PERSONAL DATA PROCESSING AND PROTECTION POLICY
1. PURPOSE AND SCOPE
As Dr. Ahmet Demir, operating at Merkez Mahallesi Palazoğlu Sokak Eren Palas Apt. No:5-7 Daire:9 (briefly referred to as Physician/Practice/employer below), in accordance with the Personal Data Protection Law No. 6698, which was created as a constitutional right, and the provisions of the European Union General Data Protection Regulation (GDPR), we attach importance, while carrying out our activities, to protecting the personal data of all natural persons with whom we come into contact in any way and to fulfilling the requirements set out in the KVKK.
This Personal Data Protection Policy has been prepared by Dr. Ahmet Demir, operating at Merkez Mahallesi Palazoğlu Sokak Eren Palas Apt. No:5-7 Daire:9, to provide information about collecting, using, sharing and storing personal data. The processing and protection of personal data will be carried out in accordance with the relevant legislative regulations.
The main purpose of this Personal Data Protection and Processing Policy (“Policy”) is to ensure that the rules, regulations, duties and responsibilities adopted by the Physician and his/her Practice within the scope of the personal data protection legislation are made available for general use, and that the rules applied for the protection of personal data are explained.
2. DEFINITIONS AND ABBREVIATIONS
The terms used in the implementation of this Policy have the meanings given below.
Employees: Refers to the employees of the physician and his/her practice.
Contact Person: The person responsible for monitoring the personal data processing activities within the Physician and his Practice and the implementation of KVK Policies and Procedures on an individual basis.
Personal Data: It refers to all kinds of information regarding an identified or identifiable natural person.
For example; name, surname, address, telephone number, date of birth, place of birth, eye color, T.R. identification number.
Personal Data Owner: The real person whose personal data is processed. For example; employee, visitor, customer,
Person of Interest
Processing of Personal Data: All kinds of operations performed on personal data by fully or partially automated means or by non-automatic means provided that it is part of any data recording system. For example; to obtain, record, store, change, transfer.
KVK Law: It refers to the Personal Data Protection Law No. 6698.
GDPR: European Union General Data Protection Regulation
3. PRINCIPLES OF PROCESSING OF PERSONAL DATA
The Physician and his Practice process personal data in accordance with the procedures and principles stipulated in KVKK and other laws.
The following principles are followed in the processing of personal data:
a) Compliance with the law and the rules of honesty:
The Physician and his/her Practice process personal data in accordance with the provisions of the legal regulations, the law and the rules of honesty.
They provide information to personal data owners.
b) Being accurate and up to date when necessary:
The Physician and his/her Practice take the necessary precautions to ensure that the personal data they process are accurate and up to date.
c) Processing for specific, clear and legitimate purposes:
The Physician and his Practice clearly and precisely determine the purpose of processing personal data, which is legitimate and lawful.
The Physician and his Practice process personal data in connection with the service they offer and only as much as is necessary for it.
ç) Being related to the purpose for which they are processed, limited and proportionate:
The Physician and his Practice process personal data to achieve the purposes determined within the scope of the service they provide, and avoid receiving, processing and storing personal data that is not necessary to achieve the purpose.
d) Preservation for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed:
The physician and his/her practice store personal data in accordance with the legal regulations. At the end of the period, personal data is deleted, anonymized or destroyed.
TERMS OF PROCESSING OF PERSONAL DATA:
When processing personal data, the Physician and his Practice comply with the following conditions in line with the provisions of KVKK No. 6698:
• Personal data cannot be processed without the explicit consent of the relevant person.
Personal data is processed only with the explicit consent of the data owner/data subject. In this regard, patients are informed about the subject and their explicit consent based on free will is obtained.
(2) In case of one of the following conditions, it is possible to process personal data without the explicit consent of the relevant person:
a) It is clearly foreseen in the laws.
b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) It has been made public by the person concerned.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
CONDITIONS FOR PROCESSING SPECIAL PERSONAL DATA
The Physician and his Practice comply with the regulations specified in the processing of special personal data specified in KVKK No. 6698.
KVKK “ARTICLE 6- (1) Data regarding individuals' race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data, are defined as special quality personal data.”
The Physician and his/her Practice process personal data of special nature as follows:
• Personal data of special nature is processed with the express consent of the person concerned,
• Personal data other than health and sexual life are processed without the explicit consent of the relevant person in cases stipulated by law,
• Personal data regarding health and sexual life are processed without the express consent of the person concerned by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing.
METHODS OF COLLECTION AND PROCESSING OF PERSONAL DATA
The Practice processes the personal data of natural persons based on the Personal Data Processing Inventory, which must be prepared in accordance with Articles 4, 5 and 6 of the Personal Data Protection Law and within the scope of Articles 5, 7, 9 and 10 of the Regulation and must include the following information:
• Data category
• Personal data processing purposes and legal reason
• Transferred recipient/recipient groups
• Data subject groups
• Maximum retention period of personal data required for the purposes for which they are processed
• Transfer to foreign countries
• Administrative and technical measures taken regarding data security
THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED BY THE DOCTOR AND HIS OFFICE AND THE PURPOSES OF TRANSFER
The physician and his/her practice carefully comply with the conditions set out in KVKK regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws.
In this context, personal data is not transferred to third parties by the Physician and his Practice without the explicit consent of the data owner. However, personal data may be transferred by the Physician and his Practice without obtaining the explicit consent of the data owner, if one of the following conditions regulated by KVKK is met:
• It is clearly foreseen in the laws,
• It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity,
• It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• The data has been made public by the owner himself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
Provided that adequate precautions are taken, special personal data other than health and sexual life may be transferred without obtaining explicit consent where this is prescribed by law, and special personal data related to health and sexual life may be transferred without obtaining explicit consent for purposes such as:
• Protection of public health,
• Preventive medicine,
• Medical diagnosis,
• Carrying out treatment and care services,
• Planning and management of health services and their financing.
In the transfer of special personal data, the conditions specified in the processing conditions of this data are complied with.
Additionally, in accordance with GDPR article 9/2/h, article 6/1/b, article 6/1/f, your data may be processed without requiring an explicit consent statement:
• In order to carry out examination, medical diagnosis, treatment and care services, your Health Data, which is considered Special Personal Data, will be processed without your explicit consent by the Practice, which is under the obligation of confidentiality in accordance with the Law.
• Your Personal Data will be processed by the Practice, without your explicit consent, in order to carry out your checks after medical diagnosis and treatment processes, to communicate with you one-on-one, and to manage appointment processes.
• In order to achieve patient satisfaction and demand management, your Personal Data will be processed by the practice without your explicit consent.
Pursuant to legal obligations in accordance with GDPR article 6/1/c, your Personal Data will be processed without your explicit consent in the following cases;
• Creating a patient file.
• Preserving information regarding your health data that must be kept in accordance with the relevant legislation.
• Issuing invoices by checking your wage payments.
• Execution of tax payments.
• Fulfillment of obligations in accordance with the Ministry of Health Legislation.
• Fulfillment of obligations in accordance with Health Tourism Legislation.
• Ensuring your data security.
• Fulfillment of legal obligations before the Judicial Authorities.
• Fulfillment of administrative obligations before Administrative Institutions and Organizations.
STORAGE OF PERSONAL DATA UNDER RELEVANT LEGISLATION
The Physician and Practice store personal data securely in a physical or electronic environment for an appropriate period of time in order to carry out their activities in accordance with the provisions of KVKK and other relevant laws. First of all, it is examined whether the legislation sets a period for storing the personal data, and that period is followed. If there is no legal period, the required period is determined and personal data is stored in accordance with this period. When the period expires, personal data is deleted, destroyed or anonymized.
However, in cases where the data controller has a legitimate interest, personal data may be stored until the end of the general limitation period (ten years) regulated in the Code of Obligations, provided that the fundamental rights and freedoms of the data owners are not harmed, despite the expiration of the purpose of processing and the periods specified in the relevant laws.
In this context, the necessary training and awareness are provided to the relevant units within the Physician and his Practice.
PRECAUTIONS TAKEN FOR DATA SECURITY
The physician and his/her practice take all necessary technical and administrative measures to ensure the appropriate level of security required to protect personal data.
The measures foreseen in Article 12(1) of KVKK are as follows:
• To prevent unlawful processing of personal data,
• To prevent unlawful access to personal data,
• Ensuring the protection of personal data.
The precautions taken by the physician and his/her practice in this context are listed below:
Administrative Measures
• The Physician and his Practice perform the necessary inspections to ensure the implementation of the provisions of the Law.
• If the processed personal data is obtained by others through illegal means, the Physician and his Practice will notify the relevant person and the Board as soon as possible.
• Regarding the sharing of personal data, it ensures data security through framework agreements, consent forms and data owner explicit consent forms or provisions to be added to the contracts with the persons with whom personal data are shared.
• It employs personnel who are knowledgeable and experienced about the processing of personal data and provides the necessary KVK training to its personnel.
Technical Measures
• The Physician and his Practice employ knowledgeable and experienced people to ensure data security and provide the necessary KVK training to his staff.
• It carries out the necessary internal controls within the scope of the established systems.
• Ensures the provision of technical infrastructure and creation of relevant matrices that will prevent and/or monitor personal data from leaking outside the institution.
RIGHTS OF PERSONAL DATA OWNERS ACCORDING TO ARTICLE 11 OF KVKK:
Within the framework of Article 11 of the Personal Data Protection Law No. 6698 (KVKK), personal data owners can apply to the address of the Physician and his Practice and have the following rights:
a- Learning whether personal data is processed or not,
b- Requesting information about personal data if it has been processed,
c- Learning the purpose of processing personal data and whether they are used appropriately,
ç- Knowing the third parties to whom personal data is transferred domestically or abroad,
d- Requesting correction of personal data if they are incomplete or incorrectly processed,
e- Requesting the deletion or destruction of personal data in accordance with the provisions of KVKK and other relevant legislation,
f- In case your personal data is corrected, deleted or destroyed, requesting that these transactions be notified to third parties to whom personal data are transferred,
g- Objecting to a result that is unfavorable to you by analyzing your processed personal data exclusively through automatic systems,
ğ- Demanding compensation for the damage if you suffer damage due to unlawful processing of personal data.
RIGHTS OF DATA SUBJECTS ACCORDING TO GDPR
As a Data Owner, your Personal Data is also protected in accordance with the GDPR. In cases where GDPR falls within the jurisdiction (European Union citizens or residents of European Union countries), the rights of Data Owners are as follows;
• Right of Access (GDPR Article 15): The Data Owner has the right to confirm, by applying to the Clinic, whether personal data concerning him/her is being processed or not, and, if personal data is processed, to learn the details listed in GDPR Article 15.
• Right to Correction (Article 16 of the GDPR): The Data Owner has the right to have his/her changed personal data held by the practice corrected at any time.
• Right to Erasure (GDPR article 17): The Data Owner has the right to request the deletion of his personal data held by the Practice. If the issues specified in Article 17 of the GDPR occur, your personal data will be deleted by the Practice without delay.
• Right to Restriction of Processing (Article 18 GDPR):
• If Data Owners object to the up-to-dateness of their Personal Data, they, as the Data Owner, have the right to request the restriction of the use of the data until the accuracy of the Personal Data is confirmed by the Practice.
• In cases where the Data Owner requests the deletion of his Personal Data due to the illegality of the Personal Data processing activity, he has the right to request the restriction of the use of the data until his request is fulfilled.
• The Data Owner has the right to request the restriction of the use of his/her data in cases where his/her personal data is no longer needed in line with the processing purpose of the Clinic.
• In cases where Data Subjects object to processing pursuant to Article 21/1 of the GDPR, they have the right to request the restriction of the use of their data until it has been verified whether the legitimate reasons of the Clinic for processing outweigh those of the Data Subject.
• Right to Data Transfer (Article 20 GDPR): The Data Owner has the right to request, at any time, the transfer of his Personal Data held by the Practice to another controller, if technically possible. However, this right can be exercised when data processing is based on consent or when required by contract.
• Right to Object (GDPR Article 21)
We would like to inform you that we continue our activities with the awareness that personal data security is at the forefront in all the products and treatments we offer to you.