Protection, Storage and Disposal Policy of Personal Data

INTRODUCTION

Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. (Private B.D.İ. Oral and Dental Health Polyclinic) attaches importance to processing and storing, in accordance with the Law on Protection of Personal Data No. 6698 (KVKK), all kinds of personal data belonging to you, our esteemed patients to whom we provide health services, and to their relatives, our employees and all third parties related to us, in connection with our activities and service purposes.

With this “Personal Data Protection, Storage and Disposal Policy” (Policy), the basic principles are set by determining the methods and responsibilities of Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. regarding the deletion, destruction and anonymization of personal data within the time required for the purposes of processing.

PURPOSE

The purpose of this policy is: to explain the systems adopted by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. for the protection of personal data and the personal data processing activities carried out in accordance with the Law on the Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette dated April 7, 2016 and numbered 29677; to ensure the regulation and supervision of processes that require personal data processing within the organization; to develop awareness of the lawful processing of personal data in the units involved in processing and to establish a sense of responsibility in this context; and to provide transparency about our data processing processes by informing our employee candidates, officials, visitors, the employees, shareholders and officials of the institutions we cooperate with, and third parties whose personal data are processed by Best Dental Istanbul.

CONTENT

This policy applies, within the scope of the activities carried out by Best Dental Istanbul, to all personal data of our employee candidates, our website and social media account users, our employees, former employees, officials, visitors, participants, the employees, shareholders and officials of various institutions/organizations such as the supplier companies we cooperate with, and third parties, where those data are processed by automatic means or by non-automatic means provided that they are part of any data recording system.

The scope of the matters we have stated in this policy may cover all of these groups, which are counted according to the type of processing activity, as well as some groups, such as employees of the supplier company, wholly or partially.

IMPLEMENTATION OF POLICY AND RELEVANT LEGISLATION

This policy has been prepared on the basis of KVKK, the Regulation, the Regulation on Data Controllers Registry No. 30286 and other relevant regulations.

DEFINITIONS

The terms used in this policy are used to have the following meanings, and if a different term is used instead of the related term or a different meaning is given to the related term, in the terms defined in the legal legislation or regulatory agency decisions, Best Dental Istanbul may also make a change. Such terms will be considered as amended in the application of this policy from the date the amendment enters into force, without the need to

Contact Categories

Descriptions

EU (AB)

European Union

Constitution

Published in the Official Gazette dated 9 November 1982 and numbered 17863; Constitution of the Republic of Turkey dated 7 November 1982 and numbered 2709

Open Consent

Consent on a specific subject, based on information and expressed with free will.

Anonymization

The process of rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching them with other data.

Application Form

“Application Form for Applications to be Made by the Related Person (Personal Data Owner) to the Data Controller in accordance with the Law on Protection of Personal Data No. 6698”, which will include the application to be made by the personal data owners/related persons to exercise their rights, and which explains the method of the application that can be accessed from the website www.bestdentalistanbul.com within the scope of the policy.

Best Dental İstanbul

Best Dental Istanbul Oral and Dental Health Services Ltd. Sti.

Employee Candidate

Real persons who have applied for a job or internship to Best Dental Istanbul by any means or have opened their resume and related information to Best Dental Istanbul for review,

Employees

Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. Students or graduates who have a business relationship with the Company in accordance with the Labor Law and who are undergoing internship training.

Related person

The natural person whose personal data is processed.

Destruction

The process of irreversibly deleting, destroying or anonymizing personal data.

Institutions/organizations we cooperate with

Employees, shareholders and officials of Best Dental Istanbul, including the shareholders and officials of these institutions, working in the institutions (such as but not limited to business partners, suppliers) with which it has any business relationship,

Business partner

Parties with whom Best Dental Istanbul has established business partnerships while carrying out its activities,

Participant

Person who attends any event, course or training organized by Best Dental Istanbul,

Personal Data

It means any information relating to an identified or identifiable natural person.

Personal Data Owner/Relevant Person

The natural person whose personal data is processed. For example; employees, visitors,

Special Qualified Personal Data

Data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Processing of Personal Data

Any operation performed on personal data, in whole or in part, by automatic means or by non-automatic means provided that it is a part of any data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, using or blocking the data.

Personal Data Processing Inventory

Personal data processing activities carried out by data controllers depending on their business processes; It is the inventory that they create by associating personal data with the processing purposes, data category, transferred recipient group and data subject group, and detailing the maximum period required for the purposes for which personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security.

Periodic Destruction

The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data processing, storage and destruction policy, in the event that all of the personal data processing conditions in the law are eliminated.

Deletion

The process of making personal data inaccessible and unusable for the relevant users in any way.

Annihilation

The process of making personal data inaccessible, irretrievable and unusable by anyone in any way.

Recording Media

It refers to any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.

KVKK

Law on Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677

KVKK Commission

Best Dental Istanbul Personal Data Protection Commission, which is responsible for ensuring compliance with the Best Dental Istanbul Personal Data Protection Law, KVK Board decisions and the provisions of the relevant legislation, the implementation of the policies regulated and the necessary inspections,

KVKK Board / Regulatory Board

Personal Data Protection Board

KVKK Authority / Regulatory Authority

Personal Data Protection Authority

Responsible Manager

Best Dental Istanbul Oral and Dental Health Services Ltd. Sti Responsible Manager

Policy

Refers to this Personal Data Protection, Processing and Disposal Policy, which regulates the principles adopted by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. in the processing, storage and destruction of personal data.

Instructions

Short, simple, understandable written documents that explain how to do the steps of an activity and/or job and support the procedures

Supplier

Parties that provide services to Best Dental Istanbul on a contractual basis in accordance with Best Dental Istanbul orders and instructions, while carrying out its activities in Best Dental Istanbul,

Turkish Debts Law

Published in the Official Gazette dated February 4, 2011 and numbered 27836; Turkish Law of Obligations dated 11 January 2011 and numbered 6098

Turkish Penal Law

Published in the Official Gazette dated February 4, 2011 and numbered 27836; Turkish Law of Obligations dated 11 January 2011 and numbered 6098

Turkish Commercial Law

Published in the Official Gazette dated 14 February 2011 and numbered 27846; Turkish Commercial Law No. 6102 dated January 13, 2011

Third Party

Natural persons whose personal data are processed within the scope of the policy, who are not defined differently within the scope of the policy (For example, companions, family members and relatives),

Data Processor

It is the natural and legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.

Data Controller

It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Recording System

It is a recording system in which personal data is processed and structured according to certain criteria.

Data Controllers Registry Information System (Verbis)

It is an information system created and managed by the Presidency, accessible over the internet, to be used by the data controllers in the application to the Registry and other related transactions related to the Registry.

Regulation

It refers to the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

Visitor

Real persons who have entered the physical campuses of Best Dental Istanbul for various purposes or visited our websites.

For definitions not included in this policy, the definitions in KVKK apply.

CATEGORIES OF PERSONAL DATA PROCESSED, CATEGORIES OF RELATED PERSONS, CLASSIFICATION OF DATA ACCORDING TO THE DATA SUBJECT PERSON GROUP AND RECIPIENT GROUPS TO WHICH IT IS TRANSFERRED

Personal Data Categories

The categories and explanations of the personal data processed within the scope of the personal data processing activities carried out by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. are as follows:

Personal Data Category

Description

Identity

Name, surname, T.C. ID number, passport copy or temporary T.C. ID number, date of birth and other identification data by which we can identify you.

Communication

Telephone number (fixed or mobile phone numbers you have declared), e-mail address, social media accounts, contact records made with the hotline, and personal data obtained when you contact us via e-mail or other means.

Personnel

Personal data processed to obtain the information that is the basis for the personal rights of natural persons within the scope of your working relationship with our practice. This covers data received pursuant to the law or the employment contract regarding personnel transactions, such as the employee’s starting date, wage, number of working days per month, contact information of family members or relatives, places where they worked before, etc.

Transaction Security

IP address information, browser information, cookie information, website login and exit information, password and password information and navigation data obtained during use.

Finance

Personal data processed regarding information, documents and records showing all kinds of financial results belonging to individuals, and data such as credit card information, bank account number, IBAN number and billing information.

Visual Data

Photo record data.

Health Information

Blood group information, personal health information, device and prosthesis information used, health report, periodic examination form for employment, medical history, data on previous surgeries/operations, skin analysis information, laboratory results, test results, examination data, prescription information, medications you constantly use, visual data before and after surgery and other health data.

Sexual Life

Data on sexual life.

Communication and Complaint Management

It is the personal data obtained during the process of receiving and evaluating all kinds of requests or complaints against our polyclinic.

Contact Categories

Within the scope of this Policy, explanations about our patients, platform users, employees, employee candidates and third parties (suppliers and authorized or employees of institutions with which we have a business relationship) are included.

Contact Categories

Description

Service Recipients

They are real persons who purchase the services offered in our outpatient clinic.

Employees

They are real people who are in a working relationship with our polyclinic.

Employee Candidates

They are real persons who have applied for a job in our polyclinic by any means and submitted their CV or information about the job application form for the examination of our polyclinic.

Website and Social Media Users

Persons who visit and use our website, www.muhammetdilber.com, which belongs to our outpatient clinic, and our social media accounts for any purpose.

Business Connections (Real person suppliers, natural person representatives of legal entities).

Real persons with whom we have business relations while carrying out the activities of our polyclinic, real person representatives of legal persons, employees in the presence of these persons, etc.

Classification of Personal Data by Data Subject Group

The following table describes the personal data categories and the relevant person categories by matching:

Personal Data Categories

Data Subject Group

Identity Data

Service Users, Parent/Guardian or Representative, Website and Social Media Users, Employees, Employee Candidates and Suppliers.

Contact Data

Service Users, Parent/Guardian or Representative, Website and Social Media Users, Employees, Employee Candidates and Suppliers

Personnel Data

Employees and Employee Candidates

Transaction Security Data

Service Users, Website and Social Media Users and Employees.

Financial Data

Service Users, Employees and Suppliers

Visual Data

Service Users.

Health Data

Service Users, Potential Service Recipients and Employees.

Sexual Life Data

Service Users.

Communication and Grievance Management Data

Service Users, Website and Social Media Users and Employees.

Recipient Groups to which Personal Data is Transferred

Personal data within the scope of the policy may be transferred by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. to the recipient groups listed below for the purposes specified.

Recipient Groups

Personal Data Transfer Purposes

Suppliers

Limited to the purposes of our polyclinic to carry out its activities and to provide the necessary services.

Legally Authorized Public Institutions and Organizations

Limited to the purpose requested by authorized public institutions and organizations within their legal authority.

Legally Authorized Real Persons or Private Law Legal Entities

Limited to the purpose requested by authorized private legal persons within their legal authority.

RECORDING ENVIRONMENTS

Personal data is recorded and stored securely in accordance with the law in the following environments.

Electronic media:

Servers: Central server, data center servers, backup, email, web, file sharing etc.

Software: Office software etc.

Information security devices: Firewall, intrusion detection and prevention, antivirus, etc.

Electronic devices: Network devices, desktop and laptop computers, portable devices (USB, hard disk, memory card, etc.), printers, scanners, copier, mobile devices (Phone, tablet, etc.) and optical discs (CD, etc.).

Physical environments:

Unit cabinets, archive,

Manual data recording systems (forms, notebooks, etc.), and written, printed and visual media.

MATTERS REGARDING THE PROTECTION OF PERSONAL DATA

Best Dental Istanbul Oral and Dental Health Services Ltd. Şti., in accordance with Article 12 of the KVKK, takes the necessary administrative and technical measures to ensure the level of security appropriate for the nature of the data to be protected in order to prevent the illegal processing of personal data and illegal access to the data, and carries out the necessary audits in this context.

Administrative Measures

The main administrative measures taken to prevent unlawful processing of personal data, to prevent unlawful access to data and to ensure data protection are listed below:

The personal data processing activities carried out by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. were determined and a regularly updated personal data inventory was prepared.

Before starting to process personal data, the obligation to inform the relevant persons is fulfilled.

Responsibilities of employees regarding personal data security have been determined in their job descriptions and it has been ensured that they are aware of their responsibilities in this regard.

In order to improve the quality of the employees, trainings are provided on the protection of personal data, processing in accordance with the law, preventing the illegal processing of personal data and illegal access to the data, communication techniques, technical information skills, information security, and the Law No. 657 and other relevant legislation.

Implementation rules are determined in order to ensure compliance requirements, in-house policies are implemented and audits are carried out in order to ensure the continuity of these issues and practice.

Confidentiality commitments are signed by the employees within the scope of personal data protection legislation and data security regarding the activities carried out.

Provisions have been added to the contracts and documents signed with service recipients, suppliers and third parties in order to ensure the legal processing, protection and confidentiality of personal data; the responsibilities of the parties are clearly regulated, and provisions are included that impose sanctions for data processing activities that are contrary to the law and the contract. In case the processed personal data is obtained by others unlawfully, this situation will be notified to the relevant person and the Board as soon as possible.

Technical Measures

In order to prevent unlawful processing of personal data, illegal access to data and to ensure data protection, measures are taken and updated to the extent technology allows, the main technical measures are listed below:

Risks to prevent the unlawful processing of personal data are determined, appropriate technical measures are taken against these risks, and controls are made for the measures taken.

By establishing access procedures, reporting and analysis studies are carried out regarding access to personal data.

Access to personal data stored in electronic or non-electronic media is restricted and only authorized persons are allowed to access this data limited to the purpose of storing personal data, inappropriate access or access attempts are kept under control.

Access to information systems and authorization of users are done through access and authorization matrix and security policies.

Necessary measures are taken for the physical security of information systems equipment, software and data.

Security tests and research are carried out to detect security vulnerabilities on information systems, and the existing or potential risky issues identified as a result of the tests and investigations are eliminated.

The website served by the practice is encrypted with the SHA 256 Bit RSA algorithm using the HTTPS method.

Strong passwords are used in electronic environments where personal data is processed.

Necessary measures are taken to ensure that the deleted personal data is inaccessible and non-reusable for the relevant users.

Security vulnerabilities are followed and appropriate security patches are installed and information systems are kept up-to-date.

In order to ensure the security of information systems against environmental threats, hardware precautions (access control system that allows only authorized personnel to enter the system room, fire extinguishing system, air conditioning system, etc.) and software precautions (virus protection programs, firewalls, network access control, systems that prevent malware, etc.) are taken.

Some personal data are given special importance by the legislation due to the risks of causing victimization and discrimination when processed unlawfully. In accordance with the decision of the Board, dated 31.01.2018 and numbered 2018/10, regarding the “Adequate Precautions to be Taken by Data Controllers in the Processing of Special Quality Personal Data”, a separate, manageable and sustainable policy has been determined within the practice of Best Dental Istanbul Oral and Dental Health Services Ltd. Sti., with the utmost sensitivity, for the security of sensitive personal data.

Special quality personal data security trainings have been provided for employees involved in special quality personal data processing, confidentiality agreements have been made, and the scope and duration of authorization of users who have access to data are clearly defined.

The security updates of the environments where the data is located are followed, the necessary security tests are carried out and the test results are recorded.

Adequate security measures (against electrical leakage, fire, flood, theft, etc.) of physical environments where sensitive personal data are processed, stored or accessed are taken, and unauthorized entries and exits are prevented by ensuring physical security.

If sensitive personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a KEP account. If the transfer is carried out between servers in different physical environments, the data is transferred via the FTP method or online via the Plesk control panel. If it must be transferred on paper, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a confidential format.

Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

In case the processed personal data is obtained by others illegally, in accordance with Article 12 of the KVKK this situation will be notified to the relevant personal data owner and the KVK Board as soon as possible. In this context, Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. will notify the Board without delay and within 72 hours at the latest from the date of learning of this situation. Following the determination of the persons affected by the data breach, the relevant persons will be notified within the shortest reasonable time by appropriate methods, such as directly if the contact address of the data subject can be reached, or by publishing on the website of the data controller if it cannot be reached. In data breach notifications, the purpose of notifying the Board and the people affected by the breach is to ensure that measures are taken to prevent or minimize the negative consequences that may arise for these people as a result of the breach.

MATTERS REGARDING THE STORAGE AND DISPOSAL OF PERSONAL DATA

Storage and Disposal of Personal Data

Personal data obtained by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. are securely recorded, stored and destroyed in accordance with the relevant legislation, especially the provisions of the KVKK, in different environments depending on principles such as the nature of the data, the purposes of processing and the frequency of use.

Storage and Disposal Periods of Personal Data

Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. preserves the personal data it processes within the scope of its activities for the period specified in the relevant legislation or for the period required for the purpose for which it is processed. In this framework, first of all, if the relevant legislation states how long the personal data should be kept, this period is followed. When the period expires, upon the request of the data owner, or when the purpose of processing the data ceases, the personal data is deleted, destroyed or anonymized by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. Detailed information about the storage periods of the processed personal data is given in Annex 2 of this Policy.

Reasons Requiring Destruction of Personal Data

Personal data processed by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. within the framework of its activities are deleted, destroyed or anonymized upon the request of the person concerned or ex officio, for the following reasons.

Amendment or repeal of the provisions of the relevant legislation, which are the basis for processing,

The disappearance of all purposes that require the processing of personal data and the reasons that require it to be stored,

In cases where the processing of personal data takes place only on the basis of explicit consent, the data owner withdraws his consent,

The data owner requests the destruction of their personal data by using their rights under KVKK,

The answer to the application made to Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. is found insufficient or is not given within the time stipulated in the Law, a complaint is made to the Board and this request is approved by the Board,

The maximum period for keeping the personal data has passed and there is no condition to justify keeping the personal data for a longer period.

Legal Disposal of Personal Data

Where personal data have been processed in accordance with the provisions of the Law and other relevant laws but the purpose that requires their processing and storage ceases to exist, the personal data are deleted, destroyed or anonymized by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti., ex officio or upon the request of the data owner.

Best Dental Istanbul Oral and Dental Health Services Ltd. Şti. acts in accordance with the above-mentioned technical and administrative measures, relevant legislation provisions, Board decisions and this Policy in deleting, destroying or anonymizing personal data. All transactions made within this scope are recorded and these records are kept for at least three years, excluding other legal obligations.

Unless a contrary decision is taken by the Board, the appropriate method of deletion, destruction or anonymization regarding the destruction of personal data is selected.

The main technical and administrative measures taken by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. for the destruction of personal data are listed below:

Best Dental Istanbul Oral and Dental Health Services Ltd. Şti. informs and trains its employees on the periodic and proper destruction of personal data.

The personal data destruction process is carried out by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti.

Best Dental Istanbul Oral and Dental Health Services Ltd. Şti. evaluates and monitors the personal data inventory on the basis of retention and data destruction periods, and conducts audits.

Provisions have been added to the contracts and documents signed with third parties regarding the legal processing of personal data, their storage and elimination of the purpose of processing, the expiration of the storage period or their destruction upon the request of the data owner.

Methods of Disposal of Personal Data

1-Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and non-reusable for relevant users. Best Dental Istanbul Oral and Dental Health Services Ltd. Şti. can use the following methods to delete personal data, depending on the environment in which the data is recorded:

Recording Media

Data Destruction Method

Secure deletion from software

When deleting data processed by fully or partially automated means and stored in digital media, methods for deleting the data from the relevant software are used so that it cannot be accessed and reused in any way by the relevant users.

Personal data in the physical environment

Removing the relevant personal data from the document by physically cutting it or rendering it invisible by using fixed ink in a way that cannot be recovered and read with technological solutions, and applying a blackening process by drawing, painting or deleting it in a way that cannot be read.

2-Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. Best Dental Istanbul Oral and Dental Health Services Ltd. Şti. can use one or more of the following methods, depending on the environment in which the data is recorded, to delete personal data:

Recording Media

Data Destruction Method

Data recorded on the online server via FTP or the Plesk control panel

Personal data whose retention period has expired are deleted from the software panel.

Personal data in the physical environment

Among the personal data in the paper environment, the ones whose period has expired are irreversibly destroyed by paper shredding machines or by incineration. Personal data transferred to electronic media by scanning from the original paper format are destroyed by appropriate methods according to the environment in which they are located.

3-Anonymizing Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person in any way, even if it is matched with other data. In order for personal data to be anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person even when the data controller, recipient or recipient groups use techniques appropriate for the recording medium and the relevant field of activity, such as reversing the data and matching the data with other data. In accordance with Article 28 of KVKK, anonymized personal data may be processed for purposes such as research, planning and statistics. Since such processing will be outside the scope of KVKK, the explicit consent of the data owner will not be sought and the right to apply will not be valid for this data. Best Dental Istanbul Oral and Dental Health Services Ltd. Şti. may use one or more of the following methods to anonymize personal data:

Removing Variables: One or more of the highly descriptive variables in the collected data set are removed, and the existing data set is thereby anonymized.

Removing Records: By removing a data line containing singularity in the personal data set, the stored data is anonymized.

Aggregation: With the data aggregation method, many data are aggregated and personal data is rendered incapable of being associated with any person. For example, it is revealed that there are 50 service recipients born in 1982 without showing the birth years of the patients one by one.

Data Exchange: The data exchange method is record changes obtained by exchanging values belonging to a subset of variables between pairs selected from the records. In this method, which is used for data that can be categorized in general, the aim is to transform the database by interchanging the data of the data owners.

Titles, Units and Job Descriptions of Persons Involved in Personal Data Storage and Disposal Processes

The titles and job descriptions of the personnel involved in the personal data storage and destruction process are listed in Annex-1 of this Policy.

Periodic Destruction Periods of Personal Data

Best Dental Istanbul Oral and Dental Health Services Ltd. Şti. deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.

In accordance with Article 11 of the Regulation, the company has set the periodic destruction interval at 6 months; however, it is accepted that the Board may shorten the periods specified in this article and in the destruction period table in case of damage that is difficult or impossible to remedy and where there is a clear violation of the law. Accordingly, periodic destruction is carried out in June and December each year.

DUTIES REGARDING THE STORAGE AND DISPOSAL OF PERSONAL DATA

Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. attaches importance to ensuring, maintaining, managing and developing compliance with the personal data protection legislation.

In this context, the following tasks are fulfilled:

To prepare the basic policies regarding the processing, storage, protection and destruction of personal data, to ensure the implementation of the policies, to coordinate and manage the compliance process with the legislation and the practice policy,

To coordinate communication with the relevant data owners within the scope of the activities carried out by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti. as a data controller,

To carry out the necessary activities and arrangements within the practice in relation to the requests, complaints and notifications of the Board, and to organize the related processes,

To carry out the necessary activities and arrangements within the practice regarding the requests, complaints and notifications from the relevant persons,

To update the personal data processing inventory and to monitor and report data processing activities and to make necessary updates in Verbis in case of changes,

To organize training to raise employee awareness and to measure its effectiveness, and to inform the institutions with which it cooperates,

To decide how to carry out the supervision of personal data processing activities and to ensure the necessary coordination in this context,

To determine the risks that may occur in personal data processing activities within the scope of KVKK compliance and to ensure that the necessary measures are taken,

To manage processes and corrective actions regarding data privacy violations,

To follow the board announcements and developments regarding the legislation, to ensure that they are implemented in relevant places and to make necessary notifications.

UPDATES AND CHANGES

This Policy is revised as needed, and the necessary sections are updated, by Best Dental Istanbul Oral and Dental Health Services Ltd. Sti.

The right to make changes to this Policy and to other policies related to it, owing to changes made in the Law, in accordance with Board decisions, or in line with developments in the sector or in the field of informatics, is reserved.

Changes made to the Policy are immediately recorded in the text, and explanations of the changes are given at the end of the Policy.

PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is also kept in the file.

ENFORCEMENT AND ANNOUNCEMENT OF THE POLICY

The Policy is deemed to have entered into force after its publication on the website. If it is decided to cancel it, the old wet-signed copies of the Policy are marked as canceled, signed, and kept for at least 5 years.

Attachments:

Annex-1: Table of Titles, Units and Job Descriptions of Persons Involved in Personal Data Storage and Disposal Processes

| EMPLOYEE | DUTY | RESPONSIBILITY |
|---|---|---|
| Assistant | Human resources department | Supervising the functionality of processes related to the processing, protection and storage of personal data, excluding sensitive personal data, ensuring the compliance of processes with the storage period and managing the periodical destruction process. |
| Assistant | Accounting department | Management of financial and accounting processes. |

Annex-2: Table of Retention and Disposal Periods of Personal Data

Personal data will be kept for the periods specified in the table below, and will be anonymized or destroyed at the end of the period.

| DATA CATEGORY | DATA STORAGE PERIOD | DISPOSAL TIME |
|---|---|---|
| Identity | 20 Years from expiry of service contract | Within 180 days after the end of the retention period |
| Contact | 20 Years from expiry of service contract | Within 180 days after the end of the retention period |
| Personnel | 10 Years from the end of the service contract | Within 180 days after the end of the retention period |
| Transaction Security | 2 Years from data acquisition | Within 180 days after the end of the retention period |

If the polyclinic's purpose for using the relevant personal data has not ended, if the storage period stipulated for the relevant personal data in the legislation is longer than the periods in the table, or if the statute of limitations for the case requires the personal data to be kept longer than the periods in the table, the periods in the above table may not be applied. In this case, the period determined by the purpose of use, the special legislation or the statute of limitations for the case, whichever ends last, will apply.

The above periods start from the date of termination of the employment contract for employees, from the date of termination of the contract for suppliers and service users, or from the date of the last transaction if there is no contract.

Best Dental Istanbul Oral and Dental Health Services Ltd. Sti.