SOLARIS IMAGING CENTER TRADE A.Sh.
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1.entry
1.1 Purpose
Personal Data Storage and Destruction Policy (“Policy”), Established in Turkey, Headquarters; Ataköy 8-8-9-10 Section Mah. Çobançeşme E5 Side Road No:16/1 A Inner Door No: 20 Located at Ataköy-Bakırköy-Istanbul, 0773073379200001 mersis no, Bakırköy Tax Office, taxpayer Solaris Imaging Center Trade A no: 7730733792 .Sh. it has been prepared in order to determine the procedures and principles regarding the works and transactions related to the storage and disposal activities carried out by the COMPANY (referred to as the “COMPANY”).
THE COMPANY; With its sensitive approach to the protection of personal data, T of the personal data belonging to COMPANY employees, employee candidates, suppliers, visitors and other third parties.C. The Constitution, international conventions, the Law on the Protection of Personal Data numbered 6698 (the “Law”) and other relevant legislation in accordance with the processing and ensuring the effective use of the rights of the persons concerned has determined as a priority.
The works and operations related to the storage, deletion, destruction, anonymization and destruction of personal data are carried out in accordance with the Policy prepared by the COMPANY in this direction.
1.2 Scope
Personal data belonging to COMPANY employees, employee candidates, service providers, suppliers, patients, visitors and other third parties are covered by this Policy and this Policy is applied to all recording environments and personal data processing activities owned or managed by the COMPANY in which personal data are processed.
1.3 Abbreviations and Definitions
Recipient Group : The category of natural or legal person to whom personal data is transferred by the data controller.
Explicit Consent : Consent related to a specific topic, based on information and explained by free will.
Anonymization : Making personal data that cannot be associated with an identified or identifiable real person under any circumstances, even by matching it with other data.
Employee : Company personnel.
Electronic Environment: Environments where personal data can be created, read, modified and written with electronic devices.
Non-Electronic Media : All written, printed, visual, etc. that are outside the electronic media. other environments.
Service Provider : A natural or legal person who provides services within the framework of a specific contract with the COMPANY.
Contact Person : The real person whose personal data is processed.
Related User: Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of data.
Destruction : Deletion, destruction or anonymization of personal data.
Law : Law No. 6698 on the Protection of Personal Data.
Recording Environment: Any environment in which personal data is processed by non-automatic means, provided that it is fully or partially automatic or part of any data recording system.
Personal Data : Any kind of information related to an identified or identifiable real person.
Personal Data Processing Inventory: An inventory in which data controllers detail the personal data processing activities they perform depending on their business processes, the purposes of processing personal data and the legal reason, the data category, the recipient group transferred and the contact group of the data subject, explaining the maximum retention period required for the purposes for which personal data are processed, the personal data envisaged for transfer to foreign countries and the measures taken for data security.
Processing of Personal Data: All kinds of operations performed on data such as obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, inheriting, making available, classifying or preventing the use of personal data by means that are fully or partially automatic or non-automatic provided that they are part of any data recording system.
Board : Personal Data Protection Board
Special Categories of Personal Data: Race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs of persons, clothing and clothing, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures related data, as well as biometric and genetic data.
Periodic Destruction: The process of erasure, destruction or anonymization of personal data to be performed on your own at December intervals specified in the retention and destruction policy in case all of the conditions for processing personal data contained in the law disappear.
Policy : Personal Data Storage and Destruction Policy
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Recording System: A recording system in which personal data is processed by being structured according to certain criteria.
Data Controller: The natural or legal person responsible for the establishment and management of the data recording system, who determines the purposes and means of processing personal data.
Data Controllers Registry Information System: An information system that data controllers will use to apply to the Registry and other related transactions related to the Registry, accessible via the Internet, created and managed by the Presidency.
VERBIS : Data Controllers Registry Information System
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.
2.DISTRIBUTION OF RESPONSIBILITIES AND DUTIES
All units and employees of the COMPANY actively support the responsible units in the proper implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy, increasing the training and awareness of the unit employees, monitoring and continuous supervision, and taking technical and administrative measures to ensure data security in all environments where personal data are processed in order to prevent illegal processing of personal data, prevent illegal access to personal data, and ensure the legal storage of personal data.
Table 1: Storage and disposal processes task distribution
TITLE
unit
task
general manager
General Directorate
It is responsible for the employees to act in accordance with the personal data protection legislation and the policy, to prepare, execute, publish and update the Policy in the relevant environments.
Department Chiefs
Departments Within the Company
In the department where he is located, he is responsible for ensuring the compliance of the processes within his scope of duty with the storage period and managing the personal data destruction process in accordance with the periodic destruction period.
3.RECORDING MEDIA
Personal data is stored securely by the COMPANY in accordance with the law in the environments listed in Table 2.
Table 2: Personal data storage environments Electronic Environments Electronic
Electronic Media
Non-Electronic Environments
Servers (Domain, backup, e-mail, database, web, file sharing, etc.)
Software (office software, operating system software, CMS, etc.)
Information security devices (firewall, intrusion detection and prevention, log file, antivirus, firewall, etc. )
Mobile devices (phone, tablet, etc.)
Optical discs (CD, DVD, etc.)
Removable memory (USB, Memory Card, etc.)
Printer, scanner, copier
Camera recordings
Web Page and portal
Paper
Manual data recording systems (incoming -outgoing document book, etc.)
Written, printed, visual media
4. EXPLANATIONS RELATED TO STORAGE AND DISPOSAL
Personal data belonging to employees of employees, employee candidates, visitors, suppliers, patients and employees of third parties, institutions or organizations with which the COMPANY has relations as a service provider are stored and destroyed by the COMPANY in accordance with the Law. In this context, detailed explanations related to storage and disposal are given below, respectively.
4.1 Explanations Related to Storage
The concept of processing of personal data is defined in Article 3 of the Law, it is stated in article 4 that the personal data processed must be related, limited and measured for the purposes for which they are processed and must be stored for the period required for the purpose stipulated in the relevant legislation or processed, and the conditions for processing personal data are listed in articles 5 and 6.
Accordingly, within the framework of the COMPANY’s activities, personal data is stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.
The COMPANY stores the personal data it processes within the framework of its activities for the purposes specified in the PERSONAL DATA PROTECTION AND PROCESSING POLICY.
4.1.1 Legal Reasons Requiring Retention
The personal data processed in the COMPANY within the framework of its activities are kept for the period stipulated in the relevant legislation. In this context, personal data;
Personal Data Protection Law No. 6698,
Turkish Code of Obligations No. 6098,
Turkish Commercial Code No. 6102,
Social Insurance and General Health Insurance Law No. 5510,
Occupational Health and Safety Law No. 6331,
Labor Law No. 4857,
Tax Procedure Law No. 3475,
Retiree Health Law No. 5434,
Law No. 5188 on Private Security Services,
Social Services Law No. 2828,
Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
Basic Law of Health Services No. 3359,
Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Organizations,
Regulation on the Processing of Personal Health Data and Protection of Privacy,
Regulations and Ministry of Health regulations on Personal Health Data, etc. provisions of the legislation