1. PURPOSE OF THE POLICY

The purpose of this policy; 5 and 6 of the Regulation (Regulation) on the Deletion, Destruction or Anonymization of Personal Data, which was issued based on the Law (Law) on the Protection of Personal Data No. 6698 and published in the Official Gazette No. 30224 on 28.10.2017. ” ENTO KULAK BURUN BOĞAZ ÖZEL SAĞLIK HİZMETLERİ TİCARET A.Ş.”   (hereinafter briefly  referred to as “ENTO ENT”  ), to determine the rules and roles and responsibilities to be applied throughout.

2. SCOPE OF THE POLICY

The Policy covers the personal data and sensitive personal data defined by the Law, kept by “ENTO KBB”, all “ENTO KBB” employees, managers, consultants and their affiliates, external service providers and “ENTO KBB” in all cases where personal data sharing is in question . It includes natural and legal persons with whom it has other legal relations.

Policy covers personal data in systems where data is processed by fully or partially automated or non-automated means provided that it is a part of any data recording system, as specified in the Law.

Unless otherwise stated in the policy, personal data and sensitive personal data will be collectively referred to as “Personal Data”.

3. DEFINITIONS

• Anonymization: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even if it is matched with other data,
• Destruction: Deletion, destruction or anonymization of personal data,
• Personal Data: Any information relating to an identified or identifiable natural person,
• Personal Data Retention Table: The table showing the periods during which personal data will be kept at “ENTO KBB” ,
• Personal Data Processing Inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data with the purposes of processing, the data category, the transferred recipient group and the data subject group, explaining the maximum time required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security,
• Deletion of Personal Data: The process of making personal data inaccessible and unusable for the relevant users,
• Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and reusable by anyone,
• Sensitive Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data. and genetic data,
• Periodic destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated,
• Data registration system: The registration system in which personal data is processed and structured according to certain criteria,

4. RECORDING MEDIA REGULATED BY POLICY

Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system, is within the scope of the recording medium.

5. DUTIES AND AUTHORITIES OF THE PERSONAL DATA PROTECTION COMMITTEE

• Personal Data Protection Committee Announcing the policy to the relevant business units and following up the fulfillment of the requirements by the “ENTO KBB” units.
• The Personal Data Protection Committee makes the necessary announcements and notifications for the relevant business units to follow up on the legislation changes regarding the protection of personal data, regulatory acts and decisions of the Board, court decisions or changes in the processes, practices and systems, and update their business processes if necessary,
• Personal Data Protection Committee; It determines the processes for the examination, evaluation, follow-up and conclusion of the law and its secondary regulations as well as the decisions and regulations of the Board, court decisions and decisions and/or requests of other competent authorities, and submits them to the relevant units.

6. WHAT TO DO IN CASE THE CONDITIONS FOR THE PROCESSING OF PERSONAL DATA AVOID

• In the event that the purpose factor for the processing of personal data is eliminated, the express consent is withdrawn, or all the conditions for processing personal data in Articles 5 and 6 of the Law are eliminated, or if there is a situation where none of the exceptions in the aforementioned articles can be applied, the processing conditions are eliminated. Personal data is deleted, destroyed or anonymized by the relevant business unit, taking into account business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation, by explaining the reason for the method applied. However, in case of a finalized court decision, the method of destruction determined by the court decision must be applied.
• All users who process or store personal data and “ENTO KBB” units, which are data owners, will review the data recording media they use, within four-month periods at the latest, whether the conditions related to processing have been eliminated. Upon the application of the personal data owner or the notification of the Board or a court, the relevant users and units will make this review in the data recording media they use, regardless of the period of periodic inspection.
• As a result of periodic reviews or at any time, when it is determined that the data processing conditions have been removed, the relevant user or data owner will decide to delete, destroy or anonymize the relevant personal data from the recording medium in his/her own responsibility, in accordance with this policy. In case of hesitation, action will be taken by obtaining the opinion of the relevant data owner business unit. When it is necessary to take a decision on the destruction of personal data with multi-stakeholder data ownership in the Central Information Systems, the opinion of the Personal Data Protection Committee will be taken and the data owner concerned will be asked to keep or delete, destroy or anonymize the personal data in accordance with this policy. decision by business unit
• All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
• Pursuant to Article 7.4 of the Regulation, the methods applied for the deletion, destruction and anonymization of personal data will be published and announced after the entry into force of the Policy.
• In deleting, destroying or anonymizing personal data, acting in accordance with the general principles in Article 4 of the Law and the technical and administrative measures to be taken within the scope of Article 12, the provisions of the relevant legislation, Board decisions and court decisions.
• The real person who owns a personal data, pursuant to Article 13 of the Law “ENTO KBB”When it requests the deletion, destruction or anonymization of its personal data, the relevant data owner business unit examines whether all the conditions for processing personal data have disappeared. If all the processing conditions have disappeared; deletes, destroys or anonymizes the personal data subject to the request. In this case, the details are as determined in the Data Disposal Procedure in the ISO 27001:203 Information Security Management System; The request is finalized within thirty days at the latest from the date of application and the person concerned is informed through the KVKK team appointed by the KVKK Officer. If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties,
• In cases where all the conditions for processing personal data are not eliminated, the requests of personal data owners for the deletion or destruction of their data may be rejected by “ENTO KBB” by explaining the reason in accordance with the 3rd paragraph of Article 13 of the Law. The rejection response is notified to the relevant person in writing or electronically within 30 days at the latest.
• Requests for deletion or destruction of personal data will only be considered if the identity of the person concerned has been identified. In requests to be made outside of the said channels, the relevant persons will be directed to the channels where identification or verification can be made.

7. POLICY IMPLEMENTATION, VIOLATIONS AND SANCTIONS

• This Policy will come into force by announcing it on the website of “ENTO KBB” and all employees and as of its effective date, all business units, consultants, customers, insurance companies , external service providers and other COMPANY A.Ş. It will be binding on anyone who processes personal data before him.
• It will be the responsibility of the supervisors of the relevant employees to monitor whether the “ENTO KBB” employees fulfill the requirements of the Policy. When a violation of the policy is detected, the issue will be immediately reported to a higher supervisor by the supervisor of the relevant employee. If the violation is significant, the Personal Data Protection Committee will be informed without delay by the superior.
• Necessary administrative action will be taken against the employee who violates the policy, after the evaluation by Human Resources.
• By ” ENTO KBB ” in order to fulfill the policy requirements ; All necessary security measures are taken within the scope of Information Security Management System and KVK Law No. 6698.

8. PERSONS TO BE INVOLVED IN PERSONAL DATA STORAGE AND DISPOSAL AND THEIR RESPONSIBILITIES

All employees, customers, insurance companies, consultants, external service providers and anyone else who stores and processes personal data before “ENTO KBB” is responsible for fulfilling the requirements regarding the destruction of data specified in the Law, Regulation and Policy within “ENTO KBB”. .

Each business unit is obliged to store and protect the data it produces in its own business processes; however, if the data produced is only available in information systems outside the control and authority of the business unit, the data in question will be stored by the units responsible for information systems.

Periodic destructions, which will affect business processes and cause data integrity, data loss and results contrary to legal regulations, will be made by the relevant information systems departments, taking into account the type of personal data, the systems in which it is included, and the data owner business unit.

9. PERSONAL DATA STORAGE AND DISPOSAL TIMES

Table showing the Periods of Retention and Disposal of Personal Data is given in Annex: 1. The storage and destruction periods in question will be taken into account in the periodic destruction or on-demand destruction processes. The Table Showing the Periods of Retention and Disposal of Personal Data will be updated by the business units that own the processes to be included in the personal data inventory of “ENTO KBB” , in case of hesitation, by taking the evaluations of the Personal Data Protection Committee.

10. PERIODIC DISPOSAL TIMES

Periodic Destruction Period of Personal Data is determined and determined by the relevant business units; however, this period cannot exceed 1 (one) year in any case.

11. ENFORCEMENT

• The policy is in effect as of the date of publication.
• It is the responsibility of the Personal Data Protection Committee to announce the policy throughout “ENTO KBB” and to make the necessary updates.

APPENDIX-1 Table Showing the Periods of Retention and Destruction of Personal Data

Personal data will be kept for the periods specified in the table below, taking into account the issues specified in Article 6 of the Policy, unless there is a final court decision or interim injunction to the contrary, and will be destroyed at the end of the period: