info@avrupagozgaziemir.com
+90 (232) 251 24 25 (PBX)

INFORMATION SECURITY AND PERSONAL DATA PROTECTION PROCEDURE

DOCUMENT CODE : BY.PR.004 PUBLICATION DATE : 04.03.2024 REVISION NO : 00 REVISION DATE : PAGE NO / NUMBER : 1 / 11

1. PURPOSE

Since the KVKK entered into force, we attach great importance to the protection of personal data belonging to all natural persons with whom we come into contact in any way while performing our commercial activities and to fulfill the requirements of the KVKK in this context.

The main purpose of this procedure is to make explanations about the personal data processing activity carried out by the company in accordance with the law and the systems adopted for the protection of personal data, and in this context, to ensure transparency by informing the persons whose personal data are processed by our company, especially our customers, potential customers, employees, employee candidates, company officials, visitors, employees and officials of the institutions we cooperate with and third parties whose personal data are processed.

2. SCOPE

This procedure relates to all personal data of our Employees, Employee Candidates, Company Officials, Customers, Potential Customers, Visitors, Employees of the Institutions we are in cooperation with and Third Parties whose personal data are processed automatically or non-automatically provided that they are part of any data recording system.

3. ABBREVIATIONS

KVKK: Personal Data Protection Law (Law No. 6698 on the Protection of Personal Data)

4. DEFINITIONS

Issues Regarding the Processing of Personal Data: According to Law No. 6698 on the Protection of Personal Data ("KVKK"), everyone has the right to request the protection of personal data about him/her. Regarding the protection of personal data, which is a constitutional right, Özel AG Avrupa Göz Hastalıkları Dal Merkezi ("Company") pays due attention to the protection of the personal data of its customers, potential customers, employees, employee candidates, company officials, visitors, the employees and officials of the institutions it cooperates with, and third parties, and makes this a Company procedure.

In the implementation of the Law and under this procedure, the following definitions apply:

  • Explicit Consent: Consent on a specific subject, based on information and expressed with free will,
  • Anonymization: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data,
  • Relevant User: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data,
  • Destruction: Deletion, destruction or anonymization of personal data,
  • Law: Law No. 6698 on the Protection of Personal Data,
  • Personal Data Owner/Related Person: Customers, or non-customers whose personal data are processed; potential customers, employees, employee candidates, shareholders, visitors, institutions and organizations with whom we have a business relationship within the framework of a contract (support service, independent audit, rating, consultancy, service, purchase, cooperation, solution partnership, etc.) and their employees, shareholders and officials and third real person,
  • Personal Data: Any information relating to an identified or identifiable natural person,
  • Processing of Personal Data: All kinds of operations performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,
  • Institution: Personal Data Protection Authority,
  • Customer: The relevant natural person who receives services from the Company and whose data is processed based on the contract signed with the Company,
  • Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller,
  • Data Recording System: The recording system where personal data is structured and processed according to certain criteria,
  • Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

5. RESPONSIBLE

This procedure enters into force after the approval of the Responsible Manager and all employees are responsible for its implementation.

6. FLOW OF ACTIVITY

6.1. ACCESS AND AUTHORIZATION CONTROL

Basic Principles in the Processing of Personal Data:

6.1.1. Processing in Compliance with Law and Good Faith:

Our Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data.

6.1.2. Being accurate and up-to-date when necessary:

Necessary measures are taken to ensure that the personal data processed by the Company are accurate and in accordance with the current situation and necessary opportunities are provided to the data owners by providing information to ensure that the data being processed reflect the actual situation.

6.1.3. Processing for Specific, Explicit and Legitimate Purposes:

Our Company clearly and precisely determines the legitimate and lawful purpose of personal data processing. Our Company processes personal data in connection with and to the extent necessary for the services it provides. The purpose for which personal data will be processed by our Company is determined before the personal data processing activity begins.

6.1.4. Being Relevant, Limited and Proportionate to the Purpose of Processing:

Data are processed by the Company in accordance with the KVKK and other relevant legislation, in a manner that is suitable for the realization of the purposes determined according to the data categories and that is relevant and proportionate to the realization of those purposes; the processing of personal data that is not needed is avoided.

6.1.5. Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed:

Personal data processed by the Company are retained only for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In this context, if there is a period stipulated in the relevant legislation for the storage of data, the Company complies with this period; if there is no such period, it retains the data only for the period required for the purpose for which they are processed. The Company does not store data based on the possibility of future use.

6.2. PHYSICAL AND ENVIRONMENTAL SAFETY MANAGEMENT
  • All personnel comply with the rules set out within the framework of physical security measures (entrance and exit doors, office rooms, product delivery areas, security of warehouses, use of personnel identification cards, etc.).
  • Responsibility for protection against viruses and attackers belongs to the IT Officer. The responsible person notifies senior management of the hardware and software required for protection from viruses and attackers and takes the necessary measures. These measures consist of the minimum requirements set by the Ministry of Health, including hardware and software components such as anti-virus software and a firewall. Keeping this software up to date is the responsibility of the Information Management System Officer. When an update is due, he/she performs the update after informing senior management.

6.2.1. Realization of Personal Data Processing Activities in Compliance with KVKK:

The KVKK regulates the conditions for the processing of personal data, and personal data are processed by the Company in accordance with the conditions mentioned below.

Except for the exceptions listed in the Law, the Company processes personal data only by obtaining the explicit consent of the data subjects. In the presence of the following cases listed in the Law, personal data can be processed even without the explicit consent of the data subject.

  • Explicitly stipulated in the law,
  • It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
  • It is necessary to process personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of the contract.
  • It is mandatory for the data controller to fulfill its legal obligation,
  • It has been made public by the data subject himself/herself,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Special sensitivity is shown by the Company in the processing of special categories of personal data, the protection of which is believed to be more critical for data subjects in various respects. In this context, such data are not processed without the explicit consent of the data subjects, provided that adequate measures determined by the Quality Unit are taken. However, special categories of personal data other than data related to health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law.

6.2.2. Data on health and sexual life may be processed without explicit consent, provided that adequate measures are taken and in the presence of the reasons listed below:
  • Protection of public health,
  • Preventive medicine,
  • Medical diagnosis,
  • Carrying out treatment and care services,
  • Planning and management of health services and financing.

6.3. COMMUNICATION SECURITY

This section explains the personal data processing activities carried out by the Company in accordance with the law and the systems adopted for the protection of personal data, and in this context ensures transparency by informing the persons whose personal data are processed by our Company, especially our customers, potential customers, employees, employee candidates, company officials, visitors, employees and officials of the institutions we cooperate with, and third parties whose personal data are processed.

  • The medical center has created a domain structure in accordance with the "Information Security Management System Policy", and all computers are joined to the domain. Computers not connected to the domain are removed from the local network, and no information is exchanged with such devices on the local network.
  • No files other than official documents, programs and educational documents may be exchanged between computers.
  • Internet access and e-mail connections are controlled by the firewall device in the medical center.
  • A corporate e-mail address is created for all authorized personnel who start working at the medical center.
  • E-mail addresses and passwords are communicated to the relevant personnel during training.
  • The user accepts that all statements made by e-mail from his/her account are his/her own. The user is responsible for any threatening, illegal, insulting, abusive, slanderous or immoral messages he/she sends that may constitute a crime.
  • The user may not keep materials or documents that may constitute a legal offense in his/her account, and may not engage in practices that are harmful to other account holders.
  • The user may not use another system's server or another user's account to send messages without that person's permission.
  • The user may not use his/her account for commercial or profit-making purposes. He/she may not send e-mails in bulk to a large number of users for advertising, promotion, announcements, etc. (SPAM).
  • Any legal responsibility arising from the publication rights of information contained in the user's account belongs to the user.

6.3.1. Enlightening and Informing the Personal Data Owner

In accordance with Article 10 of the KVK Law, our Company enlightens personal data owners during the acquisition of personal data. In this context, the Company informs about the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the rights of the personal data owner.

Article 20 of the Constitution stipulates that everyone has the right to be informed about personal data concerning him/her. In this direction, "requesting information" is listed among the rights of the personal data owner in Article 11 of the KVK Law. In this context, our Company provides the necessary information in case the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVK Law.

6.3.2. Purposes of Processing Personal Data

Your sensitive personal data and personal data, especially your health data, may be processed by the Company in a limited and measured manner in connection with the purposes set out below, including but not limited to the following:

  • Your name, surname, Turkish ID number, temporary Turkish ID number, passport number, place and date of birth, marital status, gender, insurance or patient protocol number and other identification data that identifies you.
  • Your address, telephone number, e-mail address
  • Your health and sexual life data obtained during the execution of medical diagnosis, treatment and care services such as, but not limited to, your test results, laboratory and imaging results, examination data, prescription information,
  • Your IBAN number, credit card information,
  • Your closed circuit camera system image and sound recording taken during your visit to our medical center,
  • Your voice call recordings in case you contact Patient Reception/Counseling,
  • Your data on private health insurance for the purpose of financing and planning health services

Our company processes personal data limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the Personal Data Protection Law No. 6698.

These purposes and conditions are:

  • It is clearly stipulated in the Laws that our Company is engaged in the relevant activity regarding the processing of your personal data,
  • The processing of your personal data by our Company is directly related and necessary for the establishment or performance of a contract,
  • Processing of your personal data is mandatory for our Company to fulfill its legal obligation,
  • Provided that your personal data has been made public by you; processing by our Company in a limited manner for the purpose of your publicization,
  • Processing of your personal data by our Company is mandatory for the establishment, use or protection of the rights of our Company or you or third parties,
  • It is mandatory to carry out personal data processing activities for the legitimate interests of our Company, provided that it does not harm your fundamental rights and freedoms,
  • The processing of personal data by our Company is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his/her consent due to actual impossibility or legal invalidity,
  • Processing of sensitive personal data other than the health and sexual life of the personal data subject is stipulated by law,
  • Processing of personal data of special nature related to the health and sexual life of the personal data owner by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

Under the above-mentioned conditions, and within the personal data processing conditions and purposes specified in Article 9, our Company may share personal data with the following parties, including but not limited to:

  • The Ministry of Health and its sub-units,
  • Your authorized representatives,
  • Private insurance companies,
  • Social Security Institution,
  • General Directorate of Security and other law enforcement agencies,
  • General Directorate of Population,
  • Pharmacists Association of Turkey,
  • Courts and any judicial authorities, centers and other third parties,
  • Lawyers
  • Laboratories, medical centers, ambulances, medical devices and healthcare providers that we cooperate with for medical diagnosis and treatment,
  • Our suppliers, limited to the purpose of providing the Services.

6.4.3. Transfer of Personal Data Abroad

Our Company may transfer personal data and sensitive personal data of the personal data owner to third parties abroad by taking necessary security measures in line with the lawful personal data processing purposes. Personal data are transferred by our Company to foreign countries declared to have adequate protection by the PDP Authority ("Foreign Country with Adequate Protection") or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the PDP Authority has permission ("Foreign Country Where the Data Controller Undertakes Adequate Protection"). In this respect, our Company acts in accordance with the regulations stipulated in Article 9 of the KVK Law.

6.4.4. Building and Facility Entrances, Personal Data Processing Activities Conducted Inside, and Website Visitors

  • Personal data processing activities carried out by the Company at the entrances of the building facility and within the facility are carried out in accordance with the Constitution, the PDP Law and other relevant legislation.
  • In order to ensure security, our Company carries out personal data processing activities for the monitoring of guest entrances and exits with security cameras in our Company's buildings and facilities.
  • Personal data processing activity is carried out by our Company through the use of security cameras and recording of guest entrances and exits.
  • The Company's security camera surveillance activity aims to ensure the security of the company and other persons and to protect their interests; in this context, our Company acts in accordance with the Constitution, the KVK Law and other relevant legislation.
  • Video recordings of our visitors are taken by means of a camera surveillance system at the entrances of our Company's buildings, facilities and inside the facility.
  • Within the scope of security camera surveillance activities, our Company aims to increase the quality of the service provided, to ensure its reliability, to ensure the security of the company, customers and other persons, and to protect the interests of customers regarding the service they receive.
  • Our Company acts in accordance with the regulations in the KVK Law in carrying out camera surveillance activities for security purposes. The camera surveillance activity carried out by our Company is carried out in accordance with the Law on Private Security Services and the relevant legislation.
  • Only a limited number of Company employees have access to the records recorded and stored in digital media. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.
  • In accordance with Article 12 of the KVK Law, necessary technical and administrative measures are taken by our Company to ensure the security of personal data obtained as a result of camera surveillance activities.

In addition to the above-mentioned camera recording, our Company carries out personal data processing activities to ensure security and to monitor guest entrances and exits in our Company's buildings and facilities for the purposes specified in this Policy.

  • When the names and surnames of persons who come to our Company's premises as guests are obtained, the personal data owners in question are informed within this scope through texts posted in the Company or otherwise made available to the guests. The data obtained for the purpose of tracking guest entry and exit are processed only for this purpose, or the relevant personal data are physically recorded in the data recording system.
  • For the purpose of ensuring security and for the purposes specified in this Procedure, our Company may provide internet access to Visitors who request it during their stay in our Buildings and Facilities. In this case, log records regarding internet access are kept in accordance with Law No. 5651 and the mandatory provisions of the legislation issued under this Law; these records are processed only upon request by authorized public institutions and organizations, or in order to fulfill our legal obligations in audit processes carried out within the Company.
  • Only a limited number of Company employees have access to the log records obtained within this framework. Company employees who have access to these records access them only for use in requests or audit processes from authorized public institutions and organizations, and share them only with legally authorized persons. The limited number of people who have access to the records declare with a confidentiality undertaking that they will protect the confidentiality of the data they access.
  • Visitors to the Website are informed through the Cookie Policy.

6.4.5. Personal Data Categories
  • Identity (name, surname, mother's and father's name, mother's maiden name, date of birth, place of birth, marital status, identity card serial number, TR ID number, etc.)
  • Contact (such as address number, e-mail address, contact address, registered electronic mail address (REM), telephone number)
  • Location (information on the person's location)
  • Personnel (payroll information, disciplinary investigation, employment records, property declaration information, CV information, performance evaluation reports, etc.)
  • Legal Action (such as information in correspondence with judicial authorities, information in the case file)
  • Customer Transaction (such as call center records, invoice, promissory note, check information, information in box office receipts, order information, request information)
  • Physical Space Security (such as employee and visitor entry and exit records, camera records)
  • Transaction Security (such as IP address information, website login and logout information, password information)
  • Risk Management (such as information processed to manage commercial, technical, administrative risks)
  • Finance (such as balance sheet information, financial performance information, credit and risk information, asset information)
  • Professional Experience (such as diploma information, courses attended, vocational training information, certificates, transcript information)
  • Marketing (shopping history information, surveys, cookie records, information obtained through campaigns)
  • Audiovisual Recordings (such as audiovisual recordings)
  • Race and Ethnicity (such as race and ethnicity information)
  • Political Opinion Information (information indicating political opinion, such as political party membership information)
  • Philosophical Beliefs, Religion, Sect and Other Beliefs (such as information on religious affiliation, information on philosophical beliefs, information on sectarian affiliation, information on other beliefs)
  • Dress and Attire (information on dress and attire)
  • Association Membership (such as association membership information)
  • Foundation Membership (such as foundation membership information)
  • Union Membership (such as union membership information)
  • Health Information (such as information on disability status, blood type information, personal health information, device and prosthesis information)
  • Sexual Life (such as information on sexual life)
  • Criminal Conviction and Security Measures (such as information on criminal conviction, information on security measures)
  • Biometric Data (such as palm data, fingerprint data, retinal scan data, facial recognition data)
  • Genetic Data (such as genetic data)
  • Other Information (such as data types to be determined by the user)

6.4.6. Data Subject Person Groups
  • Employee Candidate
  • Employee
  • Subject
  • Subject of the news
  • Shareholder/Partner
  • Potential Product or Service Buyer
  • Examination candidate
  • Intern
  • Supplier Employee
  • Supplier Officer
  • Product or Service Recipient
  • Parent / Guardian / Representative
  • Visitor
  • Other

6.4.7. Technical and Administrative Measures Taken Regarding the Processing and Protection of Personal Data

The Company takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data. The measures stipulated in Article 12 of the KVKK are as follows:

  • To prevent the unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • To ensure the protection of personal data.

As the Data Controller, the Company has initiated the necessary process for the implementation of the following Technical and Administrative Measures to improve the KVKK Compliance process.

  • Authority Matrix
  • Authority Control
  • Access Logs
  • User Account Management
  • Network Security Application
  • Security
  • Encryption
  • Penetration Testing
  • Log Records
  • Data Masking
  • Data Loss Prevention Software
  • Backup
  • Firewalls
  • Current Anti-Virus Systems
  • Delete, Destroy or Anonymize
  • Key Management
  • Preparation of Personal Data Processing Inventory
  • Corporate Policies (Access, Information Security, Use, Storage and Destruction, etc.)
  • Contracts (between Data Controller and Data Controller, Data Controller and Data Processor)
  • Confidentiality Undertakings
  • Internal Periodic and/or Random Audits
  • Risk Analysis
  • Labor Contract, Disciplinary Regulation (Addition of Provisions in Compliance with the Law)
  • Corporate Communication (Crisis Management, Committee and Relevant Person Information Processes, Reputation Management, etc.)
  • Training and Awareness Activities (Information Security and Law)
  • Notification to the Data Controllers Registry Information System (VERBIS)

6.4.8. Rights of the Personal Data Owner listed in Article 11 of the KVK Law

As personal data owners, if you submit your requests regarding your rights to our Company by the methods set out below in this Personal Data Protection Law Clarification Text, our Company will finalize the request free of charge within 30 (thirty) days at the latest, depending on the nature of the request. However, if a fee is stipulated by the Personal Data Protection Board, the fee in the tariff determined by our Company will be charged.

In this context, personal data owners have the right to:

  • Learn whether their personal data are being processed,
  • Request information if their personal data have been processed,
  • Learn the purpose of processing their personal data and whether they are used in accordance with that purpose,
  • Know the third parties to whom their personal data are transferred domestically or abroad,
  • Request the correction of personal data that have been processed incompletely or incorrectly, and request that the transaction made within this scope be notified to the third parties to whom the personal data have been transferred,
  • Request the deletion or destruction of personal data, even if processed in accordance with the provisions of the KVK Law and other relevant laws, when the reasons requiring their processing cease to exist, and request that the transaction made within this scope be notified to the third parties to whom the personal data have been transferred,
  • Object to the emergence of a result to their detriment from the analysis of the processed data exclusively through automated systems,
  • Demand compensation for damage in case of damage due to the unlawful processing of their personal data.

As a data subject, you are required to submit your requests in writing to our Company. In this context, in order to manage the applications you make to our Company within the scope of Article 11 of the KVK Law in an efficient and fast manner, we recommend that you use the "Relevant Person Information Request Application Form" document under the heading Protection of Personal Data on the website of Çevre Sağlık Tesisleri Ltd. Şti., providing the documents/information that may be required according to your request and the documents necessary to identify you, either in person or by registered letter with return receipt. In addition, you can also submit your request to us via .............................com.tr as an online user (with the e-mail address previously notified to our Company and registered in our Company's system).

6.5. INFORMATION SECURITY BREACH INCIDENT MANAGEMENT

Detection

Company personnel report incidents in suspicious situations such as files that are unexpectedly lost or appear, problems in the operation of the antivirus agent, programs or pop-up windows that run unexpectedly, the presence of unauthorized personnel in critical information processing facilities, exposure of confidential files to external access, failure to act in accordance with written procedures, etc.

Evaluation and Reporting

When information security breach events are reported to the quality unit with the "Unwanted Event Notification Form", the quality unit evaluates the breach event and informs the senior management with a report if it decides that there is a violation.

The report includes at least the following headings:

  • Evidence collected.
  • Type of evidence.
  • Evidence storage.
  • Date and time of evidence.
  • Corrective action form, if corrective action has been initiated for the incident.
  • Date and time of detection of the breach event.

Considerations for information security incident reporting are as follows:

  • Physical security arrangements and access information in environments.
  • Ineffective security check.
  • Breach of confidentiality, integrity and accessibility of information.
  • Human failures.
  • Uncontrolled software or hardware system changes.
  • Malfunctions.
  • Access control.
  • Non-compliance with policies and procedures.
  • Vulnerabilities detected by system security software.

Records opened for the aforementioned topics are evaluated at quality management evaluation meetings. Violation incidents are measured within the scope of risk assessment.

The evaluation mechanism is as follows:

  • In assessing breach incidents, the number of incidents and the incident impact are taken into account.
  • Data from breach incidents are used as metrics in risk assessments.
  • The impact value is discussed at information security meetings and reflected in the risk probability values according to the number of incident records and their impact.
  • If there is a 7% to 10% increase in the number of incident records at the end of the year, users are provided with additional awareness training.
  • If there is an increase of 11% to 30% in the number of incident records at the end of the year, an additional meeting is organized to review the procedures.
  • In case of an increase of 31% or more in the number of incident records at the end of the year, decisions on awareness training, procedure updates, investment and structural changes are taken.

Intervention
  • A vulnerability is not closed where doing so could destroy or corrupt evidence.
  • For all incidents detected through controls or reported, and for all incidents for which evidence is collected, the vulnerability that caused the incident is corrected before any other action is taken.
  • When deemed necessary for intervention, the Information Security Continuity Procedure is applied.

Taking Precautions and Gaining Experience

Necessary measures are taken to prevent the recurrence of information security breach incidents that are detected and evidence is collected. All information security breach incidents are reviewed to gain experience and the information learned is recorded. Gaining experience aims to prevent any breach incident from recurring or to find a solution to the problem in a shorter time when it occurs again.

Any of the following actions can be taken to respond to a security breach event:
  • The records created are examined and the necessary information for solutions is recorded.
  • Written procedures are established for incidents caused by incorrect practices.
  • For incidents arising from procedures, procedures are reviewed and corrected.
  • It is checked whether there is a risk record of the information security incident, if there is, the risk is re-evaluated, if not, a risk record is created for evaluation.
  • For access-related problems, accesses are checked again and other similar access authorizations are also checked.
  • In incidents caused by software and applications, updates are checked, and the incident is closed with methods such as vulnerability closure, update, patch development.
  • Measures taken for problems arising from physical equipment are also applied to other similar equipment.
  • For incidents caused by malicious code, the source of the problem is identified and the adequacy of the security software is examined. The measures identified are applied to all systems.

Recording and Evidence Collection
  • During the record and evidence gathering phase, it is first checked that the integrity of the records that can identify the incident and the person responsible is intact.
  • Only records whose integrity has been preserved are used for evidence.
  • Evidence collected for information security breach incidents is kept for 3 years.
  • In cases related to the detection of information security breach incidents, the following are kept where available: camera records, access records, control records, records kept by system security software, cost records required to solve problems, and any records that may be needed for the evaluation of information security breach incidents and that will determine the frequency, damage and cost limits of future incidents.

Improvement
  • Awareness training should be provided to employees on information security and protection of personal data.
  • Passwords used in the information management system must comply with the Ministry's password policies.
  • A confidentiality agreement must be signed by information management system managers and users.
  • Risk assessments should be made on issues such as physical hazards to the information management system, problems with software and hardware, information security, information privacy, protection of personal data, user errors.
  • In case of information security breaches, improvements are made by evaluating the situation analysis with corrective actions, and senior management and employees are informed after the improvement.