PERSONAL DATA PROCESSING AND PROTECTION POLICY
1.1 Introduction
Op. Dr. Sedat Koyunsever’s Clinic (“Op. Dr. Sedat Koyunsever”) places utmost importance on the protection of personal data and fundamental rights and freedoms of individuals, primarily based on the privacy of private life as regulated in Article 20 of the Constitution. In this context, Op. Dr. Sedat Koyunsever is committed to ensuring the lawful protection and processing of personal data in accordance with the Personal Data Protection Law No. 6698 (“KVKK”) and the European Union General Data Protection Regulation (“GDPR”), and acts in accordance with this understanding in all planning and activities.
Ensuring the security of individuals’ personal data is a primary goal of Op. Dr. Sedat Koyunsever. Therefore, to ensure the safe processing of personal data and to prevent any unauthorized access or leakage, necessary security measures compliant with current legislation are taken by Op. Dr. Sedat Koyunsever.
1.2 Purpose of the Policy
The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to inform the owners of personal data about the obligations and procedures and principles to be followed by Op. Dr. Sedat Koyunsever in the protection and processing of personal data, which are processed entirely or partially automatically or non-automatically as part of any data recording system, in accordance with the purpose of KVKK and GDPR. In line with the purpose of the Policy, it is aimed to ensure full compliance with the legislation in the activities of protection and processing of personal data conducted by Op. Dr. Sedat Koyunsever and to protect the right to privacy and data security of personal data owners.
1.3 Scope of the Policy
This Policy is prepared for Patients/Consultants, Employees, Candidate Employees, and Visitors, provided that they are natural persons, and will be applied within the scope of these specified individuals. The purpose of publishing the provisions of this Policy within the clarification text on the websites of Op. Dr. Sedat Koyunsever is to inform data owners about the protection and processing of personal data and data security. This Policy will not apply to legal entities, regardless of their status.
This Policy will apply to the processing of personal data by Op. Dr. Sedat Koyunsever, whether entirely or partially automated or non-automated, provided that it is part of any data recording system for the above-mentioned data owners. If the data does not fall under the scope of “Personal Data” as specified below, or if the personal data processing activity conducted by Op. Dr. Sedat Koyunsever is not performed in the above-mentioned ways, this Policy will not apply.
1.4 Definitions
In the application of this Policy, the terms used express the meanings given below:
Explicit Consent: Consent that is based on being informed about a specific subject, and is declared freely.
Obligation to Inform: The obligation of the data controller to inform the individuals whose personal data are processed about how their data can be processed, by whom, for what purposes, and on what legal grounds, and to whom and for what purposes the data can be transferred.
Relevant User: Those within the data controller’s organization who process personal data in accordance with the authority and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of the data.
Destruction: The act of deleting, destroying, or anonymizing personal data.
Processing of Personal Data: All kinds of operations performed on data, such as the collection, recording, storage, preservation, modification, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use of personal data, whether it is completely or partially automated or non-automated as part of a data recording system.
Data Protection Board: The Personal Data Protection Board.
Data Owner: Patients, Consultants, Employees, Candidate Employees, and Visitors whose Personal Data (including special categories of personal data) are processed.
Personal Data: Any information relating to an identified or identifiable natural person.
Institution/ Regulatory Mechanism: The Institution consists of the Board and the Presidency of the Personal Data Protection Authority.
Automated Data Processing: Processing activity performed by devices with processors such as computers, phones, watches, etc., that takes place automatically without human intervention, under pre-prepared algorithms through software or hardware features.
Special Categories of Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, attire, association, foundation, or union membership, health, sexual life, criminal conviction, and security measures, and biometric and genetic data.
Registry of Data Controllers: The Registry of Data Controllers.
Op. Dr. Sedat Koyunsever: Op. Dr. Sedat Koyunsever’s Clinic.
Data Processor: A real or legal person who processes Personal Data on behalf of the data controller based on the authority given by the data controller.
Data Recording System: The recording system where Personal Data are processed by structuring according to certain criteria.
Data Category: The class of personal data belonging to the group or groups of data subjects grouped according to common features of personal data.
Group of Data Subjects: The group of relevant persons whose personal data are processed by the data controller.
Data Controller: A real or legal person who determines the purposes and means of processing Personal Data and is responsible for establishing and managing the data recording system.
1.5 Effectiveness of the Policy
The principles of the Policy, which was prepared and came into effect on 01.07.2021 by Op. Dr. Sedat Koyunsever, are made available to the access of Data Owners within the content of the KVK clarification text published on the corporate websites of Op. Dr. Sedat Koyunsever.
PROTECTION OF PERSONAL DATA
2.1 Security of Personal Data
Op. Dr. Sedat Koyunsever, in accordance with KVKK and GDPR, takes all necessary administrative and technical measures to securely store personal data, to prevent personal data from being processed unlawfully and accessed unlawfully. The administrative and technical measures taken for the security of personal data are detailed in the Personal Data Storage and Destruction Policy of Op. Dr. Sedat Koyunsever.
2.2 Audit
Op. Dr. Sedat Koyunsever conducts and ensures necessary audits to establish data security and to maintain the regularity and continuity of the measures taken.
The technical measures taken by Op. Dr. Sedat Koyunsever are audited by authorized persons in six-monthly periodic periods, and administrative measures are audited by persons authorized by Op. Dr. Sedat Koyunsever.
2.3 Confidentiality
All administrative and technical measures are taken by Op. Dr. Sedat Koyunsever to ensure that the Data Processor, within the scope of their duties, does not disclose personal data learned and does not use it for purposes other than processing. In this context, information and training activities about KVKK, GDPR, and the Policy are conducted for the employees of the Clinic, and confidentiality agreements are signed as part of the hiring process.
2.4 Unauthorized Disclosure of Personal Data
In cases where personal data processed by Op. Dr. Sedat Koyunsever are obtained by others through unlawful means, Op. Dr. Sedat Koyunsever carries out the necessary procedures to report this situation to the Data Owner and the Data Protection Board within the periods determined by the Data Protection Board. If deemed necessary by the Data Protection Board, this situation may be announced on the website of the Data Protection Board or by another method deemed appropriate by the Board.
2.5 Observance of the Legal Rights of Related Persons
Op. Dr. Sedat Koyunsever respects all legal rights of related persons regarding the implementation of the Policy and the Law and takes all necessary measures to protect these rights.
2.6 Protection of Special Categories of Personal Data
Data related to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, attire, association, foundation, or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data, are special categories of personal data. Op. Dr. Sedat Koyunsever, aware that such personal data, if learned by others, could cause harm or discrimination to the Data Owner, takes the necessary precautions as determined by the Board for the lawful processing of such personal data. In this context, it has a systematic, clear, manageable, and sustainable separate policy (Security Policy for Special Categories of Personal Data).
PROCESSING AND TRANSFER OF PERSONAL DATA
3.1 General Principles in Processing and Transferring Personal Data
Personal Data are processed by Op. Dr. Sedat Koyunsever in accordance with the procedures and principles foreseen in KVKK, GDPR, and this Policy. In processing personal data, Op. Dr. Sedat Koyunsever adheres to the following principles:
3.1.1 Compliance with Law, Rules of Integrity and Transparency Principle
Op. Dr. Sedat Koyunsever processes personal data in accordance with relevant legislation and the requirements of the rule of integrity, using them within these limits. In line with the principle of compliance with the rule of integrity, Op. Dr. Sedat Koyunsever takes into account the interests and reasonable expectations of the data subjects while striving to achieve its data processing objectives. It acts to prevent outcomes that the data subject would not expect and is not required to expect. Moreover, in accordance with the principle, it ensures the transparency of data processing activities for the data subject; complies with obligations of enlightenment and warning.
3.1.2 Being Correct and Updated When Necessary
Op. Dr. Sedat Koyunsever ensures that the personal data of the data subjects, processed in consideration of their fundamental rights and legitimate interests, are accurate and up-to-date. In this context, it carefully considers factors such as the certainty of the sources from which the data are obtained, the confirmation of their accuracy, and the assessment of whether they need to be updated. Op. Dr. Sedat Koyunsever always keeps channels open to ensure the accuracy and updating of the data subject’s information. Maintaining personal data accurately and up-to-date is necessary not only for the protection of the interests of Op. Dr. Sedat Koyunsever but also for the protection of the fundamental rights and freedoms of the Data Owner.
3.1.3 Processing for Specific, Clear and Legitimate Purposes
Op. Dr. Sedat Koyunsever clearly and precisely determines the purpose of data processing and ensures that this purpose is lawful. The lawfulness of the purpose means that the personal data processed by Op. Dr. Sedat Koyunsever are related to and necessary for the health services it provides. Op. Dr. Sedat Koyunsever does not process data for purposes other than those stated. Therefore, it shows sensitivity to compliance with the principle of definiteness and clarity in legal transactions and texts where personal data processing purposes are declared.
3.1.4 Being Relevant, Limited, Proportional and Necessary for the Purposes for Which They Are Processed
Op. Dr. Sedat Koyunsever ensures that the personal data processed are suitable for achieving the determined purposes and avoids processing data that are not related to or needed for these purposes. Op. Dr. Sedat Koyunsever does not collect or process personal data for purposes that are not present and are considered to occur in the future. It also limits the processed data to what is necessary for the realization of the purpose. Within the scope of the principle of proportionality, it establishes a reasonable balance between the purpose for which data processing is carried out and the intended objective.
3.1.5 Being Stored for the Period Foreseen by the Relevant Legislation or Necessary for the Purpose for Which They Are Processed
Op. Dr. Sedat Koyunsever complies with the periods specified in the relevant legislation for the storage of data; otherwise, personal data are stored only for the period necessary for the purposes for which they are processed. If there is no valid reason for Op. Dr. Sedat Koyunsever to store a personal data any longer, the data in question is deleted, destroyed, or made anonymous. The procedures related to the storage and destruction of personal data are detailed in the Personal Data Storage and Destruction Policy of Op. Dr. Sedat Koyunsever.
3.1.6 Compliance with the Principles of Integrity and Confidentiality
Personal data processed by Op. Dr. Sedat Koyunsever are processed with necessary technical and administrative measures taken against being lost, destroyed, damaged, or ensuring appropriate security for the protection of personal data.
3.1.7 Compliance with the Principle of Accountability
Op. Dr. Sedat Koyunsever has fulfilled its obligation to comply with the rules of personal data protection in its processing activities and can provide documents proving these measures to regulatory authorities in case of any complaint or ex officio examination.
3.2 Conditions for Processing Personal Data
Op. Dr. Sedat Koyunsever does not process personal data without the explicit consent of the Data Owner. Personal data can be processed without seeking the explicit consent of the Data Owner only under the following conditions:
3.2.1 Explicitly Foreseen by Laws
Op. Dr. Sedat Koyunsever may process personal data without seeking the explicit consent of the Data Owner in cases explicitly provided for by law.
3.2.2 Being Necessary for the Protection of Life or Physical Integrity of the Person Who is Physically or Legally Incapable of Giving Consent or for Another Person
Op. Dr. Sedat Koyunsever may process personal data without seeking explicit consent in cases where consent cannot be declared or is not valid, for the protection of life or physical integrity of the person or someone else.
3.2.3 Being Necessary for the Processing of Personal Data of the Parties of a Contract, Provided That It is Directly Related to the Establishment or Execution of the Contract
Op. Dr. Sedat Koyunsever may process personal data of the parties of a contract without seeking explicit consent, provided that it is directly related to the establishment or execution of the contract, as a necessity of the ordinary course of life, limited to this purpose.
3.2.4 Being Necessary for Compliance with a Legal Obligation
Op. Dr. Sedat Koyunsever may process personal data of the Data Owner without seeking explicit consent, in cases where it is necessary to fulfill a legal obligation as a Data Controller.
3.2.5 Being Made Public by the Data Subject
Op. Dr. Sedat Koyunsever may process personal data that have been made public by the Data Owner, limited to the purpose of public disclosure, considering that the legal interest to be protected by processing such data is eliminated due to being made public and thus known to everyone.
3.2.6 Being Necessary for the Establishment, Exercise, or Protection of a Right
Op. Dr. Sedat Koyunsever may process personal data of the Data Owner without seeking explicit consent, in cases where data processing is necessary for the establishment, exercise, or protection of a legal right.
3.2.7 Being Necessary for the Legitimate Interests of Op. Dr. Sedat Koyunsever, Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Data Owner
Op. Dr. Sedat Koyunsever may process personal data of the Data Owner, provided that it is necessary for the legitimate interests of Op. Dr. Sedat Koyunsever, without harming the fundamental rights and freedoms of the Data Owner protected under KVKK, GDPR, and the Policy. Op. Dr. Sedat Koyunsever shows the necessary sensitivity in ensuring compliance with the fundamental principles of data protection and maintaining the balance of interests between Op. Dr. Sedat Koyunsever and the data owner. The legitimate interest refers to a legitimate, effective interest at a level that can compete with the fundamental rights and freedoms of the Data Owner, specific and currently existing. Op. Dr. Sedat Koyunsever takes additional protective measures to ensure that the rights of the Data Owner are not harmed. A reasonable balance is maintained between the interest of Op. Dr. Sedat Koyunsever and the fundamental rights and freedoms of the relevant person.
3.3 Conditions for Processing Special Categories of Personal Data
Op. Dr. Sedat Koyunsever does not process special categories of personal data without the explicit consent of the Data Owner. Special categories of personal data can be processed without the explicit consent of the data subject only under the following conditions:
3.3.1 Explicitly Foreseen by Laws
Special categories of personal data, other than those related to the health and sexual life of the Data Owner, can be processed without the explicit consent of the Data Owner if explicitly provided for by laws.
3.3.2 For the Purposes of Protecting Public Health, Preventive Medicine, Medical Diagnosis, Treatment and Care Services, Planning and Managing Health Services and Financing
Special categories of personal data related to the health and sexual life of the Data Owner can be processed without the explicit consent of the Data Owner by persons or authorized institutions and organizations under the obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.
3.4 Conditions for Transferring Personal Data
Op. Dr. Sedat Koyunsever can transfer personal data to third parties, limited to and based on one or more of the personal data processing conditions specified in Articles 8 and 9 of KVKK and Articles 45 and 49 of GDPR, taking necessary security measures:
With the explicit consent of the Data Owner,
If there is an explicit regulation in the laws regarding the transfer of personal data,
If the transfer of personal data is necessary for the protection of life or physical integrity of the person or someone else, and the data subject is physically or legally incapable of giving consent,
If it is necessary for the transfer of personal data of the parties of a contract, provided that it is directly related to the establishment or execution of the contract,
If it is necessary for Op. Dr. Sedat Koyunsever to fulfill a legal obligation,
If personal data have been made public by the Data Owner,
If the transfer of personal data is necessary for the establishment, exercise, or protection of a right,
If the transfer of personal data is necessary for the legitimate interests of Op. Dr. Sedat Koyunsever, provided that it does not harm the fundamental rights and freedoms of the Data Owner.
Special categories of personal data can be transferred, based on one of the conditions below and limited to the necessary precautions, as follows:
With the explicit consent of the relevant person,
If special categories of personal data other than those related to the health and sexual life of the Data Owner are involved, they can be transferred if there is an explicit regulation in the laws.
If special categories of personal data related to the health and sexual life of the Data Owner are involved, they can be transferred for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing by persons or authorized institutions and organizations under the obligation of confidentiality.
CATEGORIES OF PERSONAL DATA AND GROUPS OF DATA SUBJECTS
4.1 Categories of Personal Data
Op. Dr. Sedat Koyunsever processes personal data in the following categories:
Identity: Your name, surname, Turkish ID Number and/or Passport Number and/or Temporary Turkish ID Number, place and date of birth, marital status, gender, profession, signature, and other identity data that can identify you.
Contact: Your address (residential, workplace), phone number (home/workplace landline and/or mobile phone numbers you provided), email address, social media accounts, and other contact data.
Personal Information: Resume, title information; records of entry-exit documents; social security/retirement information, payroll information, and other personal data.
Financial: Personal data related to any kind of financial relationship established between our Clinic and personal data owners, including bank account information, credit information, balance sheet data, financial profile, property and insurance information, and other financial data.
Visual and Auditory Records: Photographs, camera and sound recordings of personal data owners, taken outside the scope of physical space security.
Communication Records: Communication data that can be obtained through our Clinic’s communication and information systems: Corporate phone call records, corporate mail and email records and contents, etc.
Customer Transaction: Information related to our patients such as satisfaction information, invoice, receipt information, etc.
SPECIAL CATEGORIES OF PERSONAL DATA
Health Information: Your blood group, allergies, chronic diseases, data related to surgeries/operations you have undergone, medications you use regularly, analysis and imaging results, prescription information, body analysis and measurement information, medical history, skin analysis information, hormonal tests, information about your sexual life, venereal disease information, information about Covid-19 disease, medical treatments, anesthesia information, and other health data.
4.2 Groups of Data Subjects
Only natural persons can benefit from the protection of this Policy and the Law. The groups of personal data owners within this scope are grouped as follows:
Candidate Employee: Real persons who have applied for a job to our Clinic in any way or have made their resumes and related information available for review by our Clinic.
Customer: Patients or consultants who visit our Clinic.
Employee: Individuals working in Op. Dr. Sedat Koyunsever Clinic.
Visitor: All real persons who have entered the physical premises of our Clinic for various purposes or visited our websites for any purpose.
METHODS AND LEGAL REASONS FOR COLLECTING PERSONAL DATA
5.1 Methods of Collecting Personal Data
Your Personal Data is collected by real or legal persons authorized by Op. Dr. Sedat Koyunsever as “DATA PROCESSOR/PROCESSING” verbally, in writing, by taking camera and photo recordings, and stored in physical and electronic environments, processed in accordance with KVKK and GDPR, with your explicit consent when required.
Job application forms,
Personnel information forms,
Various documents presented to Op. Dr. Sedat Koyunsever,
Mails and emails sent to Op. Dr. Sedat Koyunsever,
Corporate telephones,
Photo/Video recordings,
Websites,
Patient Information Forms,
Analysis Results,
Imaging Results,
Health Information Forms,
Firewall Log Device,
Service providers with servers located abroad (WhatsApp, Instagram, Facebook, Messenger, LinkedIn, YouTube, Zoom, Google, Hotmail, Yahoo, etc.)
5.2 Legal Reasons for Collecting Personal Data
Our Clinic collects personal data based on one of the legal reasons specified in Articles 5 and 6 of KVKK and Articles 6 and 9 of GDPR as follows:
The explicit consent of the relevant person,
Being explicitly provided for in the laws;
Personal data being made public by the data subject,
Being necessary for the processing of personal data belonging to the parties of a contract, provided that it is directly related to the establishment or execution of the contract,
If it concerns the special categories of personal data related to the health and sexual life of the Data Owner, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing,
Being necessary for Op. Dr. Sedat Koyunsever to fulfill a legal obligation,
Being necessary for the establishment, exercise, or protection of a right,
Being necessary for the legitimate interests of Op. Dr. Sedat Koyunsever, provided that it does not harm the fundamental rights and freedoms of the relevant person.
PURPOSES OF PROCESSING PERSONAL DATA
6.1 Matching the Purposes of Processing with the Categories of Personal Data for Data Subject Groups
The purposes of processing associated with the personal data categories of the data subject groups defined above are presented below:
Candidate Employee
Data Categories: Identity, Contact, Personal Information, Professional Experience
Processing Purposes: Conducting Emergency Management Processes, Conducting Information Security Processes, Conducting Selection and Placement Processes for Candidate Employees / Interns / Students, Conducting Application Processes of Candidate Employees, Conducting Communication Activities
Customer (Patient/Consultant)
Data Categories: Identity, Contact, Financial, Customer Transaction, Health Data, Biometric Data
Processing Purposes: Creating patient files, conducting examinations, preventive medicine, medical diagnosis, providing your treatment and care services, conducting your controls after medical diagnosis and treatment processes, communicating with you directly, managing appointment processes, conducting patient satisfaction and request management, fulfilling legal and contractual obligations, preserving health data for the periods required by relevant legislation, consulting with another relevant specialist physician when necessary for the correct conduct of the treatment, fulfilling legal obligations in accordance with international health tourism regulations, planning transfer and accommodation services for patients/consultants coming within the framework of health tourism, announcing innovations related to medical treatment and applications, informing third parties about the medical procedure applied, planning and managing health services and their financing, fulfilling responsibilities arising from the legal relationship established between doctor and patient, fulfilling financial and administrative obligations, ensuring technical and commercial security, fulfilling public obligations
Employee
Data Categories: Identity, Contact, Personal Information, Financial, Visual and Auditory Information
Processing Purposes: Conducting Emergency Management Processes, Conducting Information Security Processes, Fulfilling Contractual and Legal Obligations for Employees, Conducting Processes of Side Benefits and Interests for Employees, Ensuring Activities are Conducted in Compliance with Legislation, Conducting Business Activities / Oversight, Organizational and Event Management
Visitor
Data Categories: Legal Transaction
Processing Purposes: Conducting Emergency Management Processes, Conducting Information Security Processes
6.2 Personal Data Processing Activities on the Website
The traffic information of online visitors visiting our website is automatically processed for the purpose of conducting information security processes. In addition, under the Law No. 5651 and other relevant legislation, hosting providers are obliged to record and store website traffic information.
6.3 Personal Data Processing Activities via Communication Channels
Communications made via telephone, email, etc., are monitored and recorded by Op. Dr. Sedat Koyunsever for the purposes of conducting business activities/oversight and following up on requests/complaints.
Data owners should use these channels only within the scope of business activities.
PURPOSES AND RECIPIENTS OF PERSONAL DATA TRANSFER
7.1 Purposes of Transferring Personal Data
Op. Dr. Sedat Koyunsever transfers personal data within the limits and for the purposes specified under Articles 8 and 9 of KVKK and Articles 45 and 49 of GDPR:
To conduct medical examination, preventive medicine, medical diagnosis, treatment and care services,
To manage complication processes,
To obtain consultations,
To fulfill obligations under the regulations of the Ministry of Health,
To fulfill obligations under International Health Tourism regulations,
To meet the transportation, accommodation, and interpreter needs of health tourist patients,
To fulfill administrative obligations at the Provincial Health Directorates and District Health Directorates,
To inform third parties medically related to the provided health services,
To conduct Application Processes for Candidate Employees,
To fulfill Contractual and Legal Obligations for Employees,
To conduct Processes of Side Benefits and Interests for Employees,
To ensure that Activities are Conducted in Accordance with Legislation,
To conduct Finance and Accounting Affairs,
To conduct Business Activities / Oversight,
To ensure Business Continuity,
To conduct Risk Management Processes,
To ensure and monitor data security,
To conduct Contract Processes,
To provide information to Authorized Persons, Institutions, and Organizations.
7.2 Recipients of Personal Data
Op. Dr. Sedat Koyunsever may transfer personal data, limited to the data subject groups and data required for the purpose of transfer, to the following persons and organizations:
Other specialist doctors for consultation purposes,
Insured Employees,
Suppliers,
Financial Advisors, Tax Advisors, Auditors,
Legal Advisors,
Database (Server) Providers,
Interpreters,
Web Consultants,
Data Protection Officer,
IT Consultants,
Tourism Agencies,
Public Institutions and Organizations authorized by laws,
Judicial Authorities.
DESTRUCTION OF PERSONAL DATA AND RETENTION PERIODS
8.1 Destruction of Personal Data
Subject to the provisions of other laws regarding the destruction of personal data, Op. Dr. Sedat Koyunsever, in accordance with KVKK and other legal provisions, deletes, destroys, or anonymizes personal data when the reasons necessitating their processing cease to exist, either ex officio or upon the request of the data subject, in accordance with the Personal Data Storage and Destruction Policy.
The deletion of personal data refers to the process of making personal data inaccessible and unusable for the relevant users in any way.
Destruction of data refers to the process of making personal data inaccessible, irretrievable, and unusable for anyone in any way.
Anonymization of data refers to the process of making personal data unassociated with an identifiable or identifiable real person, even when matched with other data, through techniques such as masking, variable extraction, generalization, etc.
8.2 Retention Periods of Personal Data
Op. Dr. Sedat Koyunsever retains personal data for the periods specified in the laws and other relevant legislation. If there is no specified retention period in the laws and other legislation, personal data are retained for the period necessary for the purposes for which they are processed and then deleted, destroyed, or anonymized within the framework of periodic destruction periods, in accordance with the Personal Data Storage and Destruction Policy of Op. Dr. Sedat Koyunsever.
RIGHTS OF PERSONAL DATA OWNERS UNDER KVKK AND GDPR
9.1 Rights of the Data Owner Under GDPR
As a Data Owner, your Personal Data is also protected under GDPR. In cases where GDPR jurisdiction applies (for European citizens or residents), the rights of data owners are as follows:
Right of Access (Article 15 GDPR): The data owner has the right to request confirmation from Op. Dr. Sedat Koyunsever about whether their personal data is being processed and, if so, to learn the details specified in Article 15 of GDPR.
Right to Rectification (Article 16 GDPR): The data owner has the right to request the correction of their personal data held by Op. Dr. Sedat Koyunsever at any time.
Right to Erasure (“Right to be Forgotten”) (Article 17 GDPR): The data owner has the right to request the erasure of their personal data held by Op. Dr. Sedat Koyunsever. Upon the occurrence of the conditions specified in Article 17 of GDPR, your personal data will be deleted by Op. Dr. Sedat Koyunsever without undue delay.
Right to Restriction of Processing (Article 18 GDPR):
If the data owner disputes the accuracy of their personal data, they have the right to request restriction of use of their data until their accuracy is verified by Op. Dr. Sedat Koyunsever.
If the processing of personal data is unlawful and the data owner opposes the erasure of their personal data, they may request the restriction of use of their data.
If Op. Dr. Sedat Koyunsever no longer needs the personal data for processing purposes but the data owner requires them for the establishment, exercise, or defense of legal claims, they may request the restriction of use of their data.
If the data owner has objected to processing pursuant to Article 21(1) of GDPR and it is being verified whether the legitimate grounds of Op. Dr. Sedat Koyunsever override those of the data owner, they may request the restriction of use of their data.
Right to Data Portability (Article 20 GDPR): The data owner has the right to request the transfer of their personal data held by Op. Dr. Sedat Koyunsever to another controller, whenever technically feasible. However, this right can be exercised only when data processing is based on consent or is necessary for the performance of a contract.
Right to Object (Article 21 GDPR):
The data owner has the right to object to the processing of their personal data carried out under Article 6(1)(e) or (f) of GDPR, including profiling, based on reasons related to their particular situation. If Op. Dr. Sedat Koyunsever cannot demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data owner, or for the establishment, exercise, or defense of legal claims, it cannot process the personal data.
The data owner has the right to object at any time to processing of their personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing.
If the data owner objects to processing for direct marketing purposes, their personal data will no longer be processed for such purposes.
9.2 Rights of the Data Owner Under KVKK
Real persons whose Personal Data are processed have the following rights under Article 11 of KVKK:
To learn whether their personal data are processed,
To request information if their personal data are processed,
To learn the purpose of processing of their personal data and whether they are used in accordance with their purpose,
To know the third parties in the country or abroad to whom personal data have been transferred,
To request rectification in case personal data are processed incompletely or inaccurately,
To request deletion or destruction of personal data under the conditions set forth in Article 7 of KVKK,
To request notification of the operations made as per the above clauses to third parties to whom personal data have been transferred,
To object to the occurrence of any result that is to their detriment by means of analysis of personal data exclusively through automated systems,
To request compensation for the damages in case the person incurs damages due to unlawful processing of personal data.
Data owners who wish to exercise any of the above-mentioned rights or have requests regarding these rights should specify which of the rights specified in Article 11 of KVKK they wish to use in their written applications, clearly and understandably, and submit their requests in writing, with wet signature, along with documents proving their identity, either personally to the address of Op. Dr. Sedat Koyunsever Clinic, send them through a notary, or send them to the corporate email address of Op. Dr. Sedat Koyunsever with a secure e-signature or other methods specified in KVKK. It is mandatory for applications to include name, surname, signature, Turkish ID number/passport number/temporary ID number, residential or workplace address, email address, telephone, and fax number, and subject of request as per the “Communiqué on the Procedures and Principles of Application to the Data Controller.”
Op. Dr. Sedat Koyunsever will conclude the request as soon as possible and within thirty (30) days at the latest free of charge. However, if the transaction requires a separate cost, the fee determined by the Personal Data Protection Board’s tariff may be charged.
Effective Date: 31.12.2021
Update Date: 10.11.2023