Personal Data Protection Policy
1- Personal Data Retention and Destruction Policy ("Policy") has been prepared by Romatem Physical Therapy Rehabilitation Center ("Company") as the data controller in order to determine the procedures and principles regarding our obligations in accordance with the Law No. 6698 on the Protection of Personal Data ("KVKK") and the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation") and to inform data subjects about the principles of determining the maximum retention period required for the purpose for which personal data are processed and the processes of deletion, destruction and anonymization.
2-Within the scope of this Policy, real persons whose data is processed by automatic or non-automatic means as part of any data recording system include customers, prospective customers, job applicants, employees, company shareholders, company officials, visitors, business partners, employees, shareholders, and officials of institutions we collaborate with, subcontractors, suppliers, and third parties.
The Policy is applied in the activities carried out for the processing and protection of all personal data managed by our Company.
3-This policy is published on our company's website (https://romatem.com/) and is made accessible to relevant individuals upon the request of personal data owners.
4-In the implementation of this Policy, the following terms have the meanings given below:
Relevant Person: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data,
Destruction: Deletion, destruction or anonymization of personal data,
Law: Law No. 6698 on the Protection of Personal Data,
Recording medium: Any medium containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system,
Personal data: Any information relating to an identified or identifiable natural person,
Personal data subject: The natural person whose personal data is processed,
Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,
Personal data processing inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes of processing personal data, data category, transferred recipient group and data subject group, and detailing the maximum period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security,
Board: The Personal Data Protection Board,
Institution: Personal Data Protection Authority,
Sensitive personal data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,
Periodic destruction: The process of deletion, destruction or anonymization to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in the event that all of the conditions for processing personal data specified in the Law are eliminated,
Data Retention and Destruction Policy: This Policy, which data controllers use as a basis for the process of determining the maximum period of time required for the purpose for which personal data are processed and the process of deletion, destruction and anonymization,
Personal Data Protection, Processing and Privacy Policy: The policy that determines the procedures and principles regarding the management of personal data on the company's website,
Registry: The registry of data controllers kept by the Personal Data Protection Authority,
Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller,
Data recording system: The recording system in which personal data is structured and processed according to certain criteria,
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
For definitions not included in this Policy, the definitions in the Law apply.
5. All unit managers of the company actively support the proper implementation of technical and administrative measures related to the processing, storage, and destruction of personal data within their respective units. For this purpose, unit managers ensure the training and increased awareness of their unit employees, monitor and supervise operations, assist in preventing the unlawful processing of personal data and unlawful access to processed data, and facilitate the adoption and implementation of technical and administrative measures for data security.
By increasing the knowledge and awareness of the relevant users on the protection of personal data, it actively supports the processing, storage and destruction of personal data in accordance with the legislation.
The titles, units and job descriptions of those involved in the storage and destruction of personal data are as follows:
General Manager : As the representative of the data controller, he/she is responsible for all transactions related to the protection and destruction of personal data and the implementation of the policy.
Human Resources Manager : Responsible for the preparation, development and execution of the policy, its publication and updating in the relevant environments, ensuring the compliance of the processes within his/her responsibility with the retention period, and management of the personal data destruction process, training and information in accordance with the periodic destruction period.
Accounting Manager : Responsible for the preparation, development, execution, publication and updating of the policy in the relevant media, ensuring compliance of the processes within the scope of his/her duty with the retention period and management of the personal data destruction process in accordance with the periodic destruction period.
Information Systems Manager : Responsible for the technical storage, protection and backup of data, determining and implementing the technical solutions needed to implement the policy.
Other Unit Managers : Responsible for the implementation of the policy in their units, monitoring and auditing the implementation, ensuring compliance of the processes within their duties with the retention period and managing the personal data destruction process in accordance with the periodic destruction period.
Relevant Users and Data Processors: Responsible for ensuring that data processing and storage are in accordance with the procedure and the law.
Specially Authorized Relevant User : Responsible for the protection and storage of personal data deleted by the procedure or upon the request of the relevant person until it is destroyed and not accessed by the relevant users.
6-Personal data stored by the Company is maintained in a recording medium appropriate to the nature of the respective data. The recording media utilized for the storage of personal data are outlined below. Furthermore, personal data may be housed in a different medium than those specified herein, depending on its inherent characteristics. In all instances, the data controller company processes and safeguards personal data in adherence to the Law, the Personal Data Protection, Processing, and Privacy Policy, and this Personal Data Storage and Disposal Policy, within the framework of international data security principles.
Electronic Media; Servers, portable disks, software, information security devices, employee computers, optical disks, removable memories, printers, scanners and other digital media such as photocopiers.
Physical Media; Paper, manual data recording systems, written, printed, visual media and other media where data are kept by printing on paper or microfilms.
Cloud Environments; These are the environments where encrypted internet-based systems are used, which are not in the Company's possession but are in the use of the Company.
7. All administrative and technical measures taken within the framework of the principles outlined in Article 12 of the KVKK (Personal Data Protection Law) are specified below, for the purpose of securely storing your personal data, preventing its unlawful processing and access, and ensuring its lawful destruction.
Technical Measures
The Company takes the following technical measures in all environments where personal data is stored, in accordance with the nature of the relevant data and the environment in which the data is stored:
Only up-to-date and secure systems in accordance with technological developments are used in the environments where personal data are kept.
Security systems are used for the environments where personal data are kept.
Security tests and research are conducted to identify security vulnerabilities in information systems, and existing or potential risks identified as a result of the tests and research are eliminated.
Access to the media where personal data is kept is restricted and only authorized persons are allowed to access this data limited to the purpose of storing personal data and all accesses are recorded. In limiting access, whether the data is of special nature and the degree of importance are also taken into consideration.
The Company employs sufficient technical personnel to ensure the security of the environments where personal data are kept within the Company. It ensures that the access authorizations of employees working in information technology units to personal data are kept under control.
Destruction of personal data is ensured in such a way that it cannot be recovered and leaves no audit trail.
Pursuant to Article 12 of the Law, any digital media where personal data is stored shall be protected by encrypted methods to ensure information security requirements.
Administrative Measures
The Company takes the following administrative measures in all environments where personal data is stored, in accordance with the nature of the relevant data and the environment in which the data is stored:
Efforts are made to raise the awareness of all company employees who have access to personal data regarding information security, personal data and privacy.
Legal and technical consultancy services are obtained in order to follow developments in the field of information security, privacy and protection of personal data and to take necessary actions.
In the event that personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the protection of personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations in these protocols.
In the event that the processed personal data is obtained by others through unlawful means, the Company shall notify the relevant person and the Board as soon as possible.
The Company carries out the necessary audits, or has them carried out, to ensure the implementation of the provisions of the Law within the Company. It eliminates the confidentiality and security weaknesses that are identified as a result of the audits.
8. Personal data belonging to data subjects is securely stored by the company in physical or electronic environments within the limits specified by the KVKK (Personal Data Protection Law) and other relevant legislation. This storage is primarily for the purposes of maintaining commercial activities, fulfilling legal obligations, planning and executing employee rights and benefits, managing customer relations, and for other objectives outlined in the Personal Data Protection, Processing, and Privacy Policy. Personal data held by the company shall be deleted, destroyed, or anonymized ex officio in accordance with this destruction policy, either upon the data subject's request or when the reasons listed in Articles 5 and 6 of the Law cease to exist. The reasons enumerated in Articles 5 and 6 of the Law are as follows:
Explicitly stipulated in the law.
It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
It is mandatory for the data controller to fulfill its legal obligation.
It has been made public by the person concerned.
Data processing is mandatory for the establishment, exercise or protection of a right.
Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
9. The procedures and principles regarding the deletion and destruction techniques of personal data by the company are listed below.
DELETION OF PERSONAL DATA
Blackout of Personal Data on Paper Media: The method of physically cutting the personal data out of the relevant document and removing it, or making it invisible with permanent ink, so that the process cannot be reversed and the data cannot be read with technological solutions.
Secure Erasure from Software: The method of deleting personal data stored in the cloud or in local digital environments so that it cannot be accessed again.
DESTRUCTION OF PERSONAL DATA
Physical Destruction: The system of physically destroying personal data in such a way that it cannot be used later is applied. Documents on paper are destroyed by shredding machines in such a way that they cannot be reassembled. Optical and magnetic media containing personal data are physically destroyed by melting, incineration or pulverization.
De-magnetization: The method of passing magnetic media through special devices that expose it to high magnetic fields, corrupting the data on it so that it becomes unreadable.
Overwriting: It is a destruction method that eliminates the ability to read and recover old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media by means of special software.
ANONYMIZATION OF PERSONAL DATA
Removing variables: It is the method of anonymization by removing the highly descriptive variables from the variables in the data set created after the collected data of the relevant person are brought together.
Regional hiding: If a single record is identifying because it forms a rarely seen combination, hiding the relevant data provides anonymization. It is the process of deleting information that may be distinguishing for the data in such exceptional cases.
Generalization: The process of combining personal data belonging to many people and turning them into statistical data by removing their distinctive information.
Lower and Upper Bound Coding: It is the method of anonymizing the values in a data group with predefined categories by combining them by determining a certain criterion.
Micro-aggregation: Anonymization is achieved by first sorting all data into groups in a meaningful order, taking the average of the groups and substituting the value obtained for the relevant data in the current group.
Data mixing and distortion: Direct or indirect identifiers in personal data are mixed or distorted with other values, severing their relationship with the data subject and making them lose their identifying characteristics.
10-Retention and Disposal Periods
PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD
Recruitment documents and personal data based on the notifications made to the Social Security Institution regarding the duration of service and wages | 10 years from the beginning of the calendar year following the continuation and termination of the service contract | Within 180 days following the end of the retention period
Personal data other than recruitment documents and personal data based on notifications to the Social Security Institution regarding the duration of service and wages | 10 years from the beginning of the calendar year following the continuation and termination of the service contract | Following the end of the retention period
Data in the Workplace Personal Health File | 10 years during the continuation and termination of the service contract | Within 180 days
Occupational health and safety practices | 10 years following the termination of the employment relationship | Within 180 days following the end of the retention period
- | 10 years following the termination of the employment relationship | Within 180 days following the end of the retention period
Personnel Financing Processes | 10 years following the termination of the business relationship | Within 180 days following the end of the retention period
Identity information, contact information, financial information, Business Partner/Solution Partner/Consultant employee data regarding the execution of the commercial relationship between the Business Partner/Solution Partner/Consultant and the Company | 10 years during and after the termination of the business/commercial relationship with the Company, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code | Within 180 days following the end of the retention period
The name, surname, vehicle license plate number and camera records of the Visitor taken at the entrance to the physical spaces | 2 years | Within 180 days following the end of the storage period
The information contained in the CV and job application form of the Employee Candidate | Maximum of 2 years, the period in which the CV will lose its currency | Within 180 days following the end of the retention period
The information contained in the internship file of the intern | 10 years for the continuation of the internship relationship and for 10 years from the beginning of the calendar year following the end of the internship relationship | Within 180 days following the end of the retention period
The name, surname, T.R.K.N., contact information, payment information and methods, product/service preferences, transaction history of the Customer | 10 years from the delivery of each product/service purchased by the Customer, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code | Within 180 days following the end of the retention period
Identity information, contact information, financial information received during contract negotiations regarding the establishment of a commercial relationship between the Potential Customer and the company | 2 years | Within 180 days following the end of the retention period
Identity information, contact information, financial information, data on the execution of the commercial relationship between the company and the institutions, companies and customers with which the company cooperates, and the data of the employees of the institutions, companies and customers with which the company cooperates | 10 years during and after the termination of the business/commercial relationship with the company, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code | Within 180 days following the end of the retention period
Planning and Execution of Corporate Communication Activities | 10 years following the termination of the business relationship | Within 180 days following the end of the retention period
Other Data Required to be Processed for the Establishment or Execution of a Contract or Processed within this Scope | 10 years during and after the termination of the business/commercial relationship with the Company, in accordance with Article 146 of the Turkish Code of Obligations and Article 82 of the Turkish Commercial Code | Within 180 days following the end of the retention period
Information on company shareholders and members of the board of directors | 10 years | Within 180 days following the end of the retention period
Accident Reporting | 10 years | Within 180 days following the end of the retention period
Document preparation | 10 years | Within 180 days following the end of the retention period
Training records | 10 years | Within 180 days following the end of the retention period
11-Although no specific period has been determined for the storage of personal data within the scope of the Law, it is essential, in accordance with general principles, that personal data be retained for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they are processed. The Data Controller Company conducts an assessment for each data processing activity, taking into account the applicable legislation and the purpose of the process, in order to determine retention periods in line with this principle. If a longer period is stipulated by legislation, or if a longer period is foreseen by legislation for statutes of limitations, forfeiture periods, retention periods, etc., the periods specified in the legislative provisions are considered the maximum retention period. Accordingly, personal data is stored for at least the period required by legal obligations and until the expiration of the statute of limitations periods subject to the relevant Law.
Personal data may be stored in case of any dispute that may arise between you and the Data Controller in order to make the necessary defenses within the scope of the dispute. Personal data are anonymized, deleted or destroyed in accordance with the Law when the purpose of processing the relevant personal data is eliminated within the scope of any process, including the expiration of the aforementioned periods.
12- Personal data whose retention period has expired or whose purpose of retention has ceased will be deleted, destroyed, or anonymized every six months through processes carried out ex officio at recurring intervals, as specified in this Personal Data Retention and Disposal Policy. The periodic disposal process is also carried out every year in January and July.
13-Our Company makes the necessary assignments within the Company and establishes procedures accordingly to fulfill its obligations under the KVKK (Personal Data Protection Law) and to implement the provisions specified in this Policy.
14-This policy is reviewed and necessary sections are updated, modified, or re-created as needed, by monitoring changes that may occur in Company activities and personal data groups processed, amendments to legal regulations, and principle decisions of the Personal Data Protection Board.
Last Updated : 26.04.2026 16:35:37