SWEDISH CARE SAĞLIK HİZMETLERİ A.Ş.

Policy on Protection And Processing of Sensitive Personal Data

1. POLICY SUMMARY
2. THE PURPOSE OF THE POLICY
3. SCOPE OF THE POLICY
4. DEFINITIONS
5. MEASURES FOR THE PERSONNEL IN THE PROCESSING OF SENSITIVE PERSONAL DATA
5.1. Staff Training and Awareness Activities
5.2. Contracts on Confidentiality
5.3. Scope, Duration and Supervision of Authorization for Access to Sensitive Personal Data
6. MEASURES FOR THE ENVIRONMENTS WHERE SENSITIVE PERSONAL DATA ARE PROCESSED, STORED AND/OR ACCESSED
6.1. Electronic Environments
a) Retention (Storage) of Sensitive Data using Cryptographic Methods 
b) Cryptographic Keys                
c) Log Records
d) Security Updates, Tests and Records of the Environments Where the Data Are Found     
e) If the Data Is Accessed Through a Software
f) If Data Is Accessed Remotely
6.2. Physical Environments 
a) Security Measures to be Taken According to the Nature of the Environments Where Sensitive Personal Data are Found
b) Ensuring the Physical Security of the Environments Where Sensitive Personal Data Are Found
7. MEASURES TO BE TAKEN AGAINST THE TRANSFER OF SENSITIVE PERSONAL DATA 
7.1. Transfer via E-mail
7.2. Transfer via External Memory Storage Devices
7.3. Transfer between Servers
7.4. Transfer via Hard Copy
8. VALIDITY
9. APPROVALS
10. POLICY HISTORY AND REVISION INFORMATION

1. POLICY SUMMARY

Policy Name

Policy On Protection And Processing Of Sensitive Personal Data

Version

1.0

Policy Holder

PERSONAL DATA PROTECTION COMMITTEE

Application Date

 

Revision Date

 

Status

Active

2. THE PURPOSE OF THE POLICY

The purpose of this Policy is to set out the rules for determining and implementing the technical and administrative measures that ensure an appropriate level of security in the processing of the sensitive personal data specified in Article No 6/1 of the Law No 6698 on the Protection of Personal Data ("KVKK"), in line with the principles stipulated by KVKK, the Policy on the Protection and Processing of Personal Data prepared and put into effect by SWEDISH CARE SAĞLIK HİZMETLERİ A.Ş. ("Company"), and the Decision on Determining the Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data, published by the Personal Data Protection Committee in the Official Gazette dated 31.01.2018 (Decision Number: 2018/10, Meeting Number: 2018/3).

3. SCOPE OF THE POLICY

This Policy shall apply to all Company Personnel, Consultants, Business Partners and Staff and anyone, who may come into contact with sensitive personal data processed by the Company.

Within the scope of this Policy, the adequate measures to be taken regarding the following, and the processes for the technical and administrative measures aimed at ensuring the appropriate level of security, are regulated:

1- The above-mentioned persons involved in the processing of sensitive personal data

2- Electronic or physical media where sensitive personal data are processed, stored and/or accessed

3- Processing and transfer of sensitive personal data

4. DEFINITIONS

Account: It refers to the identification and credential details used to access Company systems, resources, software, databases and applications.

Group: It refers to the department under which an account is defined.

Decision: Decision of the Personal Data Protection Committee on the Determination of Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data published in the Official Gazette dated 31.01.2018 with the Decision Number: 2018/10 and Meeting Number: 2018/3

Personal Data: It refers to all information about a real person, whose identity is certain or can be ascertained.

Sensitive Personal Data: It refers to the data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data of the persons specified in Article No 6/1 of the KVKK (Law on the Protection of Personal Data).

Processing of Personal Data: It refers to any operation performed on personal data, wholly or partially by automated means or, provided that it is part of a data recording system, by non-automated means, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making retrievable, classifying or preventing the use of the data.

Committee: It refers to the Personal Data Protection Committee

Authority: It refers to the Personal Data Protection Authority

KVKK: It refers to the Law No 6698 on the Protection of Personal Data

Policy: It refers to this Policy On The Protection And Processing Of Sensitive Personal Data

Role/Profile: It refers to the authorization definition assigned to an account in order to grant it additional capabilities in applications.

5. MEASURES FOR THE PERSONNEL IN THE PROCESSING OF SENSITIVE PERSONAL DATA

5.1. Staff Training and Awareness Activities

5.1.1. The implementation of this Policy shall be ensured by the Personal Data Protection Committee.

5.1.2. This Policy aims to ensure that Company Personnel involved in the processing of sensitive personal data regularly receive training on KVKK (Law on the Protection of Personal Data), related regulations and the security of sensitive personal data, appropriate to the activities in their job descriptions, and that awareness-raising activities are carried out for all Company personnel. The Personal Data Protection Committee shall determine and plan such training and awareness activities, prepare the corresponding calendar and notify the relevant personnel of it, and record and monitor the participation of the personnel.

5.1.3. The authorities and responsibilities regarding the sensitive personal data processing activities described in this Policy shall be exercised by all personnel in line with the access and authorization processes for Company Applications, all Company Software and Hardware, Company Networks and Internet Access Activities.

5.2. Contracts on Confidentiality

The Personal Data Protection Committee shall ensure that Confidentiality Contracts are executed with the personnel involved in the processing of sensitive personal data, including, as part of the recruitment process, with personnel who will take part in such processing.

5.3. Scope, Duration and Supervision of Authorization for Access to Sensitive Personal Data

5.3.1. The data that users authorized to access Sensitive Personal Data may access and process shall be limited to what the activities in their job descriptions require, in line with KVKK (Law on the Protection of Personal Data) and the Policy on Protection and Processing of Personal Data. In order to determine the authorities and responsibilities within these limits, the Personal Data Protection Committee shall define accounts and roles/profiles.

5.3.2. In order for Sensitive Personal Data to be processed in compliance with KVKK (Law on the Protection of Personal Data), the Policy on Protection and Processing of Personal Data and other relevant legislation, the conditions for processing must be evaluated separately for each processing activity within the framework of the systematic analysis stipulated in this Policy. This analysis shall be carried out in accordance with the principles set out in Article No 4 of KVKK, which must be complied with in the processing of sensitive personal data, and with the help of the personal data processing inventory.

5.3.3. Sensitive Personal Data can be processed only for a specific, explicit and legitimate purpose. Therefore, first, the purpose of processing sensitive personal data should be determined.

5.3.4. The processing of sensitive personal data must be relevant, limited and proportionate to the identified purpose. Processing sensitive personal data must be necessary in order to achieve the identified purpose, and the data processed must be suitable for achieving it. Sensitive personal data that is not related to the identified purposes, or is not needed for them, shall not be processed.

5.3.5. The principle of compliance with the law and good faith, which must underlie every operation carried out on sensitive personal data, includes, without limitation, the following:

  • The processing of sensitive personal data on a legitimate basis
  • Not using sensitive personal data in a manner that could lead to consequences to the detriment of individuals without a legitimate reason
  • Ensuring transparency in the processing of sensitive personal data and informing individuals in this context
  • Processing of sensitive personal data in line with the reasonable expectations and foresight of individuals

5.3.6. The processed sensitive personal data must be up-to-date and accurate. Accordingly:

  • Reasonable measures must be taken in order to ensure that sensitive personal data is accurate.
  • The sources of sensitive personal data must be specific.
  • Claims arising due to inaccuracy of sensitive personal data should be carefully considered.
  • It is necessary to assess whether sensitive personal data needs to be updated.

Other matters set out in this Policy must also be observed. Sensitive Personal Data that lose their validity and accuracy shall be processed within the framework of the procedures and principles stipulated in the Regulation on Deletion, Destruction or Anonymization of Personal Data and the Personal Data Retention and Destruction Policy.

5.3.7. Sensitive Personal Data must be retained (stored) only for the period stipulated in the relevant legislation or, where no such period exists, only for the period required by the purpose for which they are processed. When there is no longer a valid reason for further retention (storage), the data shall be processed within the framework of the procedures and principles stipulated in the Regulation on Deletion, Destruction or Anonymization of Personal Data and the Personal Data Retention and Destruction Policy. Data shall not be retained on the basis of possible future use.

5.3.8. The relevant authorities and responsibilities regarding the activities described in this Policy shall be fulfilled by the personnel authorized to access sensitive personal data in accordance with the access and authorization processes related to Company Applications, all Company Software and Hardware, Company Networks and Internet Access Activities.

a) Role/Profile Identification

5.3.9. Within the framework of the determinations and limitations to be set for the roles/profiles of departments and relevant personnel, role/profile definitions on Applications and Systems shall be made by the Personal Data Protection Committee, and authorizations shall be arranged according to these role/profile definitions. In this way, when a new employee is assigned to the appropriate role/profile, all authorizations required by the task are added to the account automatically.

5.3.10. The obligation to define roles/profiles within the framework of the determinations and limitations to be set by the Personal Data Protection Committee, the obligation to ensure coordination in order to audit the compliance of such definitions with the law and the needs of the Company, and the obligation to make the necessary arrangements belong to the Personal Data Protection Committee.

b) Defining the Authority

5.3.11. Within the framework of the determinations and limitations to be set by the Personal Data Protection Committee for departments and relevant personnel on Applications and Systems, access authorization shall be defined for roles/profiles.

5.3.12. The obligation to define access authorizations for roles/profiles within the framework of the determinations and limitations to be set by the Personal Data Protection Committee, the obligation to ensure coordination in order to audit the compliance of such definitions with the law and the needs of the Company, the obligation to ensure their being up-to-date, and the obligation to make the necessary arrangements belong to the Personal Data Protection Committee.

c) User Identification

5.3.13. Within the framework of the determinations and limitations to be set by the Personal Data Protection Committee regarding the departments and relevant personnel on the Applications and Systems, a user account specific to the personnel in question shall be created and appropriate role/profile assignments shall be made by the Personal Data Protection Committee in line with the job description of the personnel.

5.3.14. The obligations to open user accounts and make appropriate role/profile assignments within the framework of the determinations and limitations to be set by the Personal Data Protection Committee, to audit the compliance of such user account definitions with the law and the needs of the Company, to keep them up to date and to make the necessary arrangements belong to the Personal Data Protection Committee. The obligation to use the accounts in accordance with the law, the granted authorizations and all Company regulations belongs to the user. The obligation to check whether the accounts are used in accordance with the law, and to determine the sanctions to be applied, belongs to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

5.3.15. Within the framework of the determinations and limitations to be set by the Personal Data Protection Committee, it is the obligation of the Personal Data Protection Committee to take back the inventory (equipment and assets) allocated to personnel whose position changes or who leave the Company, to supervise that take-back process and to make the necessary arrangements. The obligation to return the inventory belongs to the user. The obligation to supervise whether the return of the inventory is carried out in accordance with the law, and to determine the sanctions to be applied, belongs to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

6. MEASURES FOR THE ENVIRONMENTS WHERE SENSITIVE PERSONAL DATA ARE PROCESSED, STORED AND/OR ACCESSED

6.1. Electronic Environments

a) Retention (Storage) of Sensitive Data using Cryptographic Methods

6.1.1. Electronic environments or systems in which sensitive personal data are processed, stored and/or accessed shall be encrypted using cryptographic methods, and sensitive personal data shall be encrypted before being transferred to a cloud environment. The obligations to supervise the continuity of this encryption and to make the necessary arrangements, to check whether the encryption is carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

b) Cryptographic Keys

6.1.2. Where electronic environments or systems in which sensitive personal data are processed, stored and/or accessed are encrypted using cryptographic methods, the cryptographic/encryption keys generated by that encryption shall be determined, used and, where the data are transferred to a cloud environment, eventually disposed of separately from the encrypted data wherever possible. The obligations to supervise the continuity of the encryption and to make the necessary arrangements, to check whether it is carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

6.1.3. The cryptographic/encryption keys generated by encrypting electronic environments or systems in which sensitive personal data are processed, stored and/or accessed, including keys used when such data are transferred to a cloud environment, shall be kept in secure environments that are separate from the encrypted data. The obligations to supervise the continuity of the security of such keys and to make the necessary arrangements, to verify whether the keys are secured in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

c) Log Records

6.1.4. Transaction records of all actions performed on sensitive personal data in the electronic environments or systems where such data are processed, stored and/or accessed shall be logged securely, so that the records cannot be altered or removed unnoticed. The obligations to monitor the continuity of such logging and to make the necessary arrangements, to check whether logging is carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.
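The clause above requires that access records be logged "securely" but does not say how. One way to make an access log tamper-evident, added here as an illustration rather than as any mechanism the Company describes, is to seal each entry with an HMAC whose key is held outside the log's own storage and to chain each entry to the MAC of the previous one. The field names, the sample events and the key string are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one access record. It carries identifiers and the action only,
// never the sensitive content itself: the log must not become a second,
// less protected copy of the data.
type Entry struct {
	Time     string // timestamp supplied by the caller (RFC 3339 in practice)
	User     string // account that performed the action
	Action   string // e.g. READ, UPDATE, EXPORT
	RecordID string // identifier of the affected record
	Prev     string // hex MAC of the previous entry ("" for the first)
	MAC      string // hex HMAC-SHA256 over this entry's fields and Prev
}

// AuditLog is an append-only chain of entries sealed with a key that is
// assumed to live in a separate key store, not beside the log file.
type AuditLog struct {
	key     []byte
	Entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// seal computes HMAC(key, length-prefixed fields). Including Prev chains
// each entry to its predecessor, so deleting or reordering entries breaks
// the chain just as editing a field does.
func (l *AuditLog) seal(e Entry) string {
	m := hmac.New(sha256.New, l.key)
	for _, f := range []string{e.Time, e.User, e.Action, e.RecordID, e.Prev} {
		fmt.Fprintf(m, "%d:%s;", len(f), f) // length prefix avoids delimiter ambiguity
	}
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an action and links it to the previous entry.
func (l *AuditLog) Append(ts, user, action, recordID string) {
	e := Entry{Time: ts, User: user, Action: action, RecordID: recordID}
	if n := len(l.Entries); n > 0 {
		e.Prev = l.Entries[n-1].MAC
	}
	e.MAC = l.seal(e)
	l.Entries = append(l.Entries, e)
}

// Verify recomputes every MAC and checks the chain, reporting the index of
// the first bad entry so an investigator knows where the damage starts.
func (l *AuditLog) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		if e.Prev != prev {
			return fmt.Errorf("entry %d: chain broken (expected prev %q)", i, prev)
		}
		if !hmac.Equal([]byte(l.seal(e)), []byte(e.MAC)) {
			return fmt.Errorf("entry %d: MAC mismatch", i)
		}
		prev = e.MAC
	}
	return nil
}

func main() {
	key := []byte("example-log-key-held-in-separate-vault") // stand-in for a vault-held key
	al := NewAuditLog(key)
	// Constructed sample events, not real activity.
	al.Append("2024-05-01T09:00:00Z", "nurse.a", "READ", "P-0001")
	al.Append("2024-05-01T09:05:00Z", "dr.b", "UPDATE", "P-0001")
	al.Append("2024-05-01T09:10:00Z", "admin.c", "EXPORT", "P-0002")
	fmt.Println("intact:", al.Verify())

	// An insider rewrites who performed the export; the MAC no longer matches.
	al.Entries[2].User = "nurse.a"
	fmt.Println("after edit:", al.Verify())
}
```

Verify detects edits, deletions and reordering inside the chain, but not truncation of the most recent entries: for that, the MAC of the latest entry must periodically be copied to a location the log writer cannot modify, and compared during review.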

d) Security Updates, Tests and Records of The Environments Where The Data Are Found

6.1.5. Security updates for the electronic environments or systems where sensitive personal data are processed, stored and/or accessed shall be monitored continuously and applied. The obligations to supervise this monitoring and to ensure coordination for making the necessary arrangements, to check whether updating is carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

6.1.6. The necessary security tests of the electronic environments or systems where sensitive personal data are processed, stored and/or accessed shall be performed, or caused to be performed, regularly. The obligations to ensure coordination for supervising these regular security tests and to make the necessary arrangements, to check whether they are carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

6.1.7. The results of all security tests performed on the electronic environments or systems where sensitive personal data are processed, stored and/or accessed shall be recorded. The obligations to supervise the recording of these results and to ensure coordination for making the necessary arrangements, to check whether the recording is carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

e) If The Data Is Accessed Through a Software

6.1.8. If sensitive personal data are accessed through a specific Software in the electronic environments or systems where such data are processed, stored and/or accessed, user authorizations shall be defined for that Software. The obligations to supervise these user authorization procedures and to ensure coordination for making the necessary arrangements, to check whether they are carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

6.1.9. If sensitive personal data are accessed through a specific Software in the electronic environments or systems where such data are processed, stored and/or accessed, security tests of that Software shall be performed, or caused to be performed, regularly. The obligations to supervise these regular security tests and to make the necessary arrangements, to check whether they are carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

6.1.10. If sensitive personal data are accessed through a specific Software in the electronic environments or systems where such data are processed, stored and/or accessed, the results of the security tests of that Software shall be recorded. The obligations to supervise the recording of these results and to ensure coordination for making the necessary arrangements, to check whether the recording is carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

f) If Data Is Accessed Remotely

6.1.11. If remote access to sensitive personal data is required in the electronic environments or systems where such data are processed, stored and/or accessed, an authentication system with at least two steps (two factors) shall be provided. The obligations to audit this authentication system and to make the necessary adjustments, to check whether it operates in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

6.2. Physical Environments

a) Security Measures to be Taken According to the Nature of the Environments Where Sensitive Personal Data are Found

Adequate security measures against situations such as electrical leakage, fire, flood and theft shall be taken according to the nature of each physical environment where sensitive personal data are processed, stored and/or accessed. The obligations to supervise that such measures are taken and to make the necessary arrangements, to check whether they are carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

b) Ensuring The Physical Security Of The Environments Where Sensitive Personal Data Are Found

Unauthorized entry to and exit from the physical environments where sensitive personal data are processed, stored and/or accessed shall be prevented by ensuring the physical security of those environments. The obligations to supervise the provision of such security and to make the necessary arrangements, to check whether the security measures are carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

7. MEASURES TO BE TAKEN AGAINST THE TRANSFER OF SENSITIVE PERSONAL DATA

7.1. Transfer via E-mail

7.1.1. If sensitive personal data must be transferred (shared) via e-mail, it must be transferred (shared) in encrypted form using a corporate e-mail address.

7.1.2. The obligation to ensure that sensitive personal data, when it is being transferred via e-mail, is encrypted and transferred (shared) using a corporate e-mail address, the obligation to check that such transfer is provided in accordance with this Policy and to make the necessary arrangements, the obligation to check whether the transfer is carried out in a lawful manner and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

7.2. Transfer via External Memory Storage Devices

7.2.1. If sensitive personal data needs to be transferred via media such as Portable Storage Devices (USB, etc.), External Disks, CDs, DVDs, etc., they must be encrypted using cryptographic methods.

7.2.2. If sensitive personal data must be transferred (shared) via media such as Portable Storage Devices (USB, etc.), External Disks, CDs, DVDs, etc., the obligation to ensure that sensitive personal data is encrypted using cryptographic methods, the obligation to check that such transfer is achieved in accordance with this Policy and to make the necessary arrangements, the obligation to check whether the transfer is carried out in a lawful manner and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

7.2.3. The cryptographic keys generated when sensitive personal data are encrypted for transfer via media such as Portable Storage Devices (USB, etc.), External Disks, CDs, DVDs, etc. shall be retained (stored) in an environment separate from the medium carrying the encrypted data, and shall never be delivered together with it.

7.2.4. The obligations to ensure that the cryptographic keys generated when sensitive personal data are encrypted for transfer via media such as Portable Storage Devices (USB, etc.), External Disks, CDs, DVDs, etc. are retained (stored) in separate environments, to check that such separate storage is ensured in accordance with this Policy and to make the necessary arrangements, to check whether the storage of keys is carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.
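Sections 6.1(a), 6.1(b) and 7.2 together require that sensitive data be encrypted with cryptographic methods and that the keys be kept in a separate environment from the encrypted data. The following is an added illustration of that separation, not a tool or code of the Company: the record is sealed with AES-256-GCM, the ciphertext is what goes onto the portable medium, and the key is what goes to the separate key store. Decryption with the wrong key, or of a ciphertext that has been modified, fails rather than yielding garbage. The sample record, the label and the hypothetical destinations named in the comments are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeySize is 32 bytes: AES-256.
const KeySize = 32

// GenerateKey returns a fresh random AES-256 key. Under the policy this key is
// written to a separate environment (a key vault, or a second medium delivered
// by a different route), never onto the same medium as the ciphertext.
func GenerateKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM. A fresh nonce is generated
// per call and prepended to the output; label is bound as additional
// authenticated data so a ciphertext cannot be silently re-labelled.
func EncryptRecord(key, plaintext []byte, label string) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice: output is nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// DecryptRecord reverses EncryptRecord. It returns an error, and no plaintext,
// if the key is wrong, the label differs, or any byte has been modified.
func DecryptRecord(key, sealed []byte, label string) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(label))
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient_id":"P-0001","diagnosis":"E11.9"}`)
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	sealed, err := EncryptRecord(key, record, "export-2024-01.json")
	if err != nil {
		panic(err)
	}
	fmt.Println("to portable medium: ", hex.EncodeToString(sealed))
	fmt.Println("to separate key store:", hex.EncodeToString(key))

	// If only the medium is lost or stolen, the holder has no key: decryption fails.
	otherKey, _ := GenerateKey()
	if _, err := DecryptRecord(otherKey, sealed, "export-2024-01.json"); err != nil {
		fmt.Println("decrypt with wrong key:", err)
	}
	// A single flipped byte is detected by the GCM tag.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := DecryptRecord(key, sealed, "export-2024-01.json"); err != nil {
		fmt.Println("decrypt of tampered data:", err)
	}
}
```

The same construction serves cloud transfer under 6.1(b): the ciphertext is what is uploaded, and the key stays with the Company, so that destroying the key when the cloud relationship ends renders every remaining copy unreadable.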

7.3. Transfer Between Servers

7.3.1. If sensitive personal data are transferred between servers in different physical environments, the transfer must be carried out over a VPN established between the servers or by using SFTP (file transfer over SSH).

7.3.2. If sensitive personal data are transferred between servers in different physical environments, the obligations to ensure that the transfer is carried out over a VPN established between the servers or by using SFTP, to check that such transfer is achieved in accordance with this Policy and to make the necessary arrangements, to check whether the transfer is carried out in accordance with the law, and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

7.4. Transfer via Hard Copy

7.4.1. If it is necessary to transfer sensitive personal data via hard copy, necessary measures must be taken against risks such as theft, loss or unauthorized viewing of the document and the document must be delivered in the format of “Confidential Documents”.

7.4.2. If it is necessary to transfer sensitive personal data via hard copy, the obligation to take necessary measures against risks such as theft, loss or unauthorized viewing of the document and to ensure that the document is delivered in the format of “Confidential Documents”, the obligation to check that such transfer is achieved in accordance with this Policy and to make the necessary arrangements, the obligation to check whether the transfer is carried out in a lawful manner and to determine the sanctions to be applied belong to the manager of the department to which the user is affiliated and the Personal Data Protection Committee.

8. VALIDITY

8.1. This Policy shall be effective as of the date of publication.

8.2. It is the obligation of the Personal Data Protection Committee to publish this Policy in a manner that reaches all Company Personnel and to announce any necessary updates to it in the same manner.