Destruction Policy

2. DEFINITIONS

3. RECORDING MEDIA

Personal data is securely stored in accordance with the law in the media listed in the table below.

4. EXPLANATIONS ON PROCESSING, STORAGE, ADMINISTRATIVE AND LEGAL MEASURES AND CIRCUMSTANCES REQUIRING DESTRUCTION

In Article 4 of the Law, it is stated that personal data should be linked, limited and measured for the purpose for which they are processed and should be kept for the period stipulated in the relevant legislation or for the purpose for which they are processed, and the conditions for processing personal data are listed in Articles 5 and 6.

Personal data are processed securely in physical or electronic media within the framework of the limits specified in the Law and the relevant legislation within the scope of our service purposes offered by INTERLIVA, within the scope of the activities we offer, including the use of the www.interliva.com site, in order to maintain the activities in general, to provide health services, medical consultancy, to fulfill legal obligations, to plan employee rights, to provide courses and training services and to operate processes with business partners.

Our purposes for processing personal data are detailed in the DISCLOSURE TEXT ON THE PROTECTION AND PROCESSING OF PERSONAL DATA of ETİK SAĞLIK HİZMETLERİ VE TİC. A.Ş (INTERLIVA).

4.1. Explanations on Storage

Personal data processed within the framework of our activities are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.

The explanation and information regarding the technical and administrative measures we take as INTERLIVA in order to store personal data securely and to prevent unlawful processing and access is detailed in the DISCLOSURE TEXT ON THE PROTECTION AND PROCESSING OF PERSONAL DATA OF ETHICS HEALTH SERVICES AND TRADE. A.Ş (INTERLIVA).

4.1.1. Legal Reasons Requiring Retention

Personal data processed within the framework of our activities are retained for the period stipulated in the relevant legislation. In this context, personal data;

• Law No. 6698 on the Protection of Personal Data
• Law No. 1219 on the Practice of Medicine and Medical Sciences
• Turkish Code of Obligations No. 6098
• Labor Law No. 4857
• Law No. 359 on the Basic Law on Health Services,
• Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Organizations
• Regulation on Private Health Institutions Providing Outpatient Diagnosis and Treatment Services
• Regulation on Personal Health Data
• Other relevant regulations and other secondary regulations in force pursuant to these laws

It is kept until the end of the retention periods stipulated in the Framework.

4.1.2. Processing Purposes Requiring Retention

Both personal data of special nature and personal data of general nature that you share;

• Basic Law No. 3359 on Healthcare Services, Law No. 1219 on the Practice and Execution of Medicine and Medical Arts, Decree Law No. 663 on Certain Regulations in the Field of Health, Regulation on Private Healthcare Organizations Providing Outpatient Diagnosis and Treatment Services, Law on the Protection of Personal Data, Regulation on Personal Health Data and other relevant regulations to fulfill our legal obligations,
• Protection of public health, preventive medicine, medical diagnosis, treatment and care services for the provision of health services, hair transplantation and aesthetic services, Maintaining information about your health data that must be kept within the scope of the relevant legislation,
• Maintaining information about your health data that must be kept within the scope of the relevant legislation,
• Responding to written requests of official authorities such as Law Enforcement Forces, Courts, Enforcement Directorates, SSI, İŞKUR, embassies, sharing information requested with the Ministry of Health and other public institutions and organizations in accordance with the relevant legislation,
• Providing information to prosecutors’ offices, courts and relevant public officials upon request and in accordance with the legislation in matters related to public security and legal disputes, fulfilling legal processes, and using it as evidence in order to fulfill the burden of proof in future legal disputes,
• Preparation of power of attorney for the employees appointed as proxy by the senior management for the execution of various works on behalf of our Medical Center and having them notarized,
• Planning and managing financing for the delivery of health services, billing,
• Execution of finance and accounting transactions,
• Execution of Company / Product / Service Loyalty Processes
• Execution of Logistics Activities
• Implementation of Social Responsibility and Civil Society Activities
• Execution of Strategic Planning Activities
• Ensuring the Security of Movable Property and Resources
• Execution of Supply Chain Management Processes
• Execution of Wage Policy
• Execution of Marketing Processes of Products / Services
• Ensuring the Security of Data Controller Operations
• Execution of Investment Processes
• Execution of Talent / Career Development Activities
• Taking all necessary technical and administrative measures within the scope of data security of the Medical Center,
• Planning and management of the internal functioning of the Medical Center, development of services, analysis, risk management and evaluation of quality processes,
• Monitoring and preventing fraud and unauthorized transactions,
• If you make an appointment, you can be notified about the appointment,
• Verification of your identity,
• Fulfillment of legal and contractual obligations, execution of works and transactions as a result of signed contracts and protocols,
• Confirming your relationship with the institutions contracted with our Medical Center, sharing the information requested by the insurance companies you are insured with or the contracted institutions you are a member of within the scope of financing the health service provided,
• Responding to all your questions and complaints about our health services,
• Measuring patient satisfaction and improving patient satisfaction, training and developing our employees,
• Supply of medicines or medical devices, implant materials and fulfillment of laboratory processes,
• Fulfillment of risk management and quality improvement activities,
• Participation in campaigns and providing campaign information by the Marketing, Media and Communication departments, designing and communicating special content, tangible and intangible benefits on web and mobile channels for marketing, promotion and other purposes,
• In order to ensure the execution of our Medical Center’s human resources policies; the data of our employees, the Labor Law and labor and social security legislation, occupational health and safety and other legislation in force, as well as the execution of the obligations and activities in accordance with the legislation, as well as increasing the level of performance and employee satisfaction and ensuring work peace, the creation of the personnel file,
• Realizing private pension deductions at legal rates and notifying the contracted banks on behalf of the employee,
• Providing the necessary trainings to ensure the professional and personal development of employees, orientation of employees,
• Execution of application processes for prospective employees,
• Ensuring the security of the Medical Center, ensuring physical space security,
• Execution of information security processes,
• Ensuring transaction security,
• To be able to carry out processes in case you visit our medical center in terms of guest data and use the website and social media accounts for any reason,

It may be committed for the purposes for which it was intended.

4.2. Reasons Requiring Destruction

Personal data;

• Amendment and repeal of the relevant legislation provisions that constitute the basis for the processing, storage and destruction of personal data,
• The purpose requiring the processing or storage of personal data disappears,
• In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject’s withdrawal of consent,
• The request of the data subject for the deletion or destruction of personal data within the framework of legal rights is examined and deemed appropriate by the data controller,
• In cases where the data controller rejects the application made by the data subject with the request for the deletion, destruction or anonymization of his/her personal data, his/her response is found insufficient or he/she does not respond within the period stipulated in the Law; filing a complaint to the Board and this request is approved by the Board,
• Although the maximum period required for the retention of personal data has expired, there are no circumstances that would require the retention of personal data for a longer period of time,

Although the maximum period for retention of personal data has expired, there are no circumstances that would require the retention of personal data for a longer period, In such cases, it shall be deleted, destroyed or anonymized by INTERLIVA ex officio or upon the request of the person concerned.

5. PERSONAL DATA DESTRUCTION TECHNIQUES

INTERLIVA retains personal data only for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In this context, first of all, it is determined whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it is acted in accordance with this period, and if a period is not determined, it is kept for the period required for the purpose for which personal data are processed. In the event that the period expires or the reasons requiring processing disappear, INTERLIVA deletes, destroys and anonymizes personal data ex officio or upon the application of the relevant person in accordance with this Policy.

All transactions regarding the deletion, destruction and anonymization of personal data are recorded and such records are kept for at least 3 (three) years, excluding other legal obligations.

5.1. Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way. Deleted data cannot be accessed and used by the relevant users, except for the data controller. The relevant person is all employees other than those responsible for storing, storing and backing up the data. Deletion is the process of making the relevant user unable to perform any of the personal data processing activities such as accessing the personal data in any way, performing any operation on it, correcting, changing, deleting, transferring, seeing, reading, sharing. In short, deletion is not a direct deletion, but the storage, storage, backup and archiving of the processed personal data for protection purposes.

INTERLIVA takes technical and administrative measures to prevent this business unit (the relevant user) from processing the relevant personal data after the purpose and storage period required for the processing of personal data of the relevant business unit within its organization has expired. The relevant personal data cannot be deleted, destroyed or anonymized until the processing purposes and retention periods required for the same personal data of other business units within the INTERLIVA organization have expired.

If the existence of personal data is related to possible claims that may arise in accordance with contractual, commercial, legal, administrative transactions, the data is retained during the statute of limitations for such processing. In the event of a contradiction between the request and our policy in this regard, a written application is made to the Authority in order to resolve the contradiction and action is taken in accordance with the policy decision.

By using an access authorization and control matrix or a similar system, the relevant users are identified for each personal data and the users’ authorizations and methods such as access, retrieval, reuse are determined. Subsequently, the process of closing and eliminating the access, retrieval and reuse authorizations and methods of the relevant users within the scope of personal data is carried out.

If the deletion of personal data will result in the inability to access and use other data that do not need to be deleted within the system;

1. Archiving personal data by anonymizing them or
2. Being closed to the access of any other institution, organization or person and taking all necessary technical and administrative measures to ensure that personal data is accessed only by authorized persons,

provided that the personal data shall be deemed deleted.

Personal data shall be deleted by the methods specified in the table below.

The right to be forgotten, which is linked to the right to erasure within the scope of GDPR provisions for Service Recipients and relevant persons in the GDPR application area, will be evaluated by taking into account the principle of proportionality, the purpose and necessity of collecting and processing the relevant personal data, whether there is a legitimate justification, whether there is unlawful data processing, and whether it is linked to data related to sensitive groups such as children.

In addition, the right to restrict data processing in terms of Service Receivers and relevant persons in the GDPR application area is also available and if possible in terms of KVKK, restriction of data can be requested in the following cases.

These cases are as follows;

• During the period of examination of the relevant objection in cases where it objects to the accuracy of personal data,
• Where the processing is unlawful, where the individual requests restriction of the data and not its erasure,
• In cases where the relevant personal data is no longer needed for the purpose of processing, but the data subject needs this data for a legal claim,

When the data subject has an objection, the legitimate grounds of the data controller and the legitimate grounds of the data subject are evaluated until this evaluation process,

The right to data portability under the provisions of the GDPR for Service Recipients and data subjects in the GDPR application area will be evaluated according to the concrete request, taking into account the principle of proportionality. The right to data portability shall not be applicable in cases where INTERLIVA, as the data controller, has a legitimate interest or in cases of fulfillment of a legal obligation.

The explanations regarding the right of data subjects to be forgotten, the right to data restriction, the right to data portability under the GDPR also apply to the sections on destruction and anonymization of data.

5.2. Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

5.3. Anonymization of Personal Data

Anonymization of personal data is the process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the personal data is matched with other data. In order for personal data to be anonymized by INTERLIVA, personal data must be rendered unassociable with an identified or identifiable natural person by the data controller, recipient or groups of recipients, even through the use of techniques appropriate for the recording medium and the relevant field of activity, such as retrieval and matching of data with other data.

In which cases personal data will be anonymized and which method will be chosen for the anonymization process is determined by the data controller according to the characteristics of the transaction and the necessary technical measures are taken accordingly.

When choosing the anonymization method; the nature of the data, the size of the data, the structure of the data in physical environments, the diversity of the data, the benefit to be obtained from the data / purpose of processing, the frequency of processing the data, the reliability of the party to which the data will be transferred, the meaningfulness of the effort to be spent to anonymize the data, The magnitude of the damage that may arise in case the anonymity of the data is disrupted, the impact area, the data’s dispersal / centrality ratio, the users’ access authorization control to the relevant data, the possibility that the effort to be spent to design and implement an attack that will disrupt anonymity is meaningful are taken into account.

5.3.1. Anonymization Techniques

a. Masking

It is the process of making the person unidentifiable by deleting or starring some areas of personal data. For example, part of the Turkish ID number is starred (19*********).

b. Aggregation / Cumulative Data Creation

It refers to the cumulativeization of data and the subsequent reflection of their total values. For example; X number of female patients admitted and 30% of them are university graduates and 70% are postgraduates.

c. Data Derivation

It is obtaining more general data by changing the existing detailed data. For example; writing the date of birth as an age range (20-25 years old) instead of day/month/year details.

d. Data Mixing

It refers to the mixing of values within the dataset and subsequently destroying the ability to identify people without damaging the total benefit. For example; In a community where the age average is to be taken, the values showing the ages of the people are replaced with each other, such as data mixing and eliminating the ability to reach that person.

6. RETENTION AND DESTRUCTION PERIODS

The obligations imposed by legal regulations are taken into consideration when determining the retention period of personal data. Apart from legal regulations, the retention period is determined by taking into account the purposes of processing personal data. In the event that the purpose of data processing disappears, the data is deleted, destroyed or anonymized unless there is another legal reason or basis that allows the data to be kept.

If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and INTERLIVA have come to an end; personal data may be stored only for the purpose of constituting evidence in possible legal disputes or for the assertion or defense of the relevant right related to personal data. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the right in question and the examples of precedent requests on the same issues despite the expiration of the statute of limitations. These periods are shown in the table below. After these periods expire, personal data are deleted, destroyed or anonymized.

Regarding the retention of personal data, if the period stipulated in the legislation expires or if no period is stipulated in the relevant legislation regarding the retention of the data in question, the data is deleted, destroyed or anonymized by the data controller in 6-month periods.

Unless otherwise decided by the Authority, the appropriate method of deleting, destroying or anonymizing personal data is selected by INTERLIVA.

When the relevant person requests the deletion or destruction of his/her personal data by applying to INTERLIVA, the relevant request is evaluated according to whether the conditions for processing personal data have disappeared. If the conditions for processing personal data have completely disappeared, INTERLIVA deletes, destroys or anonymizes the personal data subject to the request. If the conditions for processing personal data have not been completely eliminated, the relevant request is rejected by explaining the reason. In any case, requests are finalized within 30 days and notified to the relevant person.

7. PERIODIC DESTRUCTION PERIOD

INTERLIVA has set the destruction period as 6 months. Accordingly, periodic destruction is carried out regularly in June and December each year.

8. FINAL PROVISIONS

This Policy was approved on 01.09.2022. It will be valid and binding as of this date.

ETİK SAĞLIK HİZMETLERİ VE TİC. A.Ş (INTERLIVA) Clarification Text and KVKK Policy is an annex and integral part of this Policy.

The announcement and execution of this policy will be carried out by the data controller company official Mustafa Sabri Şencan.