DNA Laboratuvarları

PDPL

CORPORATE PERSONAL DATA PROTECTION POLICY

Document Name: Personal Data Protection Policy
Document Relevance: The purpose of the Personal Data Protection Policy is to plan the processes for the protection of personal data by DNA Laboratories Health and Bio Technology Services Joint Stock Company and to determine the principles to be applied on this issue.
Revision Date: 26.08.2022
Version No: 2
Reference / Justification: Personal Data Protection Law No. 6698 and other legislation
Approval Authority: DNA Laboratories Health and Bio Technology Services Joint Stock Company Board of Directors

DNA LABORATORIES HEALTH AND BIO TECHNOLOGY SERVICES JOINT STOCK COMPANY

CORPORATE PERSONAL DATA PROTECTION POLICY

1. PURPOSE

The right of every individual to request the protection of personal data about him/her is a sacred right arising from the Constitution. As DNA Laboratories Health and Bio Technology Services Joint Stock Company, we consider fulfilling the requirements of this right as one of our most valuable duties. Therefore, we attach importance to the legal processing and protection of your personal data.

Because of the importance we attach to the protection of personal data, the Corporate Personal Data Protection Policy has been prepared to determine the principles we rely on and the procedures we apply when processing and protecting personal data.

2. SCOPE

The Policy covers all kinds of operations performed on personal data managed by Dna Laboratories Sağlık Ve Bio Teknoloji Hizmetleri Anonim Şirketi, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

The policy relates to all processed personal data of Dna Laboratories Sağlık Ve Bio Teknoloji Hizmetleri Anonim Şirketi’s partners, officials, customers, employees, supplier officials and employees, and third parties.

Dna Laboratories Health and Bio Technology Services Joint Stock Company may change the Policy in order to comply with the legislation and the decisions of the Personal Data Protection Authority and to better protect personal data.

3. DEFINITIONS

Abbreviation: Description
Buyer Group: The category of natural or legal person to whom personal data is transferred by the data controller.
Explicit Consent: Consent regarding a specific issue, based on informed consent and expressed with free will.
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Contact Person: The real person whose personal data is processed.
Relevant User: Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, except for the person or unit responsible for the technical storage, protection and backing up of data.
Destruction: Deletion, destruction or anonymization of personal data.
Law/KVKK: Personal Data Protection Law No. 6698.
Recording Media: Any environment containing personal data that is processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Personal Data: Any information regarding an identified or identifiable natural person.
Data Inventory: The inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the purposes and legal reason for processing personal data, the data category, the transferred recipient group and the data subject person group, and by detailing the maximum retention period required for the purposes for which personal data are processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security.
Personal Data Processing: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making it accessible, classifying it or preventing its use, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Commission: Personal Data Protection Commission established by DNA Laboratories Health and Bio Technology Services Joint Stock Company to manage the Policy and other relevant procedures and to ensure the validity of the Policy.
Board: Personal Data Protection Board.
Institution: Personal Data Protection Authority.
Special Personal Data: Data regarding people’s race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Periodic Destruction: The process of deleting, destroying or anonymizing personal data, specified in the personal data storage and destruction policy and carried out ex officio at recurring intervals, in case all the conditions for processing personal data specified in the Law are eliminated.
Policy: Personal Data Protection Policy.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

4. GENERAL PRINCIPLES

Dna Laboratories Health and Bio Technology Services Joint Stock Company checks the compliance of the data to be processed with the following principles during the preparation phase of the workflow requiring the processing of each new personal data. Workflows that are deemed inappropriate are not implemented.

When processing personal data, Dna Laboratories Health and Bio Technology Services Joint Stock Company:

(I) Complies with the law and the rules of honesty.

(II) Ensures that personal data is accurate and, when necessary, up-to-date.

(III) Ensures that the purpose of processing is specific, clear and legitimate.

(IV) Checks that the processed data is related to the purpose of processing, limited to what is necessary and proportionate.

(V) Retains the data only as long as required by the relevant legislation or for the purpose of processing, and destroys it when the purpose of processing is eliminated.

5. DUTIES AND RESPONSIBILITIES

A Personal Data Protection Commission has been established within Dna Laboratories Sağlık Ve Bio Teknoloji Hizmetleri Anonim Şirketi to manage this Policy and other relevant procedures regarding the processing of personal data and to ensure the enforcement of the Policy. The Commission consists of the General Coordinator, Accounting Officer, Quality Management Representative, and Genetic Test Sales and Marketing Coordinator. Dna Laboratories Health and Bio Technology Services Joint Stock Company also receives KVKK consultancy support when necessary in order to comply with the Personal Data Protection Law No. 6698. If the Commission deems it necessary, it may invite the KVKK consultant to its meetings.

The duties and responsibilities of the Commission are stated below.

  • Normally meets every 6 months. Extraordinary meetings may be held if circumstances require (for example, in the event of a possible data breach).
  • Discusses the issues that need to be changed/improved in the Policy.
  • Determines the matters to be fulfilled in order to process and protect personal data in accordance with the law.
  • Determines the steps that can be taken to increase KVKK awareness within the company and among its business partners.
  • Detects the risks that may be encountered regarding the processing and protection of personal data and takes the necessary administrative and technical measures.
  • Ensures contact with the institution and manages relations.
  • Evaluates requests from the Relevant Person.
  • Follows periodic destruction processes.
  • Updates the Data Inventory.
  • Makes assignments regarding the matters listed above.

6. PRECAUTIONS TAKEN FOR DATA SECURITY

Dna Laboratories Health and Bio Technology Services Joint Stock Company takes all necessary technical and administrative precautions to ensure the appropriate level of security in order to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, (iii) ensure the preservation of personal data.

6.1. Technical Measures

  • Network security and application security are provided.
  • Security measures are taken within the scope of supply, development and maintenance of information technology systems.
  • Access logs are kept regularly.
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
  • The security of environments containing personal data is ensured.
  • Personal data is backed up and the security of the backed up personal data is ensured.
  • User account management and authorization control system is implemented and these are also monitored.
  • Log records are kept without user intervention.
  • Encryption is performed.

6.2. Administrative Measures

  • There are disciplinary regulations for employees that include data security provisions.
  • Training and awareness activities are carried out for employees on data security at regular intervals.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
  • Data masking measures are applied when necessary.
  • Confidentiality commitments are made.
  • An authority matrix has been created for employees.
  • Employees who change their duties or leave their jobs have their authorizations in this area removed.
  • The signed contracts contain data security provisions.
  • Personal data security policies and procedures have been determined.
  • Personal data security issues are reported quickly.
  • Personal data security is monitored.
  • Personal data is reduced as much as possible.
  • Periodical and/or random audits are carried out within the institution.
  • Current risks and threats have been identified.
  • Protocols and procedures for the security of special personal data have been determined and implemented.
  • If special personal data is to be sent via e-mail, it must be sent encrypted and using a KEP or corporate mail account.
  • Data processing service providers are made aware of data security.

7. RIGHTS OF THE RELEVANT PERSON REGARDING PERSONAL DATA

The relevant person may request the following issues by applying to DNA Laboratories Health and Bio Technology Services Joint Stock Company:

  • Learning whether personal data is being processed,
  • Requesting information if personal data has been processed,
  • Learning the purpose of processing personal data and whether they are used for their intended purpose,
  • Learning about third parties to whom personal data is transferred domestically or abroad,
  • Requesting correction of personal data in case their personal data has been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
  • Requesting the deletion, destruction or anonymization of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the provisions of KVKK and other relevant laws, and requesting that the transaction carried out in this context be notified to third parties to whom personal data has been transferred,
  • Objecting to the emergence of an unfavorable result by analyzing the processed data exclusively through automatic systems,
  • Requesting compensation for damages in case of damage due to unlawful processing of personal data.

VIOLATION NOTIFICATIONS

Dna Laboratories Health and Bio Technology Services Joint Stock Company employees report to the Commission any work, action or phenomenon that they believe violates the provisions of KVKK and/or the Policy. Following this violation notification, the Commission meets if deemed necessary and creates an action plan regarding the violation.

If the violation involves personal data being obtained by others illegally, the Commission will notify the relevant person and the Board within 72 hours, in accordance with the Board’s decision dated 24.01.2019 and numbered 2019/10.

CHANGES

Changes to the Policy are prepared by the Commission and submitted to the approval of the Board of Directors of DNA Laboratories Health and Bio Technology Services Joint Stock Company. The updated Policy can be sent to employees via e-mail or published on the website.

EFFECTIVE DATE

The first version of the Policy was approved by the Board of Directors on 24.04.2020 and the second version came into force on 26.08.2022.