1. PURPOSE and SCOPE
Personal data security is undoubtedly the most important subject of the recent global legal regulations in the field of fundamental rights and freedoms. A Regulation that entered into force in 2016 in the EU in the field of confidentiality/privacy of personal information owned by each individual, regardless of their legal or social status, has also affected our country, which is in the process of membership negotiations. As a result, the issue of personal data in our country was first constitutionally secured by the Referendum in 2010, and then the Law No. 6698 on the Protection of Personal Data was adopted in 2016.
As Taylanakgun.com (or “Muayenehane”), we attach importance to the protection of personal data, sensitive personal data and confidential information that we process. For this reason, as Muayenehane and as Data Controller, we apply adequate, measured and necessary administrative and technical measures to process such data and information in accordance with the Law on the Protection of Personal Data No. 6698 (“Law”) by using, recording, storing, updating, transferring and / or classifying such data and information limited to our business purposes, as described in this policy document.
This Privacy Policy covers the information and data processed by the Muayenehane in all data processing media and tools, on-site or remotely, physical or electronic. The Privacy Policy covers all means of providing visibility, control and assurance, such as all layered disclosure texts, disclosure texts, policies and guidelines produced by the Practice.
2. BASIC CONCEPTS
- Explicit consent: Consent on a specific subject, based on information and expressed with free will
- Anonymisation: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data
- Relevant person: The natural person whose personal data is processed
- Relevant user: Natural or legal persons who process personal data within the organisation of the data controller or in accordance with the authorisation and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data
- Personal data: Any information relating to an identified or identifiable natural person
- Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system
- Officer: The responsible person who is established within the practice in accordance with the “Directive on the Duties and Responsibilities of the KVK Officer”, who has duties such as monitoring all personal data processes carried out by the Practice, its units and employees, checking whether the policies are complied with, and carrying out personal data processes on behalf of the Practice
- Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data
- Data processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller
- Data recording system: The recording system in which personal data are structured and processed according to certain criteria
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
3. IDENTITY OF THE DATA CONTROLLER
The Muayenehane has the status of “Data Controller” against all natural persons with whom it contacts and processes personal data while carrying out its corporate activities and is obliged to fulfil the obligations arising from the law. The Muayenehane fulfils these obligations through the visibility, control and assurance tools it produces and implements, and through administrative measures and technical measures at an appropriate and measured level.
4. DATA SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED
The practice generally and intensively processes the data of the data subjects within the scope of this Privacy Policy and other administrative and technical measures. In the processing of personal data of natural persons outside these categories, the data processing policies of the Muayenehane, especially this Privacy Policy, will be complied with. The categories of natural persons whose personal data are being processed are as follows:
OTHER (INTERNET SITE VISITOR), OTHER (PATIENT), OTHER (PATIENT RELATIVE), EMPLOYEE, SUPPLIER (AUTHORISED), SUPPLIER EMPLOYEE, PARENT / GUARDIAN / REPRESENTATIVE
5. PURPOSES OF PROCESSING PERSONAL DATA
The personal data belonging to the persons concerned are processed by the practice, completely and directly related to the activities of the practice and the commercial, business or legal connection with the person concerned, for the following purposes:
a. GENERAL PURPOSES
Execution of Communication Activities, Execution / Supervision of Business Activities, Fulfilment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Storage and Archive Activities, Execution of Contract Processes, Planning of Human Resources Processes, Execution of Finance and Accounting Affairs, Execution of Goods / Service Procurement Processes, Execution of Activities in accordance with Legislation
b. SPECIAL PURPOSES
Operating Websites, Informing Interested Persons, Communicating through Electronic Channels, Organising Forms on Websites, Processing Website Cookie Records, Paying Salaries, Creating and Storing Personnel Files, Executing Resignation / Retirement Procedures, Accessing and controlling information on electronic media belonging to users, Execution of Employees’ Leave Procedures, Execution of Severance and Notice Indemnity Procedures, Fulfilment of Recruitment Processes, Fulfilment of SSI Obligations, Placing Orders, Conducting Market Price Research and Obtaining Quotations, Managing Appointments, Creating Patient Files, Preparing Self-Employment Receipts, Making Collections, Performing Patient Treatment, Preparing Prescriptions, Providing Health Services
6. CATEGORIES OF PERSONAL DATA PROCESSED and LEGAL REASONS FOR PROCESSING
Your personal data may be processed primarily based on the condition of “explicit consent” as stated in Article 5 of the Law. It may also be processed “without seeking explicit consent” on the basis of the following legal grounds mentioned in the same article:
- Being explicitly stipulated by law,
- Fulfilment of the requirements of the contract to which you are a party, based on the legal reason of “establishment or performance of the contract”,
- Fulfilment of legal obligations stipulated in the relevant legislation, such as responding to the requests of courts and public institutions and organisations requesting information-documents, based on the legal reason that “the data controller can fulfil its legal obligation”,
- Having been publicised by the person concerned himself,
- To be a means of proof in possible disputes based on the legal reason of “establishment, use or protection of a right”, to receive legal counselling and technical support,
- Data processing being mandatory for the “legitimate interests” of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
The categories of data of each data subject person group and the other legal grounds for processing their data are listed below.
6.1 OTHER (INTERNET SITE VISITOR) DATA
As a medical practice, we process their general personal data such as Transaction Security, Identity, Contact and special categories of personal data such as Health Information within the scope of the activities listed below and on legal grounds.
6.1.1 Legal Grounds
1- Law No. 6698 on the Protection of Personal Data Art. 5/f (Legitimate Interest)
6.2 OTHER (PATIENT) DATA
As a medical practice, we process their general personal data such as Identity, Contact, Location, Finance, Other Information and special categories of personal data such as Health Information within the scope of the activities listed below and on legal grounds.
6.2.1 Legal grounds
1- Law No. 6698 on the Protection of Personal Data Art. 5/f (Legitimate Interest)
2- Regulation on Personal Health Data
3- Regulation on Private Health Institutions for Outpatient Diagnosis and Treatment
4- Code of Ethics of the Medical Profession
5- Tax Procedure Law No. 213
6- Turkish Commercial Code No. 6102
7- Article 5/ç of the Law No. 6698 on the Protection of Personal Data (Legal Obligation)
6.3 OTHER (PATIENT RELATIVES) DATA
As a medical practice, we process their general personal data such as Identity, Contact, Location, Finance and special categories of personal data such as Health Information within the scope of the activities listed below and on legal grounds.
6.3.1 Legal Grounds
1- Law No. 6698 on the Protection of Personal Data Art. 5/f (Legitimate Interest)
2- Regulation on Personal Health Data
3- Regulation on Private Health Institutions for Outpatient Diagnosis and Treatment
4- Code of Ethics of the Medical Profession
5- Tax Procedure Law No. 213
6- Turkish Code of Obligations No. 6098
6.4 EMPLOYEE DATA
As a medical practice, we process their general personal data such as Identity, Contact, Customer Transaction, Personnel, Other Information, Legal Transaction, Finance, Professional Experience, Visual and Auditory Records and special categories of personal data such as Philosophical Belief, Religion, Sect and Other Beliefs, Health Information within the scope of the activities listed below and on legal grounds.
6.4.1 Legal grounds
1- Law No. 6698 on the Protection of Personal Data Art. 5/f (Legitimate Interest)
2- Law No. 6698 on the Protection of Personal Data Art. 5/c (Establishment and Execution of the Contract)
3- Regulation on the Payment of Wages, Premiums, Bonuses and All kinds of Remuneration of this Nature through Banks
4- Labour Law No. 4857
5- Social Security and General Health Insurance Law No. 5510
6- Turkish Code of Obligations No. 6098
7- Regulation on Social Insurance Transactions
6.5 SUPPLIER (AUTHORISED) DATA
As a medical practice, we process general personal data such as Identity, Contact and special categories of personal data of these persons within the scope of the activities listed below and on legal grounds.
6.5.1 Legal Grounds
1- Turkish Code of Obligations numbered 6098
2- Law No. 6698 on the Protection of Personal Data Art. 5/f (Legitimate Interest)
6.6 SUPPLIER EMPLOYEE DATA
As a medical practice, we process general personal data such as Identity, Contact and special categories of personal data of these persons within the scope of the activities listed below and on legal grounds.
6.6.1 Legal Grounds
1- Turkish Code of Obligations numbered 6098
2- Law No. 6698 on the Protection of Personal Data Art. 5/f (Legitimate Interest)
6.7 PARENT / GUARDIAN / REPRESENTATIVE DATA
As a medical practice, we process general personal data such as Identity, Finance and special categories of personal data of these persons within the scope of the activities listed below and on legal grounds.
6.7.1 Legal Grounds
1- Law No. 6698 on the Protection of Personal Data Art. 5/f (Legitimate Interest)
7. RIGHTS OF THE PERSON CONCERNED
The practice recognises that, within the scope of Article 11 of the Law, the consent of the data subject is to be obtained before the data is processed, and that the data subject has the right to determine the fate of the data after the data is processed.
In this sense, the persons concerned can exercise the following rights by applying to the Contact Person:
- To learn whether their personal data is being processed or not,
- To request information if personal data has been processed,
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing,
- To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
- To request notification of the transactions made pursuant to Articles (5) and (6) to third parties to whom personal data are transferred,
- To object to the occurrence of a result to their detriment by analysing the processed data exclusively through automated systems,
- To request compensation for the damage in case they suffer damage due to unlawful processing of personal data.
On the other hand, individuals do not have any rights regarding anonymised data within the Practice. Personal data may be shared with the relevant institutions and organisations in the event that a legal authority is exercised by the judicial or public authority as required by the business and contractual relationship.
Requests within the scope of the aforementioned rights are made by filling out the Practice Application Form completely and sending it to the Contact Person with your wet signature by registered letter with return receipt and photocopies of your identity card (only the front side photocopy for the identity card). You can take a look at the Clarification Text on Personal Data Applications regarding the application process.
8. BASIC RULES TO BE FOLLOWED IN THE PROCESSING OF PERSONAL DATA
The practice units and their employees shall pay attention to the following basic rules, on which the Privacy Policy and other corporate policies are built, when processing the personal data of the data subjects.
- Compliance with the law and honesty rules: The practice checks and inquires whether the personal data collected by itself or shared with it by other parties fulfil the conditions specified in the Law, such as informing the data subject and obtaining the explicit consent of the data subject for the processing of data where necessary. It acts in accordance with the rules of honesty while responding to the applications of the relevant persons for disclosure, obtaining their explicit consent or for information.
- Being accurate and up-to-date when necessary: The practice tries to ensure that the personal data it processes and keeps in its databases contain accurate information as much as the control mechanisms allow. It takes care to keep the data up to date as much as possible. It encourages data sources to share accurate information and update in case of changes. It pays attention to check that the data are accurate and up-to-date during the collection phase.
- Processing for specific, explicit and legitimate purposes: The Practice only processes personal data for the specific, explicit and legitimate purposes set out in this Privacy Policy.
- Being relevant, limited and proportionate to the purpose for which they are processed: The practice takes care not to process personal data for any purpose other than the purpose for which they are processed, and when such a need arises, to inform the person concerned and to obtain his/her explicit consent when necessary. It uses the data only for the purpose for which they are processed and to the extent required by the service. It does not process, use or have data used for purposes other than business purposes. When it is necessary to process personal data for another purpose, it is ensured that corrections are made in the relevant compliance tools and control tools under the supervision and approval of the Officer.
- Duration Commitment: The practice takes care to keep personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed. It retains personal data arising from the contract for as long as the dispute periods in the relevant Laws and the requirements of commercial and tax law demand. However, when these purposes disappear, the Practice deletes or anonymises the personal data. The retention period for each category of data is determined in the Personal Data Inventory.
- Data Minimisation: The practice, its units and employees collect data in the categories relevant to the purpose, in the amount required by the purpose of processing, except for the scope and periods required by laws and relevant legislation, and take care to process them in their systems as long as necessary.
- Deletion and Destruction: The practice keeps the personal data it processes for the periods limited to the periods stipulated in the relevant field legislation such as laws, social security, debts, tax and commercial law and/or for the periods required by the purpose of processing. In the event that these periods expire, it deletes, destroys or anonymises the expired personal data in accordance with the Personal Data Retention, Deletion, Destruction and Transfer Policy and under the permission and supervision of the Officer.
- Confidentiality and Data Security: The practice pays attention to ensure general confidentiality rules and data security in all processes of processing, transferring and storing personal data, and transactions are carried out in accordance with the policy documents and rules established for this purpose. It takes necessary and sufficient administrative and technical measures, provided that they are proportionate.
9. TRANSFER OF PERSONAL DATA
As a medical practice, for the purposes listed below and in accordance with Articles 8 and 9 of the Law, we transfer personal data to the organisations with which we have a business relationship, and to domestic and foreign public and private institutions / organisations in the nature of service providers and solution partners whose administrative, legal and technical services we benefit from.
As a data controller, we carry out the necessary controls to the extent possible to ensure that the institutions and organisations with which we share data fulfil their obligations arising from the Law, and we secure the obligations of the parties with data transfer agreements.
9.1. Domestic Transfers
We share personal data with the following domestic data controllers and data processors.
1- With IT Companies, for the purposes of Operating Internet Services, Organising Forms on Websites, Processing Website Cookie Records,
2- With the Financial Advisor, for the purposes of carrying out activities in accordance with the legislation, carrying out financial and accounting affairs, and realising payments,
3- With the KVK Consultant, for the purposes of Receiving and Evaluating Suggestions for Improving Business Processes, Improving Service Quality, Processing Information,
4- For the purposes of notifying institutions and organisations for permission,
5- With the OHS Organisation, for the purposes of Execution of Occupational Health / Safety Activities
9.2. Transfers Abroad
The practice shares your personal data with the following service providers located abroad for the purposes of conducting our website, developing services, conducting office work and transactions, providing services to users and visitors, ensuring their satisfaction, meeting their expectations and establishing communication.
1- With Youtube (Google) for the purposes of Execution of Communication Activities, Processing of Website Cookie Records
2- For the purposes of Execution / Supervision of Business Activities, Realisation of Correspondence with Public / Private Sector, Execution of Communication Activities, Realisation of Patient Treatment, Managing Patient-Physician Relationship, with Hotmail (Microsoft) of origin
3- For the purposes of Execution of Communication Activities, Execution/Supervision of Business Activities, Realising the Treatment of the Patient, Managing the Patient-Physician Relationship, with WhatsApp of origin
4- For the purposes of Execution of Communication Activities, Processing of Website Cookie Records, with the US origin Automattic Inc.
5- For the purposes of Execution of Communication Activities, Processing of Website Cookie Records, with the US origin Google Inc.
You can access the privacy policies of each service provider from the following links:
1- Youtube (Google) Privacy Policy
2- Hotmail (Microsoft) Privacy Policy
3- WhatsApp Privacy Policy
4- Automattic Inc. Privacy Policy
5- Google Inc. Privacy Policy
10. AUDIT, APPLICATIONS AND DATA BREACH NOTIFICATIONS
The practice can have the necessary internal and external audits on the protection of personal data carried out.
The applications made by the relevant persons are answered by the Officer within 30 days at the latest, taking the opinion of the relevant unit.
When the practice is notified of any violation of personal data, the PDP Board shall be notified without delay and within 72 hours at the latest from the date of learning of this situation. It also informs the relevant parties and persons in the same way.
11. UPDATE
This policy document is updated when the conditions, tools, purposes and scope of personal data processing of the Muayenehane change and the parties with whom personal data are shared change. Updates made in each article are kept in a separate table.
12. RELATED TOOLS AND RESOURCES
12.1 Relevant Control and Assurance Instruments
- Personal Data Storage, Transfer, Deletion and Destruction Policy
- Clean Desk Clean Screen Policy
- Special Categories of Data Policy
- Data Subject Applications Directive
- Cookie Policy
- Layered Disclosure and Disclosure Texts
- Personal Data Inventory
- Data Transfer Agreements
- Data Processing Agreements
12.2 External Sources
- Law No. 6698 on the Protection of Personal Data
- KVKK Implementation Guide on the Law on the Protection of Personal Data
- KVKK Personal Data Breach Notification Form Guide
- KVKK Personal Data Security Guide (Technical and Administrative Measures)
- Guidance on the Considerations to be Considered in the Processing of Biometric Data
- Recommendations on Personal Data Protection in the Field of Artificial Intelligence