Letoon Private Hospital

Personal Data Retention, Destruction, and Anonymization Policy

1. PURPOSE

As FETMED ÖZEL SAĞLIK HİZMETLERİ TİCARET A.Ş. (hereinafter referred to as "Private Letoon Hospital"), from the effective date of the Personal Data Protection Law No. 6698 ("KVKK" or the "Law"), we attach great importance to the protection of personal data belonging to all real persons with whom we come into contact during our commercial activities, and to the full fulfillment of the requirements stipulated under the KVKK in this context.

This Personal Data Retention, Destruction, and Anonymization Policy ("Policy") has been prepared to inform you about the processes and principles regarding the collection, use, sharing, retention, and subsequent deletion, destruction, or anonymization of personal data by Private Letoon Hospital.

In this Policy, the principles regarding the processing of personal data belonging to data subjects by Private Letoon Hospital are presented in accordance with the regulatory order set forth in the KVKK. These explanations cover the employees of Private Letoon Hospital, our active and potential customers, our visitors, and other real persons in a relationship with Private Letoon Hospital.

Pursuant to the Regulation, Private Letoon Hospital, as a Data Controller subject to the obligation to register with the Data Controllers Registry (VERBİS), is obliged to prepare a Policy and act in accordance with it to store the personal data under its custody in line with the personal data processing inventory, and to delete, destroy, or anonymize it when necessary.

The following principles shall apply to the retention and destruction of personal data:

  • a) The general principles set forth in Article 4 of the Law shall be complied with.
  • b) Private Letoon Hospital acknowledges that merely drafting this Policy does not inherently mean personal data has been deleted, destroyed, or anonymized in accordance with the Regulation, the Law, and relevant legislation.
  • c) Private Letoon Hospital accepts, declares, and undertakes that while retaining, deleting, destroying, or anonymizing personal data, it will act in compliance with the security measures specified in Article 12 of the Law, the provisions of relevant legislation, the decisions to be taken by the Personal Data Protection Board, and this Policy.
  • d) Private Letoon Hospital undertakes that during the deletion, destruction, or anonymization of personal data within its structure — whether processed fully or partially by automatic means, or by non-automatic means provided that it forms part of a filing system — it will ensure compliance with this Policy and the tools, programs, and processes to be implemented under it.

2. SCOPE

This Policy applies to all operations and processes carried out within Private Letoon Hospital.

3. DEFINITIONS

  • THE LAW: The Personal Data Protection Law No. 6698 (KVKK).
  • THE REGULATION: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data.
  • THE BOARD: The Personal Data Protection Board (KVKK Board).
  • RECORDING MEDIUM: Any environment containing personal data that is processed by fully or partially automated means, or by non-automated means provided that it is part of any data filing system.
  • PERSONAL DATA: Any information relating to an identified or identifiable real person. In this context, a person's name, surname, image, physical characteristics, etc., constitute personal data. Since some of these data contain more sensitive information by nature, they are defined as special categories of personal data (sensitive data). The Law subjects the protection of such data to stricter formal requirements. In this context, health data, educational details, genetic data, etc., are special categories of personal data.
  • DATA PROCESSING INVENTORY: The inventory created and detailed by data controllers by correlating their personal data processing activities, conducted based on their business processes, with the purposes of processing personal data, data categories, transferred recipient groups, and data subject groups.
  • DESTRUCTION: The deletion, destruction, or anonymization of personal data.
  • PERIODIC DESTRUCTION: The deletion, destruction, or anonymization process to be carried out ex officio at repeating intervals specified in the personal data retention and destruction policy, in the event that all the conditions for processing personal data stipulated in the Law cease to exist.
  • REGISTRY: The Registry of Data Controllers (VERBİS) maintained by the Presidency.
  • DATA FILING SYSTEM: Any structured filing system where personal data is processed according to specific criteria.
  • DATA CONTROLLER: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
  • RECIPIENT GROUP: The category of real or legal persons to whom personal data is transferred by the data controller.
  • RELEVANT USER: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of data.

Definitions contained within the general Personal Data Protection Policy shall also apply to this Policy.

4. REFERENCES

  • Personal Data Protection Law No. 6698
  • Regulation on the Deletion, Destruction, or Anonymization of Personal Data
  • Regulation on the Data Controllers Registry and other relevant regulations

5. PROCEDURES AND PRINCIPLES REGARDING THE PROTECTION OF PERSONAL DATA

5.1. GENERAL PRINCIPLES REGARDING PROCESSING

Private Letoon Hospital processes personal data in accordance with the procedures and principles stipulated in the KVKK and other relevant laws. In this framework, Private Letoon Hospital fully complies with the following principles set forth in the KVKK during personal data processing operations:

Compliance with the Law and Rules of Good Faith: In accordance with this principle, data processing procedures are carried out within the boundaries required by the relevant legislation, particularly the Constitution and the KVKK, and the rules of good faith.

Being Accurate and, Where Necessary, Up-to-Date: Necessary measures are taken to ensure that the personal data processed by Private Letoon Hospital is accurate and up-to-date, and data subjects are provided with opportunities to update their information to ensure that the processed data reflects the actual situation.

Processing for Specific, Explicit, and Legitimate Purposes: Private Letoon Hospital processes personal data only for explicitly specified, clear, and legitimate purposes, and does not engage in data processing activities outside these purposes. In this context, personal data is processed only in connection with and to the extent necessary for the business relationship established with the data subjects.

Being Relevant, Limited, and Proportionate to the Purposes for Which They Are Processed: Data is processed by Private Letoon Hospital in a manner suitable for achieving the purposes determined by data categories, relevantly and proportionately, in accordance with the KVKK and other relevant legislation; processing of unneeded personal data is strictly avoided.

Retention for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for Which They Are Processed: Personal data processed by Private Letoon Hospital is retained only for the period stipulated in the relevant legislation or required for the purpose of processing. In this scope, Private Letoon Hospital complies with the period if a duration is specified in the legislation; if no such period exists, data is retained only as long as necessary for the purpose of processing. Private Letoon Hospital does not retain data based on the mere possibility of future use.

5.2. CONDITIONS FOR PROCESSING PERSONAL DATA

The conditions for processing personal data are regulated by the KVKK, and personal data is processed by Private Letoon Hospital in accordance with these conditions. Except for the exemptions listed in the Law, Private Letoon Hospital processes personal data only by obtaining the explicit consent of the data subjects. In the presence of the following conditions specified in the Law, personal data may be processed even without the explicit consent of the data subject:

  • It is clearly provided for in the laws.
  • It is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his/her consent or whose consent is not deemed legally valid.
  • Processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of said contract.
  • It is mandatory for the data controller to perform its legal obligation.
  • The personal data has been made public by the data subject himself/herself.
  • Data processing is mandatory for the establishment, exercise, or protection of a right.
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.

Private Letoon Hospital demonstrates extreme sensitivity in processing special categories of personal data, which are believed to be of more critical importance for data subjects across various aspects. In this context, such data is not processed without the explicit consent of the data subjects, provided that adequate measures determined by the Board are taken. However, special categories of personal data other than health data may be processed without the explicit consent of the data subject in cases provided for by law. On the other hand, health data can be processed without explicit consent under the condition that adequate measures are taken, only for the following reasons:

  • Protection of public health,
  • Operation of preventive medicine,
  • Medical diagnosis,
  • Execution of treatment and care services,
  • Planning and management of health services and their financing.

5.3. PURPOSES OF PROCESSING PERSONAL DATA

Your personal data obtained by Private Letoon Hospital may be processed within the scope of the purposes explained below:

  • Human resources operations,
  • Creation of personnel files, payroll management,
  • Employee contract process management,
  • Execution of insurance renewal processes,
  • Provision of healthcare services to employees,
  • Execution of power of attorney and signature circular procurement processes,
  • Conducting compliance assessments within the scope of subcontracting,
  • Emergency preparedness and execution of operations,
  • Execution of occupational health and safety processes,
  • Accident and legislation management within the scope of occupational health and safety,
  • Structuring service procurement contract processes,
  • Planning, auditing, and execution of information security processes,
  • Planning and execution of corporate communication activities,
  • Execution and follow-up of paperwork,
  • Continuity of budgeting processes,
  • Provision and management of personnel training,
  • Planning and execution of in-company training and orientation programs,
  • In-company operations,
  • Activities with legal, technical, and administrative consequences,
  • Strategy, planning, and partner/supplier management,
  • Planning and execution of corporate communication activities and events,
  • Planning and execution of internal training programs.

The categories listed above are for informational purposes, and other categories may be added by us to carry out the future commercial and operational activities of Private Letoon Hospital. In such cases, Private Letoon Hospital will continue to update the specified categories in the relevant texts to inform you in the fastest manner possible.

5.4. RETENTION OF PERSONAL DATA

Your personal data is securely retained in physical or electronic environments for the durations stipulated in the relevant legislation.

5.5. TRANSFER OF PERSONAL DATA TO DOMESTIC THIRD PARTIES

Private Letoon Hospital carefully complies with the conditions regulated in the KVKK regarding the sharing of personal data with third parties, without prejudice to the provisions contained in other laws. In this framework, personal data is not transferred to third parties by Private Letoon Hospital without the explicit consent of the data subject. However, in the presence of one of the following conditions regulated by the KVKK, personal data may be transferred by Private Letoon Hospital without obtaining the explicit consent of the data subject:

  • It is clearly provided for in the laws.
  • It is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his/her consent or whose consent is not deemed legally valid.
  • Processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of said contract.
  • It is mandatory for the data controller to perform its legal obligation.
  • The personal data has been made public by the data subject himself/herself.
  • Data processing is mandatory for the establishment, exercise, or protection of a right.
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.

Provided that adequate measures are taken, your special categories of personal data related to health may be transferred without explicit consent for purposes such as:

  • Protection of public health,
  • Operation of preventive medicine,
  • Medical diagnosis,
  • Execution of treatment and care services,
  • Planning and management of health services and their financing.

The conditions specified under the processing terms are also complied with during the transfer of special categories of personal data.

5.6. TRANSFER OF PERSONAL DATA ABROAD

Regarding the transfer of personal data abroad, the explicit consent of the data subject is sought in line with Article 9 of the KVKK. However, in the presence of conditions that permit the processing of personal data (including special categories of personal data) without the explicit consent of the data subject, personal data may be transferred abroad by Private Letoon Hospital without seeking explicit consent, provided that adequate protection is available in the foreign country to which the data will be transferred. If the country of transfer is not designated among those with adequate protection by the Board, Private Letoon Hospital and the data controller/data processor in the respective country shall guarantee adequate protection in writing.

5.7. YOUR RIGHTS PURSUANT TO ARTICLE 11 OF THE PERSONAL DATA PROTECTION LAW NO. 6698

By applying to our Company, you have the right to:

  1. Learn whether your personal data is being processed,
  2. Request information if your personal data has been processed,
  3. Learn the purpose of processing your personal data and whether it is used in accordance with its purpose,
  4. Know the third parties to whom your personal data is transferred domestically or abroad,
  5. Request rectification of your personal data if it has been processed incompletely or inaccurately,
  6. Request deletion or destruction of your personal data within the framework of the conditions stipulated in Article 7 of the Law,
  7. Request notification of the operations performed pursuant to items 5 and 6 above to third parties to whom your personal data has been transferred,
  8. Object to the occurrence of a result against you exclusively through the analysis of processed data by automated systems,
  9. Request compensation for damages in the event that you suffer damage due to the unlawful processing of your personal data.

Data subjects may exercise their above-mentioned rights by submitting a petition in person or via mail/courier to the communication addresses of Private Letoon Hospital.

Private Letoon Hospital will deliver its response to the relevant applications physically or electronically to the data subject. Depending on the nature of the request, Private Letoon Hospital will finalize the request free of charge as soon as possible and within thirty (30) days at the latest. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board will be charged to the relevant parties by Private Letoon Hospital. Furthermore, during the finalization process of data subjects' requests, additional information and/or documentation may be requested from the applicants by Private Letoon Hospital.

5.8. MEASURES TAKEN FOR DATA SECURITY

Private Letoon Hospital takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data. The measures stipulated in Article 12(1) of the KVKK are as follows:

  • To prevent the unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • To ensure the retention of personal data.

5.9. PROCESSING OF VIDEO/IMAGE RECORDS

For the purpose of ensuring the general and commercial security of the Company's facilities and operations, video records of visitors, employees, and other relevant individuals are taken by Private Letoon Hospital in accordance with the basic principles stipulated in the KVKK and outlined in this Policy. These records are securely stored in physical or electronic media for durations appropriate to their processing purposes.

In locations where video recording takes place, a warning indicating that video recording is active is displayed visibly to inform data subjects. Within the scope of these activities, Private Letoon Hospital acts in compliance with all obligations stipulated in the relevant legislation, primarily the KVKK, regarding the protection of personal data. Monitoring is strictly not conducted in areas where privacy expectations are high.

6. DELETION, DESTRUCTION, OR ANONYMIZATION OF YOUR PERSONAL DATA

Your personal data processed for the purposes specified in this Personal Data Protection Policy shall be deleted, destroyed, or anonymized by us when the purpose requiring processing ceases to exist according to Article 7/1 of Law No. 6698, and when the periods determined by the laws expire.

6.1. DELETION OF PERSONAL DATA

The deletion of personal data processed by fully or partially automated means is the process of making the personal data inaccessible and un-reusable by the relevant users in any way. The data controller explains in its relevant policies and procedures how the conditions specified in the third paragraph are met for personal data to be considered deleted. The deletion of personal data processed by non-automated means provided that it forms part of any data filing system will be carried out by anonymizing unneeded personal data in paper form that has been transferred to electronic environments via scanning or without digitalization.

When Private Letoon Hospital deletes personal data, it shall render the data inaccessible or un-reusable in any way. Private Letoon Hospital guarantees that during this process, the data is inaccessible or un-reusable by any user. This guarantee is under the responsibility of the data controller.

If personal data that should not be deleted is also affected by the deletion carried out and becomes inaccessible and/or unusable, the simultaneous provision of the following methods, which can be implemented by the decision of the KVKK Working Group, will also be evaluated as deletion:

  • a) Archiving personal data in a way that cannot be associated with the data subject,
  • b) Closing personal data to any kind of access,
  • c) Taking all necessary technical and administrative measures to ensure that personal data can only be accessed by authorized persons in necessary cases.

The specified deletion-deeming methods depend on the Regulation, and it is the Data Controller's responsibility to update them in relevant situations.

6.2. DESTRUCTION OF PERSONAL DATA

The destruction process will be carried out in cases where Private Letoon Hospital processes data in physical recording media, and Private Letoon Hospital is obliged to make this data impossible to retrieve or restore.

During these operations, Private Letoon Hospital employees and relevant departments are obliged to report the data to be destroyed to the KVKK Working Group, after which Private Letoon Hospital will take all necessary technical and administrative measures.

6.3. ANONYMIZATION OF PERSONAL DATA

Anonymization is the process of rendering personal data impossible to associate with an identified or identifiable real person under any circumstances, even if it is matched with other data, in cases where Private Letoon Hospital processes personal data fully or automatically.

Anonymizing personal data is the duty of the data owner business unit within Private Letoon Hospital. The data owner business unit may receive support from different departments of Private Letoon Hospital, provided that the audit for the destruction of data is conducted by itself.

During the anonymization of data, Private Letoon Hospital may use methods such as one-way functions and encryption. In cases where the accuracy of the method to be implemented cannot be verified, the KVKK Working Group should be consulted.

7. METHODS AND PROCESS OF DESTRUCTION OF PERSONAL DATA

For the destruction of personal data, Private Letoon Hospital defines all methods that can be used during destruction in this Policy. The data owner business unit is obliged to determine and implement the appropriate method within this Policy according to the suitable scenario. During the destruction of personal data, Private Letoon Hospital employees select the appropriate method from below to perform the destruction:

7.1. Overwriting

The process of making old data unreadable by writing random data consisting of 0s and 1s at least 8 times using software on magnetic media and rewritable optical media.

7.2. Degaussing

The process of making the data on magnetic media unreadable by subjecting it to physical change in a high-value magnetic field.

7.3. Physical Destruction

The process of physically destroying optical media or magnetic media through melting, powdering, grinding, and similar operations. It can be applied in cases where degaussing or overwriting methods fail.

7.4. Cloud Destruction

The process of destroying all copies of encryption keys of personal data following the notification of destruction of personal data held on cloud systems to the contracted service provider.

7.5. Destruction of Personal Data Contained in Peripheral Systems

The destruction process that must be carried out by applying overwriting, degaussing, or physical destruction on the internal unit, if available, or on the entire device if not, for devices such as printers, fingerprint units, and door entry turnstiles containing personal data. It is mandatory to apply this type of destruction before the devices are subjected to backup, maintenance, and similar operations.

8. RETENTION AND DESTRUCTION PERIODS

8.1. Periodic Destruction and Statutory Retention Periods

Physical and digital data that have completed their statutory retention and destruction periods are destroyed periodically.

Private Letoon Hospital deletes, destroys, or anonymizes personal data in the first periodic destruction process following the date when the obligation to delete, destroy, or anonymize personal data arises.

8.2. Deletion and Destruction Process Upon Request of Data Subjects

In cases where data subjects apply to Private Letoon Hospital and request the deletion or destruction of their personal data, the hospital checks the current status of the personal data processing conditions and takes relevant actions accordingly. If all personal data processing conditions have ceased to exist, it deletes, destroys, or anonymizes the personal data subject to the request. Private Letoon Hospital finalizes the request of the data subject within thirty days at the latest and informs the person.

If all conditions for processing personal data have ceased to exist and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party of this situation and ensures that the necessary operations are carried out before the third party within the scope of the Regulation.

If all conditions for processing personal data have not ceased to exist, Private Letoon Hospital may reject the request by explaining the reasoning to the relevant data subject, and notifies the rejection response to the person in writing or electronically within thirty days at the latest.

9. AMENDMENTS TO THE POLICY

9.1. Following any official amendment to be made to the relevant legislation, amendments may be made to this Policy by Private Letoon Hospital to ensure compatibility with these changes.

9.2. Private Letoon Hospital will announce the changes made to the Policy verbally and will keep them open for review in booklets within the structure of the institution.

KU.YD.109 – Personal Data Retention, Destruction, and Anonymization Policy – Revision (00)
Last Updated: April 17, 2024