Data officer Dr. Esra Bayri’s practice, within the framework of the determined superior service quality, respect for the rights of individuals, transparency and honesty, in line with the regulations determined by the Personal Data Protection Law, it is of great importance to protect the personal data of its customers, employees and other real persons with whom it has a relationship. We attach great importance to patient privacy and the preservation of all personal data of our patients by processing them in the best possible way and with care. This policy has been prepared in order to protect and process the personal data of our patients, as well as companions, visitors and employees of institutions and organizations we cooperate with, within the framework of the basic principles in the legislation.

The purpose of this Policy is to ensure transparency by informing the persons whose personal data is processed, especially our patients, companions, visitors, employees and institution officials, employees of the institutions we cooperate with, officials and third parties within the scope of the personal data processing activity carried out by our polyclinic in accordance with the legislation. In this context, administrative and technical measures are taken to process and protect personal data in accordance with the Law No. 6698 and the relevant legislation. Within the scope of this policy, natural persons whose personal data are processed are defined as Data Subject, Relevant Person or Personal Data Owner.

Explicit Consent: Consent about a specific subject, based on information and expressed with free will.

Anonymization: It is the change of personal data in such a way that it loses its quality as personal data and this situation cannot be undone. For example masking, aggregation, data corruption etc. making personal data incapable of being associated with a natural person with techniques. It is possible to anonymize personal data for various purposes, but in accordance with the request and / or consent of the person concerned, without violating the scope of KVKK and express consent. Necessary measures will be taken in our polyclinic to prevent the anonymized personal data from being made identifiable by various methods.

Employees, Shareholders and Officials of the Institutions We Collaborate with: Refers to the real persons, including the shareholders and officials of these institutions, who work in the institutions (such as but not limited to business partners, suppliers) with which we have any business relationship.

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, means all kinds of operations performed on data such as classification or prevention of use.

Personal Data: Means any information relating to an identified or identifiable natural person. All information that makes the person identifiable is arranged as personal data, and information such as TR Identity Number, Name and Surname, e-mail address, telephone number, residence address, date of birth, bank account number can be given as examples of personal data.

Special Quality Personal Data: Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data refers to data of special nature.

Third Party: Refers to the third party real persons who are related to the above-mentioned parties in order to ensure the security of commercial transactions or to protect the rights of the aforementioned persons and to obtain benefits. (For example, employees or officials of the company from which service is received, Companion etc.)

Data Processor: Refers to the natural and legal person who processes personal data on behalf of the data controller based on the authority given by him. For example, the IT firm that holds our Data.

Data Controller: It refers to the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).

Within the scope of KVKK, our polyclinic has the title of data controller and has been registered in the VERBIS system. A team (Personal Data Controller Team) has been established from our practice. In cases where a decision is required, the Personal Data Supervisor team takes the opinion of a lawyer/lawyer who is an expert on personal data, and after the approval of the management, the decision taken is put into practice.

Although the personal data processed may vary depending on the health services provided, they are collected by physical and/or digital methods. Our patients, physicians, healthcare personnel, etc. Special quality personal data and general quality personal data, especially health data collected verbally, in writing or digitally through our employees, subcontractors and their employees and companies engaged in all kinds of commercial activities, our call center, the website of our polyclinic, online services and similar means is processed for the following and other purposes that may arise in the future:

• Execution of medical diagnosis, treatment and care services,

• Protection of public health,

• Planning and management of preventive medicine health services and financing,

• To inform our patients about the appointment

• Planning and managing internal procedures,

• Analyzing for the purpose of improving the fulfillment of health services in accordance with the legislation,

• Carrying out risk management and quality improvement activities,

• Conducting research,

• Fulfilling legal and regulatory requirements,

• Invoicing for our services,

• Confirmation of your identity

• Confirmation of your relationship with the contracted institutions,

• Sharing all kinds of information requested by private insurance companies within the scope of financing health services,

• To be able to answer all your questions and complaints about our health services,

• Taking all necessary technical and administrative measures within the scope of data security,

• Ensuring financial reconciliation regarding the health services offered to you with the institutions we have contracted with, banks and all institutions (public and private) from which health expenditures are collected,

• Sharing the requested information with the Ministry of Health and other public institutions and organizations in accordance with the relevant legislation,

• Measuring patient satisfaction, increasing patient satisfaction,

• It may be collected and processed for purposes such as fulfilling our contracts and legal obligations.

CATEGORIZATION OF PROCESSED PERSONAL DATA

Identity Information: All information about the identity of the person in documents such as driver’s license, identity card, passport, attorney ID, marriage certificate.

Contact Information: Information for contacting the data owner such as phone number, address, residence, e-mail

Location Data: Data that clearly belongs to an identified or identifiable natural person and is included in the data recording system, which helps to determine the location of the data owner.

Family Members and Relatives: Information about the family members and relatives of the personal data owner, which is clearly belonging to an identified or identifiable natural person and is included in the data recording system, which is processed in order to protect the legal interests of the relevant Institution and the data owner.

Physical Space: Records such as camera recordings, fingerprint records and personal data related to documents, visual and audio recordings

Transaction Security Information: Personal data processed to ensure our technical, administrative, legal and commercial security while conducting our activities

Financial Information: Personal data processed for information, documents and records showing all kinds of financial results

Employee Candidate Information: Personal data processed about individuals who have applied to be an employee (cv or resume information)

Personnel Information: Payroll Information, Disciplinary Investigation, SSI information, employment entry-exit document records, property declaration information, resume information, information about performance evaluation reports, interview results, content of the employment contract, information about starting work, information about termination of employment. personal data

Legal Action: Personal data processed within the scope of our legal obligations with the determination and follow-up of our legal receivables and rights and the performance of our debts

The above personal data are included in the Health Services Basic Law No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, Regulation on Private Hospitals, Regulation on Personal Health Data and regulations of the Ministry of Health, etc. It can be processed within the framework of the provisions of the legislation and transferred to the physical archives and information systems of our polyclinic and/or our suppliers.

Our practice accepts that personal data will be processed in accordance with the following principles:

• Compliance with the law and the rule of honesty,

•Ensuring that personal data is accurate and up-to-date when necessary,

• Processing for specific, explicit and legitimate purposes,

• Being connected, limited and restrained with the purpose for which they are processed,

• Preservation for the period required by the relevant legislation or for the purpose for which they are processed.

The express consent of the personal data owner is only one of the legal bases that allow the processing of personal data in accordance with the law. Apart from express consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the conditions stated below, or more than one of these conditions may be the basis of the same personal data processing activity. In case the processed data is special quality personal data, the following conditions apply:

• Finding the Explicit Consent of the Personal Data Owner,

• Clearly Provided in Laws,

• Failure to Obtain Explicit Consent of the Related Person Due to Actual Impossibility

• Direct Concern with the Establishment or Performance of the Contract

• Fulfilling the Legal Obligation of the Practice:

• Publicizing the Personal Data of the Personal Data Owner:

• Mandatory Data Processing for the Establishment or Protection of a Right:

the health institution that you have duly authorized, third parties that we receive consultancy from, regulatory and supervisory institutions and official authorities, our suppliers that we benefit from or cooperate with, our support service providers and the personal data processing specified in Articles 8 and 9 of the Law. may be shared within the framework of its terms and purposes. Your personal data is not shared with foreign countries.

• Obligatory Data Processing for the Legitimate Interest of Our Practice, (The expression “legitimate interests of the practice can in no way be contrary to the principles determined by the KVKK, the purpose of processing personal data, and cannot interfere with the essence of the right guaranteed by the Constitution.”)

Special categories of personal data are processed by our practice in the following cases, provided that adequate measures to be determined by the Personal Data Protection Board are taken:

• If the personal data owner has express consent or,

• If there is no explicit consent of the personal data owner; Special categories of personal data other than the health and sexual life of the personal data owner, in cases stipulated by the laws,

• Special categories of personal data relating to the health and sexual life of the personal data owner, only for the purposes of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, or persons or authorized institutions and organizations under the obligation of keeping confidentiality. processed by organizations.

TECHNICAL AND ADMINISTRATIVE MEASURES

Our practice takes the necessary technical and administrative measures according to the technological possibilities and application costs regarding the following issues in accordance with the provisions of Article 12 of the KVKK and the provisions of the Regulation, the general principles stated above, and the decisions of this Policy and the Personal Data Protection Board:

• Required software and hardware have been determined. Strong passwords are used on computers and e-mail accounts.

• What needs to be protected in terms of protecting customer information was conveyed to our personnel through trainings, and their responsibilities with business contracts were written. (Confidentiality Agreements) This obligation continues even after the persons concerned leave their positions.

• Necessary infrastructure has been established for the backup of all data.

• Employees who can access data on computers have been identified.

• Customer files and information are only given to the persons concerned, to their relatives to whom they have given written consent, to the relevant public institutions and organizations within the framework of their legislation, and to the competent judicial authorities in judicial cases.

• Before starting to process personal data, the Authority fulfills the obligation to inform the relevant persons.

• Personal data processing inventory has been prepared.

• The personal data owners in question are enlightened on these issues through texts posted in our practice or made available to our guests in other ways.

Your personal data shall be processed by our polyclinic, the Ministry of Health, its sub-units and family medicine centers, private insurance companies (health, pension and life insurance and similar), Social Security Institution, General Directorate of Security and other law enforcement agencies, General Directorate of Population, Turkey Pharmacists Union, prosecutor’s office and courts, laboratories in the country or abroad with which we cooperate for medical diagnosis, medical centers and third parties providing health services, the health institution to which the patient is referred or the patient himself applies, your representatives duly authorized, the representatives we receive consultancy from. It may be shared with third parties, regulatory and supervisory institutions and official authorities, our suppliers whose services we benefit from or cooperate with, and our support service providers within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law. Your personal data is not shared with foreign countries.

Regarding the processed personal data, the person concerned, learning whether personal data is processed, requesting information about it if it has been processed, accessing and requesting personal health data, learning whether it is used in accordance with the purpose, learning the third parties to which it is transferred, requesting correction in case of wrong processing, personal data have the right to request the deletion or destruction of the data, to request the correction of the transferred third parties in case of wrong processing, to object to the adverse result by analyzing through automated systems, to demand the compensation of the damage suffered due to the unlawful processing of personal data. The above-mentioned rights can be exercised by applying to our practice with a petition.

Personal data processing activities are carried out by our practice by using security cameras and recording images at guest entrances and exits. In this context, our polyclinic acts in accordance with the Personal Data Protection Law and security legislation.

Only authorized employees and/or supplier company employees have access to the records recorded and maintained in the digital environment. Camera records are kept for 2 months.

This Policy is deemed to have entered into force after its publication on the website.