Personal Data Processing and Protection Policy


1. PURPOSE

The purpose of this policy is to provide clarification on the personal data processing activities and the systems adopted for the protection of personal data, carried out by our Company in accordance with Personal Data Protection Law No. 6698, of March 24, 2016, published in the Official Gazette of April 7, 2016, number 29677, as well as relevant legislation and decisions of regulatory bodies. This policy aims to ensure the regulation and supervision of processes within the organization involving the processing of personal data, to raise awareness about the lawful processing of personal data in the units involved in the processing of personal data, and to establish a sense of responsibility in this matter. In addition, it aims to promote transparency about our data processing processes by informing individuals whose personal data is processed by our Company, including, but not limited to, patients, family members of patients, job applicants, employees, former employees, authorities and employees of collaborating institutions.

2. SCOPE

This policy covers all personal data of patients, their family members, job applicants, employees, former employees, authorities, visitors, employees of various institutions/organizations such as the supply companies we collaborate with, shareholders, officials, and third parties, whether processed automatically or as part of any data recording system, within the scope of the activities carried out by our company.

Depending on the type of processing activity, the matters stated in this policy may apply to all of the groups listed above, or to only some of them (such as employees of the supplier company), wholly or partially.

3. RESPONSIBILITIES

All Company employees are responsible for the implementation of this procedure.

4. ABBREVIATIONS

PDPL: Personal Data Protection Law

5. DEFINITIONS

The terms used in this policy are used to express the following meanings, and in the event of a change in the relevant legislation or regulatory authority decisions regarding the terms defined in the legal regulations or decisions, or if a different term is used instead of the relevant term or a different meaning is attributed to it, our company will consider these terms in their modified form in the implementation of this policy without the need for further modification from the date the change comes into effect:

Express Consent: Consent on a particular subject, based on information and expressed with free will,

Anonymization: Rendering personal data incapable of being associated with a real person, so that it loses its character as personal data, in a way that cannot be undone (e.g. by techniques such as blackout, masking, aggregation, data corruption, etc.),

Application Form: “Relevant Person Request Application Form Pursuant to the Law on Protection of Personal Data No. 6698”, which will include the application to be made by the personal data subjects to exercise their rights, and which can be accessed on the website http://www.antalyadentsmile.com/ within the scope of the policy,

Employee Candidate: Real persons who have applied for a job or internship to our company by any means or have opened their resume and related information to our company’s inspection,

Destruction: Deletion, destruction or anonymization of personal data,

Institutions/organizations with which we cooperate: Employees, shareholders and officials, including shareholders and officials of these institutions, working in institutions (such as but not limited to business partners, suppliers) with which our company has any business relationship,

Business Partner: The parties with which our company partnered while carrying out its activities,

Processing of Personal Data: Any operation performed on personal data, whether by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system, including obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of data,

Personal Data: Any information relating to an identified or identifiable natural person. E.g. name-surname, ID number, mobile phone number, email, contact address etc.,

Relevant User (Data Subject): The natural person whose personal data is processed. E.g. patients, relatives, employees, visitors,

Personal Data Retention and Destruction Policy: The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization,

PDP Law: Protection of Personal Data Law No. 6698, dated March 24, 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677,

PDP Authority/Regulatory Authority: Personal Data Protection Authority,

Periodic Destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated,

Policy: Carelink Sağlık Turizmi Hizmetleri Tic. Ltd. Şti’s Policy on the Protection and Processing of Personal Data,

Sensitive Personal Data: Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,

Third Party: Natural persons whose personal data are processed within the scope of the policy, who are not defined differently within the scope of the policy (e.g. patient, patient relatives, etc.),

Data Processor: Real and legal persons who process personal data on behalf of the data controller, based on the authority given by the data controller,

Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system),

Visitor: Real persons who have entered the physical campus of our company for any purpose or visited our websites.

6. ACTIVITY PROCESS

6.1 BASIC PRINCIPLES OF PROCESSING PERSONAL DATA

In all personal data processing activities carried out within our company:

  • Personal data is processed in compliance with the law and the principles of honesty,
  • Personal data is kept accurate and updated when necessary,
  • Personal data is processed for specific, explicit and legitimate purposes,
  • Personal data is relevant, limited and proportionate to the purpose for which it is processed,
  • Personal data is kept for the period required by the relevant legislation or for the purpose for which it is processed,
  • The necessary administrative and technical measures are taken for the storage of personal data,
  • The necessary sensitivity is shown in line with the rules stipulated for the processing of sensitive personal data, which is under special protection due to its nature,
  • Personal data subjects are informed when required by the legislation, and their explicit consent is obtained when deemed necessary,
  • The necessary administrative and technical measures are taken in the transfer of personal data, and in this context the data processing of the third parties to whom the transfer is made is supervised in accordance with the relevant legislation and regulatory agency decisions.

We implement the principles stated in the law in accordance with all the terms and conditions stipulated in the legislation in force and the general principles of the law.

6.2 LEGAL REASONS FOR PROCESSING PERSONAL DATA

In accordance with Article 20 of the Constitution and Article 5 of the PDP Law No. 6698, our company's processing of personal data is based on one or several of the following conditions specified in Article 5/2 of the PDP Law, which vary depending on the nature of the personal data processed and the data processing process.

  • When it is expressly provided for in the law,
  • When it is necessary for the protection of the data subject’s or another person’s life or physical integrity, who is unable to express their consent due to actual impossibility or whose consent is not legally valid,
  • When it is necessary for the establishment or performance of a contract, provided that it is directly related to the parties to the contract, and the processing pertains to personal data of the parties to the contract,
  • When it is necessary for the data controller to fulfill its legal obligation,
  • When the data subject has made the data public themselves,
  • When it is necessary for the establishment, exercise, or protection of a legal right,
  • When it is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

If personal data processing is not covered by the situations specified in the law, the data controller evaluates it as necessary and proportionate and obtains explicit consent.

In cases where the processed personal data is sensitive personal data, in accordance with Article 6 of the Law, if there is no regulation provided for in the laws; personal data can only be processed within the scope of the Explicit Consent of the data subject, with due regard to necessity and proportionality principles, when it cannot be processed in compliance with the conditions of processing by individuals or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, conducting medical diagnosis, treatment, and care services, as well as planning and managing healthcare services and financing.

6.3 ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

Article 12 of the PDP Law imposes obligations on the data controller to take all necessary technical and administrative measures to establish the appropriate level of security in order to:

  • Prevent the unlawful processing of personal data,
  • Prevent unlawful access to personal data,
  • Ensure the preservation of personal data.

In accordance with the obligations specified in this article of the said law, our company takes the necessary legal, technical, and administrative measures to ensure the security of personal data that is the subject of processing activities.

6.3.1 Our company takes technical and administrative measures, including technological possibilities, to ensure the lawful processing of personal data. Employees are informed that they cannot disclose personal data to others in violation of the provisions clearly stated in Law No. 6698 on the Protection of Personal Data, they cannot use it for purposes other than processing, they should not leave personal data accessible to others, and these obligations will continue after their departure, and commitments are obtained from them accordingly.

6.3.2 Our company places particular emphasis on protecting “sensitive” personal data, as defined by Law No. 6698 on the Protection of Personal Data and ensures that they are processed in compliance with legal regulations. In this context, the technical and administrative measures taken by our company for the protection of personal data are carefully applied to sensitive personal data, and necessary audits are conducted.

6.3.3 Our company takes technical and administrative measures, within technological capabilities, to prevent the unlawful disclosure, access, transfer, or any other form of unauthorized access to protected data. Our company enters into contracts with data processors, such as business partners and suppliers, to prevent the unlawful processing of personal data, prevent unauthorized access to data, and ensure the lawful preservation of data.

6.3.4 To ensure compliance with relevant legislation and regulatory authority decisions and to facilitate audits and maintain ongoing compliance, our company has established a Data Protection Team within its organization to oversee and audit personal data processing activities.

6.3.5 Our company takes the necessary technical and administrative measures, including technological possibilities, to store personal data in secure environments and prevent their destruction, loss, or alteration for unlawful purposes.

6.3.6 In accordance with Article 12 of the PDP Law, our company conducts necessary audits through the established team or third parties. The results of these audits are reported to the Data Controller within the scope of the company’s internal processes, and new measures are taken or activities are carried out to improve existing measures within the framework of recommendations and instructions.

6.3.7 Our company has also established a personal data retention and disposal policy in accordance with Article 7 of the PDP Law and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette dated 28.10.2017 and numbered 30224.

6.4 INFORMING AND CLARIFYING THE PERSONAL DATA SUBJECT

Our company ensures that the relevant persons are informed in accordance with Article 10 of the PDP Law and Article 4 of the “Regulation on Procedures and Principles to be Followed in Fulfilling the Obligation to Inform”. In the clarification given, the following issues are included in the related articles:

  • The identity of our company, which is the data controller,
  • For what purpose we process/can process personal data,
  • To whom and for what purpose we may transfer personal data,
  • Our personal data collection methods and legal reasons,
  • The Data Subject’s other rights, listed in Article 11 of the Law and 4.6 of this policy.

In accordance with Article 10 of the PDP Law No. 6698, and in compliance with Article 6 of the Regulation on Procedures and Principles to be Followed in Fulfilling the Obligation to Inform when personal data is not obtained from the Data Subject during the collection of personal data:

  • Within the legally determined period from the acquisition of personal data,
  • When personal data will be used for communication purposes, at the time of first contact,
  • When personal data will be transferred, at the time of the first transfer of personal data,

the obligation to inform is fulfilled.

6.5 TRANSFERRING PERSONAL DATA

Our company, in accordance with the law, can transfer the personal data and sensitive personal data of the Data Subject to third parties by taking necessary security measures within the scope of its personal data processing purposes. In this regard, compliance is maintained with the regulations stipulated in Article 8 of the PDP Law. When transferring personal data abroad, the appropriate method determined by the Personal Data Protection Board is used. In this context, compliance is ensured with the regulations stipulated in Article 9 of the PDP Law.

6.6 SUPERVISING THE DATA SUBJECT’S RIGHTS; EVALUATION OF THE DATA SUBJECT’S REQUESTS

Article 11 of the PDP Law regulates the rights of the data subject, and the following rights can be exercised by applying to the data controller:

  • Learning whether personal data is being processed,
  • Requesting information if personal data has been processed,
  • Learning the purpose of processing personal data and whether they are used in accordance with that purpose,
  • Knowing the third parties to whom personal data are transferred domestically or abroad,
  • Requesting the correction of personal data in case they are incomplete or inaccurate,
  • Requesting the deletion or destruction of personal data within the framework of the conditions specified in Article 7 of the PDP Law (even if they have been processed in accordance with the PDP Law and other relevant legal provisions, in case the reasons requiring their processing no longer exist due to compelling reasons),
  • Requesting the notification of the transactions carried out in accordance with paragraphs (d) and (e) to third parties to whom personal data have been transferred,
  • Objecting to a result that is against the data subject’s interests arising from the analysis of personal data solely through automated systems,
  • Requesting the compensation of damages in case of suffering harm due to the unlawful processing of personal data.

In order to evaluate the requests to be sent to our company by the Data Subject and to provide the necessary information to the Data Subject, the necessary team has been formed in accordance with Article 13 of the PDP Law and the necessary legal, administrative and technical regulations are carried out by this Team.

The inquiry methods foreseen for the Data Subject within the scope of this article are defined as follows:

  • The Data Owner can submit a signed copy of the request application form in person or through an authorized representative with a special power of attorney to the address “Carelink Sağlık Turizmi Hizmetleri Tic. Ltd. Şti, Arapsuyu Mah. Atatürk Blv. No: 47/41 Konyaaltı, Antalya/Turkey”,
  • The Data Owner can send a signed copy of the request application form by registered mail to the address “Carelink Sağlık Turizmi Hizmetleri Tic. Ltd. Şti, Arapsuyu Mah. Atatürk Blv. No: 47/41 Konyaaltı, Antalya/Turkey”,
  • The data subject can send a signed copy of the request application form to [email protected] by electronic signature,
  • The data subject can send a signed copy of the request application form to [email protected] via email.

For the application methods outlined here to be utilized, the applicant must provide their identity documents to our company through the preferred method. In addition, the application documents have been announced on our company’s website http://www.antalyadentsmile.com/ and made available to the data subjects.

In this context, the procedure that our company will follow for a received request is as follows:

In compliance with legal regulations, requests submitted to our company by the data subjects through one of the methods outlined above will be evaluated based on the nature of the request. Within the time frame specified in the law and no later than 30 (thirty) days, a response will be provided to the requester regarding the request, free of charge.

If it is understood that the process requires an additional cost, the requester will be promptly informed of this situation and notified that, from that point on, the requester is required to cover this cost, taking into account the current tariff published by the PDP Authority.

6.7 DESTRUCTION OF PERSONAL DATA

In accordance with the legal grounds specified in Article 6.2 of this policy, if the conditions for the processing of personal data no longer exist specifically for that personal data, it will be deleted, destroyed, or anonymized, either ex officio or upon the request of the data subject (Data Owner).

The deletion, destruction, or anonymization of personal data is carried out in accordance with the fundamental principles stated in Article 6.1 of this policy, the technical and administrative measures required for the protection of this personal data, relevant legal regulations, decisions of the PDP Board, and the “Personal Data Storage and Destruction Policy.”

In the case that data covered by this article has been transferred to third parties at any time, these third parties will also be informed about the transaction, ensuring that they take the necessary actions.

6.8 METHOD

6.8.1 IMPLEMENTATION OF POLICY AND LEGISLATION

In the personal data processing activities carried out by our company, priority is given to the provisions of the current legislation and, to the extent applicable, regulatory authority decisions. In the event of any inconsistency between the provisions outlined in this policy and the applicable regulations or decisions, the rules that are most favorable to the data subjects will be taken into consideration.

6.8.2 EFFECTIVE DATE

This policy, issued by our company, entered into effect on 01.01.2023. If some articles in this policy are changed partially or completely, the relevant amendment will enter into force on the date of the publication of the change.