Personal Data Protection and Processing Policy
The data controller, the clinic of Assoc. Prof. Dr. Güncel Öztürk, attaches great importance to the protection of personal data belonging to its customers, employees, and other individuals with whom it has a relationship, in line with the regulations set forth by the Personal Data Protection Law and within the framework of the principles of superior service quality, respect for individuals’ rights, transparency, and integrity. Great importance is given to patient confidentiality and to ensuring that all personal data belonging to our patients is processed and stored in the best possible manner and with due care. This policy has been prepared in order to protect and process the personal data of our patients as well as companions, visitors, and employees of institutions and organizations with which we cooperate, within the scope of the fundamental principles set out in the legislation.
The purpose of this Policy is to ensure transparency by informing data subjects whose personal data are processed, primarily our patients, companions, visitors, employees and institutional officials, employees and officials of the institutions we cooperate with, and third parties, within the scope of personal data processing activities carried out by our clinic in compliance with the legislation. Within this scope, administrative and technical measures required for the processing and protection of personal data are taken in accordance with Law No. 6698 and the relevant legislation. Natural persons whose personal data are processed within the scope of this policy are referred to as the Data Subject, the Relevant Person, or the Personal Data Owner.
Explicit Consent: Consent given for a specific subject, based on being informed and expressed with free will.
Anonymization: Altering personal data in such a way that it loses its personal data nature and this cannot be reversed. For example, rendering personal data unassociable with a natural person through techniques such as masking, aggregation, data distortion, etc. Personal data may be anonymized for various purposes only in a manner that does not violate the scope of the KVKK and explicit consent, and in accordance with the data subject’s request and/or consent. Necessary measures will be taken within our clinic to ensure that anonymized personal data is not made identifiable through various methods.
Employees, Shareholders and Officials of Institutions We Cooperate With: Refers to natural persons who work in institutions with which we have any kind of business relationship (such as business partners, suppliers, etc., without being limited to these), including the shareholders and officials of such institutions.
Processing of Personal Data: Refers to any operation performed on data, such as obtaining personal data wholly or partially by automatic means or by non-automatic means provided that it is part of a data recording system, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making accessible, classifying, or preventing its use.
Personal Data: Refers to any information relating to an identified or identifiable natural person. All information that makes a person identifiable is regulated as personal data, and information such as Turkish ID Number, name and surname, e-mail address, phone number, residential address, date of birth, and bank account number may be given as examples of personal data.
Special Categories of Personal Data: Refers to special categories of data such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of an association, foundation or trade union, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Third Party: Refers to third-party natural persons who are related to the parties mentioned above in order to ensure the security of commercial transactions between such parties or to protect the rights of those persons and provide benefit/interest. (For example, employees or officials of the company from which services are received, companion, etc.)
Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller. For example, the IT company that keeps our data.
Data Controller: Refers to the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).
Within the scope of the KVKK, our clinic has the status of data controller and has been registered in the VERBİS system. A team (Personal Data Controller Team) has been established within our clinic. In cases requiring a decision, the Personal Data Controller Team implements the decision after obtaining the opinion of a legal expert/lawyer specialized in personal data and following management approval.
Although the personal data processed may vary depending on the healthcare services provided, it is collected through physical and/or digital methods. Special categories of personal data—primarily health data—collected verbally, in writing or digitally through our patients, physicians, healthcare personnel, our employees, subcontractor companies and their employees, companies with which we engage in any commercial activity, our call center, our clinic’s website, online services and similar means, as well as general personal data, are processed for the purposes listed below and for other purposes that may arise in the future:
- Carrying out medical diagnosis, treatment and care services,
- Protecting public health,
- Planning and management of preventive medicine healthcare services and their financing,
- Notifying our patients about appointments,
- Planning and management of internal procedures,
- Conducting analysis for improvement purposes to ensure that healthcare services are carried out in compliance with legislation,
- Carrying out risk management and quality improvement activities,
- Conducting research,
- Fulfilling legal and regulatory requirements,
- Issuing invoices in return for our services,
- Verifying your identity,
- Verifying your relationship with contracted institutions,
- Sharing any information requested by private insurance companies within the scope of financing healthcare services,
- Being able to respond to any questions and complaints regarding our healthcare services,
- Taking all necessary technical and administrative measures within the scope of data security,
- Ensuring financial reconciliation regarding the healthcare services provided to you with the institutions we contract with, banks, and all organizations (public and private) from which healthcare expenditures are collected,
- Sharing requested information with the Ministry of Health and other public institutions and organizations pursuant to the relevant legislation,
- Measuring patient satisfaction and increasing patient satisfaction,
- Being able to fulfill contracts and our legal obligations, etc.

Personal data may be collected and processed in order to carry out these purposes.
CATEGORIZATION OF PROCESSED PERSONAL DATA
Identity Information: All information regarding the person’s identity contained in documents such as driver’s license, identity card, passport, attorney ID, marriage certificate
Contact Information: Information aimed at contacting the data subject such as phone number, address, residence, e-mail
Location Data: Data that is clearly related to an identified or identifiable natural person and included in the data recording system, enabling the determination of the data subject’s location
Family Members and Relatives Information: Information about the personal data owner’s family members and relatives, clearly related to an identified or identifiable natural person and included in the data recording system, processed in order to protect the legal interests of the relevant Institution and the data subject
Physical Space: Personal data relating to records and documents such as camera recordings, fingerprint records, visual and audio recordings
Transaction Security Information: Personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our activities
Financial Information: Personal data processed in relation to any information, documents and records showing financial results
Job Applicant Information: Personal data processed regarding individuals who have applied to become an employee (CV or resume information)
Employment Information: Information related to payroll information, disciplinary investigations, SGK information, records of entry/exit documents, asset declaration information, CV information, performance evaluation reports, interview results, content of the employment contract, start of employment information, termination of employment information
Legal Transaction: Personal data processed within the scope of determining and following up our legal receivables and rights, fulfilling our debts and statutory obligations
The personal data mentioned above may be processed within the framework of legislative provisions such as the Basic Law on Health Services No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Its Affiliated Institutions, the Regulation on Private Hospitals, the Regulation on Personal Health Data and the regulations of the Ministry of Health, etc., and may be transferred to physical archives and information systems belonging to our clinic and/or our suppliers.
Our clinic acknowledges that it will process personal data in accordance with the following principles:
- Compliance with the law and the principle of good faith,
- Ensuring that personal data are accurate and, where necessary, kept up to date,
- Processing for specific, explicit and legitimate purposes,
- Being relevant, limited and proportionate to the purposes for which they are processed,
- Retaining for the period stipulated in the relevant legislation or required for the purposes for which they are processed.
The data subject’s explicit consent is only one of the legal bases that allows personal data to be processed lawfully. Apart from explicit consent, personal data may also be processed if one of the other conditions written below exists. The basis for personal data processing activity may be only one of the conditions specified below, or more than one of these conditions may constitute the basis for the same processing activity. If the processed data are special categories of personal data, the conditions below apply:
- Existence of the Personal Data Owner’s Explicit Consent,
- Explicitly Provided for in Laws,
- Failure to Obtain the Data Subject’s Explicit Consent Due to Actual Impossibility,
- Being Directly Related to the Establishment or Performance of a Contract,
- Fulfilling the Clinic’s Legal Obligation,
- The Personal Data Owner Making Their Personal Data Public,
- Necessity of Data Processing for the Establishment or Protection of a Right,
- Necessity of Data Processing for Our Clinic’s Legitimate Interest, (The expression “legitimate interests of the clinic” may in no way be contrary to the principles determined by the KVKK or the purpose of processing personal data, and may not constitute an intervention in the essence of a right secured by the Constitution.)
Special categories of personal data are processed by our clinic, provided that adequate measures to be determined by the Personal Data Protection Board are taken, in the following cases:
- If the personal data owner has given explicit consent, or
- If the personal data owner has not given explicit consent; special categories of personal data other than the personal data owner’s health and sexual life, in cases provided for by laws,
- Special categories of personal data relating to the personal data owner’s health and sexual life are processed only for the purposes of protecting public health, preventive medicine, carrying out medical diagnosis, treatment and care services, and planning and managing healthcare services and their financing, by persons under an obligation of confidentiality or by authorized institutions and organizations.
TECHNICAL AND ADMINISTRATIVE MEASURES
In accordance with Article 12 of the KVKK and the provisions of the Regulation, the general principles stated above, this Policy and the decisions of the Personal Data Protection Board, our clinic takes the necessary technical and administrative measures in line with technological possibilities and implementation costs regarding the matters listed below:
- The necessary software and hardware have been determined. Strong passwords are used on computers and e-mail accounts.
- Matters that must be protected for the protection of customer information have been conveyed to our staff through trainings, and responsibilities have been put into writing through employment contracts (Confidentiality Agreements). This obligation continues after the relevant persons leave their duties.
- The necessary infrastructure has been established for the purpose of backing up all data provided.
- Employees who can access data on computers have been determined.
- Customer files and information are provided only to the relevant persons themselves, to their relatives to whom they have given written approval, to the relevant public institutions and organizations within the framework of legislation, and to competent judicial authorities in judicial cases.
- Before starting to process personal data, the institution fulfills its obligation to inform the relevant persons.
- A personal data processing inventory has been prepared.
- The relevant personal data owners are informed on these matters through texts posted within our clinic or otherwise made accessible to guests.
Your personal data may be shared, in accordance with the fundamental principles envisaged by the Law and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law, and for the purposes stated above, by our clinic with the Ministry of Health, its affiliated sub-units and family health centers, private insurance companies (health, pension and life insurance and similar), the Social Security Institution, the General Directorate of Security and other law enforcement forces, the General Directorate of Population, the Turkish Pharmacists’ Association, public prosecutors and courts, laboratories, medical centers and third parties providing healthcare services located domestically or abroad with which we cooperate for medical diagnosis, the healthcare institution to which the patient is referred or to which the patient applies, your representatives whom you have duly authorized, third parties from whom we receive consultancy, regulatory and supervisory authorities and official bodies, our suppliers and support service providers whose services we benefit from or with whom we cooperate, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law.
With regard to processed personal data, the data subject has the rights to learn whether personal data are processed, to request information if they have been processed, to access and request personal health data, to learn whether they are used in accordance with the purpose, to learn the third parties to whom they are transferred, to request correction in case of incorrect processing, to request deletion or destruction of personal data, to request notification of correction to third parties to whom data were transferred in case of incorrect processing, to object to an adverse result arising from analysis through automated systems, and to request compensation for damages incurred due to unlawful processing of personal data. By applying to our clinic with a petition, the rights described above may be exercised.
Our clinic carries out personal data processing activities through the use of security cameras and recording images at guest entrances and exits. Within this scope, our clinic acts in accordance with the Personal Data Protection Law and security legislation.
Only authorized employees and/or employees of the supplier company have access to records recorded and stored in digital environments. Camera recordings are stored for 2 months.
This Policy shall be deemed to have entered into force after it is published on the website.