Sensitive Personal Data Processing and Protection Policy

Home » Sensitive Personal Data Processing and Protection Policy

SCOPE

This Summary of Sensitive Personal Data Management Policy covers all departments, employees and 3rd party companies and employees within the body of “Carelink Sağlık Turizm Hizmetleri Tic. Ltd. Şti” (“Carelink”) that processes all personal data.

This Policy; by defining the rules for the security of Carelink’s sensitive personal data, will cover all activities that will provide management in this area and will be implemented at every step of the process.

This Policy will not be applied to all data that is not Sensitive Personal Data.

In the event that the Legislation is determined or the relevant legislation is updated, Carelink will ensure that this policy is updated to comply with the relevant legislation, and compliance with the requirements will be ensured.

In cases where it is believed that there is a legal obstacle in the implementation of this Policy by “Carelink”, “Carelink” will be able to re-determine this Policy in consultation with a senior management if it deems necessary.

DEFINITIONS

LawPersonal Data Protection Law No. 6698
RegulationRegulation on the Deletion, Destruction or Anonymization of Personal Data
Relevant DecisionThe decision of the PDPL Board dated 31/01/2018 and numbered 2018/10 regarding the “Adequate Precautions to be Taken by Data Controllers in the Processing of Sensitive Personal Data”.
BoardPersonal Data Protection Board
Recording MediumsThe is the name given to any environment where personal data is processed, either fully or partially automatically or by non-automatic means, provided that it is part of any data recording system.
Personal DataAll kinds of information related to an identified or identifiable natural person and includes all situations that enable the identification of the person as a result of carrying concrete content expressing the physical, economic, cultural, social or psychological identity of the person or associating it with any record such as identity, tax number.
Personal Data Processing InventoryThe inventory that creates and details the personal data processing activities carried out by data controllers depending on their business processes, the purposes of processing personal data, the data category, the transferred recipient group and the data subject by associating them with the person group.
Sensitive Personal Data  Sensitive Personal Data specified in this law are data that carry the risk of causing discrimination against their owners if processed.
RegistryThe Registry of Data Controllers maintained by the Presidency.
Data Recording SystemA recording system in which personal data is processed and structured according to certain criteria.
Data ControllerThe natural or legal person who determines the purposes and rules of processing personal data and is responsible for the establishment and management of the data recording system.
Recipient GroupThe category of natural or legal persons to whom personal data is transferred by the data controller.
Relevant UserThe person responsible for the technical storage, protection and backup of the data or the persons who process the data in line with the authorization and instruction from the data controller.

The definitions in the Personal Data Protection and Processing Policy, the Storage Disposal Policy and other policies created within the body of “Carelink” are valid in this policy.

PURPOSE

This Policy will determine the essentials and be applied to the real and legal persons who are responsible for the “Conditions for Processing Sensitive Personal Data” in the Regulation created in accordance with the 6th article of the PDP Law and must be complied with by “Carelink” and “Carelink” contractually responsible third parties.

In accordance with the decision of the PDPL Board (Published in the Official Gazette on 07/02/2018) dated 31/01/2018, “Carelink” is a Data Controller with an obligation to register in the Data Controllers Registry. Therefore, it is obliged to process the Personal Data under its responsibility in compliance with the Personal Data Processing Inventory, to store them, define rules for ensuring the security of said data, and prepare a policy encompassing all activities to be provided by senior management in line with this policy.

The following rules will apply to the storage and destruction of personal data:

  • The general principles in Article 4 of the PDP Law will be followed.
  • “Carelink” acknowledges, declares, and commits to complying with the security measures stipulated in Article 12 of the PDP Law, as well as the provisions in relevant legislation, decisions of the PDP Board, administrative and technical measures as specified in the data security guidelines when storing, deleting, disposing of, or anonymizing personal data, in accordance with the Policy.
  • “Carelink” acknowledges that by preparing this Policy, it does not imply that personal data is deleted, destroyed, or anonymized solely in accordance with the Personal Data Regulation, Relevant Legislation, and the Law.
  • “Carelink” acts in accordance with this Policy during the deletion, destruction or anonymization of personal data, which is fully or partially received by automatic means or processed by non-automatic means as part of any recording system.

RECORDING MEDIUMS

The environments specified below, which contain personal data, agree to include personal data in other media that may arise in addition to these, within the scope of the said Policy.

  • Computer/servers/mobile devices used on behalf of the company,
  • Storage areas of Computer/servers/mobile devices used on behalf of the company,
  • Magnetic Tape, Optical Disc, Micro Plug,
  • Network Devices,
  • USB Hard Disk, USB Memory,
  • Paper
  • Shared/non-shared drives for data storage and backup on the network.

SENSITIVE PERSONAL DATA

1. General Principles Regarding the Processing of Sensitive Personal Data

  • “Carelink” takes all kinds of administrative and technical measures regarding the safe storage of personal data, unlawful processing and blocking of access.
  • “Carelink” undertakes to process data in accordance with the manner specified in the PDP Law.
  • “Carelink”, in cases where there are no exceptions to the conditions for the processing of Sensitive Personal Data pursuant to Article 6, Paragraph 3 of the PDP Law;
  • “Carelink” stores Sensitive Personal Data, processes the said data within the knowledge of the PDPB team (if available, any legal unit) of “Carelink” on condition that it adheres to the legislation, on the condition that Explicit Consent is obtained.
    • Except for the exceptions specified in the PDP Law, it is forbidden to keep the personal data in question in cases where the explicit consent of the data subject is not obtained.

2. Sensitive Personal Data Processed by “Carelink”

  • Personal data related to health and sexual life can be processed without obtaining explicit consent from the Data Subject only by individuals or authorized institutions and organizations who are under the obligation of confidentiality for the purposes of Preventive Medicine, health services, Public Health Protection, medical diagnosis, treatment, and care services, as well as the planning and management of healthcare services and financing.
  • Special category personal data other than health and sexual life, such as a person’s ethnic origin, political opinions, race, sect, religion, philosophical beliefs, or other beliefs, membership in associations, foundations, or unions, clothing style, criminal convictions, and security-related data, as well as genetic and biometric data, can be processed without the explicit consent of the Data Subject in cases prescribed by law.
  • Personal data is processed by “Carelink” with the explicit consent of the Data Subject and is processed in the manner specified in the “General Principles of Data Processing” section of this Policy. Depending on the nature, type, and quality of the relationship between “Carelink” and the data subject, as well as the communication channels used and the purpose in question, these data may vary and diversify. These data are also specified in the Personal Data Inventory.

3. Purposes of Processing Sensitive Personal Data

Sensitive Personal data is processed within the scope of the purposes specified in the Personal Data Processing Inventory and can be stored for the periods stipulated by the relevant laws within the scope of these purposes.

4. Transfer of Sensitive Personal Data

  • “Carekink” transfers domestic and international data as stated in Articles 8 and 9 of the PDPL, within the framework of the purposes specified in the “Purposes of Processing of Sensitive Personal Data” section of the said Policy. The personal data in question can be processed and stored in the servers and electronic media used within this scope.
  • In the Personal Data Inventory prepared by “Carelink”, the parties to which data transfer is carried out are also specified. The nature of these data transfers and the shared parties vary depending on the type, nature and type of relationship between the Data Subject and “Carelink”, the purpose of the transfer and the relevant legal bases. In addition, other conditions are defined in the PDPL Privacy Policy, and the measures and actions specified here are valid.

In accordance with the decision of the Personal Data Protection Board dated 31/1/2018 published in the Official Gazette dated 07/03/2018, if “Carelink” is to transfer Sensitive Data;

  1. In case the data is transferred via email, it is transferred in encrypted form via the corporate email address or via Registered Electronic Mail,
  2. In case the data is transferred via media such as Portable USB Memory, CD, DVD, it is transferred using cryptographic methods,
  3. In case the data transfer is to be made between physical servers in different locations, data is transferred between these servers by VPN or SFTP style methods,
  4. If the data is transferred via paper media, the documents are transferred by converting them into confidential documents, taking into account the risks such as theft, loss or seizure of the said documents by unauthorized persons.

5. Elimination of Data Processing Conditions

  • “Carelink” is responsible for keeping Sensitive Personal Data Processing conditions up-to-date and shares this responsibility with all data processors.
  • “Carelink” employees cannot continue to process data when the data processing conditions are no longer valid.
  • “Carelink” accepts that the conditions for the processing of Sensitive Personal Data will be eliminated according to the list below and the situations specified in the regulation:
  • In the case when processing personal data is against the law and the principle of honesty,
    • In the case that the purposes that require the processing of personal data are eliminated,
    • In the case where the personal data processing takes place only in accordance with the conditions of Explicit Consent, and the data subject withdraws their Explicit Consent

In this context, the measures and the actions to be taken within this framework defined by “Carelink” in its Personal Data Storage and Destruction Policy will be valid.

6. Security of Sensitive Personal Data

In the processing of Sensitive Personal Data, it is essential to take adequate measures determined by the PDP Board. The security of Sensitive Personal Data has been determined as follows in accordance with the decision of the Personal Data Protection Board dated 31/1/2018 published in the Official Gazette on 07/03/2018.

  • Confidentiality agreements are made between the said Data Controller and the Employees,
  • Authorization scopes and durations of users who have access to data are defined,
  • Regular training and information is provided to employees on all matters related to laws, legislation and regulations regarding the processing of special personal data, and any decisions and guides to be published by the PDP Board,
  • Authorization Controls are carried out periodically,
  • In cases of change of duty or resignation, the existing authorizations in this area are checked and the authorizations are revoked, and those allocated to them by the data controller with the entitlement form are taken back in accordance with the relevant procedure.

If the environments where sensitive personal data are stored, processed and/or accessed are digital environments (electronic),

  • The security of all environments with personal data is ensured and necessary follow-ups are made for updates.

If the environments where Sensitive Personal Data are stored, processed and/or accessed are physical environments,

  • Unauthorized entry-exit to physical environments containing Sensitive Personal Data is prevented,
  • Adequate security measures (precautions against situations such as fire, flood, theft, electricity leakage, etc.) have been taken in accordance with the nature of the environments where Sensitive Personal Data is located.

This Policy will enter into force from the date of approval by the Data Controller “Carelink” and will be published in the relevant places. Necessary work will be done and put into effect by the necessary studies to put into effect the changes to be made in the policy.

In line with legislative changes, changes in a technical standard referred to, the actions and/or decisions of the Personal Data Protection Board and court decisions, “Carelink” reserves the right to review this Policy and, when necessary, to update, change or eliminate the Policy and create a new Policy.

“Carelink” will share the latest updated version of all the changes it has made on the Policy via email, written documents and/or corporate intranet and will make it available to its employees.

Policy Effective Date: 01/01/2023