Personal Data Destruction Policy

Data controller Özel Maya Cerrahi Tıp Merkezi (Arkansiyel Sağlık Hizmetleri ve Tic. A.Ş.) stores and destroys your personal data in accordance with the general principles and regulations specified in this Personal Data Storage and Destruction Policy prepared in accordance with the Law on the Protection of Personal Data No. 6698 and the Regulation on the Deletion, Destruction or Anonymisation of Personal Data and other relevant legislation, especially the Constitution.With this Policy, the Company aims to set out the general principles and principles regarding the storage and destruction of natural person data subject to personal data processing activities within the scope of KVKK and to fulfil the obligations determined by the legislation.Open Consent: Consent on a specific subject, based on information and expressed with free will,Buyer Group: The category of natural or legal person to whom personal data is transferred by the data controller,Anonymisation: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.Related User: Persons who process personal data within the organisation of the data controller or in accordance with the authority and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data,Destruction: Deletion, destruction or anonymisation of personal data,Personal Data: Any information relating to an identified or identifiable natural person (e.g. name-surname, Turkish ID Number, e-mail, address, date of birth, credit card number, bank account numberContact Person: The natural person whose personal data is processed,Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,Special Categories of Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,Periodic Disposal: In the event that all of the conditions for processing personal data specified in the KVKK disappear, the deletion, destruction or anonymisation process specified in this Policy and to be carried out ex officio at recurring intervals.D WITH POLICYREVISED RECORDING ENVIRONMENTSIt covers all personal data subject to data processing activities within the scope of KVKK. Furthermore, the documents referred to in the Policy include both physical and digital copies.It stores all personal data subject to data processing activities within the scope of KVKK in the following environments where personal data processed by fully or partially automated or non-automated means, provided that they are part of any data recording system:Company computers, e-mail accounts, desktop computers, employee devices (e.g. mobile phone), backup areas, paper files, folders, guestbook, CD, DVD, USB, hard discs, printer, photocopier, etc.REASONS REQUIRING THE STORAGE AND DISPOSAL OF PERSONAL DATAThe following principles are taken as basis in personal data processing activities:

1. Compliance with the law and the rule of honesty,
2. Ensuring that personal data is accurate and up-to-date when necessary,
3. Processing for specific, explicit and legitimate purposes,
4. Being relevant, limited and proportionate to the purpose for which they are processed,
5. Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Our Company stores and uses personal data for the purposes of personal data processing and in accordance with the conditions for processing personal data set out in Articles 5 and 6 of the LPPD, and destroys personal data ex officio or upon the request of the personal data owner in the event that all of these conditions disappear:A of the Personal Data OwnerExit Consent: The first condition for processing personal data is the explicit consent of the owner.Explicit in Lawforeseen by the Ministry of Labour and Social Security:The personal data of the data subject may be processed in accordance with the law without obtaining his/her explicit consent, if expressly stipulated in the Laws.A) The Personal Data Owner Due to Actual ImpossibilityFailure to obtain consent: The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognised as valid, in order to protect his/her or another person's life or physical integrity.Direct Relevance to the Establishment or Performance of the Contract: Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract.Legal Obligation: If data processing is mandatory for our company to fulfil its legal obligations, the data of the personal data owner may be processed.Publicisation of Personal Data by the Personal Data Owner: If the data subject has made his/her personal data public by himself/herself, the relevant personal data may be processed limited to the publicisation.Establishment or Protection of a Right idata processing is mandatory: Personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise or protection of a right.For the Legitimate Interest of Our Companydata processing is mandatory: Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our company.DELETION, DESTRUCTION OR ANONYMISATION OF PERSONAL DATAPersonal data shall be deleted, destroyed or ex officio deleted, destroyed or anonymised by the company upon the request of the data subject in the event that the provisions of the relevant legislation that constitute the basis for the processing of personal data are changed or abolished, the purpose requiring the processing or storage of personal data disappears, in cases where the processing of personal data is carried out only on the basis of explicit consent, the data subject withdraws his/her explicit consent, the maximum period requiring the storage of personal data has expired and there is no condition that justifies the storage of personal data for a longer period of time.Unless otherwise decided by the Personal Data Protection Board, our Company chooses the appropriate method of ex officio deletion, destruction or anonymisation of personal data according to technological possibilities and implementation cost. In case of request of the personal data owner, the justification of the appropriate method is explained. Necessary technical and administrative measures are taken in each of these procedures.TECHNICAL AND ADMINISTRATIVE MEASURES TAKENOur Company takes the necessary technical and administrative measures in accordance with the provisions of Article 12 of the KVKK and the Regulation, the general principles stated above, this Policy and the decisions of the Personal Data Protection Board, according to the technological possibilities and the cost of implementation regarding the following issues:

1. Necessary software and hardware have been identified. Strong passwords are used on computers and e-mail accounts.
2. In terms of protecting customer information, our personnel have been trained on what needs to be protected and their responsibilities have been documented in their employment contracts (Confidentiality Agreements). This obligation continues even after the relevant persons leave their positions.
3. The necessary infrastructure has been established for the backup of all data.
4. Employees who can access data on computers have been identified.
5. Customer files and information are provided only to the relevant persons themselves, to their relatives to whom they have given written consent, to the relevant public institutions and organisations within the framework of the legislation and to the competent judicial authorities in judicial cases.
6. Before starting to process personal data, the Authority fulfils the obligation to inform the data subjects.
7. Personal data processing inventory has been prepared.

STORAGE AND DISPOSALREPRODUCTIONSOur company retains and destroys personal data only for the period specified in the legislation it is obliged to comply with or for the period required for the purpose for which they are processed.In case the personal data owner requests the destruction of his/her personal data by applying to our company:If all the conditions for processing personal data have disappeared: It finalises the request of the personal data owner within thirty days at the latest and informs the personal data owner and if the personal data subject to the request has been transferred to third parties, it notifies the third party and ensures that the necessary actions are taken before the third party.If all the conditions for processing personal data have not disappeared: It may reject the request of the personal data owner by explaining its justification in accordance with the third paragraph of Article 13 of the KVKK and notifies the rejection to the personal data owner in writing or digitally within thirty days at the latest.PERIODIC DESTRUCTION SREPRODUCTIONSPersonal data are destroyed in the first periodic destruction process following the date on which the obligation to destroy personal data arises. In this context, if the obligation to destroy personal data arises, it is subject to destruction in 6-month periods.

PROCESS	STORAGE TIME	DISPOSAL TIME
Preparation of Contracts	10 years from the end of the contract	At the first periodic destruction period following the end of the storage period
Execution of Human Resources Processes	10 years from the end of the activity	At the first periodic destruction period following the end of the storage period
Execution of Hardware and Software Access Processes	5 years	At the first periodic destruction period following the end of the storage period
Registration of Visitors and Meeting Participants	5 years	At the first periodic destruction period following the end of the storage period
Personal Health Data Register	As long as the period specified in the legislation	At the first periodic destruction period following the end of the storage period
Identity data	As long as the period specified in the legislation	At the first periodic destruction period following the end of the storage period
Camera Images	It is kept for at least 2 months in accordance with the Regulation on Private Hospitals.	At the first periodic destruction period following the end of the storage period

This Policy shall be deemed to have entered into force upon its publication on the website.