The data controller, HairNeva Health Services, retains and destroys your personal data in accordance with the Constitution, the provisions of the Turkish Law No. 6698 on the Protection of Personal Data, the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and other relevant legislation.
This process is carried out in line with the general principles and regulations set forth in this Personal Data Retention and Destruction Policy.
Through this Policy, the Company aims to establish the general principles and procedures for the retention and destruction of personal data belonging to natural persons whose data are processed within the scope of the aforementioned law, and to ensure compliance with all obligations stipulated by the relevant legal framework.
Definitions
Explicit Consent:
Freely given, specific, informed consent expressed by the data subject concerning a particular matter.
Recipient Group:
The category of natural or legal persons to whom personal data are transferred by the data controller.
Anonymization:
The process of rendering personal data impossible to associate with an identified or identifiable natural person, even by matching such data with other data.
Authorized User:
Individuals within the data controller’s organization, or those authorized and instructed by the data controller, who process personal data—excluding those responsible solely for the technical storage, protection, and backup of data.
Destruction:
The act of deleting, destroying, or anonymizing personal data.
Personal Data:
Any information relating to an identified or identifiable natural person (e.g., name, surname, national ID number, email address, physical address, date of birth, credit card number, bank account number, etc.).
Data Subject:
The natural person whose personal data are processed.
Processing of Personal Data:
Any operation performed on personal data—whether fully or partially automated, or by non-automated means that form part of a data recording system—including collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or restriction of use.
Special Categories of Personal Data:
Data revealing a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance or clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Periodic Destruction:
The deletion, destruction, or anonymization of personal data, carried out ex officio and at regular intervals as specified in this Policy, when all conditions for lawful data processing under the Law have ceased to exist.
DATA STORAGE ENVIRONMENTS REGULATED UNDER THIS POLICY
The data processing activities carried out within the scope of the Turkish Law No. 6698 on the Protection of Personal Data cover all forms of personal data. In addition, both physical and digital copies of the documents referenced in this Policy fall within its scope.
The Company stores all personal data processed, whether fully or partially automated or processed by non-automated means that form part of a data recording system, in the following environments:
- Company computers and email accounts
- Desktop computers and mobile devices assigned to employees
- Backup systems and servers
- Physical paper files, folders, and visitor logs
- Portable storage devices (such as CDs, DVDs, USB drives, and external hard disks)
- Printers, photocopiers, and similar office equipment
REASONS REQUIRING THE RETENTION AND DESTRUCTION OF PERSONAL DATA
In all data processing activities, the following fundamental principles are observed:
- Compliance with law and the principle of good faith
- Ensuring that personal data are accurate and, when necessary, kept up to date
- Processing for specific, explicit, and legitimate purposes
- Being relevant, limited, and proportionate to the purposes for which they are processed
- Retaining personal data for the period required by the relevant legislation or for the purpose for which they are processed
Our Company retains and uses personal data in accordance with the purposes of data processing and the legal bases specified in Articles 5 and 6 of the Turkish Law No. 6698 on the Protection of Personal Data.
When all such legal grounds cease to exist, personal data are destroyed either automatically (ex officio) or upon the request of the data subject.
Legal Bases for Retaining and Processing Personal Data
- Explicit Consent of the Data Subject:
The primary legal basis for processing personal data is the explicit consent of the data subject.
- Clearly Provided by Law:
Where the processing of personal data is explicitly provided for by law, such data may be processed lawfully without obtaining explicit consent.
- Inability to Obtain Consent Due to Physical Impossibility:
If it is impossible to obtain the data subject’s consent due to a physical incapacity, and the processing of personal data is necessary to protect the life or physical integrity of the person or another individual, data may be processed without consent.
- Necessity for the Establishment or Performance of a Contract:
If the processing of personal data belonging to the parties to a contract is required in direct connection with the establishment or performance of that contract, such data may be processed lawfully.
- Legal Obligation:
Where data processing is required for the Company to fulfill its legal obligations, personal data may be processed without the data subject’s consent.
- Public Disclosure by the Data Subject:
If personal data have been made public by the data subject, such data may be processed to the extent they have been made public.
- Necessity for the Establishment, Exercise, or Protection of a Right:
Personal data may be processed when it is necessary for the establishment, exercise, or protection of a legal right.
- Legitimate Interests of the Company:
Where data processing is necessary for the legitimate interests of the Company, provided that such processing does not violate the fundamental rights and freedoms of the data subject, personal data may be lawfully processed.
DELETION, DESTRUCTION, OR ANONYMIZATION OF PERSONAL DATA
Personal data shall be deleted, destroyed, or anonymized by the Company upon the request of the data subject in the following circumstances:
- If the legal provisions forming the basis for processing such data are amended or repealed,
- If the purpose requiring the processing or storage of the data no longer exists,
- If the processing of personal data was based solely on explicit consent and the data subject withdraws such consent,
- If the maximum period for data retention has expired,
- Or if there are no longer any legal grounds that justify the continued storage of such personal data.
Unless otherwise decided by the Turkish Data Protection Authority, the Company shall determine the appropriate method of deletion, destruction, or anonymization, taking into account technological capabilities and implementation costs.
Upon the data subject’s request, the Company shall provide justification for the method chosen. In each case, all necessary technical and administrative measures shall be implemented to ensure compliance and security.
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN
In accordance with Article 12 of the Turkish Law No. 6698 on the Protection of Personal Data, the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and the decisions of the Personal Data Protection Board, our Company takes all necessary technical and administrative precautions appropriate to current technological capabilities and implementation costs. These include, but are not limited to:
- The required software and hardware infrastructure has been established; strong passwords are used on all computers and email accounts.
- Employees have been trained on data protection, and their confidentiality obligations are formally documented in employment contracts (Confidentiality Agreements). These obligations remain in force even after the termination of employment.
- Necessary infrastructure has been established for the secure backup of all data.
- Only authorized personnel are granted access to data stored on computers.
- Customer files and information are disclosed solely to the data subjects themselves, their authorized representatives, public authorities within the scope of legal obligations, or judicial authorities when required.
- Before commencing any data processing, the obligation to inform the data subjects is duly fulfilled.
- A comprehensive personal data processing inventory has been prepared.
RETENTION AND DESTRUCTION PERIODS
Our Company retains personal data only for the duration required by applicable legislation or for the time necessary to fulfill the purposes for which the data were processed. Once these periods expire, personal data are destroyed.
If a data subject submits a written request for the destruction of their personal data:
- If all conditions for data processing have ceased to exist:
The Company shall fulfill the request within 30 days and notify the data subject accordingly. If the relevant personal data have been transferred to third parties, such parties will also be informed, and the Company will ensure that necessary actions are taken.
- If the conditions for data processing still exist:
The Company may reject the request, providing a clear justification as required under Article 13(3) of the Turkish Law on the Protection of Personal Data. The rejection notice shall be communicated to the data subject in writing or electronically within 30 days.
PERIODIC DESTRUCTION INTERVALS
Personal data for which the obligation to destroy has arisen shall be deleted, destroyed, or anonymized during the first periodic destruction cycle following the date when such obligation occurs.
Accordingly, our Company carries out periodic destruction processes at six-month intervals.
| PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
| --- | --- | --- |
| Preparation of Contracts | 10 years after the end of the contract | During the first periodic destruction period following the end of the retention period |
| Execution of Human Resources Processes | 10 years after the end of the activity | During the first periodic destruction period following the end of the retention period |
| Management of Hardware and Software Access Processes | 5 years | During the first periodic destruction period following the end of the retention period |
| Registration of Visitors and Meeting Participants | 5 years | During the first periodic destruction period following the end of the retention period |
| Recording of Personal Health Data | As long as required by applicable legislation | During the first periodic destruction period following the end of the retention period |
| Identity Data | As long as required by applicable legislation | During the first periodic destruction period following the end of the retention period |
| Camera Recordings | Retained for at least 2 months in accordance with the Private Hospitals Regulation | During the first periodic destruction period following the end of the retention period |
This Policy is considered effective as of the date of its publication on the website.