in the event of a clear violation of the law.

Responsible Unit for Personal Data Storage and Destruction Processes

A “Personal Data Protection Committee” has been established under DR. NÜKET EROĞLU in order to carry out personal data storage and destruction processes and to take necessary actions in accordance with this Policy. Detailed information on this subject is provided in Section 7 of this Policy. 

The relevant persons in the Personal Data Protection Committee are responsible for fully fulfilling all their obligations regarding the storage and destruction of personal data regulated in this Policy.

CHAPTER 6 – RIGHTS OF THE PERSONS CONCERNED AND MATTERS RELATING TO THE EXERCISE OF THESE RIGHTS

Rights of the Personal Data Owner Pursuant to KVKK

Pursuant to Article 11 of the LPPD, the personal data owner may apply to DR. NÜKET EROĞLU: 

– To learn whether his/her personal data is being processed or not, 

– To request information if his/her personal data has been processed, 

– To learn the purpose of processing personal data and whether they are used for their intended purpose, 

– To know the third parties to whom personal data are transferred domestically or abroad, 

– In case personal data are incomplete or incorrectly processed, to request their correction and notification of the transaction made within this scope to third parties to whom personal data are transferred, 

– Although it has been processed in accordance with the provisions of the Law and other relevant legislation, in the event that the reasons requiring its processing disappear, to request the deletion or destruction of personal data and the notification of the transaction made within this scope to third parties to whom personal data is transferred, 

– To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems, 

– To demand compensation for the damage in the event of damage due to unlawful processing of personal data. 

Cases where the Personal Data Owner cannot exercise his/her rights

Pursuant to Article 28 of the LPPD, personal data owners cannot assert their rights listed in 6.1. in these matters, since the following cases are excluded from the scope of the Law:

– Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that personal data is not disclosed to third parties and obligations regarding data security are complied with, 

– Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics, 

– Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime, 

– Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security, 

– Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings. 

Pursuant to paragraph 2 of Article 28 of the KVKK, in the following cases, the data owner cannot use his/her rights specified in Article 6.1 of this Policy, except for the right to demand compensation for the damage: 

– Processing of personal data is necessary for the prevention of crime or criminal investigation. 

– Processing of personal data made public by the person concerned. 

– Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law. 

– Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters. 

Exercise of Rights by the Data Subject

The relevant person may exercise his/her rights set forth in Article 6.1 of this Policy by filling out the application form, an example of which is provided in Annex 2 of the Policy and at https://www.drlidaciteli.com/, and submitting it to DR. NÜKET EROĞLU with a wet signature, or via registered electronic mail address, secure electronic signature, mobile signature, or the e-mail address previously notified and registered in the systems. The method of application is explained in detail in the “Application Form within the Scope of the Law on the Protection of Personal Data”, the address of which is provided above.

In the event that the Data Subject wishes to exercise this right through his/her attorney, the documents certifying his/her identity issued or approved by the competent authorities and the documents supporting the request, if any, shall be submitted to DR. NÜKET EROĞLU as an attachment to the application form.

DR. NÜKET EROĞLU’s Response to Applications

DR. NÜKET EROĞLU will finalize the requests addressed to it free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. In the event that a cost arises due to the fulfillment of the requests, the fees in the tariff determined by the Board may be requested.

DR. NÜKET EROĞLU may accept the request or reject it by explaining the reason, and notifies the personal data owner in writing or electronically. If the request in the application is accepted, DR. NÜKET EROĞLU fulfills the requirements of the request. 

Right of the Data Subject to Complain to the Board

In cases where the application is rejected, the response is deemed inadequate, or the application is not responded to in due time, the person concerned has the right to file a complaint to the Board within thirty days from the date of receipt of DR. NÜKET EROĞLU’s response and in any case within sixty days from the date of application.

CHAPTER 7 – GOVERNANCE STRUCTURE FOR PERSONAL DATA PROCESSING, STORAGE, AND DESTRUCTION

Unit Responsible for Processing, Storage and Destruction of Personal Data

DR. NÜKET EROĞLU has established the “Personal Data Protection Committee”, which is authorized to take decisions and present them to the senior management in order to ensure compliance with the legislation on the protection of personal data and to maintain, manage, and improve that compliance. The committee provides the necessary coordination within DR. NÜKET EROĞLU and consists of officials from different departments. 

The duties of this committee are stated below:

– To coordinate and manage all DR. NÜKET EROĞLU activities related to the processing, storage, protection and destruction of personal data on the basis of business units, 

– To prepare basic policies regarding the processing, storage, protection, and destruction of personal data and submit them to senior management for approval.

– Ensuring the implementation of policies on the processing, storage, protection and destruction of personal data, managing the process of compliance with the legislation and the practice policy; and reporting to the senior management 

– To coordinate communication with the relevant data owners within the scope of the activities carried out by DR. NÜKET EROĞLU in the capacity of data controller, and to provide the necessary organization for this purpose 

– To make the necessary activities and arrangements within the practice regarding the Board’s requests, complaints, and notifications, and to organize the processes

– To make the necessary activities and arrangements within the practice regarding the requests, complaints, and notifications from the relevant persons, and to organize the processes

– To update the personal data processing inventory, to monitor and report data processing activities and record them in the inventory, and to make the necessary updates in VERBIS (Data Controllers Registry Information System) in case of changes

– Organizing trainings for employee awareness, ensuring the continuity of trainings, and measuring their efficiency

– To raise awareness and provide information on the processing, storage, protection and destruction of personal data within DR. NÜKET EROĞLU and the institutions with which DR. NÜKET EROĞLU cooperates

– To decide how the audit of personal data processing activities will be carried out and to ensure the necessary coordination within this scope

– To determine or ensure the determination of technical and administrative measures taken by third parties processing personal data regarding data security, to conduct or have audits carried out

– To ensure that necessary measures are taken by identifying the risks that may arise in personal data processing activities; to submit action plans and improvement proposals to the senior management for approval and to coordinate their execution

– To organize audits within the practice within the scope of KVKK compliance, to make the necessary arrangements if an outsourced audit is to be received, and to ensure that the measures to be taken for the risks identified are determined and evaluated

– Participating in evaluations and presenting reports by working together with consultant companies regarding the Protection of Personal Data

– To follow the Board’s announcements and legislative developments, to ensure that they are put into practice in the relevant places and to make the necessary notifications

– Manage processes for data privacy breach cases, determine the responsible person or team and their duties, and manage reporting and corrective actions.

CHAPTER 8 – UPDATES, HARMONIZATION AND AMENDMENTS

Update and Adaptation

DR. NÜKET EROĞLU reserves the right to make amendments to this Policy and other policies related to this Policy due to amendments to the Law, in accordance with Board decisions, or in line with developments in the sector or in the field of informatics.

Changes made to this Policy are immediately incorporated into the text, and explanations regarding the changes are provided at the end of the Policy.

Amendments

A personal data processing, protection, and destruction policy has been published.


ANNEX.1: PERSONAL DATA STORAGE AND DESTRUCTION PERIODS TABLE

PROCESS – STORAGE PERIOD – DESTRUCTION PERIOD [1]

Responding to court or executive information requests regarding employees, customers and third parties – 10 years following the termination of the employment relationship – Within 180 days

Employee Financing Processes – 10 years following the termination of the employment relationship – Within 180 days

Contracts signed with customers, contractors, suppliers and third parties – 10 years following the expiration of the contract – Within 180 days

Recruitment and payroll – 10 years following the termination of the employment relationship – Within 180 days

Occupational health and safety practices – 10 years following the termination of the employment relationship – Within 180 days

Payment processing – 10 years following the termination of the employment relationship – Within 180 days

Execution of contract processes – 10 years following the termination of the employment relationship – Within 180 days

Creation and preservation of employee personnel file – 10 years following the termination of the employment relationship – Within 180 days

Software system accounts created for employees, establishment of transaction security information – 1 year following the termination of the employment contract – Within 180 days

Management of customers’ claims, assessment of damage and loss – 10 years following the occurrence of the damage – Within 180 days

[1] Refers to the period for the destruction of personal data stored by DR. NÜKET EROĞLU after the expiration of the retention period.