PERSONAL DATA RETENTION AND DESTRUCTION POLICY

DATE OF PUBLICATION: 18.08.2022

PURPOSE

The Personal Data Retention and Destruction Policy of HEVI AI HEALTH ARTIFICIAL INTELLIGENCE AND INFORMATION TECHNOLOGIES INC. aims to establish the procedures and principles related to the deletion, destruction, or anonymization of personal data, whether processed fully or partially automatically, or manually as part of any data recording system.

SCOPE

This policy includes traditional well-known platforms such as social media, Facebook, Twitter, YouTube, Flickr, wikis, WeChat, and blogs, as well as other platforms that you may use without considering them as social media, involving user communications.

REFERENCED STANDARDS

This policy is prepared in accordance with Article 7 paragraph 3 and Article 22 paragraph 1 (e) of Law No. 6698, and it complies with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data based on ISO IEC 27001 and 27701 standards.

The company has prepared this Personal Data Retention and Destruction Policy in accordance with its personal data processing inventory.

DEFINITIONS

Recipient group: The category of real or legal persons to whom personal data is transferred by the data controller.

Relevant user: Persons processing personal data under the authority and instruction received from the data controller, excluding those responsible for the technical storage, protection, and backup of data within the organization of the data controller.

Destruction: The process of deleting, destroying, or anonymizing personal data.

Recording medium: Any environment where personal data is processed either fully or partially automatically or manually as part of any data recording system.

Personal data: Any information relating to an identified or identifiable natural person.

Personal data processing inventory: An inventory created by data controllers, linking personal data processing activities to business processes, categorizing personal data based on processing purposes, recipient groups, and subject person groups, detailing the maximum necessary duration for which personal data is retained, personal data transferred to foreign countries, and security measures taken.

Personal data retention and destruction policy: The policy used by data controllers to determine the maximum necessary duration for which personal data is retained and to base the deletion, destruction, or anonymization processes.

Periodic destruction: The process of deleting, destroying, or anonymizing personal data at regular intervals automatically by the data controller once the conditions for processing personal data no longer apply, as stipulated in the policy.

Register: The registry of data controllers maintained by the Presidency of the Personal Data Protection Authority.

Data recording system: The system in which personal data is processed according to specific criteria.

Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Deletion of personal data: The process by which personal data is made completely inaccessible and unrecoverable for relevant users.

Destruction of personal data: The process by which personal data is made inaccessible, unrecoverable, and unusable by anyone in any way.

Anonymization of personal data: The process by which personal data is rendered unrelated to any identified or identifiable real person, even when matched with other data.

For anonymized personal data to be considered such, it must be rendered unrelatable to any identified or identifiable real person by the data controller, recipient, or recipient groups, even through the use of appropriate technical methods within the recording medium and related activity field.

RESPONSIBILITY

Employees of HEVI AI HEALTH ARTIFICIAL INTELLIGENCE AND INFORMATION TECHNOLOGIES INC. are responsible for the implementation of this policy.

IMPLEMENTATION

Our employees and representatives should adhere to the following principles in social media postings;

8.1. Record Environments Regulated by Policy

Paper Environments

Electronic Environments

8.2. Legal, technical, or other reasons requiring the retention and destruction of personal data:

8.2.1. When the conditions for processing personal data are completely absent, the personal data must be deleted, destroyed, or anonymized by the data controller on its own initiative or at the request of the concerned individual.

As regulated under Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, even though processed in accordance with the law, if the reasons necessitating processing no longer exist, the company may decide on its own or upon the request of the data subject to delete, destroy, or anonymize the personal data.

8.2.2. According to Article 23 of Law No. 6493 on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions, documents and records arising from transactions related to the operation of the business must be stored securely and accessible upon request by the Central Bank within the country for at least ten years.

8.2.3. When an individual applies to the Company requesting the deletion or destruction of their personal data, this request is immediately taken into consideration.

8.2.4. If the conditions for processing personal data have been completely absent; the Company deletes, destroys, or anonymizes the personal data related to the request. The Company concludes the request of the related person within thirty days at most and informs the person involved.

8.2.5. If the personal data related to the request have been transferred to third parties and the conditions for processing these personal data are completely absent, the Company notifies the third party; the third party ensures that the necessary actions are taken in accordance with this policy.

8.2.6. If the conditions for processing personal data have not been completely absent, the Company may reject this request and must provide the reasons for refusal to the concerned individual in writing or electronically within thirty days.

8.3. Reasons Requiring Retention

8.3.1. To conduct human resources processes, 8.3.2. To maintain corporate communication, 8.3.3. To perform statistical studies, 8.3.4. To fulfill transactions and operations resulting from signed contracts and agreements, 8.3.5. To comply with legal regulations or mandatory legal obligations, 8.3.6. To maintain contact with real/legal persons involved in business relationships with the institution, 8.3.7. To manage call center processes, 8.3.8. To serve as evidence in legal disputes that may arise in the future.

8.4. Reasons Requiring Destruction

8.4.1. Amendment or repeal of the relevant legislative provisions that form the basis for the processing of personal data,

8.4.2. Disappearance of the purpose requiring the processing or storage of personal data,

8.4.3. In cases where the processing of personal data is based solely on explicit consent, the withdrawal of explicit consent by the concerned individual,

8.4.4. Acceptance by the Company of an application made by the concerned individual for the deletion and destruction of personal data within the scope of the individual's rights,

8.4.5. In cases where the Company rejects an application made by the concerned individual for the deletion, destruction, or anonymization of personal data, finds the response insufficient, or does not respond within the period stipulated by the law; the individual may file a complaint with the Personal Data Protection Board, and if the Board finds the request appropriate, the necessary actions are taken.

8.4.6. When the maximum duration required for storing personal data has passed and there are no conditions that justify keeping the personal data for a longer period.

8.5. Technical and administrative measures taken to securely store personal data and prevent its unlawful processing and access

8.5.1. Technical Measures

Network security and application security are maintained.

A closed system network is used for data transmissions via the network.

Key management is implemented.

Security measures related to the procurement, development, and maintenance of information technology systems are taken.

An authority matrix is created for employees.

Access logs are regularly kept.

Corporate policies regarding access, information security, use, storage, and destruction have been prepared and implemented.

Data masking is applied when necessary.

Personal data security issues are quickly reported.

Monitoring of personal data security is conducted.

Necessary security measures are taken regarding the entry and exit of physical environments containing personal data.

The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.

The security of environments containing personal data is maintained. Personal data is backed up, and the security of the backed-up personal data is also ensured. User account management and authorization control systems are implemented, and their monitoring is conducted.

Periodic and/or random audits are conducted and enforced within the institution.

Log records are kept in a way that does not allow user intervention.

Intrusion detection and prevention systems are used. Penetration testing is conducted.

Cybersecurity measures are taken, and their implementation is continuously monitored. Encryption is performed.

Regular audits of data processors regarding data security are conducted. Awareness of data security among data processors is ensured.

Data loss prevention software is used.

8.5.2. Administrative Measures

Disciplinary regulations containing data security provisions are available for employees.

Training and awareness sessions regarding data security are conducted for employees at regular intervals.

Corporate policies regarding access, information security, use, storage, and destruction have been prepared and implemented.

Confidentiality agreements are made.

Signed contracts include data security provisions.

Extra security measures are taken for personal data transferred via paper, and relevant documents are sent in a classified document format.

Personal data security policies and procedures are determined.

The security of environments containing personal data is ensured.

Personal data is minimized as much as possible.

Periodic and/or random audits are conducted and enforced within the institution.

8.5.3. Technical and administrative measures taken for the lawful destruction of personal data

All operations related to the deletion, destruction, and anonymization of personal data are performed by authorized personnel according to policy and procedures, and these operations are recorded.

Such records, except for other legal obligations, are kept for at least three years.

8.6. Techniques for the Destruction of Personal Data

8.6.1. Techniques for Deleting Personal Data

8.6.1.1. Deletion of Personal Data in Electronic Media

8.6.1.1.1. Secure Deletion from Software: Data processed entirely or partially automatically and stored in digital environments is deleted/destroyed in such a way that it is highly unlikely to be recoverable, using methods related to deletion from the relevant software.

8.6.1.1.2. Deletion of Personal Data in Databases: Personal data in the relevant rows are deleted using database commands (DELETE, etc.). During this process, it is ensured that the relevant user is not also the database administrator.

8.6.1.2. Deletion of Personal Data in Portable Media

Personal data in cloud and flash-based storage environments is stored encrypted and deleted using appropriate software for these environments.

8.6.1.3. Deletion of Personal Data on Servers

For data whose retention period required by legal obligations has expired, the system administrator removes access permissions for the relevant users and performs the deletion process.

8.6.1.4. Secure Deletion by an Expert

In some cases, the Company may contract an expert to delete personal data on its behalf. In this situation, personal data is securely deleted/destroyed in such a way that it cannot be recovered by an expert in this field.

8.7. Techniques for the Destruction of Personal Data

8.7.1. Physical Destruction of Personal Data in Physical Media

Personal data may also be processed manually as part of any data recording system. When such data is deleted/destroyed, it is physically destroyed according to the Portable Media Destruction Policy.

8.7.2. Destruction of Personal Data in Optical/Magnetic Media

The Portable Media Destruction Policy is implemented.

8.7.3. Techniques for Anonymizing Personal Data

Anonymization of personal data refers to rendering personal data unrelatable to any identified or identifiable real person, even when matched with other data. The Company can anonymize personal data lawfully processed when the reasons for processing disappear. According to Article 28 of the Personal Data Protection Law; anonymized personal data can be processed for research, planning, and statistical purposes. Such processing is outside the scope of the Personal Data Protection Law. Anonymized personal data processed in this way will be outside the scope of the rights regulated in part 10 of the policy.

Masking: Data masking is a method where the fundamental identifying information of personal data is removed from the data set, rendering the identification of the data subject impossible. Example: Removing identifying information such as the name, national ID number, first name, last name, etc., from the data set, making it impossible to identify the data subject.

Aggregation: Data aggregation is a method where many data points are aggregated, rendering personal data unrelatable to any individual. Example: Indicating the presence of 100 customers born in 1975 without showing each birth year individually.

Data Derivation: Data derivation is a method where more general content is created from the content of personal data, rendering the personal data unrelatable to any individual. Example: Indicating age instead of birth dates; indicating the district or city of residence instead of the exact address.

8.8. Titles, units, and job descriptions of those involved in personal data retention and destruction processes

These are explained in the Organization Handbook.

8.9. Periodic Destruction Periods

The Company destroys personal data whose retention period has expired within 90 days from the date the retention period ended.

Following the date when the obligation to delete, destroy, or anonymize personal data arises, the Company deletes, destroys, or anonymizes the personal data at the first periodic destruction operation.

The time interval for periodic destruction is determined by the data controller in accordance with the personal data retention and destruction policy, procedures, and the company's workflow. This period must not exceed six months.

Within three months following the date when the obligation to delete, destroy, or anonymize personal data arises, the Company deletes, destroys, or anonymizes the personal data.

Data Category Data Retention Duration

Identity 10 Years

Communication 10 Years

Location 10 Years

Personnel 10 Years

Legal 10 Years

Customer 10 Years

Physical Security 10 Years

Transaction Security 10 Years

Risk 10 Years

Finance 10 Years

Professional Experience 10 Years

Marketing 10 Years

Contract 10 Years

Visual and Audio Records 10 Years

MANAGEMENT REVIEW

Management review meetings are organized by the BGYS Quality Management Representative and conducted with the participation of Senior Management and Department Managers. These meetings, held at least once a year, assess the appropriateness and effectiveness of the policy.

UPDATING AND REVIEWING THE SOCIAL MEDIA POLICY DOCUMENT

The BGYS Management Representative is responsible for ensuring the continuity and review of the policy document. Policies and procedures should be reviewed at least once a year. In addition, any changes affecting the system structure or risk assessment should also be reviewed, and if any changes are necessary, they should be approved by senior management, recorded as a new version, and published in a manner accessible to all users.