MEDICA FLY

PERSONAL DATA

STORAGE AND DISPOSAL POLICY

CONTENTS

 

1. PURPOSE. 1
2. RECORDING MEDIA WHERE PERSONAL DATA IS STORED.. 1
3. EXPLANATIONS REGARDING REASONS THAT REQUIRE CONCEALMENT. 1
4. MEASURES RELATED TO THE PROTECTION OF PERSONAL DATA.. 2

4.1 TECHNICAL MEASURES. 2

4.2 ADMINISTRATIVE MEASURES. 3

5. MEASURES TAKEN REGARDING THE DISPOSAL OF PERSONAL DATA.. 3

5.1      Methods for Deletion, Destruction and Anonymization of Personal Data. 3

5.1.1       Deletion of Personal Data. 3

5.1.2       Destruction of Personal Data. 4

5.1.3       Making Personal Data Anonymous. 4

6. PERSONAL DATA STORAGE AND DISPOSAL TIMES. 5
7. PERIODIC DISPOSAL TIMES. 5
8. EMPLOYEE. 5
9. REVISION AND REVOCATION.. 5
10. ENFORCEMENT. 5

EK 1- Data Retention and Disposal Periods 6

EK 2- Table of Staff Responsibility for Personal Data Storage and Destruction. 7

 

 

 

 

1. PURPOSE

MEDICA FLY TOURISM TIC.ltd.Şti. (“Medica Fly”)

Retention and destruction policy of personal data (“retention and destruction Policy”), the Law No. 6698 on protection of personal data (“law”) in accordance with the technical and administrative protection, the conditions in the case of the disappearance of the processing of personal data, published in the official gazette dated 28/10/2017 of personal data deletion, destruction or anonymization regulation (“regulation”) in order to regulate the application of the provisions.

2. RECORDING MEDIA WHERE PERSONAL DATA IS STORED

Personal data belonging to data owners is safely stored in the following environments by Medica Fly in accordance with the provisions of relevant legislation, primarily the provisions of the Law:

Electronic environments:

• CRM
• MS SQL Server
• E-Mail Box
• Microsoft Office Programs
• Video Recorders

 

Physical environments:

• Unit Cabinets
• Folders
• Archive

 

3. EXPLANATIONS RELATING TO REASONS FOR CONCEALMENT

• Execution of Emergency Management Processes
• Execution of Information Security Processes
• Execution of Employee Satisfaction and Loyalty Processes
• Fulfillment of Employment Contract and Legislative Obligations for Employees
• Execution of Employee Rights and Benefits Processes
• Execution of Auditing / Ethics Activities
• Execution of Training Activities
• Execution of Access Rights
• Execution of Activities in compliance with regulations
• Execution of Financial and Accounting Affairs
• Execution of Company/Product/Service Loyalty Processes
• Ensuring the Physical Security of the place
• Execution of Assignment Processes
• Follow-up and Execution of Legal Affairs
• Execution of Internal Audit/Investigation/Intelligence Activities
• Execution of Communication Activities
• Planning of Human Resources Processes
• Execution / Supervision of Business Activities
• Execution of Occupational Health / Safety Activities
• Receiving and Evaluating Recommendations for Improving Business Processes
• Execution of Activities and Ensuring Business Continuity
• Execution of Logistics Activities
• Execution of Processes for purchase of Goods and Services
• Execution of After-Sales Support Services for Goods/Services
• Execution of sales processes for goods/services
• Execution of production and Operational processes for goods/services
• Execution of customer relationship management processes
• Execution of activities aimed at customer satisfaction
• Organization and event management
• Execution of marketing analysis studies
• Execution of performance evaluation processes
• Execution of advertising/campaign/promotion processes
• Execution of risk management processes
• Execution of storage and archiving activities
• Execution of contract processes
• Execution of strategic planning activities
• Follow-up requests and complaints
• Execution of supply chain management processes
• Execution of salary policy
• Execution of marketing processes for products and services
• Ensuring the Security of Data Controller Operations
• Work and residence permit procedures for foreign personnel
• Execution of investment processes
• Providing Information to Authorized Persons, Institutions and Organizations
• Execution of management activities
• Create and follow-up of visitor records.

For this purpose, the personal data of the data subjects are stored securely in physical and/or electronic environments within the limits specified in the law and other relevant regulations.

 

Reasons for storage:

 

1. The establishment and execution of contracts directly related to personal data
2. The establishment, use or protection of a right related to personal data
3. The use of personal data, as long as it does not harm the fundamental rights and freedoms of individuals, in the interest of Medica Fly
4. The fulfillment of any legal obligation of Medica Fly related to personal data
5. The storage of personal data as specified in legislation
6. The explicit consent of data subjects being present for storage activities that require the consent of the data subjects.

In accordance with the regulation, personal data belonging to data subjects shall be deleted, destroyed or anonymized by Medica Fly or upon request in the following cases:

1. The amendment or revocation of the relevant legislation that constitutes the basis for the processing or storage of personal data
2. Elimination of the purpose for which personal data is processed or stored
3. The conditions that require the processing of personal data under articles 5 and 6 of the law no longer existing
4. In cases where the processing of personal data is based solely on express consent, the revocation of the consent by the relevant person
5. The acceptance by the data controller of the request made by the data subject in the context of the rights specified in Article 11, paragraphs 2(e) and 2(f) of the Law, for the erasure, destruction, or anonymization of their personal data
6. The rejection of the request for deletion, destruction or anonymization of personal data by the data controller, or finding the response insufficient, or failing to respond within the time frame provided for by the law, and filing a complaint with the Board, and finding the complaint appropriate by the Board
7. The maximum storage period for personal data has expired, and there is no condition that justifies storing personal data for a longer period.

 

 

4. MEASURES RELATED TO THE PROTECTION OF PERSONAL DATA

MedicaFly takes the necessary technical and administrative measures to ensure an adequate level of security to prevent the unlawful processing of personal data it processes in accordance with Article 12 of the Law, to prevent unauthorized access to data, and to ensure the protection of data. MedicaFly carries out or has necessary inspections done in this context. Despite all technical and administrative measures taken for the processed personal data, if it is acquired by third parties through illegal means, MedicaFly will notify the relevant units as soon as possible

4.1 Technical Measures

• Network security and application security are provided.
• A closed system network is used for personal data transfers via the network.
• Key management is implemented.
• Security measures are taken in the scope of procurement, development, and maintenance of information technology systems.
• Discipline regulations containing data security rules are available for employees.
• Training and awareness activities on data security are conducted for employees at certain intervals.
• An authority matrix is created for employees.
• Access logs are kept regularly.
• Policies and procedures on access, information security, use, storage and destruction are prepared and implemented.
• Data masking measures are applied when necessary.
• Privacy declarations are made.
• The authority of employees who have changed their duties or quit their job in the this field are revoked.
• Current anti-virus systems are used.
• Firewalls are used.
• Signed contracts include data security provisions.
• Personal data security policies and procedures have been determined.
• Personal data security issues are reported quickly.
• Personal data security is followed up.
• Necessary security measures are taken for entry and exit to physical environments containing personal data.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• The Security of environments containing personal data is ensured.
• Personal data is minimized as much as possible.
• Personal data is backed up and the security of backed-up personal data is also ensured the necessary safety.
• User account management and authorization control system are implemented and also followed.
• Internal periodic and/or random audits are conducted and made.
• Log records are kept in a way that cannot be intervened by the user.
• Current risks and threats are identified.
• Protocols and procedures for special-qualified personal data security have been determined and applied.

 

• If special qualified personal data is to be sent via e-mail, it must be sent in encrypted form and using KEP (e-Government Gateway) or corporate mail account.
• Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
• Specially qualified persons and data are transferred by being encrypted in Portable memory, CD, DVD media.
• Data processing service providers are periodically audited on data security.

 

 

 

 

4.2 Administrative Measures

 

• Employees are trained to take technical measures to prevent illegal access to personal data.

 

• Access and authorization processes for personal data are designed and implemented within Medica Fly in accordance with legal requirements for processing personal data on a business unit basis. The degree of importance and whether the data is sensitive is taken into account in limiting restriction of access.

 

• Medica Fly has added records stating that all documents that regulate the relationship between Medica Fly personnel and the company, and contain personal data, must be processed in compliance with the obligations prescribed by the Law, personal data must not be disclosed, personal data must not be unlawfully used, and the obligation of confidentiality regarding personal data continues even after the termination of the employment contract with Medica Fly.

 

• Employees are informed that they cannot disclose the personal data they learn to others in violation of the law and cannot use it for other purposes and that this obligation will continue even after they leave their job and they are required to make necessary commitment accordingly.

 

• Contracts concluded by Medica Fly with persons to whom personal data is transferred in accordance with the law; Provisions are added that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and ensure that these measures are complied with in their own institutions.

 

• If personal data is obtained illegally by third parties, this situation is reported to the relevant person and the Authority as soon as possible.

 

• When necessary, employs personnel who are knowledgeable and experienced in processing personal data and provides training to its personnel within the scope of personal data protection legislation and data security.

 

• Medica Fly carries out and arranges necessary inspections to ensure the implementation of the provisions of the Law, and eliminates privacy and security vulnerabilities that may arise as a result of these inspections.

 

 

5. MEASURES TAKEN REGARDING THE DISPOSAL OF PERSONAL DATA

Even though Medica Fly processes personal data in accordance with the relevant legal provisions, it may delete or destroy such data at its own discretion or upon request from the data subject if the reasons for processing the data no longer apply. The deletion of personal data will mean that the data in question will no longer be accessible or used by anyone. Medica Fly will have an effective data tracking process in place for the destruction of personal data, including identifying data to be deleted, identifying the individuals concerned, determining their access methods and then deleting the data. Medica Fly may use one or more of the following methods to destroy, delete or anonymize personal data, depending on the environment in which the data is stored.

 

5.1 Methods for Deleting, Destroying, and Anonymizing Personal Data

5.1.1 Deletion of Personal Data

Deletion of personal data is a process that makes personal data inaccessible and non-reusable for the relevant users. As a method of deleting personal data, Medica Fly can use one or more of the following methods:

• Personal data on paper will be processed by the method of blackening, colouring, cutting or deleting.
• The access rights of the user(s) will be removed for the office files in the main file.
• Rows or columns containing personal information in databases will be deleted with the ‘Delete’ command.

If necessary, it will be safely deleted by the help of an expert.

Formun Üstü

Formun Altı

 

5.1.2   Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and reusable by anyone by the following institutions.

 

• Physical Annihilation
• Destruction by Paper Shredder
• De-magnetization: A method in which magnetic media is passed through special devices that expose it to high magnetic fields, causing the data on it to become unreadable.

 

5.1.3 Anonymization of Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable person under any circumstances, even by matching with other data. Medica Fly may use one or more of the following methods to anonymize personal data:

Masking: Data masking is a method of anonymizing personal data by removing the identifying information from the data set.

Record Removal: In the record removal method, unique data rows are removed from the records and the stored data is anonymized.

Regional Concealment: In the regional concealment method, since a single data creates a very rarely visible combination, if it has a determining feature, hiding the relevant data provides anonymization.

Global Coding: With the data derivation method, a more general content is created than the content of the personal data and it is ensured that the personal data cannot be associated with any person. For example; indication of ages instead of dates of birth; specifying the area of ​​residence instead of the full address.

Adding Noise: In the data set where numerical data is predominant, the data anonymization is achieved by adding certain deviations in the positive or negative direction to the existing data by the noise addition method. For example, in a data group where weight values are present, using (+/-) 3 kg deviation, the display of real values is prevented and the data is anonymized. The deviation is applied to each value equally.

According to article 28 of the Law, anonymized personal data can be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Law and the personal data owner’s explicit consent will not be sought.

Medica Fly will be able to make its own decision regarding the deletion, destruction or anonymization of personal data and freely determine the method to be used according to the category it has chosen. In addition, if the person concerned chooses one of the categories of deletion, destruction or anonymization of his personal data during the application within the scope of Article 13 of the Regulation, MEDICA FLY will be at liberty regarding the methods to be used in the relevant category.

 

 

 

 

6. PERSONEL DATA STORAGE AND DESTRUCTION PERIODS

Medica Fly stores personal data for the periods specified in Annex-1 for the purposes for which they are processed. If a period is specified in the legislation for the storage of such personal data, this period is complied with. If no period is specified in the legislation, personal data will be stored for the maximum period specified in Annex-1 for the retention of personal data.

In the event that the expiry of these periods results in the obligation of deletion, destruction or anonymization, MEDICA FLY will delete, destroy or anonymize the personal data in the first periodic destruction process following this date.

All actions related to the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.”

7. PERIODIC DISPOSAL TIMES

 

Medica Fly destroys personal data in the first periodical destruction process following the date on which the obligation to destroy personal data arises. In this context, our agency is subject to destruction of personal data twice a year in case of an obligation to destroy personal data. The aforementioned period does not exceed the maximum period of periodic destruction specified in Article 11 of the Regulation in any case and condition. Each personal data to be destroyed will be recorded with the destruction report and images such as photographs, visuals or log records, if any, will be kept for at least 3 years together with the destruction report.

8. STAFF

As the data controller under the law, the titles, units, and job descriptions of the personnel who will fulfill their obligations in terms of the implementation of the data storage and destruction process as specified in Article 11, paragraph 1 of the Regulation, are determined in the Table in Annex-2 of the Storage and Destruction Policy.

These individuals are responsible for any actions and transactions within their scope of authority according to the Turkish Commercial Code, Code of Obligations and Turkish Penal Code.  Specifically, the Chairman of Medica Fly’s Personal Data Protection Committee is authorized to represent and speak on behalf of Medica Fly in law enforcement, prosecutors’ offices, public institutions and courts. Each department head will be responsible for inspecting whether the relevant users in the departments act in accordance with the Storage and Disposal Policy and Personal Data Policy prepared within the framework of the Law and Regulation. All department heads will report the procedures carried out in accordance with this Storage and Destruction Policy during the specified periodic destruction periods to the Chairman of the Medica Fly Personal Data Protection Committee. The decision resulting from the work results for these reports will be implemented.

 

9. REVISION AND REVOCATION

If the Storage and Disposal Policy is changed or repealed, the new regulation will be announced on the Medica Fly website.

 

10. ENFORCEMENT

This Retention and Disposal Policy is effective on the date of publication.

APPENDICES

 

APPENDIX 1 – Data Storage and Destruction Periods

APPENDIX 2 – Table of Personnel Responsible for Personal Data Storage and Destruction

 

 

TABLE 1- Data Storage and Destruction Periods

Data Category	Storage Time	Disposal Period
Identity	10 YEARS After the Legal Relationship Ended	At the first periodic disposal period following the end of the storage period
Contact	10 YEARS After the Legal Relationship Ended	At the first periodic disposal period following the end of the storage period
Location	10 YEARS After the Legal Relationship Ended	At the first periodic disposal period following the end of the storage period
Personnel	10 Years From the Termination Date of Employment	At the first periodic disposal period following the end of the storage period
Legal Action	10 Years from the Termination Date of the Employment Contract (As long as the activity continues)	At the first periodic disposal period following the end of the storage period
Customer Transaction	10 YEARS After the Legal Relationship Ended	At the first periodic disposal period following the end of the storage period
Physical Place Security	IN CASE OF DISPUTE, WITHIN 1 MONTH AFTER LEGAL DISPUTE IS RESOLVED, IN OTHER CASES WITHIN 2 MONTHS.	At the first periodic disposal period following the end of the storage period
Process Security	1 YEARS After the Legal Relationship Ended	At the first periodic disposal period following the end of the storage period
Finance	10 YEARS After the Legal Relationship Ended	At the first periodic disposal period following the end of the storage period
Professional experience	10 Years From the Termination Date of Employment	At the first periodic disposal period following the end of the storage period
Marketing	10 Years From the Termination Date of Employment	At the first periodic disposal period following the end of the storage period
Visual and Audio records	10 YEARS – IN CASE OF DISPUTE, WITHIN 1 MONTH AFTER LEGAL DISPUTE IS RESOLVED, IN OTHER CASES WITHIN 2 MONTHS.	At the first periodic disposal period following the end of the storage period
Race & Ethnic background	10 YEARS After the Legal Relationship Ended	At the first periodic disposal period following the end of the storage period
Health information	10 YEARS After the Legal Relationship Ended	At the first periodic disposal period following the end of the storage period
Criminal Conviction and Security Measures	10 YEARS After the Legal Relationship Ended	At the first periodic disposal period following the end of the storage period

TABLE 2- Table of Staff Responsibility for Personal Data Storage and Destruction.

 

STAFF	DUTY	RESPONSIBILITY
Responsible of Staff	Implementation responsible	The management of the personal data destruction process in accordance with the storage period and the periodic destruction period for ensuring the conformity of the processes within the scope of their responsibilities.
Responsible of Administrative Affairs	Implementation responsible	The management of the personal data destruction process in accordance with the storage period and the periodic destruction period for ensuring the conformity of the processes within the scope of their responsibilities.
Responsible of Financial/Financial Affairs	Implementation responsible	The management of the personal data destruction process in accordance with the storage period and the periodic destruction period for ensuring the conformity of the processes within the scope of their responsibilities.