Skip to main contentSkip to footer
info@nebiyetufekci.com
Kartal / Istanbul
Contact Us
0 (533) 203 20 20

Data Retention and Destruction Policy

E-mail:

info@nebiyetufekci.com

Phone:

0 (533) 203 20 20

  1. INTRODUCTION

1.1 Purpose

The Personal Data Retention and Destruction Policy (“Policy”) has been prepared to determine the procedures and principles regarding the retention and destruction activities carried out by “Op. Dr. Nebiye Tüfekçi Varer Medical Office” (“Institution”).

The Institution prioritizes processing personal data belonging to employees, employee candidates, patients, suppliers, service providers, visitors, and other third parties in accordance with the Constitution of the Republic of Türkiye, international conventions, the Personal Data Protection Law No. 6698 (“Law”), and other relevant legislation, and ensuring that the rights of the data subjects are effectively exercised. All processes and procedures related to the retention and destruction of personal data are carried out in accordance with this Policy prepared by the Institution.

1.2 Scope

Personal data belonging to the Institution’s employees, employee candidates, patients, suppliers, service providers, visitors, and other third parties are within the scope of this Policy. This Policy applies to all recording environments in which personal data owned or managed by the Institution are processed and to all activities related to personal data processing.

1.3 Abbreviations and Definitions

Recipient Group: The category of natural or legal persons to whom personal data are transferred by the data controller.
Explicit Consent: Consent that is related to a specific subject, based on information, and given freely.
Anonymization: Rendering personal data incapable of being associated with an identified or identifiable natural person in any manner, even by matching with other data.
Employee: Personnel of the “Op. Dr. Nebiye Tüfekçi Varer Medical Office”.
Patient: A person who receives health and medical treatment services from the Medical Office.
Electronic Environment: Environments where personal data can be created, read, modified, and written via electronic devices.
Non-Electronic Environment: All written, printed, visual, and similar environments other than electronic environments.
Service Provider: A natural or legal person providing services within a specific contractual framework.
Data Subject: The natural person whose personal data are processed.
Relevant User: Persons who process personal data within the data controller’s organization or in line with the authority and instructions received from the data controller, excluding those responsible for technical storage, protection, and backup of the data.
Destruction: Deletion, destruction, or anonymization of personal data.
Law: Personal Data Protection Law No. 6698.
Recording Environment: Any environment where personal data processed fully or partially automatically or as part of any data recording system are stored.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory: An inventory detailing personal data processing activities carried out by data controllers in connection with their business processes, including processing purposes, legal grounds, data categories, recipient groups, data subject groups, maximum retention periods, transfers abroad, and security measures.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of data, whether fully or partially automatic or as part of a data recording system.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association membership, health, sexual life, criminal convictions and security measures, biometric and genetic data.
Periodic Destruction: The deletion, destruction, or anonymization of personal data at recurring intervals specified in the retention and destruction policy when all legal grounds for processing personal data cease to exist.
Policy: Personal Data Retention and Destruction Policy.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Recording System: A recording system where personal data are structured and processed according to certain criteria.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Controllers Registry Information System (VERBIS): An online information system created and managed by the Authority for registry applications and related processes of data controllers.
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

  1. RESPONSIBILITIES AND DISTRIBUTION OF DUTIES

All units and employees of the Institution actively support the responsible units in implementing technical and administrative measures under the Policy, increasing awareness and training of unit employees, monitoring and continuous auditing, preventing unlawful processing and access to personal data, and ensuring lawful retention of personal data. The distribution of titles, units, and job descriptions of those involved in retention and destruction processes is provided below:

Data Manager: Responsible for ensuring employees act in compliance with the Policy.
Data Manager: Responsible for preparing, developing, executing, publishing, updating, and archiving the Policy and canceling it upon institutional decision.
Data Security Officer: Responsible for providing the technical solutions required for the implementation of the Policy.
Other Units: Responsible for executing the Policy in accordance with their duties and internal directives.

  1. RECORDING ENVIRONMENTS

Personal data are stored securely and lawfully by the Institution in the following environments:

Electronic Environments

  • Servers (domain, backup, email, database, web, file sharing, etc.)
  • Software (office software, portals, EBYS, VERBIS)
  • Information security devices (firewalls, intrusion detection and prevention systems, log records, antivirus, etc.)
  • Personal computers (desktop, laptop)
  • Mobile devices (phones, tablets, etc.)
  • Optical disks (CD, DVD, etc.)
  • Removable storage devices (USB, memory cards, etc.)
  • Printers, scanners, photocopiers

Non-Electronic Environments

  • Paper-based manual recording systems (survey forms, visitor logs)
  • Written, printed, and visual media
  1. EXPLANATIONS ON RETENTION AND DESTRUCTION

The Institution retains and destroys personal data belonging to employees, employee candidates, patients, suppliers, visitors, and service providers in accordance with the Law. Detailed explanations regarding retention and destruction are provided below.

4.1 Explanations on Retention

According to Articles 3, 4, 5, and 6 of the Law, personal data must be processed for specific, explicit, and legitimate purposes and retained for the period stipulated by the relevant legislation or required for the purpose of processing. Within the scope of its activities, the Institution retains personal data for the duration specified in the relevant legislation or necessary for processing purposes.

4.1.1 Legal Grounds Requiring Retention

Personal data processed within the Institution’s activities are retained in accordance with the following legislation, among others:

  • Personal Data Protection Law No. 6698
  • Turkish Code of Obligations No. 6098
  • Turkish Commercial Code No. 4721
  • Labor Law No. 4857
  • Social Insurance and General Health Insurance Law No. 5510
  • Occupational Health and Safety Law No. 6331
  • Patient Rights Regulation and related legislation
  • Private Health Insurance Regulation
  • Archive Services Regulation
  • Other applicable secondary regulations

4.1.2 Processing Purposes Requiring Retention

The Institution retains personal data for the following purposes:

  • Provision of healthcare services
  • Billing processes
  • Execution of human resources processes
  • Ensuring institutional communication
  • Institutional security and auditing
  • Data security
  • Physical security of the institution
  • Staff training
  • Fulfillment of contractual obligations and protocols
  • Legal compliance and fulfillment of legal obligations
  • Communication with real and legal persons in business relations
  • Informational purposes on social media
  • Sending SMS and electronic communications, responding to inquiries and complaints within healthcare services
  • Receiving financial and legal consultancy services
  • Evidence in potential legal disputes

4.2 Reasons Requiring Destruction

Personal data shall be deleted, destroyed, or anonymized by the Institution upon request of the data subject or ex officio in the following cases:

  • Amendment or repeal of relevant legislation forming the legal basis of processing
  • Elimination of the purpose requiring processing or retention
  • Withdrawal of explicit consent where processing is based solely on consent
  • Acceptance of the data subject’s request for deletion or destruction
  • Approval of the complaint by the Personal Data Protection Authority
  • Expiry of the maximum retention period and absence of any legitimate reason for further retention
  1. TECHNICAL AND ADMINISTRATIVE MEASURES

The Institution adopts technical and administrative measures in accordance with Article 12 of the Law to ensure secure storage of personal data, prevent unlawful processing and access, and ensure lawful destruction.

5.1 Technical Measures

  • Conducting penetration tests to identify risks and vulnerabilities
  • Real-time monitoring of information security incidents
  • Ensuring physical security of IT systems, software, and data
  • Use of firewalls, antivirus software, logging systems, and network access control
  • Restricting access to personal data storage areas and recording access logs
  • Strong password usage in electronic environments
  • Data backup systems
  • Encryption in data transfer when necessary
  • VPN or secure transfer methods between servers
  • Measures to ensure deleted data are inaccessible and unrecoverable

5.2 Administrative Measures

  • Internal training on personal data protection
  • Confidentiality agreements with employees and suppliers
  • Disciplinary actions for non-compliance with security policies
  • Preparation of KVKK policies, internal directives, and application forms
  • Fulfillment of the obligation to inform data subjects
  • Preparation of consent and disclosure forms
  • Periodic and random internal audits
  • Information security trainings for employees
  • Protection of physical environments containing personal data against external risks (fire, flood, etc.)
  • Data minimization practices
  1. PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the retention period stipulated by legislation or required for the purpose of processing, personal data are destroyed ex officio or upon request in accordance with the legislation through the following methods:

6.1 Deletion of Personal Data

Personal data are deleted by removing access authorizations and making them inaccessible and unusable for relevant users.

6.2 Destruction of Personal Data

  • Physical documents are destroyed irreversibly
  • Optical and magnetic media are melted, burned, pulverized, or demagnetized

6.3 Anonymization of Personal Data

Personal data are rendered incapable of being associated with an identified or identifiable natural person, even when matched with other data.

  1. RETENTION AND DESTRUCTION PERIODS

Retention periods for personal data processed within the Institution’s activities are specified in:

  • Personal Data Processing Inventory (data-based)
  • VERBIS records (category-based)
  • This Policy (process-based)

For example:

  • Patient diagnosis and treatment records: 20 years
  • Contracts and communication activities: 10 years
  • Accounting processes: 10 years
  • HR processes: 5–10 years depending on the document
  • Log records: 2 years
  • Camera recordings: 1 month
  • Cookies: 13 months
  1. PERIODIC DESTRUCTION PERIOD

In accordance with the Regulation, the Institution has determined the periodic destruction period as 6 months. Accordingly, periodic destruction is carried out every year in June and December.

  1. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Special categories of personal data are processed with extra care due to their sensitive nature. Such data are processed in compliance with the Law and with adequate measures determined by the Board, under the following conditions:

  • Presence of explicit consent of the data subject, or
  • Where explicitly stipulated by law, or
  • For the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, and planning and management of healthcare services by authorized persons under confidentiality obligations.
  1. TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA

Special categories of personal data obtained lawfully are not transferred to third parties in line with data processing purposes.

  1. PUBLICATION AND STORAGE OF THE POLICY

The Policy is published in both signed hard copy and electronic formats and disclosed on the website. The hard copy is stored by the Data Manager.

  1. POLICY UPDATE PERIOD

The Policy is reviewed as needed and updated when necessary.

  1. ENFORCEMENT AND ABOLITION OF THE POLICY

The Policy is deemed to have entered into force on the specified date. In case of abolition, signed hard copies of previous versions are canceled, signed, and retained by the Data Manager for at least 5 years.