Personal Data Protection and Processing Policy

ASG Health and Tourism Services and Trade Inc. (Private DRGO Clinic), as the datacontroller, places utmost importance on the protection of personal data belonging tocustomers, employees, and other natural persons with whom it interacts, in accordancewith the regulations set by the Personal Data Protection Law, adhering to principles of superior service quality, respect for individual rights, transparency, and honesty. Theclinic highly prioritizes maintaining patient confidentiality and meticulously processingand preserving all personal data related to our patients in the best possible manner. Thispolicy has been formulated to protect and process the personal data of our patients, companions, visitors, employees, company officials, employees of collaboratinginstitutions, authorities, and third parties within the framework of the basic principlesspecified in the legislation.

The aim of this Policy is to ensure transparency by informing individuals whose personaldata are processed within the scope of the personal data processing activities conductedby our clinic in a lawful manner. In this context, administrative and technical measuresnecessary for the processing and protection of personal data are taken in accordance withLaw No. 6698 and related legislation. Within the scope of this policy, real persons whosepersonal data are processed are referred to as Data Subject, Relevant Person, or PersonalData Owner.

Explicit Consent: Consent that is informed, based on specific matters, and declaredfreely.

Anonymization: The process of altering personal data in such a way that it no longerretains its personal data attribute in an irreversible manner, such as through masking, aggregation, data distortion, etc., making it impossible to link the data to a real person. Personal data can be anonymized for various purposes without violating the scope of thePDPL and explicit consent. Necessary precautions will be taken within our Clinic toensure that anonymized personal data cannot be associated with a person in any way.

Employees, Shareholders, and Officials of Collaborating Institutions: Refers to realpersons, including employees, shareholders, and officials of institutions we are in business relations with (such as partners, suppliers, but not limited to them).

Processing of Personal Data: Refers to any operation performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure bytransmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Personal Data: Refers to any information relating to an identified or identifiable naturalperson. Information that makes the person identifiable is regulated as personal data, including but not limited to national identification number, name, surname, email address, phone number, residential address, date of birth, bank account number.

Special Categories of Personal Data: Data related to racial or ethnic origin, politicalopinions, religious or philosophical beliefs, trade union membership, and data concerninghealth, sex life, criminal convictions and security measures, and biometric and geneticdata.

Third Party: Refers to real persons associated with the parties mentioned above to ensurecommercial transaction security or to protect and provide benefits for their rights.

Data Processor: Refers to the real or legal person who processes personal data on behalfof the data controller based on the authority given by the controller, such as the IT company holding our data.

Data Controller: Refers to the person who determines the purposes and means of processing personal data, managing the place where the data is systematically stored (data recording system).

Our clinic, being the data controller within the scope of PDPL, has registered in theVERBIS system. A team (Personal Data Responsible Team) has been established by ourcompany. In cases requiring decision-making, the Personal Data Responsible Team consults a Lawyer/Attorney specialized in personal data before implementing the decisionapproved by the management.

The personal data processed may vary depending on the health services provided and arecollected through physical and/or digital means. Our patients, doctors, health personnel, subcontractors and their employees, and companies we engage in commercial activitieswith, our call center, the clinic’s website, online services, and similar means, includinghealth data primarily, as well as other special and general categories of personal data, areprocessed for the purposes listed below and others that may arise in the future:

Execution of medical diagnosis, treatment, and care services,
Protection of public health,
Planning and management of preventive healthcare services and their financing,
Informing our patients about appointments,
Planning and management of internal procedures,
Conducting analysis for the improvement of health services in compliance withregulations,
Fulfillment of risk management and quality improvement activities,
Conducting research,
Compliance with legal and regulatory requirements,
Billing for our services,
Verification of identity,
Verification of relationship with contracted institutions,
Sharing of all requested information with private insurance companies within the scopeof health services financing,
Responding to any questions and complaints related to our health services,
Taking all necessary technical and administrative measures within the scope of datasecurity,
Financial reconciliation with contracted institutions, banks, and all organizationscollecting health expenses (both public and private),
Sharing requested information with the Ministry of Health and other public institutionsand organizations as required by the relevant legislation,
Measuring and enhancing patient satisfaction,
Fulfilling our contracts and legal obligations.



Identity Information: All information related to the individual’s identity contained in documents such as driver’s license, identity card, passport, attorney ID, marriagecertificate.

Communication Information: Information for contacting the data owner, such as phonenumber, address, residence, email.

Location Data: Data that is clearly related to an identified or identifiable natural personwithin a data recording system, used to determine the location of the data owner.

Family Members and Close Relatives Information: Information about the family membersand close relatives of the personal data owner, processed to protect the legal interests of the relevant Institution and the data owner, clearly related to an identified or identifiablenatural person within a data recording system.

Physical Space: Personal data related to records and documents such as camerarecordings, fingerprint records, visual and auditory recordings.

Transaction Security Information: Personal data processed to ensure our technical, administrative, legal, and commercial security while conducting our activities.

Financial Information: Personal data related to all kinds of financial results shown in information, documents, and records.

Candidate Employee Information: Personal data processed about individuals who haveapplied to become an employee (CV or resume information).

Personnel Information: Information related to payroll, disciplinary investigation, SocialSecurity Institution (SGK) information, employment entry-exit document records, assetdeclaration information, resume information, performance evaluation reports, interviewresults, contents of the Employment Contract, employment start information, andtermination of employment information.

Legal Transaction: Personal data processed in the context of determining, tracking ourlegal claims and debts, and fulfilling our legal obligations.

The personal data mentioned above can be processed in accordance with the provisions of the Law No. 3359 on Health Services, Decree Law No. 663 on the Organization andDuties of the Ministry of Health and Its Affiliated Institutions, Regulation on PrivateHospitals, Regulation on Personal Health Data, and other regulations issued by theMinistry of Health.

Our company commits to processing personal data in accordance with the followingprinciples:

Compliance with the law and principles of honesty,
Ensuring personal data are accurate and up to date when necessary,
Processing for specified, explicit, and legitimate purposes,
Being relevant, limited, and proportionate to the purposes for which they are processed,
Retaining for the period stipulated by relevant legislation or necessary for the purposefor which the data are processed.

The explicit consent of the personal data owner is just one of the legal grounds allowingthe lawful processing of personal data. Personal data can also be processed under theconditions other than explicit consent, listed below. The basis for processing personaldata activity may be only one of the conditions below or multiple conditions maysimultaneously serve as the basis for the same personal data processing activity. In caseswhere the processed data is of special category, the following conditions apply:

Existence of Explicit Consent of the Personal Data Owner,
Clearly Stipulated by Laws,
Impossibility of Obtaining Explicit Consent Due to Actual Impossibility,
Directly Related to the Execution or Performance of a Contract,
Obligation for the Company to Fulfill its Legal Duty,
Personal Data Owner Has Made His/Her Personal Data Public,
Data Processing Being Necessary for the Establishment or Protection of a Right,
Data Processing Being Necessary for the Legitimate Interests of Our Company, provided that it does not violate the principles set by the PDPL, the purpose of processingpersonal data, and does not interfere with the essence of the right guaranteed by theConstitution.

Our company processes special categories of personal data, subject to taking adequatemeasures determined by the Personal Data Protection Board, under the followingconditions:

If the personal data owner has given explicit consent, or
If the personal data owner has not given explicit consent; special categories of personaldata except for those related to health and sexual life can be processed in cases stipulatedby laws,
Special categories of personal data related to health and sexual life can only be processed for the purposes of protecting public health, preventive medicine, medicaldiagnosis, treatment and care services, and planning and management of health servicesand financing, by persons or authorized institutions and organizations underconfidentiality obligation.



In accordance with Article 12 of the PDPL, Regulation provisions, the general principlesmentioned above, this Policy, and the decisions of the Personal Data Protection Board, our company takes the necessary technical and administrative measures according totechnological possibilities and implementation costs regarding the following matters:

Necessary software and hardware have been determined. Strong passwords are used on computers and email accounts.
Personnel have been trained on the protection of customer information, and theirresponsibilities have been documented in employment contracts (ConfidentialityAgreements). This obligation continues even after the relevant persons leave theirpositions.
Necessary infrastructure has been established for data backup purposes.
Employees who can access data on computers have been identified.
Customer files and information are provided only to the individuals themselves, theirrelatives who have given written consent, relevant public institutions and organizationswithin the framework of the legislation, and competent judicial authorities in legal cases.
The obligation to inform relevant individuals before starting personal data processing is fulfilled by the Institution.
A personal data processing inventory has been prepared.
Personal data owners are informed about these matters through texts posted or madeavailable to guests in our Clinic in other ways.

Your personal data, in compliance with the basic principles prescribed by the Law andwithin the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law, can be shared with our clinic, Ministry of Health, its subordinate units andfamily medicine centers, private insurance companies (health, pension, and life insurance, etc.), Social Security Institution, General Directorate of Security and other lawenforcement agencies, General Directorate of Population, Turkish PharmacistsAssociation, prosecutors and courts, laboratories, medical centers, and third-party healthservice providers we cooperate with for medical diagnosis either domestically orinternationally, health institutions the patient is referred to or applies to, your authorizedrepresentatives, third parties we consult, regulatory and supervisory authorities andofficial bodies, our suppliers, and support service providers we benefit from or collaboratewith, within the framework of the conditions and purposes for personal data processingspecified in Articles 8 and 9 of the Law. Your personal data are not shared with foreigncountries.


Related persons have the right to learn whether their personal data are processed, requestinformation if their personal data have been processed, access and request their personalhealth data, learn whether they are used appropriately for their purpose, learn the thirdparties to whom they are transferred, request correction in case of incorrect processing, request deletion or destruction of personal data, demand notification of the corrections tothe third parties to whom the data have been transferred, object to the outcome resultingfrom the analysis by automated systems, and demand compensation for the damagearising from the unlawful processing of personal data. These rights can be exercised bysubmitting a petition to our company.


Our company conducts personal data processing activities by using security cameras andrecording images of guest entries and exits. In this context, our clinic acts in accordancewith the Personal Data Protection Law and security legislation.

Access to records stored and preserved in digital media is granted only to authorizedemployees and/or employees of the supplier company. Camera recordings are stored for a period of 2 months.

This Policy takes effect upon its publication on the website.