Personal Data Storage and Destruction Policy
PURPOSE OF THE POLICY

The purpose of this policy is to fulfil the obligations regarding the storage and destruction of personal data in accordance with Articles 5 and 6 of the Regulation on the Erasure, Destruction or Anonymisation of Personal Data, which was issued based on the Law on the Protection of Personal Data No. 6698 (the Law) and published in the Official Gazette No. 30224 on 28 October 2017, (Regulation) published in the Official Gazette No. 30224 on 28 October 2017, and to determine all rules, roles, and responsibilities to be applied throughout DOÇ. DR. TAYLAN ÖZTÜRK.

SCOPE OF THE POLICY

This Policy applies to all personal data and special category personal data defined under Law No. 6698 held by DOÇ. DR. TAYLAN ÖZTÜRK ………………, as well as all employees, managers, consultants, affiliates, external service providers, and all other parties involved in the sharing of personal data at DOÇ. DR. TAYLAN ÖZTÜRK employees, managers, consultants, and affiliates in all situations involving the sharing of personal data, external service providers, and all natural and legal persons with whom DOÇ. DR. TAYLAN ÖZTÜRK has entered into legal relationships.
The Policy covers personal data in systems where data is processed fully or partially automatically or by non-automated means as part of a data recording system, as specified in the Law.
Unless otherwise specified in this Policy, personal data and special category personal data will generally be referred to as ‘Personal Data’.

DEFINITIONS

❖ Anonymisation: The process of rendering personal data incapable of being associated with any identifiable or identifiable natural person, even when combined with other data,
❖ Destruction: The deletion or destruction of personal data,
❖ Personal Data: Any information relating to an identifiable or identifiable natural person,
❖ Personal Data Storage Table (Periods): A table showing the periods for which personal data will be stored by DOÇ. DR. TAYLAN ÖZTÜRK …,
❖ Personal Data Processing Inventory: Personal data processing activities carried out by data controllers in accordance with their business processes; the purposes of processing personal data, the data category, the group of recipients to whom the data is transferred, and the group of data subjects, specifying the maximum period necessary for the purposes for which the personal data is processed, personal data intended for transfer to foreign countries, and the measures taken regarding data security,
❖ Deletion of Personal Data: The process of rendering personal data inaccessible and unusable for relevant users,
❖ Destruction (Disposal) of Personal Data: The process of rendering personal data inaccessible, irrecoverable, and unusable by anyone,
❖ Special Category Personal Data: Data related to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, denomination, or other beliefs, attire, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data,
❖ Periodic destruction: The process of deleting, destroying or anonymising personal data at regular intervals, as specified in the personal data storage and destruction policy, when all the conditions for processing personal data set out in the law have ceased to exist,
❖ Data recording system: A recording system in which personal data is processed according to specific criteria,
❖ Direct identifiers: Identifiers that, on their own, directly reveal, disclose, and distinguish the person they are related to,
❖ Indirect identifiers: Identifiers that, when combined with other identifiers, reveal, disclose, and distinguish the person they are related to,
❖ Law: The Personal Data Protection Law No. 6698 published in the Official Gazette No. 29677 dated 07.04.2016,
❖ Regulation: The Regulation on the Erasure, Destruction or Anonymisation of Personal Data, published in the Official Gazette dated 28.10.2017 and numbered 30224,
❖ Board: The Personal Data Protection Board,
❖ Recording medium: Any medium containing personal data processed either fully or partially automatically or through non-automated means as part of a data recording system,
❖ Personal Data Protection and Processing Policy: The policy determining the procedures and principles for the management of personal data held by ‘DOÇ. DR. TAYLAN ÖZTÜRK’, which can be accessed at ‘www.corclinic.com.tr’,
❖ Data recording system: A recording system in which personal data is processed according to specific criteria.

RECORDING ENVIRONMENTS REGULATED BY THE POLICY

Any environment where personal data is processed, whether fully or partially automated or through non-automated means as part of a data recording system, falls under the scope of recording environments.

4.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED

Personal data stored by “DOÇ. DR. TAYLAN ÖZTÜRK” is kept in a recording environment that is appropriate for the nature of the data and our legal obligations within the scope of BGYS (ISO 27001:2013).

The storage environments used for personal data are generally as listed below. However, certain data may be stored in environments different from those listed here due to their special characteristics or our legal obligations. “ASSOC. PROF. DR. TAYLAN ÖZTÜRK ..” acts as the data controller and processes and protects data in accordance with the Personal Data Protection Law, the Personal Data Protection and Processing Policy, this Personal Data Storage and Destruction Policy, and within the scope of the ISMS (ISO 27001:2013).

a) Printed media

These are environments where data is stored on paper or microfilm.

b) Local digital media

These include servers, fixed or portable disks, optical disks, and other digital media within the scope of “ASSOC. PROF. DR. TAYLAN ÖZTÜRK.”

c) Cloud environments

These are environments that do not belong to DOÇ. DR. TAYLAN ÖZTÜRK but are used by DOÇ. DR. TAYLAN ÖZTÜRK and utilise internet-based systems encrypted with cryptographic methods.

4.2. Ensuring the Security of Environments

“DOÇ. DR. TAYLAN ÖZTÜRK” takes all necessary technical and administrative measures within the scope of BGYS (ISO 27001:2013) to ensure the secure storage of personal data and to prevent its unlawful processing and access, in accordance with the nature of the personal data and the environment in which it is stored.

These measures include, but are not limited to, the following administrative and technical measures within the scope of the ISMS (ISO 27001:2013), to the extent that they are appropriate to the nature of the relevant personal data and the environment in which it is stored.

4.2.1. Technical Measures

“DOÇ. DR. TAYLAN ÖZTÜRK” takes the following technical measures for all environments where personal data is stored, in accordance with the nature of the relevant data and the environment in which it is stored:

❖ Only up-to-date and secure systems that are compatible with technological developments are used in the environments where personal data is stored. Security systems are used for the environments where personal data is stored.

❖ Security tests and research are conducted to identify security vulnerabilities in information systems, and any existing or potential risks identified as a result of these tests and research are addressed.

❖ Access to environments where personal data is stored is restricted, and only authorised individuals are permitted to access such data, limited to the purpose for which the personal data is stored.

❖ DOÇ. DR. TAYLAN ÖZTÜRK maintains sufficient technical personnel to ensure the security of environments where personal data is stored.

4.2.2. Administrative Measures

“DOÇ. DR. TAYLAN ÖZTÜRK” takes the following administrative measures in accordance with the KVKK Law for all environments where personal data is stored, in line with the nature of the data and the environment in which it is stored:

❖ Efforts are made to raise awareness and educate all DOÇ. DR. TAYLAN ÖZTÜRK employees who have access to personal data on information security, personal data, and privacy.

❖ Legal and technical consulting services are obtained to monitor developments in the fields of information security, privacy, and personal data protection, and to take necessary actions.

❖ In cases where personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations under these protocols.

4.2.3. Internal Audit

“ASSOCIATE PROFESSOR TAYLAN ÖZTÜRK” conducts internal audits in accordance with Article 12 of the Law to ensure compliance with the provisions of the Law and the provisions of this Personal Data Storage and Destruction Policy and the Personal Data Protection and Processing Policy.

If any deficiencies or shortcomings are identified in the implementation of these provisions as a result of internal audits, such deficiencies or shortcomings are immediately addressed.

If, during the audit or in any other way, it is understood that personal data under the responsibility of ‘ASSOC. PROF. DR. TAYLAN ÖZTÜRK’ has been obtained by others through unlawful means, ‘ASSOC. PROF. DR. TAYLAN ÖZTÜRK’ shall notify the relevant person and the Board of this situation as soon as possible.

DUTIES AND AUTHORITIES OF THE PERSONAL DATA PROTECTION COMMITTEE

5.1. The Personal Data Protection Committee is responsible for communicating the Policy to the relevant business units and monitoring the fulfilment of its requirements by the units under the responsibility of DOÇ. DR. TAYLAN ÖZTÜRK.

5.2. The Personal Data Protection Committee issues the necessary announcements and notifications to ensure that relevant departments monitor changes in legislation related to the protection of personal data, the Board’s regulatory actions and decisions, court decisions, or changes in processes, applications, and systems, and update their business processes as necessary.

5.3. The Personal Data Protection Committee determines and communicates to the relevant units the processes for reviewing, evaluating, monitoring, and finalising the Law and secondary regulations, the Board’s decisions and regulations, court decisions, and other decisions and/or requests of authorised authorities.

ACTIONS TO BE TAKEN IN THE EVENT OF THE CESSATION OF THE CONDITIONS FOR THE PROCESSING OF PERSONAL DATA

6.1. In the event that the purpose of processing personal data ceases to exist, explicit consent is withdrawn, or all of the conditions for processing personal data set forth in Articles 5 and 6 of the Law cease to exist, or none of the exceptions set forth in the aforementioned articles can be applied, the personal data for which the conditions for processing have ceased to exist shall be deleted, destroyed (erased) or anonymised by the relevant unit, taking into account business needs, under Articles 7, 8, 9, or 10 of the Regulation, the reason for the method applied is also explained, and the data is deleted, destroyed (erased), or anonymised. However, in the event of a final court decision, the destruction method ordered by the court must be applied.

6.2. All users and data controllers who process or store personal data, including the units of ‘ASSOC. PROF. DR. TAYLAN ÖZTÜRK,’ shall review the conditions related to processing in the data storage environments they use within a maximum period of four months to determine whether such conditions have ceased to exist. Upon the request of the data subject or the notification of the Board or a court, the relevant users and units shall conduct this review in the data storage environments they use, regardless of the periodic review period.

6.3. If it is determined as a result of periodic reviews or at any time that the conditions for data processing no longer exist, the relevant user or data subject shall decide to delete, destroy (shred) or anonymise the relevant personal data from the recording medium in their possession in accordance with this policy. In cases of doubt, the relevant data subject shall consult with the relevant unit before taking action. When a decision must be made regarding the destruction of personal data with multiple data owners in the Central Information Systems, the opinion of the Personal Data Protection Committee shall be sought, and the relevant data owner unit shall decide on the storage, deletion, destruction (disposal), or anonymisation of the personal data in question in accordance with this policy.

6.4. All operations related to the deletion, destruction, or anonymisation of personal data shall be recorded, and such records shall be retained for at least three years, except for other legal obligations.

6.5. In accordance with Article 7.4 of the Regulation, the methods applied for the deletion, destruction, or anonymisation of personal data will be published and disclosed after the Policy comes into effect.

6.6. In the deletion, destruction (disposal) or anonymisation of personal data, it is mandatory to act in accordance with the general principles set out in Article 4 of the Law, the technical and administrative measures required under Article 12, the relevant legislation, the decisions of the Board and court decisions.

6.7. When the owner of personal data, who is a natural person, requests the deletion, destruction or anonymisation of their personal data by applying to ‘DOÇ. DR. TAYLAN ÖZTÜRK ………………..’ in accordance with Article 13 of the Law, the relevant data owner unit shall examine whether all the conditions for processing personal data have ceased to exist. If all the conditions for processing have ceased to exist, the personal data subject to the request is deleted, destroyed, or anonymised. In this case, in accordance with the details specified in the Data Destruction Procedure of the ISO 27001:203 Information Security Management System, the request is finalised within thirty days from the date of application, and the relevant person is informed by the KVKK contact person appointed by the KVKK Officer. If all conditions for processing personal data have ceased to exist and the personal data subject to the request has been transferred to third parties, the relevant data owner unit shall immediately notify the third party to whom the transfer was made and ensure that the necessary procedures are carried out in accordance with the Regulation.
6.8. In cases where all conditions for processing personal data have not ceased to exist, requests from data subjects for the deletion or destruction of their data may be rejected by ‘ASSOC. PROF. DR. TAYLAN ÖZTÜRK’ in accordance with Article 13, Paragraph 3 of the Law, with the reasons explained. The rejection response shall be communicated to the relevant person in writing or electronically within a maximum of 30 days.

6.9. Requests for the deletion or destruction of personal data shall only be evaluated if the identity of the relevant person has been verified. Requests made through channels other than those specified shall be directed to channels where the identity of the relevant persons can be verified or confirmed.

IMPLEMENTATION OF THE POLICY, VIOLATIONS AND SANCTIONS

7.1. This Policy shall be communicated to all employees and personal data owners by “DOÇ. DR. TAYLAN ÖZTÜRK” website and shall be binding on all business units, consultants, customers, insurance companies, external service providers, and all others who process personal data on behalf of DOÇ. DR. TAYLAN ÖZTÜRK …………………..

7.2. The monitoring of whether employees of DOÇ. DR. TAYLAN ÖZTÜRK ………. comply with the requirements of the Policy shall be the responsibility of the employees’ supervisors. If any non-compliance with the Policy is detected, the matter shall be immediately reported by the relevant employee’s supervisor to the next higher-ranking supervisor. If the non-compliance is of a significant nature, the higher-ranking supervisor shall promptly inform the Personal Data Protection Committee.

7.3. Following an evaluation by Human Resources, the necessary administrative actions shall be taken against any employee found to be in violation of the Policy.
7.4. To ensure compliance with the requirements of the policy, ‘ASSOC. PROF. DR. TAYLAN ÖZTÜRK’ has taken all necessary security measures within the scope of the KVKK Law.

PERSONS INVOLVED IN THE STORAGE AND DISPOSAL OF PERSONAL DATA AND THEIR RESPONSIBILITIES

All employees, customers, insurance companies, consultants, external service providers, and others who store and process personal data at ‘DOÇ. DR. TAYLAN ÖZTÜRK’ are responsible for complying with the requirements regarding the destruction of data specified in the Law, Regulations, and Policy. DOÇ. DR. TAYLAN ÖZTÜRK ……. ” are responsible for fulfilling these requirements.
Each business unit is responsible for storing and protecting the data it generates in its business processes; however, if the generated data is only stored in information systems outside the control and authority of the business unit, such data will be stored by the units responsible for the information systems.
Periodic disposals that may affect business processes and result in data integrity breaches, data loss, or violations of legal regulations will be carried out by the relevant information systems departments, taking into account the type of personal data, the systems in which it is stored, and the business unit that owns the data.

8.1. PERSONAL DATA PROTECTION COMMITTEE

ASSOC. PROF. DR. TAYLAN ÖZTÜRK establishes a Personal
Data Protection Committee within its structure. The Personal Data Protection Committee is authorised and responsible for carrying out/having carried out the necessary procedures and supervising the processes to ensure that the data of the relevant persons is stored and processed in accordance with the law, the Personal Data Protection and Processing Policy, and the Personal Data Storage and Destruction Policy.
The Personal Data Protection Committee consists of at least three members: a manager, an administrative expert, and a technical expert. The titles and job descriptions of the employees serving on the Personal Data Committee, ‘ASSOC. PROF. DR. TAYLAN ÖZTÜRK ………,’ are listed below:

Title

Job Description

Personal Data Protection Committee Manager

Directing all planning, analysis, research, and risk identification activities in projects carried out in the compliance process; managing the processes that must be carried out in accordance with the Law, the Personal Data Protection and Processing Policy, and the Personal Data Storage and Destruction Policy; and deciding on requests received from relevant persons.

KVK Specialist (Contact Person)

(Technical and Administrative)

Reporting the requests of relevant persons to the Personal Data Committee Manager for review and evaluation; ensuring that the relevant person requests evaluated and decided upon by the Personal Data Committee Manager are carried out in accordance with the decision of the Personal Data Committee Manager; supervising the storage and destruction processes; and ensuring that the relevant person requests are evaluated and decided upon in accordance with the Personal Data Committee Manager’s decision.

; ensuring that the relevant person requests are carried out in accordance with the decision of the Personal Data Committee Manager; supervising the storage and destruction processes and reporting these supervisions to the Personal Data Committee Manager; and carrying out the storage and destruction processes.

8.2. STORAGE AND DISPOSAL REASONS

8.2.1. Storage Reasons

Personal data held by DOÇ. DR. TAYLAN ÖZTÜRK is stored in accordance with the Law and our Personal Data Policy (the relevant policy can be accessed at www.corclinic.com.tr) for the purposes and reasons specified herein.

8.2.2. Reasons for Destruction

Personal data held by DOÇ. DR. TAYLAN ÖZTÜRK is deleted, destroyed or anonymised in accordance with this destruction policy upon the request of the relevant person or when the reasons listed in Articles 5 and 6 of the Law cease to exist. The reasons listed in Articles 5 and 6 of the KVKK Law are as follows:

Explicitly provided for by law.
2. Necessary to protect the life or physical integrity of the individual or another person when the individual is unable to express consent due to actual impossibility or when legal validity is not recognised for their consent.
3. Necessary for the establishment or performance of a contract, provided that it is directly related to the contract and the processing of personal data belonging to the parties to the contract is necessary.
4. Necessary for the data controller to fulfil its legal obligations.
5. The data subject has made the data public.
6. Necessary for the establishment, exercise, or protection of a right.
7. It is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

8.3. DESTRUCTION METHODS

“ASSOC. PROF. DR. TAYLAN ÖZTÜRK …. ”, in accordance with the Law and other legislation and the Personal Data Protection and Processing Policy, deletes, destroys (erases) or anonymises personal data stored in accordance with the Law and other legislation and the Personal Data Protection and Processing Policy, either at the request of the data subject or within the time periods specified in this Personal Data Storage and Destruction Policy, when the reasons for processing the data no longer apply.
The most commonly used deletion, destruction, and anonymisation techniques by Assoc. Prof. Dr. Taylan Öztürk are listed below:

8.3.1.1 Deletion Methods

Deletion Methods for Personal Data Stored in Printed Media
Blacking out Personal data stored in printed media is deleted using the blacking out method. The blacking out process involves cutting out personal data on the relevant documents where possible, or rendering it invisible using permanent ink in cases where cutting is not possible, so that it cannot be read using technological solutions.
Methods for Deleting Personal Data Stored in Cloud and Local Digital Environments
Secure deletion from software Personal data stored in cloud or local digital environments is deleted using a digital command in a manner that makes it impossible to recover. Data deleted in this manner cannot be accessed again.

8.3.1.2 Destruction Methods

Destruction Methods for Personal Data Stored in Printed Media
Physical destruction Documents stored in printed media are destroyed using document shredders in such a way that they cannot be reassembled.
Destruction Methods for Personal Data Stored in Local Digital Media
Physical destruction involves the physical destruction of optical and magnetic media containing personal data, such as melting, burning, or pulverising. Data is rendered inaccessible through processes such as melting, burning, pulverising, physically cutting and/or piercing, or passing through a metal shredder.
Degaussing This is the process of exposing magnetic media to a high magnetic field to render the data on it unreadable.
Overwriting By writing random data consisting of 0s and 1s at least seven times onto magnetic media and rewritable optical media, the reading and recovery of old data is prevented.
Methods of Destruction for Personal Data Stored in the Cloud
Destruction Methods for Personal Data Stored in the Cloud
Secure deletion from software Personal data stored in the cloud is deleted digitally in a manner that prevents recovery, and all copies of the encryption keys required to make the personal data usable are destroyed when the cloud computing service relationship ends. This ensures that the deleted data cannot be accessed again.

8.3.1.3. Anonymisation Methods

Anonymisation is the process of rendering personal data incapable of being associated with any identifiable or identifiable natural person, even when combined with other data.
Removing variables This involves removing one or more direct identifiers from personal data belonging to the relevant person that could be used to identify them in any way.
This method can be used to anonymise personal data, or to delete information that is not relevant to the purpose of data processing.
Regional masking This is the process of deleting information that could be distinctive in relation to data that is an exception in a data table where personal data is collectively anonymous.
Generalisation This is the process of combining personal data belonging to many individuals, removing distinctive information, and converting it into statistical data.
Lower and upper limit coding / Global coding For a given variable, ranges are defined and categorised. If the variable does not contain a numerical value, the data within the variable that are close to each other are categorised.
Values remaining in the same category are combined.
Micro-aggregation With this method, all records in the data set are first sorted into a meaningful order
and then the entire set is divided into a certain number of subsets. The average value of each subset’s variable is then calculated, and the value of that variable in the subset is replaced with the average value. This makes it difficult to associate the data with the relevant person, as the indirect identifiers in the data will be corrupted.
Data mixing and corruption Direct or indirect identifiers in personal data are mixed with other values or corrupted to sever their connection with the relevant person and ensure that they lose their identifying qualities.
‘ASSOC. PROF. DR. TAYLAN ÖZTÜRK’ uses one or more of the aforementioned anonymisation methods to anonymise personal data, depending on the nature of the data in question. “ASSOC. PROF. DR. TAYLAN ÖZTÜRK” may use K-Anonymity, L-Diversity, and T-Proximity statistical methods when applying these anonymisation methods.

PERSONAL DATA RETENTION AND DISPOSAL PERIODS

The table showing personal data retention and disposal periods is included in Appendix 1. These retention and disposal periods will be taken into account in periodic disposal or disposal upon request. The Table Showing Personal Data Retention and Destruction Periods will be updated by the business units responsible for the processes included in the personal data inventory of Assoc. Prof. Dr. Taylan Öztürk, with the evaluations of the Personal Data Protection Committee also taken into consideration in case of any doubts.

9.1. Personal Data Retention Table (Periods)

DATA SUBJECT

DATA CATEGORY

DATA RETENTION PERIOD

Employee

Personal data related to service duration and salary, which is the basis for notifications made to the Social Security Institution with recruitment documents

Retained for 50 (fifty) years during the term of the employment contract and after its termination.

Employee

Personal data other than that used as the basis for notifications regarding service duration and salary submitted to the Social Security Institution with the employment documents

During the term of the employment contract and for 10 (ten) years from the beginning of the calendar year following its termination.

Employee

Data Contained in the Workplace Personal Health File

During the term of the employment contract and for 30 (thirty) years from its termination.

Business Partner/Solution Partner/Consultant

Identity information, contact information, financial information, voice recordings of telephone calls related to the commercial relationship between the Business Partner/Solution Partner/Consultant and ‘…………………’, Business Partner/Solution Partner/Consultant

The Business Partner/Solution Partner/Consultant’s business/commercial relationship with ‘…………………’ shall be retained for a period of 10 (ten) years in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish

Commercial Code

* If a longer period is stipulated by legislation or if legislation provides for a longer period for statutes of limitations, periods of limitation, retention periods, etc., the periods specified in the legislation shall be considered the maximum retention period.

3.3.2. Destruction Periods

“ASSOC. PROF. DR. TAYLAN ÖZTÜRK”, In accordance with the Law, relevant legislation, the Personal Data Protection and Processing Policy, and this Personal Data Retention and Destruction Policy, the personal data for which it is responsible shall be deleted, destroyed, or anonymised in the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymise such data arises.
When the data subject requests the deletion or destruction of their personal data by applying to ‘ASSOC. PROF. DR. TAYLAN ÖZTÜRK’ in accordance with Article 13 of the Law;

If all the conditions for processing personal data have ceased to exist, ‘ASSOC. PROF. DR. TAYLAN ÖZTÜRK …………..’ shall delete, destroy or anonymise the personal data subject to the request within 30 (thirty) days from the date of receipt of the request, explaining the reasons and using an appropriate destruction method. For “DOÇ. DR. TAYLAN ÖZTÜRK” to be deemed to have received the request, the relevant person must have made the request in accordance with the Personal Data Protection and Processing Policy. “DOÇ. DR. TAYLAN ÖZTÜRK” shall, in any case, inform the relevant person about the action taken.
If all the conditions for processing personal data have not ceased to exist, this request may be rejected by “ASSOC. PROF. DR. TAYLAN ÖZTÜRK …..” in accordance with the third paragraph of Article 13 of the Law, with the reasons explained, and the rejection response shall be communicated to the relevant person in writing or electronically within thirty days at the latest.
PERIODIC DESTROYMENT PERIODS

In the event that all conditions for the processing of personal data set forth in the KVKK Law No. 6698 cease to exist, ‘DOÇ. DR. TAYLAN ÖZTÜRK’ shall delete, destroy (dispose of) or anonymise personal data for which the processing conditions have ceased to exist through a process to be carried out automatically at regular intervals as specified in this Personal Data Storage and Destruction Policy.
Periodic destruction processes will begin on 30 September 2019 and will be repeated every six (6) months.

10.1. MONITORING THE LEGALITY OF THE DESTRUCTION PROCESS

“ASSOC. PROF. DR. TAYLAN ÖZTÜRK ………….. “ conducts destruction processes, whether upon request or as part of periodic destruction processes, in compliance with the Law, other legislation, the Personal Data Protection and Processing Policy, and this Personal Data Retention and Destruction Policy.
ASSOC. PROF. DR. TAYLAN ÖZTÜRK “takes certain administrative and technical measures to ensure that destruction processes are carried out in accordance with these regulations.

10.1.1. Technical Measures

❖ ASSOC. PROF. DR. TAYLAN ÖZTÜRK …….“, provides the technical tools and equipment appropriate for each destruction method outlined in this policy.
❖ Assoc. Prof. Dr. Taylan Öztürk ensures the security of the location where destruction operations are carried out.
❖ DOÇ. DR. TAYLAN ÖZTÜRK keeps access records of the persons performing the destruction process.
❖ DOÇ. DR. TAYLAN ÖZTÜRK employs competent and experienced personnel to perform the destruction process or, when necessary, obtains services from competent third parties.

10.1.2. Administrative Measures

“ASSOCIATE PROFESSOR TAYLAN ÖZTÜRK” conducts activities to raise awareness and educate employees who will carry out the destruction process on information security, personal data, and privacy issues.
❖ Assoc. Prof. Dr. Taylan Öztürk obtains legal and technical consulting services to monitor developments in the fields of information security, privacy, personal data protection, and secure destruction techniques, and to take necessary actions.
❖ ASSOC. PROF. DR. TAYLAN ÖZTÜRK “signs protocols with relevant third parties for the protection of personal data in cases where the destruction process is carried out by third parties due to technical or legal requirements, and takes all necessary care to ensure that the relevant third parties comply with their obligations under these protocols.
❖ ASSOC. PROF. DR. TAYLAN ÖZTÜRK “regularly monitors whether the destruction processes are carried out in accordance with the law and the conditions and obligations specified in this Personal Data Storage and Destruction Policy, and takes the necessary actions.
All operations related to the deletion, destruction, and anonymisation of personal data are recorded, and such records are retained for at least three years, except for other legal obligations.

ENTRY INTO FORCE

11.1. The Policy shall enter into force as of the date of publication.
11.2. The Personal Data Protection Committee is responsible for announcing the policy throughout DOÇ. DR. TAYLAN ÖZTÜRK and making the necessary updates.

UPDATES AND COMPLIANCE

“DOÇ. DR. TAYLAN ÖZTÜRK ……………..” reserves the right to make changes to the Personal Data Protection and Processing Policy or this Personal Data Retention and Destruction Policy due to amendments to the Law, in accordance with institutional decisions, or in line with developments in the sector or the field of information technology.
Any changes made to this Personal Data Retention and Destruction Policy are promptly incorporated into the text, and explanations regarding the changes are provided at the end of the policy.