Destruction Policy

ETHICS HEALTH SERVICES AND TRADE INTERLIVA TYPE CENTER PERSONAL DATA RETENTION AND DESTRUCTION POLICY

TABLE OF CONTENTS

  1. PURPOSE AND SCOPE OF THE POLICY
  2. DEFINITIONS
  3. RECORDING MEDIA
  4. EXPLANATIONS ON PROCESSING, STORAGE, ADMINISTRATIVE AND TECHNICAL MEASURES AND CIRCUMSTANCES REQUIRING DESTRUCTION
    1. Explanations on Safekeeping
      1. Legal Grounds for Retention
      2. Processing Tools that Require Retention
    2. Reasons for Destruction
  5. PERSONAL DATA DESTRUCTION TECHNIQUES
    1. Deletion of Personal Data
    2. Destruction of Personal Data
    3. Anonymization of Personal Data
      1. Anonymization Techniques
  6. STORAGE AND DESTRUCTION PERIODS
  7. PERIODIC DESTRUCTION PERIOD
  8. FINAL PROVISIONS

1. PURPOSE AND SCOPE OF THE POLICY

This Personal Data Retention and Destruction Policy (hereinafter referred to as the “Policy”), the personal data that ETİK SAĞLIK HİZMETLERİ VE TİC. A.Ş. (hereinafter referred to as “INTERLIVA”), as the data controller, keeps in accordance with the Personal Data Protection Law No. 6698 (hereinafter referred to as “KVKK” or “Law”) and other legislation containing special provisions. ) and other legislation containing special provisions, and the Regulation on the Deletion, Destruction or Anonymization of Personal Data (hereinafter referred to as the “Regulation”) and the relevant legislation in order to determine the procedures and principles regarding the processes of storing, deleting, destroying and anonymizing personal data and to fulfill the obligations under the Law and the relevant legislation. In this context, personal data and special categories of personal data may be processed with the explicit consent of the data subject in accordance with the procedures and principles set out in the Law and other relevant legal regulations. Exceptions in legal regulations are reserved. In addition, although the services provided by INTERLIVA are provided by applying the rules of Turkish Law within the scope of the Republic of Turkey, the provisions of the European Union General Data Protection Regulation (“GDPR”) are taken into consideration for Service Receivers and related persons who are European Union citizens or within the scope of European Union legislation.

In the event of a contradiction in the implementation of this Policy, the provisions of the Law and the Regulation and the decisions of the Personal Data Protection Authority and the Personal Data Protection Authority will be applied respectively.

Revisions that may occur in this Policy or legislation will be added to the policy by specifying the date and subject, and will be accepted as an integral part of the policy after the necessary announcements are made.

The works and transactions regarding the storage and destruction of personal data are carried out in accordance with this Policy prepared by INTERLIVA in this direction. This Policy shall apply to all recording media in which personal data are processed within INTERLIVA and in all activities for processing personal data.

2. DEFINITIONS

i
Explicit Consent It is the consent regarding a specific subject, based on information and expressed with free will.
Anonymization It is the rendering of personal data that cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Employees Employees are employees of INTERLIVA.
Electronic Environment The environments where personal data can be created, read, changed and stored with electronic devices.
Non-Electronic MediaAll written, printed, visual, etc. other media other than electronic media.
Data Subject The real person whose personal data is processed.
Relevant User Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Destruction The deletion, destruction or anonymization of personal data.
Law Law No. 6698 on the Protection of Personal Data
Recording Medium Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system.
Personal Data Any information relating to an identified or identifiable natural person.
Processing of Personal Data It is any operation performed on personal data such as obtaining, recording, storing, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system.
The Authoritys the Personal Data Protection Authority established under the Law No. 6698 on the Protection of Personal Data.
Board The Personal Data Protection Board established under the Law No. 6698 on the Protection of Personal Data.
Sensitive Personal Data Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data
Periodic Destruction It is the process of deletion, destruction or anonymization to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in case all the conditions for processing personal data specified in the Law disappear.
Policy is the Personal Data Storage and Destruction Policy.
Data Processor Natural or legal persons who process personal data on behalf of the data controller based on the authorization granted by the data controller.
Data Controller Natural or legal persons who determine the purposes and means of processing personal data and are responsible for the establishment and management of the data recording system.
Regulation Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

3. RECORDING MEDIA

Personal data is securely stored in accordance with the law in the media listed in the table below.

Electronic Media Non-Electronic Media
  • Servers (Server - backup, e-mail, website etc.)
  • Software (Office software, adobe, MEDISIS, e-invoice program, etc.)
  • Information security devices (Firewall, intrusion detection and prevention, antivirus, etc.)
  • Mobile devices (phone, tablet, etc.)
  • Optical disks (CD, DVD etc.)
  • Personal computers (desktop, laptop)
  • Removable memory (Memory card )
  • Printer, scanner, copier
  • Paper
  • Manual data recording systems (medical patient file, personal file, protocol book, medical inquiry form application forms, etc.)
  • Written, printed and visual media

4. EXPLANATIONS ON PROCESSING, STORAGE, ADMINISTRATIVE AND LEGAL MEASURES AND CIRCUMSTANCES REQUIRING DESTRUCTION

In Article 4 of the Law, it is stated that personal data should be linked, limited and measured for the purpose for which they are processed and should be kept for the period stipulated in the relevant legislation or for the purpose for which they are processed, and the conditions for processing personal data are listed in Articles 5 and 6.

Personal data are processed securely in physical or electronic media within the framework of the limits specified in the Law and the relevant legislation within the scope of our service purposes offered by INTERLIVA, within the scope of the activities we offer, including the use of the www.interliva.com site, in order to maintain the activities in general, to provide health services, medical consultancy, to fulfill legal obligations, to plan employee rights, to provide courses and training services and to operate processes with business partners.

Our purposes for processing personal data are detailed in the DISCLOSURE TEXT ON THE PROTECTION AND PROCESSING OF PERSONAL DATA of ETİK SAĞLIK HİZMETLERİ VE TİC. A.Ş (INTERLIVA).

4.1. Explanations on Storage

Personal data processed within the framework of our activities are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.

The explanation and information regarding the technical and administrative measures we take as INTERLIVA in order to store personal data securely and to prevent unlawful processing and access is detailed in the DISCLOSURE TEXT ON THE PROTECTION AND PROCESSING OF PERSONAL DATA OF ETHICS HEALTH SERVICES AND TRADE. A.Ş (INTERLIVA).

4.1.1. Legal Reasons Requiring Retention

Personal data processed within the framework of our activities are retained for the period stipulated in the relevant legislation. In this context, personal data;

  • Law No. 6698 on the Protection of Personal Data
  • Law No. 1219 on the Practice of Medicine and Medical Sciences
  • Turkish Code of Obligations No. 6098
  • Labor Law No. 4857
  • Law No. 359 on the Basic Law on Health Services,
  • Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Organizations
  • Regulation on Private Health Institutions Providing Outpatient Diagnosis and Treatment Services
  • Regulation on Personal Health Data
  • Other relevant regulations and other secondary regulations in force pursuant to these laws

It is kept until the end of the retention periods stipulated in the Framework.

4.1.2. Processing Purposes Requiring Retention

Both personal data of special nature and personal data of general nature that you share;

  • Basic Law No. 3359 on Healthcare Services, Law No. 1219 on the Practice and Execution of Medicine and Medical Arts, Decree Law No. 663 on Certain Regulations in the Field of Health, Regulation on Private Healthcare Organizations Providing Outpatient Diagnosis and Treatment Services, Law on the Protection of Personal Data, Regulation on Personal Health Data and other relevant regulations to fulfill our legal obligations,
  • Protection of public health, preventive medicine, medical diagnosis, treatment and care services for the provision of health services, hair transplantation and aesthetic services, Maintaining information about your health data that must be kept within the scope of the relevant legislation,
  • Maintaining information about your health data that must be kept within the scope of the relevant legislation,
  • Responding to written requests of official authorities such as Law Enforcement Forces, Courts, Enforcement Directorates, SSI, İŞKUR, embassies, sharing information requested with the Ministry of Health and other public institutions and organizations in accordance with the relevant legislation,
  • Providing information to prosecutors’ offices, courts and relevant public officials upon request and in accordance with the legislation in matters related to public security and legal disputes, fulfilling legal processes, and using it as evidence in order to fulfill the burden of proof in future legal disputes,
  • Preparation of power of attorney for the employees appointed as proxy by the senior management for the execution of various works on behalf of our Medical Center and having them notarized,
  • Planning and managing financing for the delivery of health services, billing,
  • Execution of finance and accounting transactions,
  • Execution of Company / Product / Service Loyalty Processes
  • Execution of Logistics Activities
  • Implementation of Social Responsibility and Civil Society Activities
  • Execution of Strategic Planning Activities
  • Ensuring the Security of Movable Property and Resources
  • Execution of Supply Chain Management Processes
  • Execution of Wage Policy
  • Execution of Marketing Processes of Products / Services
  • Ensuring the Security of Data Controller Operations
  • Execution of Investment Processes
  • Execution of Talent / Career Development Activities
  • Taking all necessary technical and administrative measures within the scope of data security of the Medical Center,
  • Planning and management of the internal functioning of the Medical Center, development of services, analysis, risk management and evaluation of quality processes,
  • Monitoring and preventing fraud and unauthorized transactions,
  • If you make an appointment, you can be notified about the appointment,
  • Verification of your identity,
  • Fulfillment of legal and contractual obligations, execution of works and transactions as a result of signed contracts and protocols,
  • Confirming your relationship with the institutions contracted with our Medical Center, sharing the information requested by the insurance companies you are insured with or the contracted institutions you are a member of within the scope of financing the health service provided,
  • Responding to all your questions and complaints about our health services,
  • Measuring patient satisfaction and improving patient satisfaction, training and developing our employees,
  • Supply of medicines or medical devices, implant materials and fulfillment of laboratory processes,
  • Fulfillment of risk management and quality improvement activities,
  • Participation in campaigns and providing campaign information by the Marketing, Media and Communication departments, designing and communicating special content, tangible and intangible benefits on web and mobile channels for marketing, promotion and other purposes,
  • In order to ensure the execution of our Medical Center’s human resources policies; the data of our employees, the Labor Law and labor and social security legislation, occupational health and safety and other legislation in force, as well as the execution of the obligations and activities in accordance with the legislation, as well as increasing the level of performance and employee satisfaction and ensuring work peace, the creation of the personnel file,
  • Realizing private pension deductions at legal rates and notifying the contracted banks on behalf of the employee,
  • Providing the necessary trainings to ensure the professional and personal development of employees, orientation of employees,
  • Execution of application processes for prospective employees,
  • Ensuring the security of the Medical Center, ensuring physical space security,
  • Execution of information security processes,
  • Ensuring transaction security,
  • To be able to carry out processes in case you visit our medical center in terms of guest data and use the website and social media accounts for any reason,

It may be committed for the purposes for which it was intended.

4.2. Reasons Requiring Destruction

Personal data;

  • Amendment and repeal of the relevant legislation provisions that constitute the basis for the processing, storage and destruction of personal data,
  • The purpose requiring the processing or storage of personal data disappears,
  • In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject’s withdrawal of consent,
  • The request of the data subject for the deletion or destruction of personal data within the framework of legal rights is examined and deemed appropriate by the data controller,
  • In cases where the data controller rejects the application made by the data subject with the request for the deletion, destruction or anonymization of his/her personal data, his/her response is found insufficient or he/she does not respond within the period stipulated in the Law; filing a complaint to the Board and this request is approved by the Board,
  • Although the maximum period required for the retention of personal data has expired, there are no circumstances that would require the retention of personal data for a longer period of time,

Although the maximum period for retention of personal data has expired, there are no circumstances that would require the retention of personal data for a longer period, In such cases, it shall be deleted, destroyed or anonymized by INTERLIVA ex officio or upon the request of the person concerned.

5. PERSONAL DATA DESTRUCTION TECHNIQUES

INTERLIVA retains personal data only for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In this context, first of all, it is determined whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it is acted in accordance with this period, and if a period is not determined, it is kept for the period required for the purpose for which personal data are processed. In the event that the period expires or the reasons requiring processing disappear, INTERLIVA deletes, destroys and anonymizes personal data ex officio or upon the application of the relevant person in accordance with this Policy.

All transactions regarding the deletion, destruction and anonymization of personal data are recorded and such records are kept for at least 3 (three) years, excluding other legal obligations.

5.1. Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way. Deleted data cannot be accessed and used by the relevant users, except for the data controller. The relevant person is all employees other than those responsible for storing, storing and backing up the data. Deletion is the process of making the relevant user unable to perform any of the personal data processing activities such as accessing the personal data in any way, performing any operation on it, correcting, changing, deleting, transferring, seeing, reading, sharing. In short, deletion is not a direct deletion, but the storage, storage, backup and archiving of the processed personal data for protection purposes.

INTERLIVA takes technical and administrative measures to prevent this business unit (the relevant user) from processing the relevant personal data after the purpose and storage period required for the processing of personal data of the relevant business unit within its organization has expired. The relevant personal data cannot be deleted, destroyed or anonymized until the processing purposes and retention periods required for the same personal data of other business units within the INTERLIVA organization have expired.

If the existence of personal data is related to possible claims that may arise in accordance with contractual, commercial, legal, administrative transactions, the data is retained during the statute of limitations for such processing. In the event of a contradiction between the request and our policy in this regard, a written application is made to the Authority in order to resolve the contradiction and action is taken in accordance with the policy decision.

By using an access authorization and control matrix or a similar system, the relevant users are identified for each personal data and the users’ authorizations and methods such as access, retrieval, reuse are determined. Subsequently, the process of closing and eliminating the access, retrieval and reuse authorizations and methods of the relevant users within the scope of personal data is carried out.

If the deletion of personal data will result in the inability to access and use other data that do not need to be deleted within the system;

  1. Archiving personal data by anonymizing them or
  2. Being closed to the access of any other institution, organization or person and taking all necessary technical and administrative measures to ensure that personal data is accessed only by authorized persons,

provided that the personal data shall be deemed deleted.

Personal data shall be deleted by the methods specified in the table below.

Data Recording Environment Description
Personal Data on Servers For the personal data on the servers, the system administrator removes the access authorization of the relevant users and deletes the personal data on the servers after the period required to be retained has expired.
Personal Data in Electronic MediaThose of the personal data in electronic media whose retention period has expired are rendered inaccessible and non-reusable in any way for employees other than the database administrator. It is deleted by using the deletion commands (such as del, remove-item, rm) provided by the operating system or by using software that implements these commands. It is sufficient to delete the relevant user.
Personal Data Stored in Physical Media and Personal Data Stored in Paper Media Personal data stored in physical media are made inaccessible and non-reusable in any way for employees other than the unit manager responsible for the document archive for those who have expired. It should be stored in archive / storage / storage areas or in the relevant sections of these areas that the relevant user cannot access and cannot enter and examine. The relevant users must not enter these storage areas and must not perform any action on the personal data contained therein. Or it should be stored in locked areas in certain parts of the storage / storage / archive areas that are not accessible to anyone other than the archive officers and the deletion process should be carried out.
Personal Data on Portable Media The personal data kept in Flash-based storage media and those whose period of storage has expired are encrypted by the system administrator and access authorization is given only to the system administrator and stored in secure environments with encryption keys.
Personal data stored in the cloud environmentPersonal data stored in the cloud operating system can be deleted by using the deletion commands provided by the cloud operating system (such as del, remove - item, rm), similar to the deletion of personal data in electronic environments, or by using software that applies these commands. Deletion can also be performed by removing the users' access to the said environment by changing the encryption key used to access the cloud environment.

The right to be forgotten, which is linked to the right to erasure within the scope of GDPR provisions for Service Recipients and relevant persons in the GDPR application area, will be evaluated by taking into account the principle of proportionality, the purpose and necessity of collecting and processing the relevant personal data, whether there is a legitimate justification, whether there is unlawful data processing, and whether it is linked to data related to sensitive groups such as children.

In addition, the right to restrict data processing in terms of Service Receivers and relevant persons in the GDPR application area is also available and if possible in terms of KVKK, restriction of data can be requested in the following cases.

These cases are as follows;

  • During the period of examination of the relevant objection in cases where it objects to the accuracy of personal data,
  • Where the processing is unlawful, where the individual requests restriction of the data and not its erasure,
  • In cases where the relevant personal data is no longer needed for the purpose of processing, but the data subject needs this data for a legal claim,

When the data subject has an objection, the legitimate grounds of the data controller and the legitimate grounds of the data subject are evaluated until this evaluation process,

The right to data portability under the provisions of the GDPR for Service Recipients and data subjects in the GDPR application area will be evaluated according to the concrete request, taking into account the principle of proportionality. The right to data portability shall not be applicable in cases where INTERLIVA, as the data controller, has a legitimate interest or in cases of fulfillment of a legal obligation.

The explanations regarding the right of data subjects to be forgotten, the right to data restriction, the right to data portability under the GDPR also apply to the sections on destruction and anonymization of data.

5.2. Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

Data Recording Medium Description
Personal Data in Physical Media Personal Data in Physical Media Personal data in paper media that expire after the expiry of the period required to be retained are irreversibly destroyed in paper shredding machines. If the papers are scanned and transferred to electronic media, the destruction process is carried out by selecting the appropriate method from magnetization, physical destruction or overwriting methods according to the conditions of the electronic media they are in.
In addition, blackout process is also applied by scratching / painting / erasing in such a way that it cannot be read. The blackout process is performed by cutting out the personal data on the relevant document, where possible, and making it invisible to the relevant users by using fixed ink in a way that cannot be reversed and cannot be read by technological solutions.
Personal Data on Optical/Magnetic Media Physical destruction of personal data on optical media and magnetic media, such as melting, incineration or pulverization, is applied to those whose retention period has expired. In addition, the magnetic media is passed through a special device and the data on it is rendered unreadable by exposing it to a high magnetic field.

5.3. Anonymization of Personal Data

Anonymization of personal data is the process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data. In order for personal data to be anonymized by INTERLIVA, personal data must be rendered unassociable with an identified or identifiable natural person by the data controller, recipient or groups of recipients, even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as retrieval and matching of data with other data.

In which cases personal data will be anonymized and which method will be chosen for the anonymization process is determined by the data controller according to the characteristics of the transaction and the necessary technical measures are taken accordingly.

When choosing the anonymization method; the nature of the data, the size of the data, the structure of the data in physical environments, the diversity of the data, the benefit to be obtained from the data / purpose of processing, the frequency of processing the data, the reliability of the party to which the data will be transferred, the meaningfulness of the effort to be spent to anonymize the data, The magnitude of the damage that may arise in case the anonymity of the data is disrupted, the impact area, the data’s dispersal / centrality ratio, the users’ access authorization control to the relevant data, the possibility that the effort to be spent to design and implement an attack that will disrupt anonymity is meaningful are taken into account.

5.3.1. Anonymization Techniques

a. Masking

It is the process of making the person unidentifiable by deleting or starring some areas of personal data. For example, part of the Turkish ID number is starred (19*********).

b. Aggregation / Cumulative Data Creation

It refers to the cumulativeization of data and the subsequent reflection of their total values. For example; X number of female patients admitted and 30% of them are university graduates and 70% are postgraduates.

c. Data Derivation

It is obtaining more general data by changing the existing detailed data. For example; writing the date of birth as an age range (20-25 years old) instead of day/month/year details.

d. Data Mixing

It refers to the mixing of values within the dataset and subsequently destroying the ability to identify people without damaging the total benefit. For example; In a community where the age average is to be taken, the values showing the ages of the people are replaced with each other, such as data mixing and eliminating the ability to reach that person.

6. RETENTION AND DESTRUCTION PERIODS

The obligations imposed by legal regulations are taken into consideration when determining the retention period of personal data. Apart from legal regulations, the retention period is determined by taking into account the purposes of processing personal data. In the event that the purpose of data processing disappears, the data is deleted, destroyed or anonymized unless there is another legal reason or basis that allows the data to be kept.

If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and INTERLIVA have come to an end; personal data may be stored only for the purpose of constituting evidence in possible legal disputes or for the assertion or defense of the relevant right related to personal data. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the right in question and the examples of precedent requests on the same issues despite the expiration of the statute of limitations. These periods are shown in the table below. After these periods expire, personal data are deleted, destroyed or anonymized.

Regarding the retention of personal data, if the period stipulated in the legislation expires or if no period is stipulated in the relevant legislation regarding the retention of the data in question, the data is deleted, destroyed or anonymized by the data controller in 6-month periods.

Unless otherwise decided by the Authority, the appropriate method of deleting, destroying or anonymizing personal data is selected by INTERLIVA.

When the relevant person requests the deletion or destruction of his/her personal data by applying to INTERLIVA, the relevant request is evaluated according to whether the conditions for processing personal data have disappeared. If the conditions for processing personal data have completely disappeared, INTERLIVA deletes, destroys or anonymizes the personal data subject to the request. If the conditions for processing personal data have not been completely eliminated, the relevant request is rejected by explaining the reason. In any case, requests are finalized within 30 days and notified to the relevant person.

DATA TYPE DETAILS STORAGE PERIOD DESTRUCTION PERIOD
Data Related to the Patient (name, surname, TR No, date and place of birth, medical information/medical history-examination-medication used, sexual life data/partner information related to health data, genetic data, e-mail, address, telephone, passport number, marital status, private health insurance data, photocopy of identity card, data taken from medical center cameras, medical images/images of the face, hair, skin, data related to the structure of the head, religious belief information, mother and father's name, place of registration, gender, blood group, intraoral measurements, contact information of the person to be informed in case of emergency. medical images/images of the face, data on hair, skin, head structure, religious belief information, mother and father's name, place of registration, gender, blood group, intraoral measurements, contact information of the person to be informed in case of emergency, before/after photos/images of the patient, past examination results and reports, application data regarding complaints/satisfaction, marketing data) Data processed within the scope of the documents required to be included in the medical patient file will be processed in their entirety within 20 years from the termination of the legal relationship with the patient.



If it is not deemed necessary by the relevant physician to keep the past test results and reports, 3 months if they are not received by the patient

Camera recordings, from the time of recording until the hard disk is full (on average 2 months)

Video recording and photographic data processed by obtaining explicit consent to be used in informative promotional
applications 20 years from the last use In the first periodic destruction period following the end of the storage period
Patient Payment Instruments Information (IBAN, credit card information) 10 years from the end of the legal relationship with the patient At the first periodic destruction period following the end of the retention period
Data on Patient Relatives (name, surname, telephone, IBAN, credit card information, proximity information with the patient, complaint/satisfaction application data, data taken from medical center cameras)Since it is a part of the patient file, 20 years from the termination of the legal relationship with the patient to whom the patient is a relative

IBAN, credit card information 10 years from the end of the legal relationship with the patient

Camera recordings, from the time of recording until the hard disk is full (on average 2 months)
At the first periodic destruction period following the end of the storage period
Data on the Patient Candidate (name, surname, telephone, e-mail, date of birth, complaints based on the application)Camera recordings, after the hard disk fills up after recording (average 2 months) will be deleted

if a physical examination is not performed.
At the first periodic destruction period following the end of the storage period
10 years from the termination of the employment relationship

Reference data 1 year from the start of employment

Contact details of those to be informed in emergencies are deleted after the end of the working period.

Camera recordings, from the time of recording until the hard disk is full (on average 2 months)

Company's system data, log records 20 years from the last use

Vehicle tracking location data is stored by Arvento for 2 years.
During the first periodic destruction period following the end of the storage period
Employee Candidate Data (name, surname, telephone, reference, CV information, entry and exit information, camera recordings) 1 year from the end of the last interview / communication

1 year from the collection of entry and exit information

During the first periodic destruction period following the end of the storage period Camera recordings, after the hard disk is full from the recording (average 2 months)
At the first periodic destruction period following the end of the storage period
Data on Consultant, Service Provider, Supplier, Collaboration Partners Official / Employee (name, surname, TR No, address, company e-mail address, work phone / personal cell phone, camera recording) 10 years from the termination of the contractual relationship

1 year from the collection of entry and exit information

amera recordings, after the hard disk is full from the recording (average 2 months)
During the first periodic destruction period following the end of the storage period
Data on the Data Subject (information in correspondence with judicial authorities) 20 years from the end of the legal relationship At the first periodic destruction period following the end of the retention period
Guest Data (camera recordings) Camera recordings, from the time of recording until the hard disk is full (average 2 months)

1 year from the collection of entry and exit information
At the first periodic destruction period following the end of the storage period
Website Visitor Data / Marketing Data (cookie records, IP address, log records) Cookie records 2 years, IP address and log records 10 years from the end of the website visit At the first periodic destruction period following the end of the storage period
Legal Process Data 20 years after the end of the last use At the first periodic destruction period following the end of the retention period
Legal Process Data 20 years after the end of the last use At the first periodic destruction period following the end of the retention period

7. PERIODIC DESTRUCTION PERIOD

INTERLIVA has set the destruction period as 6 months. Accordingly, periodic destruction is carried out regularly in June and December each year.

8. FINAL PROVISIONS

This Policy was approved on 01.09.2022. It will be valid and binding as of this date.

ETİK SAĞLIK HİZMETLERİ VE TİC. A.Ş (INTERLIVA) Clarification Text and KVKK Policy is an annex and integral part of this Policy.

The announcement and execution of this policy will be carried out by the data controller company official Mustafa Sabri Şencan.

DOCUMENT HISTORY
Version Publication Date Change Description
---
Prepared Reviewed Approved
---