Personal Data Retention and Destruction Policy

CCN INVESTMENTS HOLDING INC.
POLICY OF PERSONAL DATA STORAGE AND DESTRUCTION

Table of Contents

  1. INTRODUCTION
  2. Purpose of the Policy
  3. Scope of the Policy
    3. Implementation of the Policy and Related Legislation
  4. Enforcement of the Policy
  5. Definitions
  6. PROTECTION OF PERSONAL DATA
  7. Security
  8. Control
  9. Privacy
  10. Unauthorized Access to Personal Data
  11. Observing the Legal Rights of Relevant Persons
  12. Protection of Personal Data of Special Nature

III. PERSONAL DATA DESTRUCTION POLICY AND RETENTION PERIODS

  1. Techniques for Erasure, Destruction and Anonymization of Personal Data
  2. Techniques for Anonymizing Personal Data
  3. Retention and Periodic Destruction Periods of Personal Data
  4. CLASSIFICATION OF DATA SUBJECTS AND MATCHING THEM WITH PERSONAL DATA

  1. INTRODUCTION

Law No. 6698 on the Protection of Personal Data ("Law") entered into force on April 7, 2016 and includes regulations on the processing of all kinds of information regarding "identified or identifiable" natural persons ("data subject"). As CCN Hastane Hizmetleri ve İşletme Anonim Şirketi ("Company"), we attach utmost importance to the processing and protection of personal data in accordance with the law and act with this care in all our planning and activities. With this awareness, our Company takes all administrative and technical measures for the protection and processing of personal data. The most important pillar of this issue is the protection of the personal data of our Employees, Employee Candidates, Company Shareholders, Company Officials, Visitors, Employees, Shareholders, Officials and Third Parties of the Institutions we are in cooperation with, which is managed by this Policy on Processing and Protection of Personal Data ("Policy").

According to Article 20 of the Constitution, everyone has the right to request the protection of personal data concerning him/her. Regarding the protection of personal data, which is a constitutional right, our Company pays due attention to the protection of the personal data of Employee Candidates, Company Shareholders, Company Officials, Visitors, Employees, Shareholders, Officials and Third Parties of the Institutions with which it cooperates and makes this a company policy.

In this Policy, detailed explanations will be made regarding the basic principles listed below, which we have adopted as the Company in the processing of personal data:
- Processing personal data in accordance with the law and good faith,
- Keeping personal data accurate and updated when necessary,
- Processing personal data for specific, explicit and legitimate purposes,
- Processing personal data in connection with the purpose for which they are processed, limited and measured,
- Retaining personal data for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed,
- Informing and enlightening personal data subjects,
- Establishing the necessary system for personal data subjects to exercise their rights,
- Taking necessary measures for the protection of personal data,
- Acting in accordance with the relevant legislation and the regulations of the Personal Data Protection Board ("Board") when transferring personal data to third parties in line with the requirements of the purpose of processing,
- Showing the necessary sensitivity to the processing and protection of sensitive personal data.

  1. Purpose of the Policy

The purpose of this Policy is to inform the owners of personal data - our Employees, Employee Candidates, Company Shareholders, Company Officials, Visitors, Employees, Shareholders, Officials and Third Parties of the Institutions we are in cooperation with - about the obligations arising from the Law and other relevant legislation and the procedures and principles to be followed in accordance with the Law, and to protect the fundamental rights and freedoms of individuals, especially the privacy of private life regulated in the article of the Constitution, to the maximum extent possible in the processing and protection of personal data in accordance with the purpose of the Law. In line with the purpose of the Policy, we aim to ensure full compliance with the legislation in the processing and protection of personal data carried out by our Company and to protect the right to privacy and data security of personal data owners.

The purpose of the Personal Data Retention and Destruction Policy is to determine the procedures and principles regarding the security of personal data and the procedures and principles regarding the deletion, destruction and anonymization of personal data processed within the scope of various processes carried out by our Company.

  1. Scope of the Policy

This Policy is related to all personal data of our Employees, Employee Candidates, Company Shareholders, Company Authorities, Visitors, Employees, Shareholders, Authorities and Third Parties of the Institutions we are in cooperation with, which are processed automatically or non-automatically provided that they are part of any data recording system. In this respect, all of the provisions of the Policy may be applied to the personal data owners listed above, or only some of its provisions may be applied. This Policy relates to all kinds of processing carried out on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data belonging to data subjects by fully or partially automated or non-automated means, provided that it is part of any data recording system, and to the administrative and technical measures taken for the security of personal data.

  1. Implementation of the Policy and Related Legislation

This Policy has been created by concretizing and organizing the rules set forth by the legislation in force within the scope of our Company's practices. In this context, the relevant legal regulations in force regarding the processing and protection of personal data will primarily apply. In case of incompatibility between the legislation in force and the Policy, our Company accepts that the legislation in force will be applied. As the Company, we carry out the necessary systems and preparations to act in accordance with the effective periods stipulated in the Law.

  1. Enforcement of the Policy

This Policy was issued by our Company and entered into force on 08.04.2016. The Policy is published on our Company's website, www.ccnholding.com.

  2. Definitions

Where;
a. Explicit consent: Consent related to a specific subject, based on information and expressed with free will,
b. Anonymization: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data,
c. Relevant person: The natural person whose personal data is processed,
d. Relevant user: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data,
e. Destruction: Deletion, destruction or anonymization of personal data,
f. Law: Law on the Protection of Personal Data dated 24/3/2016 and numbered 6698,
g. Personal data: Any information relating to an identified or identifiable natural person,
h. Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,
i. Personal data processing inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes of personal data processing, data category, transferred recipient group and data subject group, and detailing the maximum period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security,
j. Personal data retention and destruction policy: The policy on which data controllers base the process of determining the maximum period of time required for the purpose for which personal data are processed and the process of deletion, destruction and anonymization,
k. Board: Personal Data Protection Board,
l. Authority: Personal Data Protection Authority,
m. Periodic destruction: The process of deletion, destruction or anonymization to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the law disappear,
n. Registry: The register of data controllers kept by the Personal Data Protection Authority,
o. Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller,
p. Data recording system: The recording system where personal data is structured and processed according to certain criteria,
q. Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
r. Third party: Refers to the person/patient who applies to the hospitals/integrated health facilities served by our Company for examination and treatment and receives outpatient or inpatient treatment.

RECORDING ENVIRONMENTS

The recording media where personal data are kept by the Company are computers, programs, Cloud Systems used on behalf of the Company, shared/unshared disk drives used for data storage on the network, paper, unit cabinets, archives. The Company will include other recording media that it may use in addition to the recording media listed in the Destruction Policy.

  1. PROTECTION OF PERSONAL DATA

The following measures and precautions are taken by our Company to ensure data security in accordance with Article 12 of the Law.

  1. Security

Our Company takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful access and processing of personal data and to ensure the protection of personal data in accordance with the Law.

  1. Control

Our Company conducts the necessary controls, or has them carried out, in order to establish the data security described above and to ensure the regularity and continuity of the measures taken. In this context, a team has been formed within the Company with one participant each from the HR, IT and Legal departments, and external support is received.

  1. Confidentiality

Our Company takes all necessary technical and administrative measures according to the technological possibilities and implementation costs in order to ensure that the relevant data controllers and data processors do not disclose their personal data to others in violation of the provisions of the Law and Policy and do not use them for purposes other than processing. In this context, our Company employees are informed and trained about the Law and Policy.

  1. Unauthorized Access to Personal Data

In the event that personal data processed by our Company is obtained by others in ways that are not in accordance with the Law, our Company shall carry out the necessary procedures to notify the relevant person and the Board as soon as possible. If deemed necessary by the Board, this situation may be announced on the Board's website or by any other method deemed appropriate by the Board.

  1. Observing the Legal Rights of Relevant Persons

Our Company observes all legal rights of the relevant persons regarding the implementation of the Policy and the Law and takes all necessary measures to protect these rights.

  1. Protection of Personal Data of Special Nature

According to Article 6 of the Law, data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data. Personal data of special nature are data that carry the risk of causing discrimination or victimization against their owners if they are processed, and they need to be protected much more strictly than other personal data. For this reason, although it is the main principle not to receive such data by our Company, all necessary measures are taken sensitively to protect such personal data processed in accordance with the law.

PROTECTION OF PERSONAL DATA

The Company takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the protection of personal data.

In this context, first of all, a study has been carried out to determine the personal data processed by our Company, the risks that may arise regarding the protection of this data have been determined, taking into account whether the personal data processed is personal data of special nature, and the necessary technical and administrative measures have been put into practice to reduce or eliminate the risks.

In order to ensure personal data security, regular trainings are provided to personnel and managers in order to prevent unlawful disclosure and sharing of personal data and to raise awareness of the Law on the Protection of Personal Data (LPPD).

In addition, employees involved in personal data processing processes are asked to sign confidentiality agreements as part of their business processes, and if it is determined that employees act contrary to security policies and procedures, the necessary disciplinary process is carried out.

The Company restricts access to personal data included in data processing processes on a personnel basis, and a limited number of personnel are authorized to access personal data related to the business processes they carry out. Data processing activities carried out by the personnel are recorded. Care is taken to comply with the principle of "Everything is Forbidden Unless Permitted" regarding access to personal data throughout the Company.

In order to prevent unlawful processing of personal data and unlawful access to personal data, technical systems have been established to monitor and audit the processes related to the processing of personal data. Regular internal audits are carried out to prevent unlawful processing of personal data and unlawful access to personal data.

Technical methods with an appropriate level of security are used to prevent unlawful access to personal data and to ensure that it is stored in secure environments, and these methods are updated in accordance with the developing technology.

In the event of an internal or external attack on the Company's data recording system, in order to recognize this situation early and intervene early, it is regularly checked which software and services are running on the information networks and whether there is any infiltration or movement that should not be in the information networks, and the transaction movements of all users are regularly kept.

III. PERSONAL DATA DESTRUCTION POLICY AND RETENTION PERIODS

  1. Reasons Requiring Storage and Destruction of Personal Data

The Company may process your personal data if one or more of the following conditions are present:
- Explicit Consent of the Personal Data Owner,
- Explicitly Stipulated in the Laws,
- Failure to Obtain Explicit Consent Due to Actual Impossibility,
- Directly Related to the Establishment or Execution of the Contract,
- Mandatory for the Fulfillment of the Company's Legal Responsibility,
- Publicized by the Data Subject Himself,
- Mandatory for the Establishment, Exercise or Protection of a Right,
- Mandatory for the Legitimate Interests of the Company.

For detailed information on the processing of personal data, you can review the Personal Data Protection Policy at "www.ccnholding.com".

The personal data of the data subjects are destroyed during the first periodic destruction to be carried out when the reasons for processing personal data listed above disappear. All transactions regarding the deletion, destruction and anonymization of personal data are recorded and such records are kept for at least three years.

  1. Deletion, Destruction or Anonymization of Personal Data

Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of personal data, and as regulated in Article 138 of the Turkish Penal Code No. 5237, Article 7 of the Law and the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation") published in the Official Gazette dated 28.10.2017, our Company deletes, destroys or anonymizes personal data ex officio or upon the request of the relevant person in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the relevant law.

On the other hand, pursuant to Article 7 of the Regulation titled 'Principles', all transactions regarding the deletion, destruction and anonymization of personal data are recorded by our Company and such records are kept for at least 3 years, without prejudice to our other legal obligations.

With the deletion of personal data, this data is made inaccessible and non-reusable in any way for the relevant users. Accordingly, our Company, as the data controller, takes all necessary technical and administrative measures to ensure that the deleted personal data is inaccessible and non-reusable for the relevant users.

In the process of deletion of personal data, the personal data that will be subject to deletion is determined, the relevant users who are authorized to access the personal data in question and the authorities of the users on the personal data are determined, and the access, retrieval and reuse authorities of the relevant users within the scope of the personal data in question are removed.

Personal data on paper media are erased using the blackout method. Blackout is the process of making the personal data on the relevant document invisible to the relevant users by using fixed ink or cutting it in such a way that it cannot be returned and cannot be read by technological analysis.

In databases containing personal data, the relevant rows containing personal data are deleted with database commands (Delete, etc.). For personal data in the file system, deletion is performed by deleting the personal data with the delete command of the operating system, or by removing the access rights of the relevant user on the file or the directory where the file is located.

Destruction of data, on the other hand, refers to the destruction of materials suitable for storing data such as documents, files, CDs, floppy disks, hard disks, etc. in which the data is recorded so that the information cannot be retrieved and used again.

For the destruction of personal data, all copies containing the data are identified and, depending on the type of systems in which the data is stored, the appropriate method is used, such as de-magnetization for data on magnetic media, melting, burning or pulverizing optical media and magnetic media or passing them through a metal shredder, and passing them through a paper shredder for personal data on paper media.

Anonymization of data means making personal data impossible to be associated with an identified or identifiable natural person, even if the data is matched with other data. The purpose of anonymization is to break the link between the data and the person identified by this data. Methods such as automatic or non-automatic grouping, masking, derivation, generalization, randomization applied to the records in the data recording system where personal data are kept are some of the anonymization methods.

  1. Techniques for Erasure, Destruction and Anonymization of Personal Data
  2. Techniques for Deletion and Destruction of Personal Data

Although it has been processed in accordance with the provisions of the relevant law, our Company may delete or destroy personal data based on its own decision or upon the request of the person concerned if the reasons requiring its processing are completely eliminated.

Our Company may use the following methods for deletion and destruction:
- Physical Destruction: Personal data may also be processed by our Company by non-automatic means, provided that they are part of any data recording system. When destroying such data, the system of physically destroying the relevant personal data in a way that cannot be accessed, used and recovered by anyone is applied.

  1. Techniques for Anonymizing Personal Data

Anonymization of personal data is the process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching personal data with other data. In accordance with Article 28 of the Law; anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Law and the explicit consent of the data subject will not be sought, and anonymization techniques specified by the Authority may be used.

  1. Retention and Periodic Destruction Periods of Personal Data

Our Company stores personal data in accordance with the periods stipulated in the laws and other legislation. If there is no time regulation in the laws and other legislation regarding how long personal data should be stored, personal data is processed for a period until the realization of the purpose of processing personal data within the scope of the activity carried out when our Company processes that personal data. These data are deleted, destroyed or anonymized on the first periodic destruction date and process following the date when the obligation of destruction arises.


  1. CLASSIFICATION OF DATA SUBJECTS AND MATCHING THEM WITH PERSONAL DATA
  2. Classification of Relevant Persons

As per Article 3 of the Law, only real persons can benefit from the protection of this Policy and the Law; in this context, the relevant persons are grouped as follows:

- Employee Candidate: Real entities who have made a job application to our Company by any means or who have opened their CV and related information to our Company's review.
- Company Customer: Entities whose personal data are obtained through the Company.
- Company Business Partner, Shareholder, Officer, Employee of Business Partners: Real entities with whom our Company has all kinds of business relations and all real entities, including employees, shareholders and officials of real and legal entities (such as business partners, suppliers) with whom our Company has all kinds of business relations.
- Company Customer: Real entities who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company.
- Potential Customer: Real entities who have made a request or interest in using our products and services or who have been evaluated in accordance with the rules of commercial custom and honesty that they may have this interest.
- Company Employee: Real entities working within the Company and its affiliated companies.
- Company Shareholder: Entities who are shareholders of the Company and its affiliated companies.
- Company Executive: Members of the Board of Directors and other authorized persons of the Company and its affiliated companies.
- Third Party: Other parties who are not covered by the Company Policy prepared for Company Employees and who do not fall under any category of relevant parties in this Policy. For example: patients, companions, etc.
- Visitor: All real entities who have entered the physical premises owned by our Company for various purposes or who visit our websites for any purpose.

  1. Matching Personal Data with Data Subjects, Data Controller and Data Processors

The matching of the classified personal data, whose definitions and scopes are given above, with the owners of the classified personal data is presented below.

Matching Personal Data Categories and Person Groups

Information Technologies Department

- Responsible for implementing the Personal Data Storage and Destruction Policy

- Managing personal data destruction processes in accordance with the periodic destruction periods by ensuring compliance with the Personal Data Storage and Destruction Policy regarding the processes within the scope of its duties

Finance and Accounting Department

- Responsible for implementing the Personal Data Storage and Destruction Policy

- Managing personal data destruction processes in accordance with the periodic destruction periods by ensuring compliance with the Personal Data Storage and Destruction Policy regarding the processes within the scope of its duties

 

Personal Data Subject Group

| Individual Group | Individual Group Description |
| --- | --- |
| Employees and Interns of the Company, Business Partners | All real entities, including our company employees, our company's subsidiary companies and real entities with whom our company has a business relationship, and shareholders and officials working in legal entities |
| Employee Candidate, Trainee Employee Candidate | Real entities who have made a job application to our Company or submitted their CVs for review in any way |
| Company Shareholders | Real entities who are shareholders of the Company |
| Company Customers, Product or Service Recipient | Real entities benefiting from the products and services offered by our Company |
| Company Representative | Authorized person working in the relevant public/private institution |
| Prospective Company Customers | Real entities who have requested to benefit from the products and services offered by our Company |
| Visitor | Real entities visiting the Company's buildings, facilities and websites |
| Subsidiary Companies | The company's group companies |
| Business Partners | Parties with whom the Company has established business partnerships in order to carry out its commercial activities |
| Legally Authorized Institutions and Organizations and Private Law Legal Entities | Legally authorized institutions and organizations and private legal entities with whom the Company is obliged to share information and documents in accordance with the provisions of the relevant legislation |
| Company Executive | Members of the Board of Directors and other authorized persons of the Company |
| Third Parties | The person/patient who applies to the hospitals/integrated health facilities provided by our Company for examination and treatment and receives outpatient or inpatient treatment. |

Storage and Destruction Periods

| Work Process | Storage Period | Destruction Period |
| --- | --- | --- |
| Personnel Procedure | 15 years | Within 180 days following the expiration of the storage period |
| Recruitment Process | 2 years | Within 180 days following the expiration of the storage period |
| Training Process | 15 years | Within 180 days following the expiration of the storage period |
| Salary and Advance Process | 15 years | Within 180 days following the expiration of the storage period |
| Legal Processes | 15 years | Within 180 days following the expiration of the storage period |
| Internet and E-mail Access Process | 2 years | Within 180 days following the expiration of the storage period |
| Information System Tools Allocation Process | 10 years | Within 180 days following the expiration of the storage period |
| Business Operation and Organization Process | 15 years | Within 180 days following the expiration of the storage period |