EFC HEALTH SERVICES TRADE INC.

PERSONAL DATA RETENTION AND DISPOSAL POLICY

ARTICLE 1- PURPOSE

This Personal Data Retention and Disposal Policy has been prepared to determine the procedures and principles regarding the processes and operations for the retention and disposal of personal data processed by EFC HEALTH SERVICES TRADE INC.

ARTICLE 2- SCOPE

Personal data belonging to company employees, job applicants, interns, those receiving products and services, potential customers, partners, visitors, suppliers, and other third parties are within the scope of this policy.

This policy applies to all recording media owned by the company or managed by the company where personal data are processed, and to activities related to the processing of personal data.

ARTICLE 3- DEFINITIONS

Recipient group: The category of natural or legal persons to whom personal data are transferred by the data controller.

Explicit consent: Consent declared with free will, based on information, regarding a specific subject.

Anonymization: Rendering personal data such that they cannot be associated with an identified or identifiable natural person in any way, even by matching with other data.

Employee: Company personnel.

Electronic environment: Environments where personal data can be created, read, changed, and written through electronic devices.

Non-electronic environment: All written, printed, visual, etc. environments other than electronic environments.

Service provider: A natural or legal person providing services to the company within the framework of a specific contract.

Relevant person: The natural person whose personal data are processed.

Relevant user: Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.

Disposal: Deletion, destruction, or anonymization of personal data.

Law: Personal Data Protection Law No. 6698.

Recording environment: Any environment where personal data processed by fully or partially automated means or by non-automated means, provided that it is part of any data recording system, are located.

Personal data: Any information relating to an identified or identifiable natural person.

Personal data processing inventory: The inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes and legal basis of processing, data category, recipient group to whom they are transferred, and the data subject group, and by explaining the maximum retention period required for the purposes for which the personal data are processed, personal data intended to be transferred to foreign countries, and the measures taken regarding data security.

Processing of personal data: Any operation performed on data such as obtaining, recording, storing, keeping, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automated means or by non-automated means, provided that it is part of any data recording system.

Board: Personal Data Protection Board.

Special categories of personal data: Data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic disposal: The deletion, destruction, or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and disposal policy in the event that all of the conditions for processing personal data specified in the Law cease to exist.

Policy: Personal Data Retention and Disposal Policy.

Company: EFC HEALTH SERVICES TRADE INC.

Data processor: A natural or legal person processing personal data on behalf of the data controller based on the authority granted by the data controller.

Data recording system: The recording system where personal data are processed by structuring according to certain criteria.

Data controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data controllers registry information system: The information system, accessible via the internet, created and managed by the Presidency, which data controllers will use in applications to the Registry and other related transactions.

VERBIS: Data Controllers Registry Information System.

Regulation: The Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

ARTICLE 4- RESPONSIBILITIES AND DUTIES

All employees and units of the company give full and active support to the responsible units in the lawful collection, processing, and retention of personal data. They likewise support the responsible units in implementing the administrative and technical measures taken under the Policy, in training unit employees and in establishing, raising and monitoring their awareness, in preventing unlawful access to personal data, and in keeping personal data in accordance with the law. The titles, units and job descriptions of those involved in personal data retention and disposal processes are shown in ANNEX TABLE: 1.

ARTICLE 5- RECORDING MEDIA

Personal data are stored securely and lawfully by the company in the environments listed in ANNEX TABLE: 2.

ARTICLE 6- LEGAL GROUNDS REQUIRING RETENTION

Personal data processed within the scope of the company's activities are retained for the periods stipulated in the Law and the relevant legislation. In this context, the reasons requiring retention are as follows:

  1. Retention of personal data due to being directly related to the establishment and performance of contracts,
  2. Retention of personal data for the purpose of establishing, using, or protecting a right,
  3. Retention of personal data being mandatory for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of individuals,
  4. Retention of personal data for the purpose of fulfilling any legal obligation of the company,
  5. Personal data retention being explicitly prescribed in the legislation,
  6. Existence of the explicit consent of data subjects for retention activities requiring obtaining the explicit consent of data subjects.

ARTICLE 7- PROCESSING PURPOSES REQUIRING RETENTION

The Company may process personal data of the relevant person or third parties specified by the relevant person for various purposes, including but not limited to the following:

  1. Conducting human resources processes
  2. Ensuring corporate communication
  3. Ensuring company security
  4. Being able to conduct statistical studies
  5. Being able to perform business and operations as a result of signed contracts and protocols
  6. Ensuring the fulfillment of legal obligations as required or mandated by legal regulations
  7. Establishing contact with natural/legal persons having a business relationship with the Company
  8. Making legal reports
  9. Fulfilling the burden of proof as evidence in future legal disputes
  10. Carrying out/following up the Company’s legal affairs

ARTICLE 8- LEGAL GROUNDS REQUIRING DISPOSAL

Personal data are deleted or destroyed by the Company upon the request of the relevant person or ex officio in the presence of the following situations:

  1. Amendment or repeal of the relevant legislation provisions that constitute the basis for the processing of personal data
  2. Elimination of the purpose requiring the processing or retention of personal data
  3. In cases where the processing of personal data is carried out solely based on explicit consent, withdrawal of explicit consent by the relevant person
  4. Acceptance by the data controller of the application made by the relevant person regarding the deletion and destruction of their personal data within the scope of the rights of the relevant person pursuant to Article 11 of the Law
  5. Expiration of the maximum period requiring the retention of personal data and absence of any condition that would justify retaining personal data for a longer period

ARTICLE 9- TECHNICAL MEASURES

The technical measures taken by the Company regarding the personal data it processes are as follows:

  1. Performs necessary internal controls within the established systems
  2. Carries out the processes of conducting information technology risk assessment and business impact analysis within the established systems
  3. Ensures the provision of technical infrastructure that will prevent or monitor data leakage outside the company and the establishment of relevant matrices
  4. Ensures the control of system vulnerabilities by obtaining penetration testing services regularly and when needed
  5. Ensures that the access authorizations of employees working in information technology units to personal data are kept under control
  6. Ensures that the destruction of personal data is carried out in a way that cannot be recovered and does not leave an audit trail
  7. Pursuant to Article 12 of the Law, all digital environments where personal data are stored are protected by encrypted and/or cryptographic methods in a way that meets information security requirements

ARTICLE 10- ADMINISTRATIVE MEASURES

The administrative measures taken by the Company regarding the personal data it processes are as follows:

  1. Limits internal access to stored personal data to personnel who need access due to their job description. In limiting access, whether the data are special categories of personal data and the degree of importance are also taken into consideration.
  2. In the event that processed personal data are obtained by others through unlawful means, it notifies the relevant person and the Board as soon as possible.
  3. With regard to the sharing of personal data, it ensures data security by signing a framework agreement on the protection of personal data and data security with the persons to whom personal data are shared, or by provisions added to existing agreements.
  4. Employs personnel knowledgeable and experienced about personal data processing and provides necessary trainings to its personnel within the scope of personal data protection legislation and data security.
  5. Carries out and has carried out necessary audits to ensure the implementation of the provisions of the Law within its legal entity. It eliminates confidentiality and security vulnerabilities revealed as a result of audits.

ARTICLE 11- METHODS FOR DELETING PERSONAL DATA

Personal data are deleted by the methods specified in ANNEX TABLE: 3.

ARTICLE 12- METHODS FOR DESTROYING PERSONAL DATA

Personal data are destroyed by the methods specified in ANNEX TABLE: 4.

ARTICLE 13- RETENTION AND DISPOSAL PERIODS

When the Company determines the retention period of personal data, a period prescribed in the relevant legislation for the retention of those personal data is complied with first. Where no such period is prescribed, the retention and disposal period table in ANNEX TABLE: 5 is taken as the basis.

ARTICLE 14- PERIODIC DISPOSAL PERIOD

The Company carries out the periodic disposal process every year in the months of June and December.

ARTICLE 15- PUBLICATION, STORAGE AND UPDATING OF THE POLICY

The Policy is published in two different environments, as wet signed (printed paper) and electronically, and is announced to the public on the website. The printed paper copy is kept within the company. The Policy is reviewed as needed and necessary sections are updated.

ARTICLE 16- EFFECTIVE DATE

The Policy is deemed to have entered into force after it is published on the company’s website. In case it is decided to repeal it, the wet signed old copies of the policy are canceled (by stamping canceled or writing canceled), signed, and kept by the company for at least 5 years.

ANNEX TABLE: 1 Task distribution for retention and disposal processes

TITLE | UNIT | DUTY
Company Manager | Company | Responsible for employees’ compliance with the policy.
…. | | Responsible for the preparation, development, execution, publication in relevant environments, and updating of the Policy.
IT Manager | IT Directorate | Responsible for providing technical solutions needed in the implementation of the Policy.
 | All Other Units | Responsible for the execution of the Policy in accordance with their duties.

ANNEX TABLE: 2 Personal Data Storage Media

Electronic Media:
  Personal computers
  Mobile devices
  Optical discs
  Printers, scanners, photocopy machines
  Removable and portable memories
  Servers
  Software
  Information security devices

Non-Electronic Media:
  Papers
  Written and printed media
  Visual records
  Manual data recording systems

ANNEX TABLE: 3 Methods for Deleting Personal Data

Data Recording Medium | Deletion Method
Servers | Personal data on servers whose retention period has expired are deleted by the system administrator by removing the access authorization of the relevant users.
Electronic media | Personal data in electronic media whose retention period has expired are rendered inaccessible and unusable for all employees (relevant users) other than the database administrator.
Physical media | Personal data kept in physical media whose retention period has expired are rendered inaccessible and unusable for all employees other than the unit manager responsible for the document archive. In addition, they are blackened by scratching, painting over, or erasing so that they cannot be read.
Portable media | Personal data stored in flash-based storage media whose retention period has expired are encrypted by the system administrator and stored, together with the encryption keys, in secure environments to which only the system administrator is granted access authorization.

ANNEX TABLE: 4 Methods for Destroying Personal Data

Data Recording Medium | Destruction Method
Physical media | Personal data on paper whose retention period has expired are destroyed irreversibly in document destruction machines.
Optical or magnetic media | Physical destruction, such as melting, burning, or pulverizing, is applied to personal data on optical and magnetic media whose retention period has expired. In addition, magnetic media are passed through a special device and exposed to a high magnetic field, rendering the data on them unreadable.

ANNEX TABLE: 5 Retention and Disposal Period Table

PROCESS | RETENTION PERIOD | DISPOSAL PERIOD
Occupational health and safety practices | 10 years following the end of the employment relationship | 180 days following the end of the retention period
Payroll | 10 years following the end of the employment relationship | 180 days following the end of the retention period
Responding to personnel court/judiciary requests | 10 years following the end of the employment relationship | 180 days following the end of the retention period
Records regarding visitors and patients | 10 years from the date of arrangement and recording | 180 days following the end of the retention period
Filing of training records | 10 years after the training is organized | 180 days following the end of the retention period
Emergency preparedness | 10 years following the preparation | 180 days following the end of the retention period
Log record tracking systems | 10 years from the date of creation | 180 days following the end of the retention period
Camera recordings | 1 year from the date of recording | 180 days following the end of the retention period