04/10/2022

Personal Data Disposal Policy

As the data controller, Cinik Aesthetic (ERC Estetik Turizm Sağlık Hizmetleri Tic. Ltd. Şti.) stores and destroys your personal data in accordance with the general principles and regulations set forth in this Personal Data Storage and Disposal Policy, which has been prepared in accordance with the Constitution, the Law on Protection of Personal Data No. 6698, the Regulation on the Deletion, Destruction or Anonymization of Personal Data and other relevant legislation.

With this Policy, the Company aims to set forth the general principles regarding the storage and destruction of real personal data subject to personal data processing activities within the scope of PDPL and to fulfill the obligations determined by the legislation.

Explicit Consent: Consent on a specific subject, based on the information and expressed with free will,

Recipient Group: The natural or legal person category to which personal data is transferred by the data controller,

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.

Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data,

Destruction: Deletion, destruction or anonymization of personal data,

Personal Data: Any information relating to an identified or identifiable natural person (e.g. name-surname, TCKN, e-mail, address, date of birth, credit card number, bank account number)

Relevant Person: The natural person whose personal data is processed,

Processing of Personal Data: All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classification or prevention of use, by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system,

Special Quality Personal Data: Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,

Periodic Destruction: The deletion, destruction, or anonymization process specified in this Policy, which will be carried out ex officio at repetitive intervals if all of the personal data processing conditions in the PDPL are eliminated,

Recording Environments Regulated by the Policy

This Policy covers all personal data subject to data processing activities within the scope of the Personal Data Protection Law (KVKK). In addition, the documents referred to by the Policy cover both physical and digital copies.

The Company stores all personal data subject to data processing activities within the scope of the Personal Data Protection Law (KVKK), whether processed by fully or partially automatic means or by non-automatic means provided that it is a part of any data recording system, in the following environments:

Company computers, e-mail accounts, desktop computers, employees’ tools (e.g. mobile phones), backup areas, paper files, folders, guestbooks, CDs, DVDs, USBs, hard disks, printers, copiers, etc.

Reasons For Requesting the Storage and Disposal of Personal Data

Personal data processing activities are based on the following principles:

  • Compliance with the law and the rule of honesty,
  • Ensuring that personal data is accurate and up-to-date when necessary,
  • Processing for specific, explicit, and legitimate purposes,
  • Being connected with, limited to, and restrained by the purpose for which they are processed,
  • Being kept for the period required by the relevant legislation or for the purpose for which they are processed.

Our company stores and uses personal data for personal data processing purposes and in accordance with the personal data processing conditions set out in Articles 5 and 6 of the Personal Data Protection Law (KVKK), which are listed below. If all of these conditions disappear, it destroys the personal data without any request or upon the request of the personal data owner:

Existence of the Explicit Consent of the Personal Data Owner: The first condition for the processing of personal data is the explicit consent of the owner.

Explicitly Provided in Laws: The personal data of the data owner may be processed in accordance with the law without obtaining his explicit consent, provided that it is expressly stipulated in the laws.

Failure to Obtain the Explicit Consent of the Personal Data Owner due to Actual Impossibility: If the personal data of the person who is unable to express his/her consent due to actual impossibility or whose consent cannot be validated is required to be processed to protect the life or bodily integrity of himself or another person, the personal data of the data owner may be processed.

Direct Interest in the Establishment or Performance of the Contract: Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process the personal data of the parties to the contract.

Legal Obligation: If data processing is mandatory for our company to fulfill its legal obligations, the data of the personal data owner may be processed.

Making Personal Data Public by the Personal Data Owner: If the data owner has made his personal data public himself, the relevant personal data may be processed, limited to the purpose of making it public.

Obligatory Data Processing for the Establishment or Protection of a Right: If the data processing is mandatory for the establishment, exercise, or protection of a right, the personal data of the data owner may be processed.

Mandatory Data Processing for the Legitimate Interest of Our Company: Provided that the fundamental rights and freedoms of the personal data owner are not harmed, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our company.

 

Deleting, Disposal or Making Personal Data Anonymous

Personal data is deleted, destroyed or anonymized by the company ex officio or at the request of the person concerned in the following cases: the provisions of the relevant legislation that are the basis for processing are changed or repealed; the purpose that requires its processing or storage disappears; where the processing of personal data is carried out only based on explicit consent, the data subject withdraws his explicit consent; or the maximum period requiring the storage of personal data has passed and there are no conditions justifying keeping the personal data for a longer period.

Unless a contrary decision is taken by the Personal Data Protection Board, our Company chooses the appropriate method of deletion, destruction, or anonymization of personal data ex officio, according to technological possibilities and implementation cost. At the request of the personal data owner, the rationale for the chosen method is explained. Necessary technical and administrative measures are taken in each of these transactions.

Technical and Administrative Measures Taken

Our company takes the necessary technical and administrative measures according to the technological possibilities and implementation costs regarding the following issues in accordance with the provisions of Article 12 of the PDPL and the provisions of the Regulation, the general principles stated above and the decisions of this Policy and the Personal Data Protection Board:

  • Required software and hardware have been determined. Strong passwords are used on computers and e-mail accounts.
  • Our personnel have been informed through training of what needs to be protected with respect to customer information, and their responsibilities have been written into their business contracts (Confidentiality Agreements). This obligation continues even after the persons concerned leave their positions.
  • Necessary infrastructure has been established for the backup of all data.
  • Employees who can access data on computers have been identified.
  • Customer files and information are only given to the persons concerned, to their relatives to whom they have given written consent, to the relevant public institutions and organizations within the framework of their legislation, and to the competent judicial authorities in judicial cases.
  • Before starting to process personal data, the Authority fulfills the obligation to inform the relevant persons.
  • A personal data processing inventory has been prepared.

Storage and Disposal Times

Our company preserves and destroys personal data only for the period specified in the legislation it is obliged to comply with or for the period required for the purpose for which they are processed.

If the personal data owner requests the destruction of his personal data by applying to our company:

If all the conditions for processing personal data have been removed: The company finalizes the personal data owner’s request within thirty days at the latest and informs the personal data owner. If the personal data subject to the request has been transferred to third parties, it notifies the third party and ensures that the necessary actions are taken with the third party.

If all the conditions for processing personal data have not disappeared: The request of the personal data owner may be rejected by explaining the reason in accordance with the third paragraph of Article 13 of the PDPL, and the personal data owner shall be notified of the rejection in writing or digitally within thirty days at the latest.

Periodic Disposal Times

In the first periodical destruction process following the date on which the obligation to destroy personal data arises, personal data is destroyed. In this context, if the obligation to destroy personal data arises, it is subject to destruction in 6 months.

PROCESS | STORAGE TIME | DISPOSAL TIME
Preparation of Contracts | 10 years from the end of the contract | At the first periodic disposal period following the end of the storage period
Execution of Human Resources Processes | 10 years from the end of the activity | At the first periodic disposal period following the end of the storage period
Execution of Hardware and Software Access Processes | 5 years | At the first periodic disposal period following the end of the storage period
Registration of Visitors and Meeting Participants | 5 years | At the first periodic disposal period following the end of the storage period
Personal Health Data Record | For the period specified in the legislation. | At the first periodic disposal period following the end of the storage period
Identity data | For the period specified in the legislation. | At the first periodic disposal period following the end of the storage period
Camera records | It is kept for at least 2 months by the Private Hospitals Regulation. | At the first periodic disposal period following the end of the storage period

This Policy is deemed to have entered into force after its publication on the website.