CHAPTER 1 – INTRODUCTION
Introduction
DR. NÜKET EROĞLU (“DR. NÜKET EROĞLU”) is sensitive to the security of your personal data, and it is our priority to process and store all kinds of personal data belonging to all persons associated with us, including our patients, customers and business contacts who benefit from our services, in accordance with the Personal Data Protection Law No. 6698 (“KVKK”).
With this “Personal Data Protection and Processing Policy” (“Policy”), DR. NÜKET EROĞLU sets out the basic principles it has adopted for the protection, storage, and destruction of personal data and makes them sustainable by implementing them as a corporate policy.
Purpose
The purpose of this Policy is to determine, in accordance with the legislation on which this Policy is based, the procedures and principles regarding the processing, protection, storage, deletion, destruction, and anonymization of the personal data processed by DR. NÜKET EROĞLU, and to inform the natural persons whose data are processed by DR. NÜKET EROĞLU.
Scope
This Policy covers all personal data of our patients, customers, website users, employees, employee candidates, practice officials, visitors, business contacts (authorized persons, shareholders, and employees of suppliers, contractors, and similar organizations with which we have business relations), and third parties, which are processed automatically, or non-automatically provided that they are part of any data recording system.
In this context, all of this Policy may be applied to the above-mentioned groups of personal data owners, or only some of its provisions may be applied.
Implementation of the Policy and Related Legislation
This Policy has been prepared on the basis of the Personal Data Protection Law No. 6698, the Regulation on the Data Controllers Registry No. 30286 and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data No. 30224.
The relevant regulations in force regarding the processing, protection, and destruction of personal data will primarily apply. In case of incompatibility between the legislation and the Policy, DR. NÜKET EROĞLU accepts that the legislation in force will be applied.
Enforcement of the Policy
DR. NÜKET EROĞLU has published this Policy on the DR. NÜKET EROĞLU website, and it entered into force on September 4, 2023. The Policy may be updated from time to time due to legal changes, DR. NÜKET EROĞLU’s personal data processing processes, or other reasons.
In the event that all or certain articles of the Policy are renewed, the effective date of the Policy will be updated. The Policy is published on DR. NÜKET EROĞLU’s website, https://nuketeroglu.com/, and is made available to the relevant persons upon the request of the personal data owners.
Definitions
The definitions used in the implementation of this Policy are given below:
Explicit Consent
Consent on a specific subject, based on information, expressed with free will
Buyer Group
The category of natural or legal person to whom the data controller transfers personal data
Anonymization
Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data
Employee(s)
Workers in a labor relationship with DR. NÜKET EROĞLU in accordance with the Labor Law, and students or graduates undergoing internship (compulsory/optional) training
Related User
Persons who process personal data within the DR. NÜKET EROĞLU organization or in line with the authorization and instructions received from DR. NÜKET EROĞLU, except for the person or unit responsible for the technical storage, protection and backup of the data
Destruction
Irreversible deletion, destruction or anonymization of personal data
Recording Media
Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system
Personal Data
Any information relating to an identified or identifiable natural person
Contact Person
Natural person whose personal data is processed
Processing of Personal Data
All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means or by non-automatic means, provided that they are part of any data recording system
Personal Data Inventory
Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes of processing personal data, data category, transferred recipient group and data subject group and by explaining the maximum time required for the purposes for which personal data are processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security
Personal Data Protection Committee
The committee that has the authority to take decisions and submit them to the senior management in order to ensure compliance with the legislation on the protection of personal data and to maintain, manage, and improve that compliance, and that, for this purpose, provides the necessary coordination within DR. NÜKET EROĞLU and consists of officials from different departments
Board
Personal Data Protection Board
Institution
Personal Data Protection Authority
KVKK / Law
Law No. 6698 on the Protection of Personal Data
Sensitive Personal Data
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and dress, membership of associations, foundations, or trade unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data
Periodic Disposal
In the event that all of the conditions for processing personal data specified in the law disappear, the deletion, destruction or anonymization process will be carried out ex officio at recurring intervals specified in the personal data processing, storage and destruction policy
Policy
This “Personal Data Protection, Processing and Destruction Policy”, in which DR. NÜKET EROĞLU regulates the principles adopted in the processing, storage and destruction of personal data
Deletion
The process of making personal data inaccessible and non-reusable in any way for the relevant users
Data Processor
A natural and legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller
Data Controller
The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
Data Recording System
Recording system where personal data is structured and processed according to certain criteria
Data Controller Registry
The publicly accessible registry of data controllers kept by the Personal Data Protection Authority
Destruction
The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way
For definitions not included in this Policy, the definitions of KVKK shall apply.
CHAPTER 2 – GENERAL ISSUES REGARDING THE PROCESSING OF PERSONAL DATA
While carrying out personal data processing activities, DR. NÜKET EROĞLU acts in accordance with the following:
– General principles
– Personal data processing conditions
– Special categories of personal data processing conditions
Processing of Personal Data in accordance with General Principles
Processing in accordance with the Law and Good Faith
DR. NÜKET EROĞLU acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our practice conducts its personal data processing activities in accordance with the law, honesty rules, and transparency.
Ensuring that Personal Data is Accurate and Updated When Necessary
DR. NÜKET EROĞLU makes the maximum effort to ensure that the personal data it processes is kept accurate and up-to-date, taking into account the fundamental rights and legitimate interests of personal data owners. In this direction, it takes the necessary administrative and technical measures and provides opportunities for personal data owners to correct and confirm the accuracy of their personal data.
Processing Personal Data for Specific, Explicit and Legitimate Purposes
DR. NÜKET EROĞLU clearly and precisely determines the purpose of personal data processing and carries out data processing activities for clear, legitimate, and lawful purposes.
Personal Data Being Relevant, Limited and Proportionate to the Purpose of Processing
DR. NÜKET EROĞLU processes personal data in connection with the purposes of data processing and to the extent required by these purposes. It avoids the processing of personal data that is not related to the purpose of data processing or is not needed.
Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
DR. NÜKET EROĞLU retains personal data only for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, it first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if no period is determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, destroyed, or anonymized by us in the event that the period expires or the reasons requiring their processing disappear. Detailed information on this subject is provided in Section 5 of this Policy.
Processing of Personal Data in accordance with the Processing Conditions
DR. NÜKET EROĞLU carries out its personal data processing activities in accordance with the data processing conditions set forth in the personal data protection legislation. In this context; personal data processing activities are carried out only in the presence of the following data processing conditions:
Obtaining Explicit Consent
By law, personal data cannot be processed without the explicit consent of the data subject. DR. NÜKET EROĞLU requires the data subject to give explicit consent to the processing of personal data “freely, with sufficient information on the subject, with clarity that leaves no room for doubt, and limited to the purpose of data processing” in order to carry out personal data processing activities.
Exceptional Circumstances where Explicit Consent is not Required for the Processing of Personal Data
DR. NÜKET EROĞLU may process personal data without explicit consent in the presence of one of the following conditions in the Law:
Explicitly Stipulated by Law
The personal data of the data subject may be processed in accordance with the law, limited to the relevant legal regulation, if expressly stipulated in the law.
Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility and Obligation to Process Personal Data
Personal data may be processed without explicit consent if it is necessary for the protection of the life or physical integrity of the person who is unable to disclose his or her consent due to actual impossibility or whose consent is not legally valid. For example, in the event that the person’s explicit consent cannot be obtained due to the person’s unconsciousness, the personal data of the person concerned may be processed during medical intervention for the protection of life or physical integrity.
The Personal Data Processing Activity is Directly Related to the Establishment or Performance of the Contract
Provided that it is directly related to the conclusion or performance of a contract, personal data may be processed if it is necessary to process the personal data of the parties to the contract.
DR. NÜKET EROĞLU’s Personal Data Processing Activity is Mandatory for the Fulfillment of its Legal Obligation
DR. NÜKET EROĞLU may process the personal data of the data subject if it is mandatory in order to fulfill its legal obligation.
Publication of Personal Data by the Data Subject
Personal data made public by the data subject himself or herself—in other words, personal data disclosed to the public in any way—may be processed without explicit consent.
Data Processing is Mandatory for the Establishment, Exercise or Protection of a Right
If data processing is mandatory for the establishment, exercise, or protection of a right, personal data may be processed without explicit consent.
Personal Data Processing is Mandatory for DR. NÜKET EROĞLU’s Legitimate Interests
Provided that the fundamental rights and freedoms of the person concerned are not harmed, personal data may be processed without the requirement of explicit consent if data processing is mandatory for DR. NÜKET EROĞLU’s legitimate interests.
Processing of Sensitive Personal Data in accordance with the Processing Conditions
Sensitive personal data may only be processed with the explicit consent of the data subject. However, special categories of personal data other than sexual life and personal health data may be processed without the explicit consent of the data subject in cases stipulated by law. Personal data relating to health and sexual life can only be processed without explicit consent for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services, and financing. Therefore, until otherwise stipulated in accordance with the KVKK, personal health data can only be processed within the scope of explicit consent or by practice officials who are under an obligation of confidentiality.
DR. NÜKET EROĞLU takes the measures determined by the Board regarding the processing and protection of sensitive personal data. DR. NÜKET EROĞLU shows maximum sensitivity to the protection and security of special categories of personal data and carefully implements the technical and administrative measures taken for the protection of special categories of personal data, and DR. NÜKET EROĞLU carries out the necessary audits.
Processing of Personal Data in accordance with the Terms of Transfer
DR. NÜKET EROĞLU may transfer the personal and sensitive personal data of the data subject to third parties in line with the purposes of personal data processing and with explicit consent, if any, or otherwise limited to legal reasons and by taking necessary security measures. DR. NÜKET EROĞLU acts in accordance with the personal data transfer conditions stipulated in Articles 8 and 9 of the Law.
Domestic Transfer of Personal Data
DR. NÜKET EROĞLU carries out domestic data transfer activities in accordance with the data processing conditions pursuant to Article 8 of the Law. (See Section Two, Articles 2.1, 2.2 and 2.3)
Transfer of Personal Data Abroad
DR. NÜKET EROĞLU carries out data transfer activities abroad in accordance with the data processing conditions (See Section Two, Articles 2.1, 2.2 and 2.3) pursuant to Article 9 of the Law. In cases where personal data is transferred without explicit consent in accordance with the KVKK, one of the following conditions must also exist in terms of the foreign country to which it will be transferred:
In the absence of adequate protection, the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and obtain permission from the Board
Recipient Groups to whom Personal Data is Transferred
DR. NÜKET EROĞLU may, in accordance with Articles 8 and 9 of the Law, transfer the personal data of data subjects to the following recipients in Turkey and/or abroad in order to continue its commercial activities and business processes: its business partners, suppliers, contractors, experts, brokers, banks and financial institutions; the consulting and auditing firms from which it receives support in fields such as law and tax; practice authorities; shareholders; legally authorized public institutions and private persons; and service providers that process personal data on behalf of DR. NÜKET EROĞLU in the fields of storage, archiving, and information technology support (server, hosting, software, cloud computing, etc.). The classification of the recipient groups to which personal data is transferred is provided in Section 3 of this Policy.
In the case of personal data transfer, DR. NÜKET EROĞLU ensures that third parties to whom it transfers personal data also comply with this Policy. In this context, necessary protective regulations are added to the contracts concluded with the third party, and technical measures are taken.
CHAPTER 3 – CATEGORIES OF PERSONAL DATA PROCESSED BY DR. NÜKET EROĞLU, PURPOSES OF PROCESSING AND TRANSFER, RECIPIENT GROUPS TO WHOM DATA IS TRANSFERRED
Personal Data Categories
The categories of personal data processed within the scope of the personal data processing activities carried out by DR. NÜKET EROĞLU, and their explanations, are set out below:
Personal Data Categories – Description
Identity Data
Data containing information about the identity of the person: name-surname, Turkish ID number, marital status, gender, nationality, parents’ name-surname, place-date of birth, and other identity information; and documents containing this information, such as a driver’s license, identity card, passport, birth certificate, tax number, SSI number, and other information.
Contact Data
Information used for communication purposes, such as phone number, address, e-mail address, fax number, and documents such as residence certificates containing this information.
Personal Data of Family Members and Relatives
Personal data about the family members and relatives of the data subject is collected within the scope of the activities of our practice or in order to protect the legal and other interests of the practice or the data subject. Example: Contact information of family members, identity information, etc.
Financial Data
Personal data refers to information, documents, and records showing all kinds of financial results that arise according to the legal relationship established by our practice with the data subject. Example: Credit card information, income information, IBAN number, etc.
Personal Data
Within the scope of being in a working relationship with our practice, personal data is processed to obtain information that is the basis for the formation of the personal rights of real persons.
Communication and Complaint Management Data
Personal data obtained in the process of receiving and evaluating all kinds of requests or complaints for our practice.
Special Categories of Personal Data
Personal data that is determined by limited enumeration in the law and that carries the risk of discrimination against data subjects if processed. Example: Health data including blood type, biometric data, information about the association of which the data subject is a member, etc.
Transaction Security Data
Personal data is processed to ensure the technical, administrative, legal, and commercial security of both the data subject and our Practice.
Related Person Categories
Below are the definitions and explanations of our customers, platform users, employees, employee candidates, business contacts (officials, shareholders, and employees of suppliers, agents, brokers, experts, and similar institutions with which we have business relations), and third parties within the scope of this Policy.
Related Person Categories – Description
Customers
Real people who purchase, use, or have used the products and services offered by our practice.
Website and Social Media Users
Real people who visit, have visited, or have used, for any purpose, the websites (https://www.drlidaciteli.com/ etc.), social media accounts, etc. belonging to our practice.
Employees
Real people who are in a working relationship with our practice.
Employee Candidates
They are real people who have applied for a job at our practice in any way and submitted their CV and/or job application form and related information to our practice for review.
Practice Authorities
DR. NÜKET EROĞLU’s senior management and/or real persons authorized to represent DR. NÜKET EROĞLU, and real-person representatives of legal entities. Board members are considered within this scope.
Business Contacts (real-person suppliers, contractors, real-person representatives of legal entities, experts)
Real persons, real-person representatives of legal entities, employees of these persons, and experts with whom DR. NÜKET EROĞLU is in a business relationship within the scope of the performance of its activities.
Other Third Parties
Other natural persons who do not fall under any category of relevant person.
Classification of Personal Data Processed by DR. NÜKET EROĞLU according to Data Subjects
In the table below, the categories of personal data subjects mentioned above and the categories of personal data within the scope of the processing activity are matched and detailed:
Personal Data Categories – Description
Identity Data
Patients, Customers, Website and Social Media Users, Employees, Employee Candidates, Contractors and Contractor Employees, Suppliers and Supplier Employees, Adjusters, and Other third parties
Contact Data
Patients, Customers, Website and Social Media Users, Employees, Employee Candidates, Contractors and Contractor Employees, Suppliers and Supplier Employees, Adjusters, and Other third parties
Personal Data of Family Members and Relatives
Patients, Employees
Financial Data
Patients, Customers, Employees, Employee Candidates, Contractors and Contractor Employees, Suppliers and Supplier Employees, Adjusters, and Other third parties
Personal Data
Patients, Employees, and Prospective Employees
Communication and Complaint Management Data
Patients, Customers, Website and Social Media Users, Employees, Employee Candidates, Contractors and Contractor Employees, Suppliers and Supplier Employees, Adjusters, and Other third parties
Sensitive Personal Data
Patients, Customers, Employees, and other third parties
Transaction Data
Patients, Customers, Website and Social Media Users
Marketing Data
Patients, Customers, Website and Social Media Users
Process Security Data
Patients, Customers, Website and Social Media Users, Employees, Employee Candidates, Contractors and Contractor Employees, Suppliers and Supplier Employees, Adjusters, and Other third parties
Purposes of Processing Personal Data
DR. NÜKET EROĞLU carries out its personal data processing activities for the purposes set out below. Personal data processing purposes are clearly and in detail determined on the basis of each business unit and process by associating business processes and personal data categories and recorded in DR. NÜKET EROĞLU Personal Data Inventory.
– Carrying out, by DR. NÜKET EROĞLU business units, the necessary planning, evaluation and studies to ensure that our customers benefit from the services offered by DR. NÜKET EROĞLU;
– Conducting, by DR. NÜKET EROĞLU business units, advertising and marketing activities for the services offered by DR. NÜKET EROĞLU, informing about promotions, campaigns, offers, events and similar issues, conducting corporate communication activities, customizing products and services according to the tastes, usage habits and needs of the relevant persons;
– Organizing and informing about corporate communication and other events, campaigns and invitations within this scope, conducting market research studies;
– Ensuring corporate security;
– Conducting statistical studies;
– Improving the digital and virtual platforms offered for use by DR. NÜKET EROĞLU patients and customers, providing an efficient and personalized experience to website and social media users, extracting the number, type, and frequency of visits, behaviors and similar statistics of users, and offering personalized content and advertisements according to the interests and needs of website and social media users;
– Monitoring and evaluating requests, suggestions and complaints received from relevant persons, customer satisfaction management; and implementation of planning, statistics and satisfaction evaluation studies in this context;
– Management of relations with contractors, agencies, experts, suppliers and similar companies in business relations, and execution of business and commercial relations;
– Subcontracting application and execution of related processes within the scope of subcontracting agreements;
– Ensuring the legal and commercial security of DR. NÜKET EROĞLU and persons in a business relationship with DR. NÜKET EROĞLU (customer/contractor/supplier (authorized or employees) evaluation and audit processes, legal compliance process, etc.);
– Exercise of legal rights, use of information on the transaction history after the termination of the legal relationship as evidence in case of dispute;
– DR. NÜKET EROĞLU’s commercial, legal and business strategies;
– DR. NÜKET EROĞLU’s policies regarding financial affairs;
– DR. NÜKET EROĞLU’s human resources policies and recruitment processes, control and supervision of employees, regulation of employee rights, fulfillment of legal obligations arising from the business relationship;
– Planning, auditing and execution of information security processes, management of information technologies infrastructure;
– DR. NÜKET EROĞLU activities, planning, reporting, visitor/customer statistics and similar examinations;
– Compliance with the relevant domestic legislation, provision of information requested by public institutions and organizations, fulfillment of reporting obligations.
Methods and Reasons for Collection of Personal Data
DR. NÜKET EROĞLU collects the personal data of data subjects verbally, in writing, or electronically, by various methods that are fully or partially automated, or non-automated as part of any data recording system:
– Through DR. NÜKET EROĞLU’s website, various social media channels, e-mail, short messages (“SMS”) or multimedia messages (“MMS”) used within the scope of DR. NÜKET EROĞLU activities,
– Through other means of communication, including printed and electronic forms,
– Through contracts, policies, commercial offers, printed and electronic forms, documents, and correspondence signed within the scope of DR. NÜKET EROĞLU business activities,
– Through business cards and other documents obtained as part of business negotiations,
– Through third parties such as group practices, business contacts, or companies that supply services or products.
Personal data collected in line with these methods is stored in accordance with the data processing conditions in Section 2 of this Policy and in line with the personal data processing purposes listed above, by complying with the periods required by KVKK and other legislation and taking all necessary administrative and technical measures.
Recipient Groups to whom Personal Data is Transferred
DR. NÜKET EROĞLU may transfer personal data within the scope of this Policy to the recipient groups listed below for the specified purposes in accordance with the KVKK. The recipient groups to whom personal data are transferred and the purposes of transfer have been clearly and in detail determined by associating personal data categories and added to the DR. NÜKET EROĞLU Personal Data Inventory.
Recipient Groups – Purposes of Personal Data Transfer
Contractors and Subcontractors
Limited to the purpose of ensuring the fulfillment of the objectives of the business relationship with the Contractor and Subcontractors.
Suppliers and Business Partners
Limited to the purpose of ensuring the provision of the services provided by our Practice and necessary to fulfill the activities of our Practice.
Legally Authorized Public Institutions and Organizations
Limited to the purpose requested by the relevant public institutions and organizations within the legal authority.
Legally Authorized Private Law Persons
Limited to the purpose requested by the private law persons concerned within their legal competence.
DR. NÜKET EROĞLU acts in accordance with the matters regulated in Section 2 of the Policy for personal data transfers.
CHAPTER 4 – ISSUES RELATING TO PERSONAL DATA PROTECTION
DR. NÜKET EROĞLU, in accordance with Article 12 of the KVKK, takes the necessary technical and administrative measures to ensure the appropriate level of security within the possibilities and according to the nature of the data to be protected in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data, to ensure the preservation of the data, and to carry out or have the necessary audits carried out within this scope.
Ensuring the Security of Personal Data
Technical Measures Taken to Prevent Unlawful Processing of Personal Data, Prevent Unlawful Access to Data and Ensure Data Protection
The main technical measures taken to prevent unlawful processing of personal data, unlawful access to data, and the preservation of data are listed below:
– DR. NÜKET EROĞLU takes technical measures for the protection of personal data to the extent that technology allows, and the measures taken are updated. Audits are carried out at regular intervals for the implementation of the measures taken.
– Software and systems are installed and used to ensure data security. Data recording environments are protected by various software and systems, especially virus protection programs and firewalls, in order to prevent unlawful interference with personal data both inside and outside the practice.
– Authorization to access personal data is limited in line with the determined data processing purpose, and authorizations are regularly reviewed.
– Technical security systems are established for storage areas; security tests and research are carried out to identify security vulnerabilities in information systems; and existing or potential risks identified as a result of the tests and research are eliminated.
– In order to ensure the secure storage of personal data, systems and backup programs in accordance with technological developments are used in accordance with the law.
– Sensitive personal data transferred from memory sticks, CDs, and DVDs is encrypted.
Administrative Measures Taken to Prevent Unlawful Processing of Personal Data, Prevent Unlawful Access to Data and Ensure Data Protection
The main administrative measures taken to prevent unlawful processing of personal data, unlawful access to data, and the preservation of data are listed below:
– DR. NÜKET EROĞLU established and activated the “Personal Data Protection Committee” to ensure compliance with the Law and its sustainability.
– DR. NÜKET EROĞLU employees are regularly informed and trained on the protection and lawful processing of personal data.
– DR. NÜKET EROĞLU’s activities have been analyzed in detail for all business units, and as a result of this analysis, personal data processing activities have been determined and recorded in the personal data inventory for the commercial activities carried out by the relevant business units. DR. NÜKET EROĞLU regularly updates it.
– The requirements to be fulfilled in order to ensure compliance with the personal data processing conditions have been determined for each DR. NÜKET EROĞLU business unit and detailed activity.
– In order to ensure compliance requirements, awareness is raised, implementation rules are determined for the relevant business units, in-practice policies are implemented, and audits are carried out to ensure the continuity of these issues and implementation.
– Provisions have been added to the contracts and documents signed with employees and third parties, customers, contractors, subcontractors, experts, and other suppliers in order to ensure the processing and protection of personal data in accordance with the law and data confidentiality. The responsibilities of the parties have been clearly regulated, and sanctions have been imposed for data processing activities contrary to the law and contract.
Supervision of Measures Taken for the Protection of Personal Data
DR. NÜKET EROĞLU carries out the necessary audits within its own organization, or has them carried out, in accordance with KVKK. The results of these audits are reported to the Personal Data Protection Committee, senior management, and the relevant department within the scope of the internal functioning of the practice. Actions are planned, and the planned actions for the improvement of the measures taken are followed up and carried out by the relevant process owners and the Personal Data Protection Committee.
Measures to be taken in cases of unlawful disclosure of personal data
In the event that personal data is illegally obtained or disclosed by others, DR. NÜKET EROĞLU will notify the relevant personal data owner and the Board as soon as possible.
Protection of Special Categories of Personal Data
The Law attaches special importance to certain personal data due to the risk of causing victimization and/or discrimination when processed unlawfully. These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and dress, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data. DR. NÜKET EROĞLU shows the utmost sensitivity to the protection of personal data that the Law designates as “special categories” and that is processed in accordance with the law.
DR. NÜKET EROĞLU approaches the security of sensitive personal data with the utmost care and provides the necessary audits within the Practice in this regard.
Protection of Legal Rights of Personal Data Owners
DR. NÜKET EROĞLU observes all legal rights of personal data owners with the implementation of the Policy and the Law and takes all necessary measures to protect these rights. Detailed information on the rights of personal data subjects is provided in Chapter 6 of this Policy.
CHAPTER 5 – STORAGE AND DISPOSAL OF PERSONAL DATA
Recording Media Where Personal Data is Stored and Destroyed
DR. NÜKET EROĞLU may record the personal data it processes in different environments depending on principles such as the nature of the data, the purposes of processing, and the frequency of use. In this context, personal data belonging to data subjects may be stored securely by DR. NÜKET EROĞLU in the environments listed below in accordance with the relevant legislation, especially the provisions of KVKK.
Electronic media:
– Servers: Central server, data center servers
– Software: Third-party software in cloud infrastructure, different software according to data processing purposes, etc.
– Databases
– Electronic Devices: Network Devices, Computers, Laptops, Portable Media Devices (flash memory, hard disk, etc.), Printers, Mobile Phones
Storage and Duration of Personal Data
DR. NÜKET EROĞLU retains personal data for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. Within this framework, if the relevant legislation states how long the personal data should be kept, DR. NÜKET EROĞLU primarily acts in accordance with that period; if it does not, DR. NÜKET EROĞLU keeps the data for the period required for processing, depending on the services it provides while processing that data. In the event of the expiration of the period, the request of the data owner, or the disappearance of the purpose requiring the processing of the data, DR. NÜKET EROĞLU deletes, destroys, or anonymizes the personal data. Detailed information on the retention periods of personal data processed by DR. NÜKET EROĞLU is provided in Annex 1 of this Policy.
Legal, Technical and Administrative Reasons Requiring Retention of Personal Data
Where the purpose of processing personal data has expired, the data subject has so requested, and/or the retention periods determined by the relevant legislation and the practice have come to an end, personal data may still be retained in the following cases:
– Personal data may be stored in accordance with the measures stipulated in the laws and/or for the specified periods in order to constitute evidence in possible legal disputes, to assert the relevant right related to the personal data, to establish a defense, etc., and thereby to fulfill legal responsibilities. In establishing these periods, storage periods are determined based on the statute of limitations for the assertion of the right in question. In this case, the stored personal data is not accessed for any other purpose, and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute.
– Data to be destroyed by deletion, destruction, or anonymization can be stored until the next periodic destruction date at the latest.
After the above-mentioned periods expire, personal data is deleted, destroyed, or anonymized.
Legal, Technical and Administrative Reasons Requiring Destruction of Personal Data
DR. NÜKET EROĞLU, the personal data it stores,
– The disappearance of all purposes requiring the processing of personal data and the reasons requiring its storage,
– In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject’s withdrawal of consent,
– If the data owner requests the destruction of his/her personal data by using his/her rights under the KVKK and specified in section 6 of this Policy and the application made is accepted by DR. NÜKET EROĞLU or the request is approved by the Board as a result of a complaint to the Board upon the rejection of this request,
– Although the maximum period required for the retention of personal data has expired, there is no condition that would justify the retention of personal data for a longer period of time
in the event of an emergency.
Secure Storage of Personal Data
DR. NÜKET EROĞLU takes the necessary technical and administrative measures to the extent technologically possible to store the personal data it processes in secure environments and to prevent their destruction, loss or alteration for unlawful purposes. Detailed information on personal data security is provided in Section 4 of this Policy under the heading “Issues Regarding the Protection of Personal Data”.
The main technical measures taken by DR. NÜKET EROĞLU regarding the storage of personal data are listed below:
– Software and systems to ensure data security are installed and used to store personal data in secure environments.
– Technical security systems are installed for storage areas, security tests and research are conducted to identify security vulnerabilities on information systems, and existing or potential risks identified as a result of the tests and research are eliminated.
– DR. NÜKET EROĞLU takes technical measures for the protection of personal data to the extent that technology allows, updates the measures taken, and regularly audits the implementation of the measures taken.
– In order to ensure that personal data is stored securely, systems and backup programs in accordance with technological developments are used in accordance with the law.
– Access to the environments where personal data is stored is restricted and only authorized persons are allowed to access this data limited to the purpose for which the personal data is stored.
The main administrative measures taken by DR. NÜKET EROĞLU regarding the storage of personal data are listed below:
– DR. NÜKET EROĞLU employees are regularly informed and trained on the protection, storage and lawful processing of personal data.
– Provisions have been added to the contracts and documents signed with third parties in order to ensure the processing and storage of personal data in accordance with the law and to ensure data security. The responsibilities of the parties to take the necessary security measures have been clearly regulated, and sanctions have been imposed for data processing activities contrary to the law and contract.
Destruction of Personal Data in accordance with the Law
The main technical and administrative measures taken by DR. NÜKET EROĞLU for the destruction of personal data in accordance with the law are listed below:
– Personal data destruction is carried out under the supervision of an authorized person from the personal data protection committee as well as a technical expert.
– The personal data protection committee is tasked with evaluating and monitoring the personal data inventory on the basis of retention and data destruction periods and coordinating the business units.
– DR. NÜKET EROĞLU informs and trains its employees on the periodic and proper destruction of personal data.
– Audits are conducted and reported on the subject.
– Provisions regarding the lawful processing, storage and destruction of personal data upon the disappearance of the purpose of processing, expiration of the storage period or upon the request of the data subject have been added to the contracts and documents signed with third parties, and the responsibilities of the parties on the subject have been clearly regulated and provisions imposing sanctions for data processing activities contrary to the law and contract have been implemented.
General Considerations Regarding the Destruction of Personal Data
Although it has been processed in accordance with the provisions of the Law and other relevant laws, in the event that the purpose requiring the processing and storage of personal data disappears, the personal data shall be destroyed by DR. NÜKET EROĞLU by deletion, destruction or anonymization.
DR. NÜKET EROĞLU acts in accordance with the technical and administrative measures mentioned above, the provisions of the relevant legislation, the decisions of the Board and this Policy in the deletion, destruction or anonymization of personal data. DR. NÜKET EROĞLU records all transactions regarding the deletion, destruction and anonymization of personal data and such records are kept for at least three years, excluding other legal obligations.
Unless otherwise decided by the Board, DR. NÜKET EROĞLU chooses the appropriate method of deletion, destruction or anonymization for the destruction of personal data. In case of the request of the person concerned, it selects and applies the appropriate method by explaining its justification.
Methods of Destruction of Personal Data
Deletion of Personal Data
Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users. DR. NÜKET EROĞLU may use the following methods to delete personal data depending on the medium in which the data is stored:
Recording Medium – Data Destruction Method
Third-party software in cloud infrastructure, different software according to data processing purposes – Give Delete Command
Different software according to data processing purposes – Deletion via Software
Databases – Delete with Database Command
Databases, Data on servers – Removing the Access Rights of the Related User on the Directory Where the File is Located, Deleting Command
Paper and hard copies – Blackout (the process of cutting out the personal data on the relevant document, where possible, and making it invisible to the relevant users by using fixed ink in a way that cannot be reversed and cannot be read by technological solutions)
Destruction of Personal Data
Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. DR. NÜKET EROĞLU may use one or more of the following methods to destroy personal data, depending on the medium in which the data is stored:
Recording Medium – Data Destruction Method
Media that magnetically records data (tape cartridges, etc.) – De-magnetization (the process of subjecting magnetic media to a very high magnetic field by passing it through a special device, distorting the data on it so that it becomes unreadable)
Media that record data magnetically and optically (DVD, CD, hard disk, etc.), Paper and Printed Copies – Physical Destruction (melting, incineration or pulverization of optical media and magnetic media; physical destruction of paper and hard copies by paper shredder or incineration)
Magnetic and rewritable optical media (DVD-r, etc.) – Overwriting (the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media)
Media that records data magnetically (tape, hard disk, etc.) – Erasing with “Block Erase” Command
Third-party software in cloud infrastructure – Keeping the recording media encrypted and destroying all copies of the encryption keys upon deletion
Anonymization of Personal Data
Anonymization of personal data means making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data. In order for personal data to be anonymized; personal data must be rendered unrelated to an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as retrieval and matching of data with other data by the data controller, recipient or groups of recipients. DR. NÜKET EROĞLU may use one or more of the following methods to anonymize personal data:
– Removing Variables: It is an anonymization method achieved by removing one or more variables from the table by deleting them completely.
– Removing Records: It is a method of strengthening anonymity by removing a row containing a singularity in the personal data set.
– Generalization: The process of converting the relevant personal data from a specific value to a more general value.
– Territorial Concealment: If the combination of values of a particular record creates a very low visibility situation and this situation may cause a high probability of that person becoming distinguishable in the relevant community, it is a method of reducing the risk of predictability by changing the value that creates the exceptional situation to “unknown”.
– Lower and Upper Bound Coding: It is obtained by defining a category for a certain variable in the personal dataset and combining the values within the grouping created by this category.
– Global Coding: It is an anonymization method where a common and new group is created for the selected values and all records in the dataset are replaced with this new definition.
– Sampling: In the sampling method, instead of the whole dataset, a subset taken from the set is explained or shared.
– Micro-Aggregation: With this method, all records in the dataset are divided into a certain number of subsets, the value of the subset belonging to the specified variable is averaged and the value of that variable of the subset is replaced with the average value.
– Data Exchange: In the data exchange method, records are changed by exchanging the values of a subset of variables between pairs selected from the records.
– Noise Addition: Additions to and subtractions from a selected variable in the dataset are made in order to achieve a specified degree of distortion.
– Other statistical methods to strengthen anonymization (K-Anonymity, L-Diversity, T-Closeness, etc.)
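The following is an added illustration, not part of the Policy and not a description of DR. NÜKET EROĞLU’s systems. It chains four of the methods listed above (removing variables, generalization, removing records, micro-aggregation) and measures the result with k-anonymity. The records, field names and function names are all constructed for the example.

```python
from collections import Counter
from statistics import mean

# Constructed sample records: every value below is invented for this example.
RECORDS = [
    {"name": "P1", "age": 34, "district": "34710", "treatment": "laser", "fee": 4200},
    {"name": "P2", "age": 37, "district": "34722", "treatment": "filler", "fee": 3800},
    {"name": "P3", "age": 31, "district": "34730", "treatment": "laser", "fee": 5100},
    {"name": "P4", "age": 45, "district": "34710", "treatment": "filler", "fee": 4000},
    {"name": "P5", "age": 48, "district": "34758", "treatment": "laser", "fee": 5300},
    {"name": "P6", "age": 62, "district": "06420", "treatment": "peeling", "fee": 4500},
    {"name": "P7", "age": 41, "district": "34744", "treatment": "filler", "fee": 3900},
]
# Quasi-identifiers: fields that could be matched against other data sets.
QUASI_IDS = ("age", "district")


def remove_variables(rows, drop):
    """Removing variables: delete whole columns (here the direct identifier)."""
    return [{k: v for k, v in r.items() if k not in drop} for r in rows]


def generalize(rows, age_width=10, district_digits=2):
    """Generalization: exact age -> age band, full district code -> prefix."""
    out = []
    for r in rows:
        low = (r["age"] // age_width) * age_width
        hidden = len(r["district"]) - district_digits
        masked = r["district"][:district_digits] + "*" * hidden
        out.append({**r, "age": f"{low}-{low + age_width - 1}", "district": masked})
    return out


def group_sizes(rows, quasi_ids=QUASI_IDS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)


def k_anonymity(rows, quasi_ids=QUASI_IDS):
    """k = size of the smallest group; k == 1 means someone is unique."""
    sizes = group_sizes(rows, quasi_ids)
    return min(sizes.values()) if sizes else 0


def remove_records(rows, k, quasi_ids=QUASI_IDS):
    """Removing records: drop rows whose group is still smaller than k."""
    sizes = group_sizes(rows, quasi_ids)
    return [r for r in rows if sizes[tuple(r[q] for q in quasi_ids)] >= k]


def micro_aggregate(rows, field, size):
    """Micro-aggregation: sort by field, split into subsets of `size`,
    replace each value with its subset's rounded average."""
    ordered = sorted(rows, key=lambda r: r[field])
    chunks = [ordered[i:i + size] for i in range(0, len(ordered), size)]
    if len(chunks) > 1 and len(chunks[-1]) < size:
        chunks[-2].extend(chunks.pop())  # never leave an undersized subset
    out = []
    for chunk in chunks:
        avg = round(mean(r[field] for r in chunk))
        out.extend({**r, field: avg} for r in chunk)
    return out


def anonymize(rows, k=2):
    """Apply the four methods in order; the input list is not modified."""
    rows = remove_variables(rows, {"name"})
    rows = generalize(rows)
    rows = remove_records(rows, k)
    return micro_aggregate(rows, "fee", k)


if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS))
    result = anonymize(RECORDS, k=2)
    print("k after: ", k_anonymity(result), "records kept:", len(result))
    for row in result:
        print(row)
```

Generalization alone leaves the single record in the 60-69 / 06*** group unique, which is why the record-removal step is needed before the set reaches k ≥ 2. A k-anonymity figure covers only the quasi-identifiers: groups whose remaining sensitive values are all the same still reveal that value, which is what L-Diversity and T-Closeness address.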
Periodic Destruction Periods of Personal Data
DR. NÜKET EROĞLU deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.
DR. NÜKET EROĞLU’s periodic destruction period is 6 months; however, DR. NÜKET EROĞLU accepts that the Board may shorten the periods specified in this article and the destruction periods table in the event of irreparable or impossible damages and in the event of a clear violation of the law.
Responsible Unit for Personal Data Storage and Destruction Processes
A “Personal Data Protection Committee” has been established under DR. NÜKET EROĞLU in order to carry out personal data storage and destruction processes and to take necessary actions in accordance with this Policy. Detailed information on this subject is provided in Section 7 of this Policy.
The relevant persons in the Personal Data Protection Committee are responsible for fully fulfilling all their obligations regarding the storage and destruction of personal data regulated in this Policy.
CHAPTER 6 – RIGHTS OF THE PERSONS CONCERNED AND MATTERS RELATING TO THE EXERCISE OF THESE RIGHTS
Rights of the Personal Data Owner Pursuant to KVKK
Pursuant to Article 11 of the LPPD, the personal data owner may apply to DR. NÜKET EROĞLU:
– To learn whether his/her personal data is being processed or not,
– To request information if his/her personal data has been processed,
– To learn the purpose of processing personal data and whether they are used for their intended purpose,
– To know the third parties to whom personal data are transferred domestically or abroad,
– In case personal data are incomplete or incorrectly processed, to request their correction and notification of the transaction made within this scope to third parties to whom personal data are transferred,
– Although it has been processed in accordance with the provisions of the Law and other relevant legislation, in the event that the reasons requiring its processing disappear, to request the deletion or destruction of personal data and the notification of the transaction made within this scope to third parties to whom personal data is transferred,
– To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
– To demand compensation for damage suffered due to the unlawful processing of personal data.
Cases where the Personal Data Owner cannot exercise his/her rights
Pursuant to Article 28 of the LPPD, personal data owners cannot assert their rights listed in 6.1. in these matters, since the following cases are excluded from the scope of the Law:
– Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that personal data is not disclosed to third parties and obligations regarding data security are complied with,
– Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
– Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,
– Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
– Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
Pursuant to paragraph 2 of Article 28 of the KVKK, in the following cases, the data owner cannot use his/her rights specified in Article 6.1 of this Policy, except for the right to demand compensation for the damage:
– Processing of personal data is necessary for the prevention of crime or criminal investigation.
– Processing of personal data made public by the person concerned.
– Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
– Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.
Exercise of Rights by the Data Subject
The relevant person may exercise his/her rights set forth in Article 6.1 of this Policy by filling out the application form, an example of which is provided in Annex 2 of the Policy and at https://www.drlidaciteli.com/, and submitting it with a wet signature, or via registered electronic mail address, secure electronic signature, mobile signature, or the e-mail address previously notified to DR. NÜKET EROĞLU and registered in its systems. The method of application is explained in detail in the “Application Form within the Scope of the Law on the Protection of Personal Data”, the address of which is provided above.
In the event that the Data Subject wishes to exercise this right through his/her attorney, the documents certifying his/her identity issued or approved by the competent authorities and the documents supporting the request, if any, shall be attached to the application form.
DR. NÜKET EROĞLU’s Response to Applications
DR. NÜKET EROĞLU will finalize the requests addressed to it free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. In the event that a cost arises due to the fulfillment of the requests, the fees in the tariff determined by the Board may be requested.
DR. NÜKET EROĞLU may accept the request or reject it by explaining the reason, and notifies the personal data owner in writing or electronically. If the request in the application is accepted, DR. NÜKET EROĞLU fulfills the requirements of the request.
Right of the Data Subject to Complain to the Board
In cases where the application is rejected, the response is deemed inadequate, or the application is not responded to in due time, the person concerned has the right to file a complaint to the Board within thirty days from the date of receipt of DR. NÜKET EROĞLU’s response and in any case within sixty days from the date of application.
CHAPTER 7 – GOVERNANCE STRUCTURE FOR PERSONAL DATA PROCESSING, STORAGE, AND DESTRUCTION
Unit Responsible for Processing, Storage and Destruction of Personal Data
DR. NÜKET EROĞLU has established the “Personal Data Protection Committee”, which is authorized to take decisions and present them to the senior management in order to ensure, maintain, manage, and improve compliance with the legislation on the protection of personal data. The Committee provides the necessary coordination within DR. NÜKET EROĞLU and consists of officials from different departments.
The duties of this committee are stated below:
– To coordinate and manage, on the basis of business units, all activities of DR. NÜKET EROĞLU related to the processing, storage, protection and destruction of personal data,
– To prepare basic policies regarding the processing, storage, protection, and destruction of personal data and submit them to senior management for approval.
– Ensuring the implementation of policies on the processing, storage, protection and destruction of personal data, managing the process of compliance with the legislation and the practice policy; and reporting to the senior management
– To coordinate communication with the relevant data owners within the scope of the activities carried out by DR. NÜKET EROĞLU in the capacity of data controller, and to provide the necessary organization for this purpose
– To make the necessary activities and arrangements within the practice regarding the Board’s requests, complaints, and notifications, and to organize the processes
– To make the necessary activities and arrangements within the practice regarding the requests, complaints, and notifications from the relevant persons, to organize the processes
– To update the personal data processing inventory, to monitor and report data processing activities and record them in the inventory, and to make the necessary updates in VERBIS (Data Controllers Registry Information System) in case of changes
– Organizing trainings for employee awareness, ensuring the continuity of trainings, and measuring their efficiency
– To raise awareness and provide information regarding the processing, storage, protection and destruction of personal data, both within DR. NÜKET EROĞLU and among the institutions with which DR. NÜKET EROĞLU cooperates
– To decide how the audit of personal data processing activities will be carried out and to ensure the necessary coordination within this scope
– To determine or ensure the determination of technical and administrative measures taken by third parties processing personal data regarding data security, to conduct or have audits carried out
– To ensure that necessary measures are taken by identifying the risks that may arise in personal data processing activities; to submit action plans and improvement proposals to the senior management for approval and to coordinate their execution
– To organize audits within the practice within the scope of KVKK compliance, to make the necessary arrangements if an outsourced audit is to be received, and to ensure that the measures to be taken for the risks identified are determined and evaluated
– Participating in evaluations and presenting reports by working together with consultant companies regarding the Protection of Personal Data
– To follow the Board’s announcements and legislative developments, to ensure that they are put into practice in the relevant places and to make the necessary notifications
– Manage processes for data privacy breach cases, determine the responsible person or team and their duties, and manage reporting and corrective actions.
CHAPTER 8 – UPDATES, HARMONIZATION AND AMENDMENTS
Update and Adaptation
DR. NÜKET EROĞLU reserves the right to make amendments to this Policy and other policies related to this Policy due to amendments to the Law, in accordance with Board decisions, or in line with developments in the sector or in the field of informatics.
Changes made to this Policy are immediately incorporated into the text, and explanations regarding the changes are provided at the end of the Policy.
Amendments
A personal data processing, protection, and destruction policy has been published.
ANNEX.1: PERSONAL DATA STORAGE AND DESTRUCTION PERIODS TABLE
PROCESS – STORAGE PERIOD – DESTRUCTION PERIOD [1]
Responding to court or executive information requests regarding employees, customers and third parties – 10 years following the termination of the employment relationship – Within 180 days
Employee Financing Processes – 10 years following the termination of the employment relationship – Within 180 days
Contracts signed with customers, contractors, suppliers and third parties – 10 years following the expiration of the contract – Within 180 days
Recruitment and payroll – 10 years following the termination of the employment relationship – Within 180 days
Occupational health and safety practices – 10 years following the termination of the employment relationship – Within 180 days
Payment processing – 10 years following the termination of the employment relationship – Within 180 days
Execution of contract processes – 10 years following the termination of the employment relationship – Within 180 days
Creation and preservation of employee personnel file – 10 years following the termination of the employment relationship – Within 180 days
Software system accounts created for employees, establishment of transaction security information – 1 year following the termination of the employment contract – Within 180 days
Management of customers’ claims, assessment of damage and loss – 10 years following the occurrence of the damage – Within 180 days
[1] Refers to the period within which personal data stored by DR. NÜKET EROĞLU is destroyed after the expiration of the retention period.