ASG Health and Tourism Services and Trade Inc. (Private DRGO Clinic), as the datacontroller, places utmost importance on the protection of personal data belonging tocustomers, employees, and other natural persons with whom it interacts, in accordancewith the regulations set by the Personal Data Protection Law, adhering to principles of superior service quality, respect for individual rights, transparency, and honesty. Theclinic highly prioritizes maintaining patient confidentiality and meticulously processingand preserving all personal data related to our patients in the best possible manner. Thispolicy has been formulated to protect and process the personal data of our patients, companions, visitors, employees, company officials, employees of collaboratinginstitutions, authorities, and third parties within the framework of the basic principlesspecified in the legislation.

The aim of this Policy is to ensure transparency by informing individuals whose personaldata are processed within the scope of the personal data processing activities conductedby our clinic in a lawful manner. In this context, administrative and technical measuresnecessary for the processing and protection of personal data are taken in accordance withLaw No. 6698 and related legislation. Within the scope of this policy, real persons whosepersonal data are processed are referred to as Data Subject, Relevant Person, or PersonalData Owner.

Explicit Consent: Consent that is informed, based on specific matters, and declaredfreely.

Anonymization: The process of altering personal data in such a way that it no longerretains its personal data attribute in an irreversible manner, such as through masking, aggregation, data distortion, etc., making it impossible to link the data to a real person. Personal data can be anonymized for various purposes without violating the scope of thePDPL and explicit consent. Necessary precautions will be taken within our Clinic toensure that anonymized personal data cannot be associated with a person in any way.

Employees, Shareholders, and Officials of Collaborating Institutions: Refers to realpersons, including employees, shareholders, and officials of institutions we are in business relations with (such as partners, suppliers, but not limited to them).

Processing of Personal Data: Refers to any operation performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure bytransmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Personal Data: Refers to any information relating to an identified or identifiable naturalperson. Information that makes the person identifiable is regulated as personal data, including but not limited to national identification number, name, surname, email address, phone number, residential address, date of birth, bank account number.

Special Categories of Personal Data: Data related to racial or ethnic origin, politicalopinions, religious or philosophical beliefs, trade union membership, and data concerninghealth, sex life, criminal convictions and security measures, and biometric and geneticdata.

Third Party: Refers to real persons associated with the parties mentioned above to ensurecommercial transaction security or to protect and provide benefits for their rights.

Data Processor: Refers to the real or legal person who processes personal data on behalfof the data controller based on the authority given by the controller, such as the IT company holding our data.

Data Controller: Refers to the person who determines the purposes and means of processing personal data, managing the place where the data is systematically stored (data recording system).

Our clinic, being the data controller within the scope of PDPL, has registered in theVERBIS system. A team (Personal Data Responsible Team) has been established by ourcompany. In cases requiring decision-making, the Personal Data Responsible Team consults a Lawyer/Attorney specialized in personal data before implementing the decisionapproved by the management.

The personal data processed may vary depending on the health services provided and arecollected through physical and/or digital means. Our patients, doctors, health personnel, subcontractors and their employees, and companies we engage in commercial activitieswith, our call center, the clinic’s website, online services, and similar means, includinghealth data primarily, as well as other special and general categories of personal data, areprocessed for the purposes listed below and others that may arise in the future:

CATEGORIZATION OF PROCESSED PERSONAL DATA

Identity Information: All information related to the individual’s identity contained in documents such as driver’s license, identity card, passport, attorney ID, marriagecertificate.

Communication Information: Information for contacting the data owner, such as phonenumber, address, residence, email.

Location Data: Data that is clearly related to an identified or identifiable natural personwithin a data recording system, used to determine the location of the data owner.

Family Members and Close Relatives Information: Information about the family membersand close relatives of the personal data owner, processed to protect the legal interests of the relevant Institution and the data owner, clearly related to an identified or identifiablenatural person within a data recording system.

Physical Space: Personal data related to records and documents such as camerarecordings, fingerprint records, visual and auditory recordings.

Transaction Security Information: Personal data processed to ensure our technical, administrative, legal, and commercial security while conducting our activities.

Financial Information: Personal data related to all kinds of financial results shown in information, documents, and records.

Candidate Employee Information: Personal data processed about individuals who haveapplied to become an employee (CV or resume information).

Personnel Information: Information related to payroll, disciplinary investigation, SocialSecurity Institution (SGK) information, employment entry-exit document records, assetdeclaration information, resume information, performance evaluation reports, interviewresults, contents of the Employment Contract, employment start information, andtermination of employment information.

Legal Transaction: Personal data processed in the context of determining, tracking ourlegal claims and debts, and fulfilling our legal obligations.

The personal data mentioned above can be processed in accordance with the provisions of the Law No. 3359 on Health Services, Decree Law No. 663 on the Organization andDuties of the Ministry of Health and Its Affiliated Institutions, Regulation on PrivateHospitals, Regulation on Personal Health Data, and other regulations issued by theMinistry of Health.

Our company commits to processing personal data in accordance with the followingprinciples:

The explicit consent of the personal data owner is just one of the legal grounds allowingthe lawful processing of personal data. Personal data can also be processed under theconditions other than explicit consent, listed below. The basis for processing personaldata activity may be only one of the conditions below or multiple conditions maysimultaneously serve as the basis for the same personal data processing activity. In caseswhere the processed data is of special category, the following conditions apply:

Our company processes special categories of personal data, subject to taking adequatemeasures determined by the Personal Data Protection Board, under the followingconditions:

TECHNICAL AND ADMINISTRATIVE MEASURES

In accordance with Article 12 of the PDPL, Regulation provisions, the general principlesmentioned above, this Policy, and the decisions of the Personal Data Protection Board, our company takes the necessary technical and administrative measures according totechnological possibilities and implementation costs regarding the following matters:

Your personal data, in compliance with the basic principles prescribed by the Law andwithin the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law, can be shared with our clinic, Ministry of Health, its subordinate units andfamily medicine centers, private insurance companies (health, pension, and life insurance, etc.), Social Security Institution, General Directorate of Security and other lawenforcement agencies, General Directorate of Population, Turkish Pharmacists‘ Association, prosecutors and courts, laboratories, medical centers, and third-party healthservice providers we cooperate with for medical diagnosis either domestically orinternationally, health institutions the patient is referred to or applies to, your authorizedrepresentatives, third parties we consult, regulatory and supervisory authorities andofficial bodies, our suppliers, and support service providers we benefit from or collaboratewith, within the framework of the conditions and purposes for personal data processingspecified in Articles 8 and 9 of the Law. Your personal data are not shared with foreigncountries.

Related persons have the right to learn whether their personal data are processed, requestinformation if their personal data have been processed, access and request their personalhealth data, learn whether they are used appropriately for their purpose, learn the thirdparties to whom they are transferred, request correction in case of incorrect processing, request deletion or destruction of personal data, demand notification of the corrections tothe third parties to whom the data have been transferred, object to the outcome resultingfrom the analysis by automated systems, and demand compensation for the damagearising from the unlawful processing of personal data. These rights can be exercised bysubmitting a petition to our company.

Our company conducts personal data processing activities by using security cameras andrecording images of guest entries and exits. In this context, our clinic acts in accordancewith the Personal Data Protection Law and security legislation.

Access to records stored and preserved in digital media is granted only to authorizedemployees and/or employees of the supplier company. Camera recordings are stored for a period of 2 months.

This Policy takes effect upon its publication on the website.