1. PURPOSE AND SCOPE OF THE POLICY

Data controller title: Prof. Dr. Yavuz Beşoğul 
Data controller address: İstinye University Hospital Medical Park, Çukurçeşme Cd. No:57 D:59, 34250 Gaziosmanpaşa/İstanbul

Data controller phone: (0530) 035 44 02
Data controller e-mail: ilkberuygur@hotmail.com

Data controller website: dryavuzbesogul.com

The data controller acts extremely sensitively in terms of protecting the sensitive personal data it processes.

This policy applies to the special categories of personal data obtained, as stated in paragraph (4) of Article 6 of the Law: "In the processing of special categories of personal data, it is also essential to take adequate measures determined by the Board." It has been prepared to explain the security measures taken pursuant to the provision and to determine the procedures and principles in this context.

2. DEFINITIONS

Among the legal and technical terms included in this Policy;

Explicit Consent: Consent regarding a specific issue, based on information and expressed with free will.
The Law is the Personal Data Protection Law No. 6698 dated 24.3.2016,
Recording environment: Any environment where personal data is processed, either fully or partially automatically or by non-automatic means, provided that it is part of any data recording system.
Personal Data of a Special Nature: Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data,
Processing of Personal Data Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. or any action performed on the data, such as preventing its use,
The Board refers to the Personal Data Protection Board,
Relevant Person: The real person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

expresses

3. PROCESSING OF SPECIAL PERSONAL DATA

3.1 Basic Principles Followed in the Processing of Special Personal Data

Special personal data are processed by taking all necessary administrative and technical measures in accordance with the Law and the principles specified in this Policy. In this context, special personal data;

It will be processed in accordance with the law and the rule of honesty,
It will be ensured that personal data is accurate and up-to-date when necessary,
It will be processed for specific, clear and legitimate purposes,
They will be used and disclosed in a limited and measured manner in connection with the legal purpose for which they are processed,
They will be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

3.2 Processing of Special Personal Data

Personal health data of patients are processed by our physicians who are under the obligation of confidentiality for the purpose of carrying out medical diagnosis, treatment and care services, health services and management in accordance with Article 6/3 of KVKK. These special personal health data are processed electronically and physically by personnel who are regularly given awareness training on KVKK and employed with a confidentiality agreement. 
Health reports obtained from personnel pursuant to the Occupational Health and Safety Law are processed in accordance with KVKK legislation.
The criminal record records of our healthcare professionals are processed based on the legal reason that it is clearly stipulated in the law for personnel employment certificate transactions.
The criminal record records of those who have not been issued a personnel employment certificate are informed and processed physically and electronically with their express consent based on their free will.
The clothing data of healthcare professionals working within our organization are processed based on the legal reason that it is clearly stipulated in the Laws specified in Article 6 of the Law.

Health, criminal conviction and security precaution data are obtained from personnel candidates with explicit consent, and the data of those whose job applications are rejected are immediately deleted.

4. PURPOSES OF PROCESSING SPECIAL PERSONAL DATA

The Center processes personal data for the purposes listed below, in accordance with the basic principles set out in Article 4 of the Law, and based on at least one of the conditions for processing special personal data specified in Article 6 of the Law.

Conducting Emergency Management Processes
Carrying out the application processes of employee candidates
Fulfillment of Employment Contract and Legislation Obligations for Employees
Execution of Fringe Benefits and Benefits Processes for Employees
Conducting Activities in Compliance with Legislation
Follow-up and Execution of Legal Affairs
Planning Human Resources Processes
Carrying out Occupational Health / Safety Activities
Carrying out the Operational Processes of the Service
Carrying out storage and archive activities
Execution of Contract Processes
Ensuring the Security of Movable Goods and Resources
Ensuring the Security of Data Controller Operations
Providing Information to Authorized Persons, Institutions and Organizations
Protection of public health, provision of medical diagnosis, treatment and care services

5. TRANSFER OF SPECIAL PERSONAL DATA

5.1 Domestic Transfer

Personal health data of patients may be transferred to the third parties listed below.
In case of a legal dispute, upon request, to judicial authorities and party lawyers, limited to the requested personal data.
Identity and health information is transferred to the E-Nabız system in accordance with the Health Services Basic Law.
Identity, health and insurance information of those who receive service within the scope of private insurance are provided to private insurance companies.

Personal health data of the personnel are transferred to the third parties listed below.
Personal health, criminal conviction and security measures data obtained from job applicants with explicit consent are immediately deleted and destroyed if the job application is rejected.

5.2 Transfer Abroad

Processed sensitive personal data is not transferred abroad.

6. MEASURES TAKEN FOR THE PROTECTION OF SPECIAL PERSONAL DATA

7.1 Security Measures Taken

1- Our center has determined a systematic, clearly defined, manageable and sustainable separate policy and procedure for the security of special personal data,

2-For employees involved in the processing of special personal data,

a) Regular training is provided on the law and related regulations and special personal data security,

b) Confidentiality agreements have been made,

c) The authorization scope and duration of users who have access to data are clearly defined,

d) Authorization checks are carried out periodically,

e) The authorizations of employees who change their duties or leave their jobs in this area are immediately removed. In this context, the inventory allocated to the employee who left the job is returned,

3- If the environments where special personal data are processed, stored and/or accessed are electronic media;

 Security updates for the environments where data is stored are constantly monitored, necessary security tests are performed regularly and test results are recorded.

4- The physical environment where sensitive personal data is processed, stored and accessed;

a) Adequate security measures have been taken (against situations such as electricity leakage, fire, flood, theft, etc.) depending on the nature of the environment where sensitive personal data is stored,

b) Physical security of these environments is ensured and unauthorized entries and exits are prevented,

5- If special personal data will be transferred;

a) If the data must be transferred via e-mail, it is transferred encrypted using the corporate e-mail address or Registered Electronic Mail (KEP) account.

b) If data must be transferred via paper, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in the format of "confidential documents".

Also Administrative and Technical Measures Taken

Administrative Measures

Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
The signed contracts contain data security provisions.
Personal data is reduced as much as possible.
Internal Periodic and/or Random Audits are carried out or are carried out.
Risk Analyzes are made and reported.
KVKK provisions are added to texts such as employment contracts and disciplinary regulations.
Personal data security is monitored.
Confidentiality agreements are made with the recipient groups to whom data is transferred. 
Personal Data Processing Inventory has been prepared.
Deletion, destruction or anonymization operations are carried out periodically.

Technical Measures

Network security and application security are ensured.
Security measures are taken within the scope of supply, development and maintenance of information technology systems.
Up-to-date anti-virus systems are used.
Firewalls are used.
User account management and authorization control system is implemented and these are also monitored.

7 RIGHTS OF RELATED PERSONS AND THE USE OF THESE RIGHTS

7.2 Rights of Relevant Persons

Learning whether personal data is processed or not,
Requesting information if personal data has been processed,
Learning the purpose of processing personal data and whether they are used for their intended purpose,
Requesting correction of personal data in case personal data has been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the law and other relevant legal provisions, and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
Request compensation for damage in case of damage due to unlawful processing of personal data.

7.3 Exercising the Rights of the Relevant Person

Personal data owners,

From our clinic whose address is written above.
From our website mentioned above  

You must fill out the Data Owner Application Form and send it by hand, by mail or through a notary, to the address of the data controller specified above, or to our e-mail address above, via your e-mail address that you have previously notified us and registered in our system.

7.4 Responding to Applications

If the relevant person submits his request regarding the rights listed above and mentioned in Article 11 of the Law to us in accordance with the procedure, the relevant request will be finalized free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

8 COORDINATION OF PERSONAL DATA PROTECTION AND PROCESSING PROCESSES

The coordination of the processing and protection of special personal data is carried out by the company manager or the personnel assigned by him.

9 UPDATES TO THE POLICY

Changes may be made to this Policy on the Processing of Special Personal Data due to changes in legislation, in accordance with the Board decisions or in line with developments in the sector or the field of informatics. Changes made in this context are immediately recorded in the text and explanations regarding the changes are added to the updates table below.

Updates Table

…………………………………. The Processing and Protection of Special Personal Data Policy has entered into force.

Click to Download Special Personal Data Processing Policy