It is of great importance for the data controller. This Personal Data Processing and Protection Policy (“Policy”) has been prepared in order to ensure that personal data processing activities comply with the Personal Data Protection Law No. 6698 and the regulations, circulars and directives issued within the scope of this law, and to harmonize the company as a whole with the KVKK legislation. In addition, this Policy determines the procedures and principles of personal data processing, storage and security.
2. DEFINITIONS
The legal and technical terms included in this Policy have the following meanings:
Explicit Consent
Consent regarding a specific subject, based on information and expressed with free will,
Related User
Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
Destruction
Deletion, destruction or anonymization of personal data,
Law
Personal Data Protection Law No. 6698 dated 24.3.2016,
Recording Media
Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system,
Personal Data
Any information regarding an identified or identifiable natural person,
Personal Data Processing
Any action performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, using or blocking personal data, by fully or partially automatic or non-automatic means provided that it is part of any data recording system,
Personal Data Deletion
Deletion of personal data; making personal data inaccessible and unusable in any way for Relevant Users,
Personal Data Destruction
The process of making personal data inaccessible, irretrievable and non-reusable by anyone,
Board
Personal Data Protection Board,
Special Qualified Personal Data
Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data,
Periodic Destruction
In case all the conditions for processing personal data specified in the law are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals,
Relevant Person / Data Owner
The real person whose personal data is processed,
Data Controller
The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
3. PROCESSING OF PERSONAL DATA
3.1 Basic Principles Followed in the Processing of Personal Data
Personal data will be processed in accordance with the basic principles specified in the law. In this context, personal data:
Will be processed in accordance with the law and the rule of honesty.
Will be kept accurate and updated when necessary.
Will be processed for specific, explicit and legitimate purposes.
Will be used and disclosed in a limited and measured manner in connection with the legal purpose for which they are processed.
Will be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
3.2 Conditions for Processing Personal Data
Personal data that are not of special nature may be processed in the presence of at least one of the following legal reasons or by obtaining the explicit consent of the relevant person.
It is clearly stipulated in the law
Processing of the data of the parties is necessary for the performance of the contract
It is mandatory for the data controller to fulfill its legal obligation
Data processing is mandatory for the establishment, exercise or protection of a right
Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
3.3 Processing of Special Personal Data
The procedures and principles to be followed when processing special personal data are explained in detail in the Processing of Special Personal Data Policy prepared and published by our company.
The Policy on Processing of Special Personal Data is available on our website: https://dryavuzbesogul.com/
3.4 Disclosure of the Personal Data Owner
Relevant persons are informed in accordance with the Law. In this context, relevant persons are informed about the identity of the data controller, the purposes for which personal data will be processed, to whom it will be transferred, the method by which it is collected, the legal reason and the following rights of the relevant person.
Rights of Relevant Persons;
Learning whether personal data is processed or not,
Requesting information if personal data has been processed,
Learning the purpose of processing personal data and whether they are used for their intended purpose,
Knowing the third parties to whom personal data is transferred at home or abroad,
Requesting correction of personal data if they are incomplete or incorrectly processed,
Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
Requesting updates or deletions regarding personal data to be notified to transferred third parties,
Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
Requesting compensation for damage in case of damage due to illegal processing of personal data
To exercise your rights listed above, you must fill out the Data Owner Application Form completely. You can obtain the form from our clinic, whose address is written above, or from our website mentioned above. You must send the completed form with a wet signature to the clinic address by hand, by mail or via a notary public, or to our e-mail address above via the e-mail address that you have previously notified us of and that is registered in our system.
Applications made as stated above will be responded to free of charge as soon as possible and within 30 (thirty) days at the latest. However, if the transaction subject to your request causes an additional cost, the Clinic will charge the fee at the tariff determined by the Personal Data Protection Board.
4. PURPOSES OF PROCESSING PERSONAL DATA
Personal data is processed, limited to the purposes listed below, in accordance with the basic principles set out in Article 4 of the Law and based on at least one of the processing conditions of personal data and special personal data specified in Articles 5 and 6 of the Law.
Carrying out the application processes of employee candidates
Fulfillment of obligations arising from employment contracts and legislation for employees
Carrying out fringe benefits and benefits processes for employees
Carrying out activities in accordance with the legislation
Carrying out financial and accounting affairs
Ensuring physical space security
Follow-up and execution of legal affairs
Carrying out communication activities
Carrying out occupational health and safety activities
Execution of contract processes
Follow-up of requests and complaints
Ensuring the security of movable goods and resources
Providing information to authorized persons, institutions and organizations
Carrying out promotional activities
5. STORAGE PERIOD AND DESTRUCTION OF PERSONAL DATA
In accordance with the provisions of the Law and the Regulation on Deletion, Destruction or Anonymization of Personal Data, personal data are stored for the period necessary for the purpose for which they are processed and in accordance with the periods stipulated in the legal legislation governing the relevant activity.
First of all, it is determined whether the relevant legislation provides for a period of storage of personal data. If a period is specified in the legislation, the data is stored until the end of this period; if there is no legal period, it is stored for the period necessary for the purpose for which it is processed.
The storage periods determined separately for each category of personal data in accordance with the specified criteria are shown in the table below. Personal data is destroyed by the specified destruction methods within six-month periodic destruction periods starting from the end of these periods, or within thirty days at the latest if the relevant person applies.
Storage periods of personal data;
| PROCESSED DATA | CONTACT CATEGORY | STORAGE PERIOD |
|---|---|---|
| ID information | Worker | 15 years after termination of active employment relationship |
| | Employee Candidate | It will not be stored if the job application is rejected. |
| | Patient | 20 years from the end of treatment |
| | Companion | During service |
| | Real Persons Providing Outside Services | 10 years from end of service |
| Contact information | Worker | 15 years after termination of active employment relationship |
| | Employee Candidate | It will not be stored if the job application is rejected. |
| | Patient | 20 years from the end of treatment |
| | Companion | During service |
| | Real Persons Providing Outside Services | 10 years from end of service |
| Personal Health Data | Worker | 15 years after termination of active employment relationship |
| | Employee Candidate | It will not be stored if the job application is rejected. |
| | Patient | 20 years from the end of treatment |
| Criminal Conviction and Security Measures Information | Worker | 15 years after termination of active employment relationship |
| | Employee Candidate | It will not be stored if the job application is rejected. |
| Personnel | Worker | 10 years after termination of active employment relationship |
| | Employee Candidate | It will not be stored if the job application is rejected. |
| Legal action | Employee and Patient | 10 years from the end of the legal process |
| Transaction Security | Employee and Patient | 2 years |
| Customer Transaction | Patient | 20 years |
| | Real Persons Providing Outside Services | 10 years from end of service |
| Finance | Patient | 20 years |
| | Worker | 10 years |
| Camera Recordings | For All Groups of People | 2 months |
| Professional experience | Worker | 10 years after termination of active employment relationship |
| | Employee Candidate | If the job application process is negative, it is not stored |
| Audiovisual Records | Worker | 15 years after termination of active employment relationship |
| | Patient | 20 years after treatment ends |
| | Employee Candidate | If the job application process is negative, it is not stored |
6. TRANSFER OF PERSONAL DATA
6.1 Transfer of Personal Data Domestically
Processed personal data may be transferred to the third parties listed below.
Personal data of our personnel;
In case of a legal dispute, upon request, to judicial authorities and party lawyers, limited to the requested personal data.
Identity and contact information are shared with an authorized financial advisor for the purpose of following up legal obligations.
Identity and financial information is sent to the contracted bank for salary payment.
Identity, contact, health, photograph, diploma and criminal conviction data are submitted to the district/provincial health directorate for the purpose of applying for a personnel work certificate.
Identity and title information is sent to the Health Personnel Tracking System within the Ministry of Health.
Identity information is submitted to the Social Security Institution for the purpose of employment declaration.
Identity and financial information must be submitted to the tax office for tax return.
Identity and family information must be submitted to the tax office for minimum subsistence allowance.
To the software company that is the developer of workplace computer programs for archiving purposes.
Personal data of patients receiving service;
In case of a legal dispute, upon request, to judicial authorities and party lawyers, limited to the requested personal data.
Identity, health and insurance information of those who receive service within the scope of private insurance are provided to private insurance companies.
Identity, contact, health and companion information will be sent to the health institution to be referred in case the patient is referred.
In accordance with the Private Hospitals Regulation, the software company that is the developer of the patient registration program for the purpose of archiving patient files
Personal data obtained from real persons providing services;
In case of legal dispute, judicial authorities and party lawyers upon request
Authorized financial advisor in accordance with legal obligations,
Contracted bank for payments
Software company that develops workplace computer programs for archiving
Personal data obtained from other groups of individuals;
In case of a legal dispute, it can be transferred to judicial authorities and party lawyers upon request.
7. PROTECTION OF PERSONAL DATA
As stated in Article 12 of the Law, our business takes the necessary technical and administrative measures to ensure the appropriate level of security, and carries out or has carried out the necessary inspections to implement the measures taken, in order to:
Prevent unlawful processing of personal data,
Prevent unlawful access to personal data,
Ensure the protection of personal data.
7.1 Measures Taken to Protect Personal Data
7.1.1 Administrative Measures
There are disciplinary regulations for employees that include data security provisions.
Training and awareness activities on data security are carried out for employees at regular intervals.
Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
Confidentiality commitments are made.
The signed contracts contain data security provisions.
Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly.
Personal data security is monitored.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
The security of environments containing personal data is ensured.
Personal data is reduced as much as possible.
Periodic and/or random audits are carried out within the institution.
Protocols and procedures for the security of special personal data have been determined and implemented.
If special personal data is to be sent via e-mail, it must be sent encrypted and using a KEP or corporate mail account.
The authorization scope and duration of users who are authorized to access sensitive personal data are clearly defined.
Inventory allocated to employees who change positions or leave their jobs is returned.
A personal data inventory has been prepared.
Deletion, destruction or anonymization processes are carried out periodically.
7.1.2 Technical Measures
Network security and application security are ensured.
Security measures are taken within the scope of supply, development and maintenance of information technology systems.
An authority matrix has been created for employees.
Access logs are kept regularly.
The authorities of employees who change their duties or leave their jobs in this area are removed.
Up-to-date anti-virus systems are used.
Firewalls are used.
User account management and authorization control system is implemented and these are also monitored.
Log records are kept without user intervention.
Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
Cyber security measures have been taken and their implementation is constantly monitored.
Special personal data transferred on portable memory, CD, DVD media is encrypted.
Periodic authorization checks are carried out for employees who have access to sensitive personal data.
Security updates for the environments where the data is stored are constantly monitored, necessary security tests are regularly performed or commissioned, and the test results are recorded.
Security tests of software that access sensitive personal data are carried out regularly and the test results are recorded.
A two-stage authentication system is used for remote access to sensitive personal data.
If personal health data is to be transferred between servers in different physical environments, the transfer is made by establishing a VPN between the servers or using sFTP methods.
For personal data stored in digital environment, periodic deletion, destruction or anonymization processes are carried out.
7.2 Precautions to be Taken in Case of Data Breach
If the personal data processed by our clinic/office is obtained by others through illegal means, our business will notify the data owner and the Board as soon as possible after learning of the violation.
Following the identification of the persons affected by the violation in question by our clinic/practice, the relevant persons will be notified directly at their contact addresses as soon as possible.
The violation notification to be made to the relevant person will include:
When the violation occurred,
Which personal data were affected by the breach,
Possible consequences of the violation,
Measures taken or proposed to be taken to reduce the effects of the violation,
The name and contact details of the contact person who will ensure that the relevant person receives information about the data breach.
8. RIGHTS OF PERSONAL DATA OWNERS AND THE USE OF THESE RIGHTS
8.1 Rights of Personal Data Owner
Personal data owners have the following rights:
Learning whether personal data is processed or not,
Requesting information if personal data has been processed,
Learning the purpose of processing personal data and whether they are used for their intended purpose,
Knowing the third parties to whom personal data is transferred at home or abroad,
Requesting correction of personal data in case personal data has been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the law and other relevant legal provisions, and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
Request compensation for damage in case of damage due to unlawful processing of personal data.
8.2 Exercise of Personal Data Owner's Rights
Personal data owners can exercise their rights listed above and listed in Article 11 of the Law by filling in the Data Owner Application Form, which they can obtain from our clinic, whose address is written above, or from our website dryavuzbesogul.com, signing it with a wet signature and delivering it by hand, by mail or through a notary to the address of the data controller specified above.
8.3 Responding to Applications
If the personal data owner submits his request regarding the rights listed above and in Article 11 of the Law to our Clinic in accordance with the procedure, the clinic will finalize the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
9. COORDINATION OF PERSONAL DATA PROTECTION AND PROCESSING PROCESSES
The data controller or authorized personnel coordinates the protection and processing of personal data.
10. UPDATES TO THE POLICY
Our clinic has the right to make changes to this Personal Data Processing and Protection Policy due to changes in legislation, in accordance with the Board decisions or in line with developments in the sector or the field of informatics. Changes made in this context are immediately recorded in the text and explanations regarding the changes are added to the updates table below.
Updates Table
Personal Data Processing and Protection Policy has entered into force.
11. FINAL PROVISIONS
This Personal Data Storage and Destruction Policy has been prepared by the data controller and has been announced and communicated to the relevant people:
In appropriate places within the business,
On our website dryavuzbesogul.com.