ÖZEL DEMİDERM POLİKLİNİĞİ

PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. INTRODUCTION

DEMİDERM MAKİNA-MEDİKAL VE GÜZELLİK MERKEZİ SAN. TİC. İTH. İHR. LTD. ŞTİ. (“ÖZEL DEMİDERM POLİKLİNİĞİ”), attaches utmost importance to protecting individuals’ fundamental rights and freedoms in the protection and processing of personal data, primarily taking as its basis the privacy of private life regulated under Article 20 of the Constitution. Within this framework, ÖZEL DEMİDERM POLİKLİNİĞİ takes due care to protect and process personal data lawfully pursuant to the Personal Data Protection Law No. 6698 (“KVKK”) and the European Union General Data Protection Regulation (“GDPR”), and acts with this understanding in all its planning and activities.

Ensuring the security of individuals’ Personal Data is among ÖZEL DEMİDERM POLİKLİNİĞİ’s primary objectives. For this reason, in order to ensure that individuals’ Personal Data are processed securely and to prevent any unlawful access or leakage that may occur with respect to such data, the necessary security measures compatible with the applicable legislation are taken by ÖZEL DEMİDERM POLİKLİNİĞİ.

1.1 PURPOSE OF THE POLICY

The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to inform Personal Data Subjects about ÖZEL DEMİDERM POLİKLİNİĞİ’s obligations and the procedures and principles it will comply with in the protection and processing of personal data processed wholly or partially by automatic means or, provided that it forms part of any data recording system, by non-automatic means, in accordance with the purpose of the KVKK and GDPR. In line with the purpose of the Policy, it is aimed to ensure full compliance with the legislation in personal data protection and processing activities carried out by ÖZEL DEMİDERM POLİKLİNİĞİ and to protect Personal Data Subjects’ right to privacy and data security.

1.2 SCOPE OF THE POLICY

This Policy has been prepared for Customers (Patients/Clients), Employees, Employee Candidates and Visitors, provided that they are natural persons, and will be applicable within the scope of these persons. ÖZEL DEMİDERM POLİKLİNİĞİ’s purpose in publishing this Policy on its website is to inform Data Subjects about personal data protection and processing activities and data security. This Policy shall not apply to legal entities, regardless of their capacity.

This Policy shall apply for the above-mentioned Data Subjects in cases where their personal data are processed by ÖZEL DEMİDERM POLİKLİNİĞİ wholly or partially by automatic means or, provided that it forms part of any data recording system, by non-automatic means. If the data does not fall within the scope of “Personal Data” as stated below, or if the personal data processing activity carried out by ÖZEL DEMİDERM POLİKLİNİĞİ is not performed by the above-mentioned means, this Policy shall not apply.

1.3 DEFINITIONS

The concepts used in the implementation of this Policy shall have the meanings set out below:

Explicit Consent	Consent that is related to a specific matter, based on being informed, and declared with free will.
Obligation to Inform	The obligation of the data controller to inform the persons whose personal data it processes about by whom, for which purposes and on which legal grounds their data may be processed, and to whom and for which purposes it may be transferred.
Relevant User	Persons who process personal data within the organization of the data controller or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Disposal	Refers to the deletion, destruction or anonymization of personal data.
Processing of Personal Data	Any operation performed on data such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing its use, by wholly or partially automatic means or, provided that it forms part of any data recording system, by non-automatic means.
KVK Board	The Personal Data Protection Board.
Personal Data Subject	Refers to Patients, Clients, Employees, Employee Candidates and Visitors whose Personal Data (including special categories of personal data) are processed.
Personal Data	Any information relating to an identified or identifiable natural person.
Institution / Audit Mechanism	The Personal Data Protection Authority consisting of the Board and the Presidency.
Processing Data by Automated Means	A processing activity carried out by devices with processors such as computers, phones, watches, etc., which occurs automatically without human intervention within the scope of pre-prepared algorithms through software or hardware features.
Special Categories of Personal Data	Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are special categories of data.
Registry	The Data Controllers’ Registry.
ÖZEL DEMİDERM POLİKLİNİĞİ	DEMİDERM MAKİNA-MEDİKAL VE GÜZELLİK MERKEZİ SAN. TİC. İTH. İHR. LTD. ŞTİ.
Data Processor	A natural or legal person who processes Personal Data on behalf of the data controller based on the authority granted by the data controller.
Data Recording System	Refers to the recording system in which Personal Data are processed by being structured according to certain criteria.
Data Category	A personal data class belonging to a group or groups of data subjects or data subject groups, grouped according to common characteristics of personal data.
Data Subject Group	The related group of persons whose personal data are processed by the data controller.
Data Controller	The natural or legal person who determines the purposes and means of the processing of Personal Data and is responsible for the establishment and management of the data recording system.

1.4 EFFECTIVE DATE OF THE POLICY

The principles of the Policy, which was prepared by ÖZEL DEMİDERM POLİKLİNİĞİ and entered into force on 01.12.2023, are published on ÖZEL DEMİDERM POLİKLİNİĞİ’s corporate websites and made available for Data Subjects’ access.

2. PROTECTION OF PERSONAL DATA

2.1 SECURITY OF PERSONAL DATA

ÖZEL DEMİDERM POLİKLİNİĞİ takes all necessary administrative and technical measures to ensure an adequate level of security in order to store personal data securely, and to prevent the unlawful processing of and access to personal data, in accordance with the KVKK and GDPR. The administrative and technical measures taken regarding the security of personal data are regulated in detail in the Personal Data Retention and Disposal Policy of Özel Demiderm Polikliniği.

2.2 AUDIT

ÖZEL DEMİDERM POLİKLİNİĞİ conducts and has conducted the necessary audits in order to ensure the establishment of the data security explained above and the regularity and continuity of the measures taken. The audit of the technical measures taken by ÖZEL DEMİDERM POLİKLİNİĞİ is carried out by authorized persons in six-month periodic periods, and the administrative measures are audited by persons authorized by ÖZEL DEMİDERM POLİKLİNİĞİ.

2.3 CONFIDENTIALITY

ÖZEL DEMİDERM POLİKLİNİĞİ takes all necessary administrative and technical measures to ensure that the Data Processor does not disclose the personal data learned within the scope of its duty to others in violation of the KVKK, GDPR and Policy provisions, and does not use them outside the purpose of processing. In this context, information and training activities regarding KVKK, GDPR and the Policy are carried out for clinic employees, and confidentiality agreements are signed as part of the recruitment processes of relevant employees. In addition, the policies are notified to Suppliers and Data Processors providing external services and Confidentiality Undertakings are obtained.

2.4 UNAUTHORIZED DISCLOSURE OF PERSONAL DATA

In the event that personal data processed by ÖZEL DEMİDERM POLİKLİNİĞİ are obtained by others through unlawful means, ÖZEL DEMİDERM POLİKLİNİĞİ carries out the necessary procedures to notify the Data Subject and the KVK Board within the time periods determined by the KVK Board. If deemed necessary by the KVK Board, this situation is announced on the website of the KVK Board or by another method deemed appropriate by the KVK Board.

2.5 OBSERVATION OF THE LEGAL RIGHTS OF THE RELEVANT PERSONS

ÖZEL DEMİDERM POLİKLİNİĞİ observes all legal rights of the relevant persons regarding the implementation of the Policy and the Law and takes all necessary measures to protect these rights.

2.6 PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Data relating to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are special categories of personal data. ÖZEL DEMİDERM POLİKLİNİĞİ is aware that Special Categories of Personal Data are data that may cause the Data Subject to suffer or be subjected to discrimination if learned by others, and therefore takes with due diligence the adequate measures determined by the Board for the protection of such data processed lawfully. Within this framework, it has a separate policy (Special Categories of Personal Data Security Policy) that is systematic, with clearly defined rules, manageable and sustainable.

3. PROCESSING AND TRANSFER OF PERSONAL DATA

3.1 GENERAL PRINCIPLES IN THE PROCESSING AND TRANSFER OF PERSONAL DATA

Personal Data are processed by ÖZEL DEMİDERM POLİKLİNİĞİ in accordance with the KVKK, GDPR and the procedures and principles set forth in this Policy. ÖZEL DEMİDERM POLİKLİNİĞİ complies with the following principles while processing personal data.

a) Compliance with Law, Principles of Honesty and the Principle of Transparency

ÖZEL DEMİDERM POLİKLİNİĞİ processes personal data in accordance with the relevant legislation and the requirements of the rule of honesty and uses them within these limits. Pursuant to the principle of acting in accordance with the rule of honesty, ÖZEL DEMİDERM POLİKLİNİĞİ takes into account the interests and reasonable expectations of the relevant persons while trying to achieve its goals in data processing. It acts in a way that prevents the emergence of results that the Data Subject does not expect and is not required to expect. Pursuant to the principle, it also ensures that the data processing activity in question is transparent for the data subject; it acts in accordance with the obligations to inform and warn.

b) Being Accurate and Up to Date When Necessary

ÖZEL DEMİDERM POLİKLİNİĞİ ensures that personal data it processes are accurate and up to date, taking into account the fundamental rights and legitimate interests of Data Subjects. In this context, it carefully considers issues such as the source from which the data are obtained being identifiable, verification of accuracy, and evaluation of whether updates are required. ÖZEL DEMİDERM POLİKLİNİĞİ always keeps open the channels that will ensure that the personal data subject’s information is accurate and up to date. Keeping personal data accurate and up to date protects the interests of ÖZEL DEMİDERM POLİKLİNİĞİ as well as being necessary for the protection of the fundamental rights and freedoms of the Data Subject.

c) Processing for Specific, Explicit and Legitimate Purposes

ÖZEL DEMİDERM POLİKLİNİĞİ determines the purpose of data processing clearly and precisely and ensures that such purpose is lawful. The lawfulness of the purpose means that the personal data processed by ÖZEL DEMİDERM POLİKLİNİĞİ are related to and necessary for the healthcare service in which it operates. ÖZEL DEMİDERM POLİKLİNİĞİ does not process data for purposes other than those it has stated. In this respect, it shows due diligence in complying with the principles of specificity and clarity in legal transactions and texts where personal data processing purposes are explained.

d) Being Related to the Purpose for Which They Are Processed, Limited, Proportionate and Necessary

ÖZEL DEMİDERM POLİKLİNİĞİ pays attention to personal data processed being suitable for the realization of the determined purposes and refrains from processing data that are not related to or not needed for the realization of the purpose. ÖZEL DEMİDERM POLİKLİNİĞİ does not collect or process personal data for purposes that do not currently exist and are only expected to occur later. In addition, it limits the processed data only to what is necessary for the realization of the purpose. Within the scope of the proportionality principle, it establishes a reasonable balance between the data processing and the purpose intended to be achieved.

e) Being Retained for the Period Prescribed in the Relevant Legislation or Necessary for the Purpose for Which They Are Processed

ÖZEL DEMİDERM POLİKLİNİĞİ complies with retention periods prescribed in the relevant legislation; otherwise, it retains personal data only for the period necessary for the purpose for which they are processed. If there is no valid reason for retaining a personal data for a longer period, such data are deleted, destroyed or anonymized. Procedures regarding the retention and disposal of personal data are regulated in detail in Özel Demiderm Polikliniği’s Personal Data Retention and Disposal Policy.

f) Compliance with the Principles of Integrity and Confidentiality

Personal data are processed by ÖZEL DEMİDERM POLİKLİNİĞİ by taking the necessary technical and administrative measures against loss, destruction and damage, or in order to ensure an appropriate level of security regarding the protection of personal data.

g) Compliance with the Principle of Accountability

ÖZEL DEMİDERM POLİKLİNİĞİ has fulfilled its obligation to comply with the rules of personal data protection in its processing activities, and in the event of any complaint or ex officio review, it will be able to submit documents proving to supervisory authorities that these measures have been taken.

3.2 CONDITIONS FOR PROCESSING PERSONAL DATA

ÖZEL DEMİDERM POLİKLİNİĞİ does not process personal data without the explicit consent of the Data Subject. Personal data may be processed without seeking the explicit consent of the Data Subject only if one of the following conditions exists:

a) Explicitly Prescribed by Laws

ÖZEL DEMİDERM POLİKLİNİĞİ may process personal data without seeking the explicit consent of the Data Subject in cases explicitly prescribed by laws.

b) Being Mandatory for the Protection of the Life or Physical Integrity of the Person or Another Person, Where the Person Is Unable to Express Consent Due to Actual Impossibility or Where the Person’s Consent Is Not Legally Valid

ÖZEL DEMİDERM POLİKLİNİĞİ may process personal data without seeking explicit consent for the protection of the life or physical integrity of persons in cases where consent cannot be expressed or is not valid.

c) Being Necessary for the Establishment or Performance of a Contract, Provided That It Is Directly Related to the Establishment or Performance of a Contract

If it is mandatory to process the personal data of the parties to a contract in order to establish or perform a contract, ÖZEL DEMİDERM POLİKLİNİĞİ may process the personal data of the Data Subject without seeking explicit consent, limited to this purpose, as required by the ordinary course of life.

d) Being Mandatory for Özel Demiderm Polikliniği to Fulfill Its Legal Obligation

ÖZEL DEMİDERM POLİKLİNİĞİ may process the personal data of the Data Subject without seeking explicit consent in cases where it is mandatory to fulfill its legal obligations as the Data Controller.

e) Being Made Public by the Relevant Person

ÖZEL DEMİDERM POLİKLİNİĞİ may process personal data that have been made public by the Data Subject, in other words disclosed to the public in any way, limited to the purpose of making public, since it is accepted that the legal interest that needs to be protected in the processing of such data, which have become known to everyone, is eliminated.

f) Being Mandatory for the Establishment, Exercise or Protection of a Right

ÖZEL DEMİDERM POLİKLİNİĞİ may process the personal data of the Data Subject without seeking explicit consent in cases where processing is mandatory for the establishment, exercise or protection of a legitimate right.

g) Being Mandatory for the Legitimate Interests of Our Clinic, Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Relevant Persons

ÖZEL DEMİDERM POLİKLİNİĞİ may process the personal data of the Data Subject for the purpose of ensuring its legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Data Subject protected under the KVKK, GDPR and the Policy. ÖZEL DEMİDERM POLİKLİNİĞİ shows due diligence in complying with the basic principles regarding the protection of personal data and in observing the balance of interests between ÖZEL DEMİDERM POLİKLİNİĞİ and personal data subjects. Legitimate interest means an interest that is lawful, effective at a level that can compete with the fundamental right and freedom of the Data Subject, specific and currently existing. ÖZEL DEMİDERM POLİKLİNİĞİ takes additional protective measures to prevent harm to the rights of the Data Subject. A reasonable balance is maintained between the interest of our Clinic and the fundamental rights and freedoms of the relevant person.

3.3 CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

ÖZEL DEMİDERM POLİKLİNİĞİ does not process special categories of personal data without the explicit consent of the Data Subject. Special categories of personal data may be processed without seeking the explicit consent of the relevant person only if one of the following conditions exists:

· Explicitly Prescribed by Laws

Special categories of personal data other than the health and sexual life of the Data Subject may be processed without seeking the explicit consent of the Data Subject in cases explicitly prescribed by laws.

· For the Purposes of Protecting Public Health, Preventive Medicine, Medical Diagnosis, Treatment and Care Services, and Planning and Management of Health Services and Their Financing

Special categories of personal data relating to the health and sexual life of the Data Subject may be processed by persons under an obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, carrying out medical diagnosis, treatment and care services, and planning and management of health services and their financing.

3.4 CONDITIONS FOR TRANSFER OF PERSONAL DATA

ÖZEL DEMİDERM POLİKLİNİĞİ may transfer personal data to third parties in a limited manner, by taking necessary security measures, based on one or more of the personal data processing conditions specified below, pursuant to Articles 8 and 9 of the KVKK and Articles 45 and 49 of the GDPR:

The explicit consent of the Data Subject exists,
There is an explicit regulation in the laws regarding the transfer of personal data,
The transfer of personal data is mandatory for the protection of the life or physical integrity of the Data Subject or another person, and the relevant person is unable to express consent due to actual impossibility or the person’s consent is not legally valid,
The transfer is necessary, provided that it is directly related to the establishment or performance of a contract, of the personal data of the parties to the contract,
The transfer of personal data is mandatory for ÖZEL DEMİDERM POLİKLİNİĞİ to fulfill its legal obligation,
Personal data have been made public by the Data Subject,
The transfer of personal data is mandatory for the establishment, exercise or protection of a right,
The transfer of personal data is mandatory for the legitimate interests of ÖZEL DEMİDERM POLİKLİNİĞİ, provided that it does not harm the fundamental rights and freedoms of the Data Subject.

Special categories of personal data may be transferred, provided that adequate measures are taken, in a limited manner based on one of the following conditions:

The explicit consent of the relevant person exists,
If special categories of personal data other than the health and sexual life of the relevant person are in question, there is an explicit regulation in the laws regarding the transfer of such data.
If special categories of personal data relating to the health and sexual life of the relevant person are in question, such data may be transferred by persons under an obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, carrying out medical diagnosis, treatment and care services, and planning and management of health services and their financing.

4. PERSONAL DATA CATEGORIES AND DATA SUBJECT GROUPS

4.1 Personal Data Categories

Personal data are processed by ÖZEL DEMİDERM POLİKLİNİĞİ by being categorized as follows:

Identity	Name-Surname, T.R. Identity Number and/or Passport Number and/or Temporary T.R. Identity Number, place and date of birth, marital status, gender, profession, signature and other identity data that can identify natural persons
Contact	Address (residence, workplace), phone number (declared home/work landline and/or mobile phone numbers), e-mail address, social media accounts, IP address and other contact data
Personnel	CV, title information; employment entry-exit document records; social security/retirement information, payroll information and other personnel data
Physical Premises Security	Security camera recordings and other physical premises security data
Finance	Personal data processed regarding information, documents and records showing the outcome of any financial relationship established by ÖZEL DEMİDERM POLİKLİNİĞİ with personal data subjects, as well as bank account information, credit card information and other financial information
Visual and Audio Records	Photograph, camera and audio recording data of personal data subjects obtained outside the scope of physical premises security
Communication Records	Communication data obtainable through ÖZEL DEMİDERM POLİKLİNİĞİ’s communication and information systems: Corporate telephone call records, corporate mail and e-mail records and contents, etc.
Customer Transaction	Satisfaction information regarding our clinic’s patients, invoice, receipt information, etc.
SPECIAL CATEGORIES OF PERSONAL DATA
Health Information	Blood group, allergies, chronic diseases, data related to previous procedures/operations, continuously used medications, analysis and imaging results, prescription information, body analysis and measurement information, medical history, skin analysis information, hormonal tests, venereal disease information, anesthesia information, information related to Covid-19 disease, medical treatments and other health data
Biometric Data	Image, voice, video data

4.2 Data Subject Groups

Only natural persons can benefit from the protection of this Policy and the Law. Within this scope, personal data subjects are grouped as follows:

Employee Candidate	Natural persons who have applied for a job to our Clinic in any way or have made their CV and relevant information available for our Clinic’s review.
Customer	Patients or clients who come to our Clinic.
Employee	Individuals working at ÖZEL DEMİDERM POLİKLİNİĞİ.
Visitor	All natural persons who have entered our Clinic’s physical premises for various purposes or who visit our websites for any purpose.

5. METHOD OF COLLECTION OF PERSONAL DATA AND LEGAL BASIS

5.1 METHOD OF COLLECTION OF PERSONAL DATA

Your Personal Data are processed by natural or legal persons authorized by ÖZEL DEMİDERM POLİKLİNİĞİ in the capacity of “DATA PROCESSOR/PROCESSING ENTITY”; by being recorded in physical and electronic media through verbal, written, camera and photo recording, and where required by the KVKK and GDPR, by obtaining your explicit consent.

Job application forms,
Personnel information forms,
Various documents submitted to ÖZEL DEMİDERM POLİKLİNİĞİ,
Mail and e-mails sent to ÖZEL DEMİDERM POLİKLİNİĞİ,
Corporate phones,
Photograph/Video recordings,
Websites,
Patient Information Forms,
Test Results,
Health Information Forms, Service providers whose servers are located abroad (whatsapp/instagram/facebook/messanger/linkedin/youtube/zoomus/Google/Hotmail/yahoo etc.).

5.2 LEGAL BASIS FOR THE COLLECTION OF PERSONAL DATA

ÖZEL DEMİDERM POLİKLİNİĞİ collects personal data based on one of the legal grounds specified below pursuant to Articles 5 and 6 of the Law and Articles 6 and 9 of the GDPR:

The explicit consent of the relevant person,
Explicitly prescribed by laws;
The personal data have been made public by the relevant person,
Being directly related to the establishment or performance of a contract, provided that it is necessary to process the personal data of the parties to the contract,
If special categories of personal data relating to the health and sexual life of the Data Subject are in question, such data are for the purposes of protecting public health, preventive medicine, carrying out medical diagnosis, treatment, operation and care services, and planning and management of health services and their financing,
Being mandatory for ÖZEL DEMİDERM POLİKLİNİĞİ to fulfill its legal obligation,
Being mandatory for the establishment, exercise or protection of a right,
Being mandatory for the legitimate interests of ÖZEL DEMİDERM POLİKLİNİĞİ, provided that it does not harm the fundamental rights and freedoms of the relevant persons.

6. PURPOSES OF PROCESSING PERSONAL DATA

6.1 Matching of Data Subject Groups with the Purposes of Processing Regarding Personal Data Categories

The matching of the purposes of processing of the personal data categories of the data subject groups whose definitions and scopes are given above is presented below:

Employee Candidate

Data Categories: Identity, Contact, Personnel, Professional Experience, Physical Premises Security

Purposes of Processing: Conducting Emergency Management Processes, Conducting Information Security Processes, Conducting Employee Candidate Selection and Placement Processes, Conducting Employee Candidates’ Application Processes, Ensuring Physical Premises Security, Conducting Communication Activities

Patient/Client

Data Categories: Identity, Contact, Financial, Customer Transaction, Physical Premises Security, Health Data, Biometric Data

Purposes of Processing: to be able to create a patient file, to be able to carry out examination, preventive medicine, medical diagnosis, treatment, operation and care services, to be able to perform health checks after medical diagnosis, treatment and operation processes, to be able to contact patients directly, to manage appointment processes, to carry out patient satisfaction and request management, to fulfill legal and contractual obligations, to be able to retain information regarding your health data that must be retained pursuant to the relevant legislation within the specified periods, to ensure clinic security, to be able to obtain consultation from another relevant specialist physician when necessary so that treatments can be performed correctly, to fulfill legal obligations in accordance with the legislation within the scope of health tourism, to be able to plan transfer and accommodation services of patients/clients coming within the framework of health tourism, to be able to announce innovations regarding medical treatments and practices, to be able to medically inform third parties about the medical procedures performed, to carry out promotional and marketing activities regarding medical practices carried out within the scope of International Health Tourism Incentive legislation, to plan and manage health services and their financing, to fulfill responsibilities arising from the legal relationship established between doctor and patient, to fulfill financial and administrative obligations, to ensure technical and commercial security and to fulfill public obligations.

Employee

Data Categories: Identity, Contact, Personnel, Finance, Health, Visual and Audio Information, Physical Premises Security,

Purposes of Processing: Conducting Emergency Management Processes, Conducting Information Security Processes, Fulfilling Employees’ Employment Contract and Obligations Arising from Legislation, Conducting Employees’ Fringe Benefits and Interests Processes, Conducting Occupational Health/Safety Activities, Conducting Risk Management Processes, Conducting Activities in Compliance with Legislation, Ensuring Physical Premises Security, Conducting / Auditing Business Activities, Organization and Event Management

Visitor

Data Categories: Physical Premises Security

Purposes of Processing: Conducting Emergency Management Processes, Conducting Information Security Processes, Ensuring Physical Premises Security

6.2 Personal Data Processing Activities Carried Out in Physical Premises

In order to ensure the security of our Clinic, entrances and exits are recorded and an appointment tracking system is used. Employees’ processing activities are carried out within the authority matrix created by ÖZEL DEMİDERM POLİKLİNİĞİ and the necessary confidentiality agreements are signed with employees.

6.3 Personal Data Processing Activities Carried Out on the Website

Traffic information of online visitors who visit our website is automatically processed for the purpose of conducting information security processes. In addition, pursuant to Law No. 5651 and other legislation, hosting providers have an obligation to record and retain website traffic information.

6.4 Personal Data Processing Activities Carried Out Through Communication Channels

Communications made through channels such as telephone, e-mail, etc. are monitored and recorded by ÖZEL DEMİDERM POLİKLİNİĞİ for the purposes of conducting/auditing business activities and tracking requests/complaints.

Data Subjects are required to use these channels only within the scope of business activities.

7. PURPOSES OF TRANSFER OF PERSONAL DATA AND THE RECIPIENT PERSONS/ORGANIZATIONS

7.1 Purposes of Transfer of Personal Data

ÖZEL DEMİDERM POLİKLİNİĞİ transfers personal data in a limited manner for the following purposes within the framework of the conditions specified in Articles 8 and 9 of the KVKK and Articles 45 and 49 of the GDPR:

To be able to carry out examination, preventive medicine, medical diagnosis, treatment, operation and care services,
To be able to manage complication processes,
To be able to obtain consultation,
To be able to fulfill obligations required by the Ministry of Health legislation,
To be able to fulfill obligations required by International Health Tourism legislation,
To be able to meet transportation, accommodation and interpreter needs of health tourist patients,
To fulfill administrative obligations before Provincial Health Directorates and District Health Directorates,
To be able to inform third parties medically regarding the health services provided,
To be able to carry out promotional and marketing activities regarding the health services provided within the scope of International Health Tourism Incentive legislation,
Conducting Employee Candidate Selection and Placement Processes,
Conducting Employee Candidates’ Application Processes,
Fulfilling Employees’ Employment Contract and Obligations Arising from Legislation,
Conducting Employees’ Fringe Benefits and Interests Processes,
Conducting Activities in Compliance with Legislation,
Conducting Finance and Accounting Works,
Conducting / Auditing Business Activities,
Conducting Activities to Ensure Business Continuity,
Conducting Risk Management Processes,
Ensuring and auditing data security,
Conducting Contract Processes,
Providing Information to Authorized Persons, Institutions and Organizations.

7.2 Persons/Organizations to Whom Personal Data Are Transferred

ÖZEL DEMİDERM POLİKLİNİĞİ may transfer personal data, limited to the data subject groups and data required by the purpose of transfer, by applying all administrative and technical security measures prescribed by the legislation, to the following persons and organizations:

To other specialist physicians for consultation purposes,
To its insured Employees,
To its Suppliers,
Certified Public Accountant, Tax and Financial Advisors and Auditors
Legal Advisor
Database (Server) Providers
“Clinic Management Software System” Service Providers
Interpreters
Web Consultant
Overseas Promotion Consultant
Support Management System (DYS) Authorized Person
Data Protection Officer
IT Consultant
Tourism Agencies
To Public Institutions and Organizations authorized within the framework of laws,
To Judicial Authorities.

8. DISPOSAL AND RETENTION PERIODS OF PERSONAL DATA

8.1 Disposal of Personal Data

Without prejudice to the provisions regarding the disposal of personal data in other laws, ÖZEL DEMİDERM POLİKLİNİĞİ deletes, destroys or anonymizes personal data it has processed in accordance with the KVKK and other laws, ex officio or upon the request of the relevant person, in accordance with the Personal Data Retention and Disposal Policy when the reasons requiring their processing cease to exist.
Deletion of personal data refers to making personal data inaccessible and unusable in any way for relevant users.
Destruction of data refers to making personal data inaccessible, unrecoverable and unusable in any way by anyone.
Anonymization of data refers to making personal data impossible to be associated with an identified or identifiable natural person in any way, even if matched with other data, by means of techniques such as masking, removing variables, generalization, etc.

8.2 Retention Periods of Personal Data

ÖZEL DEMİDERM POLİKLİNİĞİ retains personal data in accordance with the periods prescribed in laws and other legislation. If no retention period is prescribed in laws and other legislation, personal data are retained for the period required for the realization of the purpose of processing that personal data in accordance with Özel Demiderm Polikliniği’s Personal Data Retention and Disposal Policy, and then deleted, destroyed or anonymized within the framework of periodic disposal periods.

9. RIGHTS OF THE PERSONAL DATA SUBJECT PURSUANT TO KVKK AND GDPR

9.1 RIGHTS OF THE DATA SUBJECT PURSUANT TO GDPR

As a Data Subject, your Personal Data are also protected pursuant to the GDPR. In cases falling within the jurisdiction of the GDPR (EU citizens or residents in Europe), the rights of Data Subjects are as follows;

Right of Access (GDPR Article 15): The data subject has the right to confirm, by applying to ÖZEL DEMİDERM POLİKLİNİĞİ, whether personal data relating to him/her are being processed, and if personal data are being processed, to learn the details set forth in GDPR Article 15.
Right to Rectification (GDPR Article 16): The Data Subject has the right to have personal data held by ÖZEL DEMİDERM POLİKLİNİĞİ and changed personal data corrected at any time by applying to us.
Right to Erasure (GDPR Article 17): The Data Subject has the right to request the deletion of his/her personal data held by ÖZEL DEMİDERM POLİKLİNİĞİ. In the event that the matters specified in GDPR Article 17 occur, your personal data will be deleted by ÖZEL DEMİDERM POLİKLİNİĞİ without undue delay.
Right to Restriction of Processing (GDPR Article 18):
If the Data Subject objects to the accuracy of the Personal Data, the Data Subject has the right to request restriction of use of the data until the accuracy of the Personal Data is verified by ÖZEL DEMİDERM POLİKLİNİĞİ.
If the personal data processing activity is unlawful and the Data Subject objects to the deletion of the Personal Data, the Data Subject has the right to request restriction of use of the data.
Although ÖZEL DEMİDERM POLİKLİNİĞİ no longer needs your personal data, if we wish to establish or exercise your rights, the Data Subject has the right to request restriction of use of the data.
Until it is verified whether ÖZEL DEMİDERM POLİKLİNİĞİ’s legitimate grounds override the Data Subject’s legitimate grounds, if the Data Subject objects to processing activity pursuant to GDPR Article 21/1, the Data Subject has the right to request restriction of use of the data.
Right to Data Portability (GDPR Article 20): The Data Subject has the right, where technically feasible, to request at any time by applying to us that the Personal Data held by ÖZEL DEMİDERM POLİKLİNİĞİ be transferred to another controller. However, you may exercise this right only when the processing is based on your consent or where required for the performance of a contract.
Right to Object (GDPR Article 21):
The Data Subject has the right to object, on grounds relating to his/her particular situation, to processing of Personal Data, including profiling, based on points (e) or (f) of GDPR Article 6(1). If ÖZEL DEMİDERM POLİKLİNİĞİ cannot demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise or defense of legal claims, it may not process your Personal Data.
Where Personal Data are processed for direct marketing purposes, the Data Subject has the right to object at any time to processing of Personal Data for such marketing, including profiling to the extent that it is related to such direct marketing.
If the Data Subject objects to the processing of Personal Data for direct marketing purposes, the Personal Data will no longer be processed for such purposes.

9.2 RIGHTS OF THE DATA SUBJECT PURSUANT TO KVKK

The rights of natural persons whose personal data are processed pursuant to Article 11 of the KVKK are as follows;

To learn whether personal data are processed,
To request information if personal data have been processed,
To learn the purpose of processing personal data and whether they are used in accordance with the purpose,
To know the third parties to whom personal data are transferred domestically or abroad,
To request correction of personal data if they are processed incompletely or inaccurately and to request that the transaction carried out within this scope be notified to third parties to whom personal data have been transferred,
To request deletion or destruction of personal data where the reasons requiring processing cease to exist, although they have been processed in accordance with the KVKK and other relevant laws, and to request that the transaction carried out within this scope be notified to third parties to whom personal data have been transferred,
To object to the occurrence of a result against the person as a result of analysis of processed data exclusively through automated systems,
To request compensation for damages in case personal data are processed unlawfully.

In the event that Data Subjects wish to exercise any of the rights listed above or have any requests; they may submit their written applications, clearly and understandably stating which of the rights specified in Article 11 of the KVKK they request to exercise, with wet signature and together with documents proving their identity, to the address of ÖZEL DEMİDERM POLİKLİNİĞİ in person, send via notary, or by signing with secure e-signature and sending to “info@demiderm.com.tr” and/or “demiderm@hs01.kep.tr” e-mail addresses, or by other methods specified in the KVKK. In applications, the presence of name-surname, signature, T.R. identity number/passport no/temporary identity no, residence or workplace address, e-mail address, telephone and fax number, and the subject matter of the request is mandatory pursuant to the “Communiqué on the Procedures and Principles of Application to the Data Controller”.

ÖZEL DEMİDERM POLİKLİNİĞİ will conclude the request free of charge as soon as possible and within thirty (30) days at the latest depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged.

EFFECTIVE DATE : 01.12.2023

UPDATE DATE : 01.12.2023