PERSONAL DATA PROCESSING AND PROTECTION POLICY

1.1 Introduction

Op. Dr. Sedat Koyunsever’s Clinic (“Op. Dr. Sedat Koyunsever”) places utmost importance on the protection of personal data and fundamental rights and freedoms of individuals, primarily based on the privacy of private life as regulated in Article 20 of the Constitution. In this context, Op. Dr. Sedat Koyunsever is committed to ensuring the lawful protection and processing of personal data in accordance with the Personal Data Protection Law No. 6698 (“KVKK”) and the European Union General Data Protection Regulation (“GDPR”), and acts in accordance with this understanding in all planning and activities.

Ensuring the security of individuals’ personal data is a primary goal of Op. Dr. Sedat Koyunsever. Therefore, to ensure the safe processing of personal data and to prevent any unauthorized access or leakage, necessary security measures compliant with current legislation are taken by Op. Dr. Sedat Koyunsever.

1.2 Purpose of the Policy

The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to inform the owners of personal data about the obligations and procedures and principles to be followed by Op. Dr. Sedat Koyunsever in the protection and processing of personal data, which are processed entirely or partially automatically or non-automatically as part of any data recording system, in accordance with the purpose of KVKK and GDPR. In line with the purpose of the Policy, it is aimed to ensure full compliance with the legislation in the activities of protection and processing of personal data conducted by Op. Dr. Sedat Koyunsever and to protect the right to privacy and data security of personal data owners.

1.3 Scope of the Policy

This Policy is prepared for Patients/Consultants, Employees, Candidate Employees, and Visitors, provided that they are natural persons, and will be applied within the scope of these specified individuals. The purpose of publishing the provisions of this Policy within the clarification text on the websites of Op. Dr. Sedat Koyunsever is to inform data owners about the protection and processing of personal data and data security. This Policy will not apply to legal entities, regardless of their status.

This Policy will apply to the processing of personal data by Op. Dr. Sedat Koyunsever, whether entirely or partially automated or non-automated, provided that it is part of any data recording system for the above-mentioned data owners. If the data does not fall under the scope of “Personal Data” as specified below, or if the personal data processing activity conducted by Op. Dr. Sedat Koyunsever is not performed in the above-mentioned ways, this Policy will not apply.

1.4 Definitions

In the application of this Policy, the terms used express the meanings given below:

Explicit Consent: Consent that is based on being informed about a specific subject, and is declared freely.
Obligation to Inform: The obligation of the data controller to inform the individuals whose personal data are processed about how their data can be processed, by whom, for what purposes, and on what legal grounds, and to whom and for what purposes the data can be transferred.
Relevant User: Those within the data controller’s organization who process personal data in accordance with the authority and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of the data.
Destruction: The act of deleting, destroying, or anonymizing personal data.
Processing of Personal Data: All kinds of operations performed on data, such as the collection, recording, storage, preservation, modification, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use of personal data, whether it is completely or partially automated or non-automated as part of a data recording system.
Data Protection Board: The Personal Data Protection Board.
Data Owner: Patients, Consultants, Employees, Candidate Employees, and Visitors whose Personal Data (including special categories of personal data) are processed.
Personal Data: Any information relating to an identified or identifiable natural person.
Institution/Regulatory Mechanism: The Institution consists of the Board and the Presidency of the Personal Data Protection Authority.
Automated Data Processing: Processing activity performed by devices with processors such as computers, phones, watches, etc., that takes place automatically without human intervention, under pre-prepared algorithms through software or hardware features.
Special Categories of Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, attire, association, foundation, or union membership, health, sexual life, criminal conviction, and security measures, and biometric and genetic data.
Registry of Data Controllers: The Registry of Data Controllers.
Op. Dr. Sedat Koyunsever: Op. Dr. Sedat Koyunsever’s Clinic.
Data Processor: A real or legal person who processes Personal Data on behalf of the data controller based on the authority given by the data controller.
Data Recording System: The recording system where Personal Data are processed by structuring according to certain criteria.
Data Category: The class of personal data belonging to the group or groups of data subjects grouped according to common features of personal data.
Group of Data Subjects: The group of relevant persons whose personal data are processed by the data controller.
Data Controller: A real or legal person who determines the purposes and means of processing Personal Data and is responsible for establishing and managing the data recording system.

1.5 Effectiveness of the Policy

The principles of the Policy, which was prepared by Op. Dr. Sedat Koyunsever and came into effect on 01.07.2021, are made accessible to Data Owners within the content of the KVK clarification text published on the corporate websites of Op. Dr. Sedat Koyunsever.

PROTECTION OF PERSONAL DATA

2.1 Security of Personal Data

Op. Dr. Sedat Koyunsever, in accordance with KVKK and GDPR, takes all necessary administrative and technical measures to securely store personal data, to prevent personal data from being processed unlawfully and accessed unlawfully. The administrative and technical measures taken for the security of personal data are detailed in the Personal Data Storage and Destruction Policy of Op. Dr. Sedat Koyunsever.

2.2 Audit

Op. Dr. Sedat Koyunsever conducts and ensures necessary audits to establish data security and to maintain the regularity and continuity of the measures taken.

The technical measures taken by Op. Dr. Sedat Koyunsever are audited by authorized persons at six-month intervals, and administrative measures are audited by persons authorized by Op. Dr. Sedat Koyunsever.

2.3 Confidentiality

All administrative and technical measures are taken by Op. Dr. Sedat Koyunsever to ensure that the Data Processor, within the scope of their duties, does not disclose personal data learned and does not use it for purposes other than processing. In this context, information and training activities about KVKK, GDPR, and the Policy are conducted for the employees of the Clinic, and confidentiality agreements are signed as part of the hiring process.

2.4 Unauthorized Disclosure of Personal Data

In cases where personal data processed by Op. Dr. Sedat Koyunsever are obtained by others through unlawful means, Op. Dr. Sedat Koyunsever carries out the necessary procedures to report this situation to the Data Owner and the Data Protection Board within the periods determined by the Data Protection Board. If deemed necessary by the Data Protection Board, this situation may be announced on the website of the Data Protection Board or by another method deemed appropriate by the Board.

2.5 Observance of the Legal Rights of Related Persons

Op. Dr. Sedat Koyunsever respects all legal rights of related persons regarding the implementation of the Policy and the Law and takes all necessary measures to protect these rights.

2.6 Protection of Special Categories of Personal Data

Data related to individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, attire, association, foundation, or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data, are special categories of personal data. Op. Dr. Sedat Koyunsever, aware that such personal data, if learned by others, could cause harm or discrimination to the Data Owner, takes the necessary precautions as determined by the Board for the lawful processing of such personal data. In this context, it has a systematic, clear, manageable, and sustainable separate policy (Security Policy for Special Categories of Personal Data).

PROCESSING AND TRANSFER OF PERSONAL DATA

3.1 General Principles in Processing and Transferring Personal Data

Personal Data are processed by Op. Dr. Sedat Koyunsever in accordance with the procedures and principles foreseen in KVKK, GDPR, and this Policy. In processing personal data, Op. Dr. Sedat Koyunsever adheres to the following principles:

3.1.1 Compliance with Law, Rules of Integrity and Transparency Principle

Op. Dr. Sedat Koyunsever processes personal data in accordance with relevant legislation and the requirements of the rule of integrity, using them within these limits. In line with the principle of compliance with the rule of integrity, Op. Dr. Sedat Koyunsever takes into account the interests and reasonable expectations of the data subjects while striving to achieve its data processing objectives. It acts to prevent outcomes that the data subject would not expect and is not required to expect. Moreover, in accordance with the principle, it ensures the transparency of data processing activities for the data subject and complies with its obligations to inform and warn.

3.1.2 Being Correct and Updated When Necessary

Op. Dr. Sedat Koyunsever ensures that the personal data of the data subjects, processed in consideration of their fundamental rights and legitimate interests, are accurate and up-to-date. In this context, it carefully considers factors such as the certainty of the sources from which the data are obtained, the confirmation of their accuracy, and the assessment of whether they need to be updated. Op. Dr. Sedat Koyunsever always keeps channels open to ensure the accuracy and updating of the data subject’s information. Maintaining personal data accurately and up-to-date is necessary not only for the protection of the interests of Op. Dr. Sedat Koyunsever but also for the protection of the fundamental rights and freedoms of the Data Owner.

3.1.3 Processing for Specific, Clear and Legitimate Purposes

Op. Dr. Sedat Koyunsever clearly and precisely determines the purpose of data processing and ensures that this purpose is lawful. The lawfulness of the purpose means that the personal data processed by Op. Dr. Sedat Koyunsever are related to and necessary for the health services it provides. Op. Dr. Sedat Koyunsever does not process data for purposes other than those stated. Therefore, it shows sensitivity to compliance with the principle of definiteness and clarity in legal transactions and texts where personal data processing purposes are declared.

3.1.4 Being Relevant, Limited, Proportional and Necessary for the Purposes for Which They Are Processed

Op. Dr. Sedat Koyunsever ensures that the personal data processed are suitable for achieving the determined purposes and avoids processing data that are not related to or needed for these purposes. Op. Dr. Sedat Koyunsever does not collect or process personal data for purposes that do not currently exist and are only expected to arise in the future. It also limits the processed data to what is necessary for the realization of the purpose. Within the scope of the principle of proportionality, it establishes a reasonable balance between the purpose for which data processing is carried out and the intended objective.

3.1.5 Being Stored for the Period Foreseen by the Relevant Legislation or Necessary for the Purpose for Which They Are Processed

Op. Dr. Sedat Koyunsever complies with the periods specified in the relevant legislation for the storage of data; otherwise, personal data are stored only for the period necessary for the purposes for which they are processed. If there is no valid reason for Op. Dr. Sedat Koyunsever to store personal data any longer, the data in question are deleted, destroyed, or made anonymous. The procedures related to the storage and destruction of personal data are detailed in the Personal Data Storage and Destruction Policy of Op. Dr. Sedat Koyunsever.

3.1.6 Compliance with the Principles of Integrity and Confidentiality

Personal data processed by Op. Dr. Sedat Koyunsever are protected by the necessary technical and administrative measures against being lost, destroyed, or damaged, ensuring appropriate security for the protection of personal data.

3.1.7 Compliance with the Principle of Accountability

Op. Dr. Sedat Koyunsever has fulfilled its obligation to comply with the rules of personal data protection in its processing activities and can provide documents proving these measures to regulatory authorities in case of any complaint or ex officio examination.

3.2 Conditions for Processing Personal Data

Op. Dr. Sedat Koyunsever does not process personal data without the explicit consent of the Data Owner. Personal data can be processed without seeking the explicit consent of the Data Owner only under the following conditions:

3.2.1 Explicitly Foreseen by Laws

Op. Dr. Sedat Koyunsever may process personal data without seeking the explicit consent of the Data Owner in cases explicitly provided for by law.

3.2.2 Being Necessary for the Protection of Life or Physical Integrity of the Person Who is Physically or Legally Incapable of Giving Consent or for Another Person

Op. Dr. Sedat Koyunsever may process personal data without seeking explicit consent in cases where consent cannot be declared or is not valid, for the protection of life or physical integrity of the person or someone else.

3.2.3 Being Necessary for the Processing of Personal Data of the Parties of a Contract, Provided That It is Directly Related to the Establishment or Execution of the Contract

Op. Dr. Sedat Koyunsever may process personal data of the parties of a contract without seeking explicit consent, provided that it is directly related to the establishment or execution of the contract, as a necessity of the ordinary course of life, limited to this purpose.

3.2.4 Being Necessary for Compliance with a Legal Obligation

Op. Dr. Sedat Koyunsever may process personal data of the Data Owner without seeking explicit consent, in cases where it is necessary to fulfill a legal obligation as a Data Controller.

3.2.5 Being Made Public by the Data Subject

Op. Dr. Sedat Koyunsever may process personal data that have been made public by the Data Owner, limited to the purpose of public disclosure, considering that the legal interest to be protected by processing such data is eliminated due to being made public and thus known to everyone.

3.2.6 Being Necessary for the Establishment, Exercise, or Protection of a Right

Op. Dr. Sedat Koyunsever may process personal data of the Data Owner without seeking explicit consent, in cases where data processing is necessary for the establishment, exercise, or protection of a legal right.

3.2.7 Being Necessary for the Legitimate Interests of Op. Dr. Sedat Koyunsever, Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Data Owner

Op. Dr. Sedat Koyunsever may process personal data of the Data Owner, provided that it is necessary for the legitimate interests of Op. Dr. Sedat Koyunsever, without harming the fundamental rights and freedoms of the Data Owner protected under KVKK, GDPR, and the Policy. Op. Dr. Sedat Koyunsever shows the necessary sensitivity in ensuring compliance with the fundamental principles of data protection and maintaining the balance of interests between Op. Dr. Sedat Koyunsever and the data owner. The legitimate interest refers to a legitimate, effective interest at a level that can compete with the fundamental rights and freedoms of the Data Owner, specific and currently existing. Op. Dr. Sedat Koyunsever takes additional protective measures to ensure that the rights of the Data Owner are not harmed. A reasonable balance is maintained between the interest of Op. Dr. Sedat Koyunsever and the fundamental rights and freedoms of the relevant person.

3.3 Conditions for Processing Special Categories of Personal Data

Op. Dr. Sedat Koyunsever does not process special categories of personal data without the explicit consent of the Data Owner. Special categories of personal data can be processed without the explicit consent of the data subject only under the following conditions:

3.3.1 Explicitly Foreseen by Laws

Special categories of personal data, other than those related to the health and sexual life of the Data Owner, can be processed without the explicit consent of the Data Owner if explicitly provided for by laws.

3.3.2 For the Purposes of Protecting Public Health, Preventive Medicine, Medical Diagnosis, Treatment and Care Services, Planning and Managing Health Services and Financing

Special categories of personal data related to the health and sexual life of the Data Owner can be processed without the explicit consent of the Data Owner by persons or authorized institutions and organizations under the obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.

3.4 Conditions for Transferring Personal Data

Op. Dr. Sedat Koyunsever can transfer personal data to third parties, limited to and based on one or more of the personal data processing conditions specified in Articles 8 and 9 of KVKK and Articles 45 and 49 of GDPR, taking necessary security measures:

With the explicit consent of the Data Owner,
If there is an explicit regulation in the laws regarding the transfer of personal data,
If the transfer of personal data is necessary for the protection of life or physical integrity of the person or someone else, and the data subject is physically or legally incapable of giving consent,
If it is necessary for the transfer of personal data of the parties of a contract, provided that it is directly related to the establishment or execution of the contract,
If it is necessary for Op. Dr. Sedat Koyunsever to fulfill a legal obligation,
If personal data have been made public by the Data Owner,
If the transfer of personal data is necessary for the establishment, exercise, or protection of a right,
If the transfer of personal data is necessary for the legitimate interests of Op. Dr. Sedat Koyunsever, provided that it does not harm the fundamental rights and freedoms of the Data Owner.

Special categories of personal data can be transferred, based on one of the conditions below and limited to the necessary precautions, as follows:

With the explicit consent of the relevant person,
If special categories of personal data other than those related to the health and sexual life of the Data Owner are involved, they can be transferred if there is an explicit regulation in the laws.
If special categories of personal data related to the health and sexual life of the Data Owner are involved, they can be transferred for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing by persons or authorized institutions and organizations under the obligation of confidentiality.

CATEGORIES OF PERSONAL DATA AND GROUPS OF DATA SUBJECTS

4.1 Categories of Personal Data

Op. Dr. Sedat Koyunsever processes personal data in the following categories:

Identity: Your name, surname, Turkish ID Number and/or Passport Number and/or Temporary Turkish ID Number, place and date of birth, marital status, gender, profession, signature, and other identity data that can identify you.
Contact: Your address (residential, workplace), phone number (home/workplace landline and/or mobile phone numbers you provided), email address, social media accounts, and other contact data.
Personal Information: Resume, title information; records of entry-exit documents; social security/retirement information, payroll information, and other personal data.
Financial: Personal data related to any kind of financial relationship established between our Clinic and personal data owners, including bank account information, credit information, balance sheet data, financial profile, property and insurance information, and other financial data.
Visual and Auditory Records: Photographs, camera and sound recordings of personal data owners, taken outside the scope of physical space security.
Communication Records: Communication data that can be obtained through our Clinic’s communication and information systems: Corporate phone call records, corporate mail and email records and contents, etc.
Customer Transaction: Information related to our patients such as satisfaction information, invoice, receipt information, etc.

SPECIAL CATEGORIES OF PERSONAL DATA

Health Information: Your blood group, allergies, chronic diseases, data related to surgeries/operations you have undergone, medications you use regularly, analysis and imaging results, prescription information, body analysis and measurement information, medical history, skin analysis information, hormonal tests, information about your sexual life, venereal disease information, information about Covid-19 disease, medical treatments, anesthesia information, and other health data.

4.2 Groups of Data Subjects

Only natural persons can benefit from the protection of this Policy and the Law. The groups of personal data owners within this scope are grouped as follows:

Candidate Employee: Real persons who have applied for a job to our Clinic in any way or have made their resumes and related information available for review by our Clinic.
Customer: Patients or consultants who visit our Clinic.
Employee: Individuals working in Op. Dr. Sedat Koyunsever Clinic.
Visitor: All real persons who have entered the physical premises of our Clinic for various purposes or visited our websites for any purpose.

METHODS AND LEGAL REASONS FOR COLLECTING PERSONAL DATA

5.1 Methods of Collecting Personal Data

Your Personal Data is collected verbally, in writing, and by taking camera and photo recordings, by real or legal persons authorized by Op. Dr. Sedat Koyunsever as “Data Processors”. It is stored in physical and electronic environments and processed in accordance with KVKK and GDPR, with your explicit consent when required. Personal data is collected through the following channels:

Job application forms,
Personnel information forms,
Various documents presented to Op. Dr. Sedat Koyunsever,
Mails and emails sent to Op. Dr. Sedat Koyunsever,
Corporate telephones,
Photo/Video recordings,
Websites,
Patient Information Forms,
Analysis Results,
Imaging Results,
Health Information Forms,
Firewall Log Device,
Service providers with servers located abroad (WhatsApp, Instagram, Facebook, Messenger, LinkedIn, YouTube, Zoom, Google, Hotmail, Yahoo, etc.)

5.2 Legal Reasons for Collecting Personal Data

Our Clinic collects personal data based on one of the legal reasons specified in Articles 5 and 6 of KVKK and Articles 6 and 9 of GDPR as follows: