SAĞLIK AT HOME

PERSONAL DATA RETENTION AND DESTRUCTION POLICY

In accordance with the Law on the Protection of Personal Data No. 6698 (“KVKK”), your personal data obtained during the provision of our healthcare services is collected, stored, and processed in compliance with the law. Your personal data is used only with your explicit consent or within the scope of legal obligations. For detailed information, you can review our KVKK Information Notice or contact us at info@saglikhome.com.

PURPOSE OF THE POLICY

This Personal Data Retention and Destruction Policy (“Policy”) has been prepared by Sağlık At Home to ensure the secure storage of personal data in compliance with the KVKK and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette on 28/10/2017, and to regulate the procedures to be followed when the conditions for data processing no longer apply.

DATA STORAGE ENVIRONMENTS

Personal data belonging to data subjects is securely stored by Sağlık At Home in accordance with the Law and relevant regulations in the following environments:

Electronic Environments:

• Servers and user computers

• Backup disks

Physical Environments:

• Department cabinets

• Folders

• Archives

REASONS FOR DATA RETENTION

Personal data is retained securely in physical or electronic media for the following reasons:

• Continuation of operations

• Fulfillment of legal obligations

• Planning and execution of employee rights and benefits

• Management of business relations

Legal bases for retention include:

• Necessity for contract execution

• Requirement for the establishment or protection of a legal right

• Legitimate interest of Sağlık At Home, provided that it does not harm fundamental rights and freedoms

• Compliance with legal obligations

• Explicit retention requirements under law

• Data subject’s explicit consent, when required

DATA DELETION, DESTRUCTION, AND ANONYMIZATION CONDITIONS

Under the Regulation, personal data will be deleted, destroyed, or anonymized by Sağlık At Home either on its own initiative or upon request if:

• Legal grounds for data processing or retention change or are removed

• The purpose for processing is no longer valid

• Conditions under Articles 5 and 6 of the Law no longer apply

• The data subject withdraws their explicit consent

• The data subject’s request for deletion is accepted

• The Personal Data Protection Board approves the data subject’s complaint

• The maximum retention period has expired without further justification

MEASURES TO PROTECT PERSONAL DATA

Sağlık At Home implements technical and administrative measures to protect personal data against unlawful access, processing, or destruction in compliance with Article 12 of the Law.

Technical Measures Include:

• Network and application security

• Encrypted communication and closed systems

• Cloud data security

• Access control and masking techniques

• Data backup and monitoring

• Secure deletion procedures

• Regular audits and cybersecurity precautions

• Staff training and confidentiality agreements

• Anti-virus protection and data retention policies

MEASURES FOR DATA DESTRUCTION

Even if personal data is lawfully processed, it will be deleted or destroyed by Sağlık At Home if the reasons for processing no longer apply. Once deleted, data will be permanently inaccessible. A secure data deletion process will be followed, including:

5.1 Methods Used:

• Deletion:

    • Removal of access rights

    • Overwriting or masking for paper records

    • Deletion using software commands in databases

• Destruction:

    • Physical shredding

    • Degaussing of magnetic media

• Anonymization:

    • Masking, record removal, regional suppression

    • Generalization (e.g. age instead of date of birth)

    • Noise addition for numeric data sets

Pursuant to Article 28 of the Law, anonymized data may be used for research, planning, or statistical purposes without requiring further consent.

RETENTION AND DESTRUCTION PERIODS

Personal data is retained only for the duration specified in Annex-1. If a specific legal retention period is defined, it is followed. Otherwise, the data is kept for a maximum of 10 years, in line with statutory time limitations. After the expiry of the retention period, data is deleted, destroyed, or anonymized in the next periodic destruction cycle.

All operations related to deletion, destruction, or anonymization are logged and stored for at least three years, excluding other legal obligations.

REVISIONS AND ENFORCEMENT

Any changes or repeals to this policy will be announced on the Sağlık At Home website.