DENTEKİZ CLINIC HEALTH
PERSONAL DATA STORAGE AND DISPOSAL POLICY
I. INTRODUCTION
1.1. Purpose of the Policy
The purpose of this Policy is to determine the principles by which Dentekiz Clinic, as data
controller, processes the personal data it obtains in accordance with Article 20 of the Constitution,
titled “Privacy of Private Life”, the Law on the Protection of Personal Data No. 6698 (“Law”) and the
applicable regulations and communiqués; protects the fundamental rights and freedoms, especially
the privacy of private life, of data owners (employees, employee candidates, patients, patient
relatives, suppliers, interns, visitors and other relevant third parties); and protects, stores and,
when necessary, destroys the personal data obtained.
1.2. Scope of the Policy
Any informaon relang to an idened or idenable natural person is obtained, recorded, stored,
stored, changed, reused as personal data by Dentekiz Clinic as a data controller fully or parally
automacally or by non-automac means provided that it is a part of any data recording system.
Considering that all kinds of transacons such as the arrangement, disclosure, transfer, takeover,
making available, classicaon or prevenon of use are considered as data processing acvies,
establishing the procedures and principles of the data processing acvity carried out by Dentekiz
Clinic determines the scope of this Policy.
1.3. Implementaon of the Policy and Related Legislaon
Your personal data and personal health data are for the purposes explained in this policy text and
Health Services Basic Law No. 3359, Decree Law No. 663 on the Organizaon and Dues of the
Ministry of Health and Aliates, Regulaon on Private Hospitals, Regulaon on the Processing of
Personal Health Data and Protecon of Privacy, related regulaons and It has been prepared in
accordance with the rules set forth in the regulaons, communiqués, decisions and guides published
by the Board, especially the Law No. 6698. and the rules will nd applicaon. All nocaons,
decisions and guidelines published by the Board are followed by Dentekiz Clinic, and the rules
spulated by the Policy are kept up to date.
1.4. Enforcement of the Policy
The policy was published on the website of Dentekiz Clinic https://www.dentekiz.com and entered
into force on the date of its publication.
II. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
2.1. Ensuring the Security of Personal Data
According to Arcle 12 of the Law No. 6698, the data controller;
● To prevent the unlawful processing of personal data,
● To prevent unlawful access to personal data,
● To ensure the protecon of personal data
It is obliged to take all necessary administrave and technical measures to ensure the appropriate
level of security for the purpose.
For the reasons explained, Dentekiz Clinic implements security measures to prevent unlawful
processing of personal data, transfer and disclosure to third pares, unauthorized access and security
deciencies arising from other means. Explanaons on the administrave and technical measures
taken VI. It is included in the ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL
DATA.
2.2. Protecon of Private Personal Data
Among the sensive personal data, the health data of the persons concerned, without seeking the
explicit consent of the relevant person, but for the purposes of protecng public health, prevenve
medicine, medical diagnosis, treatment and care services, planning health services and nancing and
management purposes, persons or authorized instuons and can be processed by organizaons. In
addion, regardless of the type, all sensive personal data can only be processed in accordance with
the law if adequate measures determined by KVKK are taken.
Your personal data that you share with us within the scope of our clinical activities; for the purposes
of protecting public health, preventive medicine, medical diagnosis, treatment and care services
provided by Dentekiz Clinic, with automatic or non-automatic methods, planning and management of
health services and financing; obtaining, recording, storing, changing through all channels including
social media applications such as internet site, survey, social responsibility and verbal, written, visual
or electronic media, via hotline/call center, internet site, verbal, written and similar channels,
collected and rearranged. Any operation performed on data within the scope of KVKK is considered as
"processing of personal data".
In addition, your personal data may be processed when you use our hotline or internet page for
information, appointment, complaint or other purposes for service provision, visit our clinic or
website and browse this site.
The data that is sensive due to its nature and may cause vicmizaon or discriminaon of the data
owner if it is in the hands of third pares is accepted as "Special "Qualied Personal Data" within the
scope of the Law. Sensive personal data includes data related to the person's race, ethnicity, polical
opinion, philosophical belief, religion, sect or other beliefs, clothing, associaon, foundaon or union
membership, health, sexual life, criminal convicon and security measures, and biometric data. and
genec data. Sensive personal data cannot be processed without the explicit consent of the data
subject. All necessary measures are taken by Dentekiz Clinic to protect sensive personal data, and it
is essenal that such data are not obtained and processed as much as possible.
III. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA
3.1. Processing of Personal Data in Compliance with the Principles Established in the Legislation
The principles to be applied in the processing of your personal data in accordance with Article 4 of
the Law are as follows:
● Compliance with the law and the rule of honesty,
● Being accurate and up-to-date when necessary,
● Processing for specific, explicit and legitimate purposes,
● Being connected, limited and restrained for the purpose for which they are processed,
● To be kept for as long as required by the relevant legislation or for the purpose for which they are
processed.
3.2. Personal Data Processing Condions
Personal data obtained by Dentekiz Clinic cannot be processed without the explicit consent of the
person concerned, with the excepon of the excepons spulated in the Law. Your personal data may
be processed without express consent in the following cases:
● It is clearly spulated in the laws,
● It is compulsory for the protecon of the life or physical integrity of the person or another person,
who is unable to express his consent due to actual impossibility or whose consent is not given legal
validity,
● It is necessary to process the personal data of the pares to the contract, provided that it is directly
related to the establishment or performance of a contract,
● It is mandatory for the data controller to fulll its legal obligaon,
● The person concerned has been made public by himself,
● Data processing is mandatory for the establishment, exercise or protecon of a right,
● It is necessary to process data for the legimate interests of the data controller, provided that it
does not harm the fundamental rights and freedoms of the data subject.
3.3. Excepons to Obligaon to Obtain Explicit Consent
a) It is clearly spulated in the laws
One of the data processing condions is that it is expressly spulated in the law. The provisions in the
laws regarding the processing of personal data may create a data processing condion. In such a case,
the explicit consent of the person concerned is not sought.
b) Actual impossibility
The personal data of the person concerned can be processed without his explicit consent in cases
where it is necessary for the protecon of the life or physical integrity of the person or another
person, who is unable to express his consent due to actual impossibility or whose consent is not
legally valid.
c) Being directly related to the establishment or performance of the contract
In the event that data processing is deemed necessary during the conclusion of a contract to which
the data owner is a party or during the performance of the contract, the processing of personal data
may come to the fore without obtaining explicit consent.
d) Dentekiz Clinic fullls its legal obligaons
As a data controller, Dentekiz Clinic can process personal data without obtaining explicit consent for
the purpose of fullling legal obligaons.
e) It has been made public by the person concerned
Personal data made public by the data subject, in other words, personal data disclosed to the public
in any way, can be processed without obtaining explicit consent. Even in this case, the publicized
personal data cannot be used for purposes other than its intended use.
f) Being compulsory for the establishment, use and protecon of a right
In cases where it is necessary for the establishment, exercise or protecon of a right, it is possible to
process the personal data of the person concerned without his explicit consent.
g) Obligatory for the legimate interests of the data controller, provided that it does not harm the
fundamental rights and freedoms of the data subject.
If the processing of personal data is obligatory for the data controller and the data processing will not
harm the fundamental rights and freedoms of the data subject, personal data may be processed
without obtaining explicit consent.
The legimate interest of the data controller is the interest and benet to be obtained as a result of
the processing to be carried out. Benet of the data controller; It must relate to a legimate,
suciently eecve, specic and already exisng interest to compete with the fundamental rights
and freedoms of the person concerned. It should be a process that is related to the current acvies
of the data controller and will benet him in the near future.
3.4. Processing of Private Personal Data
The processing of sensitive personal data is subject to Article 6 of the Law and it is prohibited to be
processed without the explicit consent of the person concerned.
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs,
disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal
convictions and security measures, and biometric and genetic data are personal data of special
nature. The data included in this scope is limited and cannot be expanded through interpretation.
Due to its nature, special quality personal data is data that, if learned, may cause discrimination and
victimization of the person concerned. Therefore, they need to be protected much more strictly than
other personal data.
a) Special categories of personal data other than health and sexual life
Special categories of personal data other than personal data related to health and sexual life can be
processed without seeking the explicit consent of the person concerned, in cases stipulated by the
laws.
b) Personal data of special nature regarding health and sexual life
Special categories of personal data regarding health and sexual life can only be processed by persons
or authorized institutions and organizations that are under the obligation of confidentiality for the
purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment
and care services, planning and managing health services and financing.
3.3. Excepons to Obligaon to Obtain Explicit Consent
a) It is clearly spulated in the laws
One of the data processing condions is that it is expressly spulated in the law. The provisions in the
laws regarding the processing of personal data may create a data processing condion. In such a case,
the explicit consent of the person concerned is not sought.
b) Actual impossibility
The personal data of the person concerned can be processed without his explicit consent in cases
where it is necessary for the protecon of the life or physical integrity of the person or another
person, who is unable to express his consent due to actual impossibility or whose consent is not
legally valid.
c) Being directly related to the establishment or performance of the contract
In the event that data processing is deemed necessary during the conclusion of a contract to which
the data owner is a party or during the performance of the contract, the processing of personal data
may come to the fore without obtaining explicit consent.
d) Dentekiz Clinic fullls its legal obligaons
As a data controller, Dentekiz Clinic can process personal data without obtaining explicit consent for
the purpose of fullling legal obligaons.
e) It has been made public by the person concerned
Personal data made public by the data subject, in other words, personal data disclosed to the public
in any way, can be processed without obtaining explicit consent. Even in this case, the publicized
personal data cannot be used for purposes other than its intended use.
f) Being compulsory for the establishment, use and protecon of a right
In cases where it is necessary for the establishment, exercise or protecon of a right, it is possible to
process the personal data of the person concerned without his explicit consent.
g) Obligatory for the legimate interests of the data controller, provided that it does not harm the
fundamental rights and freedoms of the data subject.
If the processing of personal data is obligatory for the data controller and the data processing will not
harm the fundamental rights and freedoms of the data subject, personal data may be processed
without obtaining explicit consent.
The legimate interest of the data controller is the interest and benet to be obtained as a result of
the processing to be carried out. Benet of the data controller; It must relate to a legimate,
suciently eecve, specic and already exisng interest to compete with the fundamental rights
and freedoms of the person concerned. It should be a process that is related to the current acvies
of the data controller and will benet him in the near future.
3.4. Processing of Private Personal Data
The processing of sensive personal data is subject to Arcle 6 of the Law and it is prohibited to be
processed without the explicit consent of the person concerned.
Data on race, ethnic origin, polical opinion, philosophical belief, religion, sect or other beliefs,
disguise and dress, membership in associaons, foundaons or unions, health, sexual life, criminal
convicons and security measures, and biometric and genec data are of special nature. is personal
data. The data included in this scope is limited and cannot be expanded through interpretaon.
Due to its nature, special quality personal data is data that, if learned, may cause discriminaon and
vicmizaon of the person concerned. Therefore, they need to be protected much more strictly than
other personal data.
a) Special categories of personal data other than health and sexual life
Special categories of personal data other than personal data related to health and sexual life can be
processed without seeking the explicit consent of the person concerned, in cases spulated by the
laws.
b) Personal data of special nature regarding health and sexual life
Special categories of personal data regarding health and sexual life can only be processed by persons
or authorized instuons and organizaons that are under the obligaon of condenality for the
purpose of protecng public health, conducng prevenve medicine, medical diagnosis, treatment
and care services, planning and managing health services and nancing.
4.2. Internaonal Transfer
Personal data cannot be transferred abroad without the explicit consent of the person concerned. In
so far, the existence of one of the condions specied in the second paragraph of Arcle 5 and the
third paragraph of Arcle 6 of the Law and in the foreign country to which the personal data will be
transferred;
● Availability of adequate protecon,
● In the absence of adequate protecon, data controllers in Turkey and in the relevant foreign
country undertake in wring to provide adequate protecon and the Board has permission,
may be transferred abroad without seeking the explicit consent of the person concerned, provided
that the
V. CATEGORIZATION OF PERSONAL DATA PROCESSED BY DENTEKİZ CLINIC AND PURPOSE OF
PROCESSING
The data categorization obtained by Dentekiz Clinic and the purposes pursued in the processing of
personal data are shown in the relevant sections of the clarification texts on our website for each
category of data subject.
VI. ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA
Administrave and technical measures are taken by Dentekiz Clinic to securely store personal data, to
prevent unlawful processing and access to personal data.
In order to ensure personal data security, it is determined what all personal data is processed by
Dentekiz Clinic and the probability of the risks that may arise regarding the protecon of this data;
While determining these risks, whether the personal data is sensive personal data (1), what degree
of condenality it requires due to its nature (2), and the nature and quanty of the damage that
may arise in the case of a security breach (3) are taken into account.
Aer dening and priorizing these risks; control and soluon alternaves to reduce or eliminate the
said risks; cost, applicability and usefulness should be evaluated in line with the principles, necessary
technical and administrave measures are planned and put into pracce.
6.1. Administrave Measures
Even if employees have limited informaon about aacks that will harm personal data security and
cyber security, it is of great importance to ensure personal data security. For this reason, awareness
and informaon acvies are carried out in our internal organizaon as a data controller.
Providing necessary training on issues such as not revealing and sharing personal data unlawfully,
conducng awareness acvies for employees and creang an environment where security risks can
be determined; It is ensured that everyone working with the data controller, regardless of their
posion, determines their roles and responsibilies regarding personal data security in their job
descripons and that employees are aware of their roles and responsibilies in this regard.
On the other hand, condenality agreements are signed as part of the recruitment processes of the
employees, and a disciplinary process is carried out if the employees do not comply with the security
policies and procedures.
In case of any change in the policies and procedures regarding personal data security, trainings are
provided to inform and explain the change to the employees, and the informaon about the threats
to data security and security is kept up-to-date.
Personal data should be accurate and up-to-date when necessary in accordance with Arcle 4(b) and
(d) of the Law, and should be kept for as long as required by the relevant legislaon or for the
purpose for which they are processed. In this context, the data processed are processed in
accordance with the principles and rules that must be observed in data processing acvies and are
kept for the period necessary for the purpose for which they are processed. It is shown in the
STORAGE AND DISPOSAL OF PERSONAL DATA.
The table below provides a summary of the administrative measures taken to ensure data security:
Administrative Measures
● Preparation of Personal Data Processing Inventory
● Corporate Policies (Access, Information Security, Use, Storage and Disposal etc.)
● Contracts (Between Data Controller-Data Controller, Data Controller-Data Processor)
● Privacy Commitments
● In-house Periodic and/or Random Audits
● Risk Analysis
● Employment Contract, Disciplinary Regulation (Adding Legal Provisions)
● Corporate Communication (Crisis Management, Informing the Board and Relevant Person, Reputation Management, etc.)
● Education and Awareness Activities (Information Security and Law)
● Notification to Data Controllers Registry Information System (VERBIS)
● Personal Data Security Policies and Procedures
● Rapid Reporting of Personal Data Security Issues
● Monitoring Personal Data Security
● Establishing Disciplinary Arrangements Containing Data Security Provisions for Employees
● Reducing Personal Data As Much As Possible
● Preparation and Implementation of Institutional Policies on Access, Information Security, Use, Storage and Disposal
● Removal of Authorities in this Area of Employees with a Change in Job or Leaving the Job
● Including Data Security Provisions in Signed Contracts
● Identification of Current Risks and Threats
● Conducting In-house Periodic and/or Random Inspections
● Protocols and Procedures for Special Quality Personal Data Security have been determined and their implementation
● Raising Awareness of Data Processing Service Providers on Data Security
6.2. Technical Measures
Firewalls and gateways are used among the measures taken to protect our information technology
systems containing personal data against unauthorized access and threats by third parties over the
internet. With the firewall used, violations of the information network are stopped, and with the
gateway, employees' access to websites or online platforms that pose a threat to personal data
security is restricted.
In addition, regular checks are made regarding the proper functioning of the software and hardware
and whether the security measures taken for the systems are sufficient. Access to systems containing
personal data is restricted, and within this scope, employees are granted access to the extent
necessary for their jobs and duties, and their authorities and responsibilities, and access to the
relevant systems is provided by using a user name and password. While creating the aforementioned
passwords, numbers or letter sequences associated with personal information that can be easily
guessed are avoided as much as possible.
Access authorization and control matrices are created within the data controller organization, and
products such as antivirus and antispam, which regularly scan the information system network and
detect dangers, are used to protect against malicious software.
In order to ensure data security, necessary measures are taken to ensure that documents in paper
media containing personal data and servers, backup devices, CD, DVD, USB and other similar storage
devices are only accessible to authorized personnel and to increase physical security in this regard.
The table below provides a summary of the administrative measures taken to ensure data security:
Technical Measures
● Authority Matrix
● Authority Control
● Access Logs
● User Account Management
● Network Security
● Application Security
● Encryption
● Intrusion Detection and Prevention Systems
● Data Loss Prevention Software
● Backup
● Firewalls
● Current Anti-Virus Systems
● Deletion, Destruction, or Anonymization
● Key Management
VII. BUILDING, FACILITY ENTRANCES AND PERSONAL DATA PROCESSING IN THE BUILDING AND
FACILITY
7.1. Camera Monitoring Activity at Building, Facility Entrances and Inside
Within the scope of the Law on Private Security Services, camera monitoring is carried out in order to
ensure security in the Dentekiz Clinic building, working areas, common areas, parking lot and its
surroundings, and to protect the interests of Dentekiz Clinic and other persons. The camera
monitoring activity is carried out in accordance with the Law and within the scope of
the data processing conditions listed both in the Law and in this Policy.
7.2. Monitoring of Guest Entrance and Exit Carried out at Building, Facility Entrances and Inside
Identity information of the guests visiting Dentekiz Clinic is subject to personal data processing in
order to control and monitor the entrances and exits to the Dentekiz Clinic building and to ensure
security. The personal data processed within the scope of this activity are only limited to the guests'
entry and exit, and the relevant personal data is recorded in the data recording system in electronic
or physical environment.
VIII. STORAGE AND DISPOSAL OF PERSONAL DATA
8.1. Retenon Periods of Personal Data
Your personal data kept at Dentekiz Clinic is kept for as long as data processing is necessary; In the
event that the obligaon to delete, destroy or anonymize personal data arises, it is deleted, destroyed
or anonymized within the rst periodic destrucon period following the date of occurrence of this
obligaon.
Dentekiz Clinic acts in accordance with the general principles set forth in arcle 4 of the Law and the
technical and administrave measures set forth in arcle 12 in the deleon, destrucon or
anonymizaon of your personal data.
All transacons regarding the deleon, destrucon or anonymizaon of personal data are recorded
by us and are kept during the processing of personal data for at least 30 years in accordance with the
legal obligaon.
Personal data specialist personnel assigned by Dentekiz Clinic regarding the storage and destrucon
of data is the person responsible for the execuon and supervision of the personal data storage and
destrucon policy.
8.2. Obligaon to Delete, Destroy and Anonymize Personal Data
Personal data processed by Dentekiz Clinic are processed in accordance with the provisions of the
"Regulaon on the Deleon, Destrucon or Anonymizaon of Personal Data" published in the Ocial
Gazee dated 28 October 2017 and numbered 30224 prepared by the Law on Arcle 7 and the
Personal Data Protecon Board. In the event of the disappearance of the reasons requiring it, it is
deleted, destroyed or anonymized ex ocio or upon the request of the relevant data owner.
a) Deleon of personal data
Deleon of personal data is the process of making personal data inaccessible and non-reusable for
relevant users.
All necessary technical and administrave measures are taken to ensure that the deleted personal
data cannot be accessed and reused for the relevant users.
b) Destrucon of personal data
Destrucon of personal data is the process of making personal data inaccessible, unrecoverable and
unusable by anyone in any way. The data controller is obliged to take all necessary technical and
administrave measures regarding the destrucon of personal data.
c) Anonymizaon of personal data
Anonymizaon of personal data means that personal data cannot be associated with an idened or
idenable natural person under any circumstances, even if it is matched with other data.
All kinds of technical and administrave measures are taken by Dentekiz Clinic to anonymize your
personal data, and they are anonymized by applying methods in accordance with our personal data
retenon and destrucon policy.
8.3. Deleon, Destrucon and Anonymizaon Techniques of Personal Data
The techniques for deleng, destroying or anonymizing the personal data processed by Dentekiz
Clinic are shown below, and which of the techniques will be applied may vary depending on the
nature of the personal data processed.
For this, rst of all, determining the personal data that is the subject of deleon, destrucon or
anonymizaon (1), idenfying the relevant users for each personal data using the access
authorizaon and control matrix or a similar system (2), accessing the relevant users, It is necessary
to determine the authorizaons and methods such as retrieval and reuse (3), and to close and
eliminate the access, retrieval, reuse authorizaon and methods of the relevant users within the
scope of personal data (4).
The way to delete personal data is as follows:
● Deleon command in cloud or applicaon type soluons,
● Blackening, cung or making invisible data on paper media,
● Deleon of data on removable media using appropriate soware.
The way to destroy personal data is as follows:
● Physical destrucon of opcal media and magnec media by melng, burning or pulverizing,
● Other destrucon on paper or electronic media.
IX. RIGHTS OF THE PERSONAL DATA OWNER AND THE USE OF THESE RIGHTS
9.1. Rights of Personal Data Owner
In accordance with the Law No. 6698, in the capacity of data owner, you have the following rights:
● Learning whether your personal data is processed,
● If your personal data has been processed, requesting information about it,
● Learning the purpose of processing your personal data and whether they are used in accordance
with the purpose,
● Knowing the third parties to whom personal data is transferred at home or abroad,
● Requesting correction of personal data in case of incomplete or incorrect processing,
● Requesting the deletion or destruction of your personal data within the framework of the
conditions stipulated in Article 7,
● Requesting notification of the third parties to whom personal data has been transferred, regarding
the correction, deletion or destruction of data in case of incomplete or incorrect processing,
● Objecting to the emergence of a result against you by analyzing your processed data exclusively
through automated systems,
● Demanding the compensation of the damage in case of any damage due to the
unlawful processing of your personal data.
9.2. Exercise of Personal Data Owner's Rights
Requests by the data subject regarding the implementation of the Law should be sent to Dentekiz
Clinic in writing, to the contact e-mail info@dentekiz.com or to the address Ataköy 7-8-9-10.
Kısım Mahallesi, Çobançeşme E-5 Yanyol Caddesi, No: 20/1, Block A, Floor: 13, Flat: 167, Ataköy
Towers, Bakırköy-İstanbul. For application requests, the "Data Owner Application Form" published by
Dentekiz Clinic on its website should be used.
9.3. Dentekiz Clinic Responding to Applications
Dentekiz Clinic finalizes the application request as soon as possible, according to its nature. This
period cannot exceed 30 days after the request is properly served to us. In so far, if the transaction
requires any cost, a fee may be charged according to the tariff determined by the Personal Data
Protection Board.
APPENDIX – 1: Denions
Explicit consent: Consent on a specic subject, based on informaon and expressed with free will,
Anonymizaon: Making personal data incapable of being associated with an idened or idenable
natural person in any way, even by matching with other data,
Recipient group: The natural or legal person category to which personal data is transferred by the
data controller,
Direct ideners: ideners that, by themselves, directly reveal, disclose and disnguish the person
with whom they are in a relaonship,
Indirect ideners: Ideners that come together with other ideners, revealing, disclosing and
making the person they are in a relaonship disnguishable,
Relevant person: The real person whose personal data is processed,
Relevant user: Real or legal persons who process personal data within the organization of the data
controller or in line with the authorization and instruction received from the data controller,
excluding the person or unit responsible for the technical storage, protection and backup of the data,
Destruction: Deletion, destruction or anonymization of personal data,
Law: Law on Protection of Personal Data No. 6698, dated 24/3/2016,
Blackening: Processes such as scratching, painting and icing all of the personal data in a way that
cannot be associated with an identified or identifiable natural person,
Recording medium: Any medium containing personal data that is fully or partially automated or
processed by non-automatic means, provided that it is a part of any data recording system,
Personal data: Any information relating to an identified or identifiable natural person,
Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging,
disclosing, transferring, taking over, making available personal data by fully or partially automatic or
non-automatic means provided that it is a part of any data recording system, all kinds of operations
carried out on the data, such as the classification or prevention of its use,
Board: Personal Data Protection Board,
Institution: Personal Data Protection Authority,
Data processor: The natural or legal person who processes personal data on behalf of the data
controller, based on the authority given by the data controller,
Data registraon system: The registraon system in which personal data is processed and structured
according to certain criteria,
Data controller: The natural or legal person who determines the purposes and means of processing
personal data and is responsible for the establishment and management of the data recording
system.
Identy Informaon: Your name, surname, T.C. your identy number, passport number or temporary
T.C. your idencaon number, place and date of birth, marital status, gender, insurance or paent
protocol number and other idencaon data by which we can idenfy you;
Contact Informaon: Your address, telephone number, e-mail address and other communicaon
data, your voice call records kept by customer representaves or paent services in accordance with
call center standards, and your personal data obtained when you contact us via e-mail, leer or other
means;
Accounng Informaon: Your nancial data such as your bank account number, IBAN number, credit
card informaon, billing informaon; your data on private health insurance and your Social Security
Instuon data for the purpose of nancing and planning health services; If you visit our clinic, your
footage of camera recordings kept for security and inspecon purposes,
Health Informaon: Your personal data regarding all kinds of health and sexual life obtained during or
as a result of medical diagnosis, treatment and care services, including but not limited to your
laboratory results, test results, examinaon data, appointment informaon, prescripon informaon.
your other personal data, including the CV provided in this regard, in case you apply, and all kinds of
personal data related to your service contract if you are a Dentekiz Clinic employee or a related
employee.
APPENDIX – 2: Personal Data Owners (Relevant Persons)
Data Subject Categories: Explanation
Worker: It refers to the people working in the clinic.
Employee Candidate: It refers to real persons who apply for a job by sending a CV to the Clinic or by other methods.
Intern: It refers to the people who use the profession they are trained in the clinic practically to increase their professional knowledge.
Patient: It refers to the real persons who benefit from the services offered by the Clinic.
The relatives of the patient: It refers to the companions or relatives of the patients who use the services offered by the Clinic.
Supplier: It refers to natural persons and legal entity employees from whom services are provided.
Visitor: It refers to the 3rd persons who visit the clinic.
Refers to the people who apply to the clinic, other than those who communicate.
APPENDIX – 3: Third Pares to whom Personal Data is Transferred
Transferred Person/Unit
Purpose of Transfer
Ministry of Health
Transfer of informaon that needs to be transferred in accordance
with public health and legislaon.
Social Security Instuon
Transferring informaon for the purpose of carrying out the
procedures of the Employees, Employee Candidates and Paents
within the scope of Social Security.
Authorized Public Instuons
and Organizaons
Limited sharing/transfer of informaon and documents requested
by the Clinic by relevant public instuons and organizaons.
suppliers
Transfer of personal data limited to the provision of services
received from suppliers.
Any personal data obtained by Dentekiz Clinic can be processed for the purposes listed: confirming
your identity, protection of public health, preventive medicine, medical diagnosis, execution of
treatment and care services, planning and management of health services and financing, planning
and management of the operation of our clinic and daily operations, supply of medicines, informing
you about the appointment if you make an appointment, risk management and quality improvement
activities, making evaluations for the development of health services, conducting research, fulfilling
legal and regulatory requirements, confirming your relationship with the institutions contracted with
the clinic, invoicing in return for our health services, information requested with private insurance
companies within the scope of financing health services, sharing the information requested with the
Ministry of Health and relevant public institutions and organizations in accordance with the relevant
legislation, answering all your questions and complaints about our health services, taking all
necessary technical and administrative measures within the scope of data security of our clinic's
systems and applications, improving the health services we provide and analyzing your use of health
services and storing your health data in order to improve your health, obtaining necessary
information in line with the requests and inspections of regulatory and supervisory institutions and
official authorities, training and development of our employees, monitoring, preventing and reversing
abuse and unauthorized transactions, preserving information about your health data, providing
financial agreement regarding the health services offered to you with our contracted institutions,
measuring patient satisfaction and carrying out, developing, planning and managing health services
and financing, increasing patient satisfaction, research and similar purposes.
ANNEX-5: Periods
Personal Data Category: Storage Time
Health Data (Biometric and genetic and examination data, laboratory, test, analysis and examination results, check-up and prescription information, patient records and health data including but not limited to, and patient close information when necessary): 30 Years from the end of the personal data processing activity
All Records Related to Accounting and Financial Transactions: 10 years
Cookies and Logs: 6 Months – Maximum 2 Years
Traffic Information on Online Visitors: 2 years
Personal Data Regarding Suppliers: 10 Years after the legal relationship ends
Personal Data Protection Board Transactions: 10 years
Contracts: 10 Years From The Termination Of The Agreement
Human Resources Processes: 10 Years From End of Activity
Visitor Registration: 2 Years From Event Ending
Data on Personal Files Stored under the Labor Law: 10 Years from the end of the Business Relationship
Data on Personal Files Stored under the Labor Law: 15 Years from the end of the Business Relationship
Data Collected under OHS Legislation (Health reports, OHS Trainings, Occupational Health and Safety records, etc.): 10 Years from the end of the Business Relationship
Data kept within the scope of SGK Legislation (Recruitment declarations, bonus/service documents, etc.): 1 year
Job Application If Application Is Not Accepted, Data Regarding Candidate Applications (CV, Curriculum Vitae, Cover Letter, Application Form etc.): 10 Years After Contract Termination
Personal Data Regarding Tax Records: 5 Years
Personal Data Processed for Security Purposes in Accordance with CCTV Cameras (Camera Records): 90 days
Traffic Information Processed during Use of the Office Internet Network, Internet Login and Remote Connection (IP address, start and end time of the service provided, type of service used, amount of data transferred and subscriber identity information, if any, etc.): 2 Years
Personal Data of a Dead Person: At least 20 Years