TurkishPRIVATE DAISY POLYCLINIC
PERSONAL DATA PROTECTION AND PROCESSING POLICY
1. INTRODUCTION
PRIVATE DAİSY POLYCLINIC (“ DAİSY CLINIC ”), owned by SONGÜL DURUR ZEVZİR, attaches utmost importance to protecting the fundamental rights and freedoms of individuals, especially based on the privacy of private life regulated in Article 20 of the Constitution, in the protection and processing of personal data. In this context, DAİSY KLINİK pays attention to the legal protection and processing of personal data in accordance with the Personal Data Protection Law No. 6698 (” KVKK “) and the European Union General Data Protection Regulation (” GDPR “) and acts with this understanding in all its planning and activities.
Ensuring the security of people’s Personal Data is one of the primary goals of DAİSY KLINİK. For this reason, DAİSY KLINİK takes the necessary security measures in accordance with the applicable legislation in order to process personal data of individuals safely and to prevent any unlawful access or leakage of these data.
1.1 PURPOSE OF THE POLICY
The purpose of the Personal Data Protection and Processing Policy (” Policy “) is to protect and process personal data processed by fully or partially automatic means or non-automatic means, provided that it is part of any data recording system, in accordance with the purpose of KVKK and GDPR. To inform Personal Data Owners about its obligations and the procedures and principles it will comply with. In line with the purpose of the Policy, it is aimed to ensure full compliance with the legislation in the protection and processing of personal data activities carried out by DAİSY KLINİK and to protect the right to privacy and data security of Personal Data Owners.
1.2 SCOPE OF THE POLICY
This Policy; It has been prepared for Customers (Patients/Clients), Employees, Employee Candidates and Visitors, provided that they are real persons, and will be applied within the scope of these specified persons. DAİSY KLINİK’s purpose in publishing this Policy on its website is to inform Data Owners about the protection and processing of personal data and data security. This Policy will not apply to legal entities in any capacity.
This Policy will apply to the above-mentioned Data Owners in case their personal data is processed by DAİSY KLINİK by fully or partially automatic or non-automatic means provided that it is part of any data recording system. This Policy will not apply if the data is not included in the scope of “Personal Data” within the scope specified below or if the personal data processing activity carried out by DAİSY KLINİK is not carried out in the ways specified above.
1.3 DEFINITIONS
The concepts used in the implementation of this Policy have the following meanings:
| Explicit Consent | It is consent regarding a certain subject, based on informed consent and expressed with free will. |
| Lighting Obligation | It is the obligation of the data controller to inform the persons whose personal data it processes, by whom, for what purposes and on what legal grounds these data may be processed, and to whom it may be transferred, and for what purposes. |
| Related User | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data. |
| Destruction | It refers to the deletion, destruction or anonymization of personal data. |
| Processing of Personal Data | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using Personal Data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. It is any operation performed on data, such as blocking. |
| KVK Board | It is the Personal Data Protection Board. |
| Personal Data Owner | It refers to the Patients, Clients, Employees, Employee Candidates and Visitors whose Personal Data (including sensitive personal data) is processed. |
| Personal Data | It is any information regarding an identified or identifiable natural person. |
| Institution/Audit Mechanism | It is the Personal Data Protection Authority consisting of the Board and the Presidency. |
| Automatically Processing Data | Computer, phone, watch, etc. It is a processing activity that takes place automatically, without human intervention, within the scope of pre-prepared algorithms through software or hardware features, carried out by devices with processors. |
| Special Personal Data | Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special quality data. |
| Record | It is the Data Controllers Registry. |
| DAISY CLINIC | It is a PRIVATE DAISY POLYCLINIC. |
| Data Processor | It is a natural or legal person who processes Personal Data on behalf of the data controller, based on the authority given by the data controller. |
| Data Recording System | It refers to the recording system in which Personal Data is structured and processed according to certain criteria. |
| Data Category | It is a class of personal data belonging to a group or groups of data subjects in which personal data is grouped according to their common characteristics. |
| Data Subject Person Group | It is the relevant person group whose personal data the data controller processes. |
| Data Controller | It is the natural or legal person who determines the purposes and means of processing Personal Data and is responsible for establishing and managing the data recording system. |
1.4 ENFORCEMENT OF THE POLICY
The Policy principles, which were issued by DAİSY KLINİK and entered into force on 01.07.2021, are published on the corporate websites of DAİSY KLINİK and made available to Data Owners.
2. PROTECTION OF PERSONAL DATA
2.1 SECURITY OF PERSONAL DATA
DAİSY KLINİK takes all necessary administrative and technical measures to ensure the appropriate level of security in order to store personal data safely in accordance with KVKK and GDPR and to prevent unlawful processing and access of personal data. Administrative and technical measures taken regarding the security of personal data are regulated in detail in DAİSY KLINİK’s Personal Data Storage and Destruction Policy.
2.2 AUDIT
DAİSY KLINİK carries out the necessary inspections and has them carried out in order to establish the data security described above and to ensure the regularity and continuity of the measures taken. The technical measures taken by DAİSY KLINİK are audited by authorized persons in six-month periods a year, and the administrative measures are audited by persons authorized by DAİSY KLINİK.
2.3 PRIVACY
All necessary administrative and technical measures are taken by DAİSY KLINİK to ensure that the Data Processor does not disclose the personal data he/she has learned within the scope of his/her duty to anyone else, contrary to the provisions of KVKK, GDPR and Policy, and does not use it for purposes other than processing. In this context, information and training activities are carried out for Clinic employees about KVKK, GDPR and Policy, and relevant employees are made to sign confidentiality agreements as part of the recruitment process. Policies are also communicated to Suppliers and Data Processors who provide outsourced services and Privacy Commitments are taken.
2.4 UNAUTHORIZED DISCLOSURE OF PERSONAL DATA
If the personal data processed by DAİSY KLINİK is obtained by others through illegal means, DAİSY KLINİK carries out the necessary procedures to notify the Data Owner and the KVK Board about this situation within the periods determined by the KVK Board. If deemed necessary by the KVK Board, this situation is announced on the KVK Board’s website or by another method deemed appropriate by the KVK Board.
2.5 RESPECT OF THE LEGAL RIGHTS OF RELATED PERSONS
DAİSY KLINİK observes all legal rights of the relevant persons regarding the implementation of the Policy and the Law and takes all necessary measures to protect these rights.
2.6 PROTECTION OF SPECIAL PERSONAL DATA
Data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data of special quality is personal data. DAİSY KLINİK is aware that Special Personal Data is data that may cause the Data Owner to be victimized or discriminated against if learned by others, and therefore, it carefully takes adequate measures determined by the Board to protect such personal data processed in accordance with the law. In this context; It has a separate policy (Security of Special Personal Data Policy) that is systematic, has clear rules, is manageable and sustainable.
3. PROCESSING AND TRANSFER OF PERSONAL DATA
3.1 GENERAL PRINCIPLES IN THE PROCESSING AND TRANSFER OF PERSONAL DATA
Personal Data is processed by DAİSY KLINİK in accordance with the procedures and principles stipulated in KVKK, GDPR and this Policy. DAİSY KLINİK complies with the following principles when processing personal data.
a) Compliance with the Law, the Rules of Honesty and the Principle of Transparency
DAİSY KLINİK processes personal data in accordance with the relevant legislation and the requirements of the code of honesty and uses it within these limits. In accordance with the principle of compliance with the rule of honesty, DAİSY KLINİK takes into account the interests and reasonable expectations of the relevant persons while trying to achieve its goals in data processing. It acts to prevent the emergence of consequences that the Data Owner does not expect and does not need to expect. In accordance with the principle, it also ensures that such data processing activity is transparent to the data subject; Acts in accordance with its lighting and warning obligations.
b) Being Accurate and Up to Date When Necessary
DAİSY KLINİK ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights and legitimate interests of the Data Owners. In this context, it carefully takes into account issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated. DAİSY KLINİK always keeps the channels open to ensure that the personal data owner’s information is accurate and up-to-date. Keeping personal data accurate and up-to-date is necessary to protect the interests of DAİSY KLINİK as well as to protect the fundamental rights and freedoms of the Data Owner.
c) Processing for Specific, Clear and Legitimate Purposes
DAİSY KLINİK clearly and precisely determines the purpose of data processing and ensures that this purpose complies with the law. The legality of the purpose means that the personal data processed by DAİSY KLINİK is related to and necessary for the healthcare service in which it operates. DAİSY KLINİK does not process data for purposes other than these stated purposes. In this respect, it shows sensitivity in complying with the principle of certainty and clarity in legal transactions and texts in which the purposes of personal data processing are explained.
d) Being Related to the Purpose for which they are Processed, Limited, Proportionate and Necessary
DAİSY KLINİK pays attention to ensure that the personal data processed are suitable for the achievement of the specified purposes and avoids the processing of data that is not relevant or needed to achieve the purpose, and does not collect or process personal data for purposes that do not exist and are expected to be realized later. It also limits the data processed to only what is necessary to achieve the purpose. Within the scope of the principle of proportionality, it establishes a reasonable balance between data processing and the purpose it is intended to achieve.
e) Preservation for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
If there is a period stipulated in the relevant legislation for the storage of data, DAİSY KLINİK complies with these periods; Otherwise, it retains personal data only for the period necessary for the purpose for which they are processed. If there is no valid reason for further storage of personal data by DAİSY KLINİK, the data in question is deleted, destroyed or anonymized. Procedures regarding the storage and destruction of personal data are regulated in detail in DAİSY KLINİK’s Personal Data Storage and Destruction Policy.
f) Compliance with Integrity and Confidentiality Principles
Personal data is processed by DAİSY KLINİK by taking the necessary technical and administrative measures in order to ensure appropriate security against loss, destruction, damage or protection of personal data.
g) Compliance with the Accountability Principle
DAİSY KLINİK has fulfilled its obligation in accordance with the rules of protection of personal data in its processing activities, and in case of any complaint or ex officio review, it will be able to submit documents proving to the audit institutions that these measures have been taken.
3.2 CONDITIONS FOR PROCESSING PERSONAL DATA
DAİSY KLINİK does not process personal data without the explicit consent of the Data Owner. Personal data can only be processed without the explicit consent of the Data Owner if one of the following conditions is met.may be:
a) Clearly Provided in Laws
DAİSY KLINİK may process personal data without seeking the explicit consent of the Data Owner, in cases clearly stipulated by law.
b) It is Necessary for the Protection of the Life or Physical Integrity of the Person Who Is Unable to Express His Consent Due to Actual Impossibility or whose Consent Is Not Recognized as Legally Valid.
DAİSY KLINİK may process personal data without seeking explicit consent to protect the life or physical integrity of individuals in cases where consent cannot be disclosed or is not valid.
c) It is Necessary to Process Personal Data of the Parties to the Contract, Provided That It is Directly Related to the Establishment or Performance of a Contract
In case it is necessary to process personal data of the parties to the contract directly related to the establishment or execution of a contract, DAİSY KLINİK may process the personal data of the Data Owner without seeking explicit consent, limited to this purpose, as a matter of ordinary course of life.
d) It is mandatory for DAİSY KLİNİK to fulfill its legal obligations
DAİSY KLINİK, as the Data Controller, may process the Data Owner’s personal data without seeking explicit consent when necessary in order to fulfill its legal obligations.
e) It has been made public by the Relevant Person Himself
DAISY CLINIC; The personal data of the Data Owner, which has been made public by the Data Owner, in other words, has been disclosed to the public in any way, may be processed on a limited basis for the purpose of publicization, as it is accepted that the legal interest to be protected in the processing of such data, which has been made public by the Data Owner and thus become known to everyone, is eliminated.
f) Data Processing is Necessary for the Establishment, Exercise or Protection of a Right
DAİSY KLINİK may process the personal data of the Data Owner without seeking explicit consent, in cases where data processing is mandatory for the exercise or protection of a legally legitimate right.
g) It is mandatory for our clinic to process data for its legitimate interests, provided that it does not harm the fundamental rights and freedoms of the relevant persons.
DAİSY KLINİK may process the Data Owner’s personal data in cases where processing of personal data is necessary to ensure the legitimate interests of the Data Owner, provided that it does not harm the Data Owner’s fundamental rights and freedoms protected under KVKK, GDPR and the Policy. DAİSY KLINİK shows the necessary sensitivity to comply with the basic principles regarding the protection of personal data and to observe the balance of interests of DAİSY KLINİK and personal data owners. What is meant by legitimate interest; Legitimate is an effective, specific and existing interest that competes with the fundamental rights and freedoms of the Data Owner. DAİSY KLINİK takes additional protective measures to prevent harm to the rights of the Data Owner. A reasonable balance is maintained between the interests of our clinic and the fundamental rights and freedoms of the person concerned.
3.3 CONDITIONS FOR PROCESSING SPECIAL PERSONAL DATA
DAİSY KLINİK does not process sensitive personal data without the explicit consent of the Data Owner. Special categories of personal data can only be processed without the express consent of the relevant person if one of the following conditions is met:
· Clearly Provided in Laws
Special personal data of the Data Owner, other than his health and sexual life, may be processed without the express consent of the Data Owner in cases clearly provided for by law.
· For the Purpose of Protection of Public Health, Preventive Medicine, Execution of Medical Diagnosis, Treatment and Care Services, Planning and Management of Health Services and Financing
Data Owner’s personal data of special nature regarding his health and sexual life, for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, persons or authorized institutions and organizations who are under the obligation of confidentiality. can be processed by.
3.4 CONDITIONS FOR TRANSFER OF PERSONAL DATA
DAİSY KLINİK can transfer personal data to third parties on a limited basis and based on one or more of the following personal data processing conditions, in accordance with Articles 8 and 9 of the KVKK and Articles 45 and 49 of the GDPR, by taking the necessary security measures:
- The Data Owner has explicit consent,
- There is a clear regulation in the law regarding the transfer of personal data,
- Personal data transfer is mandatory to protect the life or physical integrity of the Data Owner or someone else and the relevant person is unable to express his/her consent due to actual impossibility or his/her consent is not given legal validity,
- It is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
- Personal data transfer is mandatory for DAİSY KLINİK to fulfill its legal obligations,
- Personal data has been made public by the Data Owner,
- Personal data transfer is mandatory for the establishment, exercise or protection of a right,
- Personal data transfer is mandatory for DAİSY KLINİK’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Data Owner.
Special personal data can be transferred based on one of the following conditions and provided that adequate precautions are taken:
- The relevant person must have explicit consent,
- If the person concerned has special personal data other than his or her health and sexual life, there is a clear regulation in the law regarding the transfer of this data.
- If the relevant person has special personal data regarding his/her health and sexual life, these data may be used by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. can be transferred by organizations.
4. PERSONAL DATA CATEGORIES AND DATA SUBJECT PERSON GROUPS
4.1 Personal Data Categories
Personal data is processed by DAİSY KLINİK by categorizing it as follows:
| Identity | Name-Surname, TR Identity Number and/or Passport Number and/or Temporary TR Identity Number, place and date of birth, marital status, gender, profession, signature and other identity data that can identify real persons |
| Communication | Address (residence, workplace), telephone number (declared home/workplace fixed and/or mobile phone numbers), e-mail address, social media accounts, IP address and other contact data |
| personnel | CV, title information; employment entry-exit certificate records; social security/retirement information, payroll information and other personnel data |
| Physical Space Security | Security camera recordings and other physical space security data |
| finance | Personal data processed regarding information, documents and records showing the results of all kinds of financial relations established by DAİSY KLINİK with personal data owners, as well as bank account information, credit card information, and other financial information. |
| Audiovisual Records | Photo/camera data taken outside the scope of physical location security of personal data owners |
| Communication Records | Communication data that can be obtained through DAİSY KLINİK’s communication and information systems: Corporate telephone call records, corporate mail and e-mail records and their contents, etc. |
| Customer Transaction | Satisfaction information about our clinic’s patients, invoice, receipt information, etc. |
| SPECIAL PERSONAL DATA | |
| Health Information | Blood type, allergies, chronic diseases, data on previous applications/operations, regularly used medications, analysis and imaging results, prescription information, body analysis and measurement information, medical history, skin analysis information, hormonal tests, venereal disease information. , anesthesia information, information regarding Covid-19 disease, medical treatments and other health data |
| Biometric Data | Image, audio, video data |
Data Subject Person Groups
Only natural persons can benefit from the protection of this Policy and the Law. Personal data owners in this scope are grouped as follows:
| Employee Candidate | They are real persons who have applied for a job at our clinic by any means or have made their CV and relevant information available for review by our clinic. |
| Customer | They are patients or clients who come to our clinic. |
| Worker
|
They are individuals working within DAİSY CLINIC. |
| Visitor | All real persons who have entered the physical premises of our clinic for various purposes or visited our websites for any purpose. |
5. METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA
5.1 METHOD OF COLLECTING PERSONAL DATA
Your Personal Data may be processed by real or legal persons authorized by DAİSY KLINİK in the capacity of ” DATA PROCESSOR/PROCESSOR “; It is recorded physically and electronically by taking verbal, written, camera and photo recordings, and is processed by obtaining your explicit consent in cases stipulated by KVKK and GDPR.
- Job application forms,
- Personnel information forms,
- Various documents submitted to DAİSY KLINİK,
- Mails and e-mails sent to DAİSY KLINİK,
- corporate phones,
- Photo/Video recordings,
- Websites,
- Log Recording Devices (Firewall),
- Patient Information Forms,
- Analysis Results,
- Health Information Forms, service providers whose servers are located abroad (whatsapp/instagram/facebook/messanger/linkedin/youtube/zoomus/Google/Hotmail/yahoo etc.).
5.2 LEGAL REASON FOR COLLECTING PERSONAL DATA
DAİSY KLINİK collects personal data based on one of the following legal reasons in accordance with Articles 5 and 6 of the Law and Articles 6 and 9 of the GDPR:
- Explicit consent of the person concerned,
- It is clearly stipulated in the law;
- Personal data has been made public by the relevant person himself,
- It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
- If the Data Owner has special personal data regarding his health and sexual life, these data are for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, operation and maintenance services, planning and management of health services and their financing,
- It is mandatory for DAİSY KLINİK to fulfill its legal obligations,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- It is mandatory for DAİSY KLINİK to process data for its legitimate interests, provided that it does not harm the fundamental rights and freedoms of the persons concerned.
6. PURPOSES OF PROCESSING PERSONAL DATA
6.1 Matching of Data Subject Person Groups with the Purposes of Processing Regarding Personal Data Categories
The matching of data subject groups, whose definitions and scopes are given above, with the processing purposes of personal data categories is presented below:
- Employee Candidate
Data Categories : Identity, Communication, Personnel, Professional Experience, Physical Space Security
Processing Purposes : Conducting Emergency Management Processes, Conducting Information Security Processes, Conducting Employee Candidate Selection and Placement Processes, Conducting Application Processes for Employee Candidates, Ensuring Physical Space Security, Conducting Communication Activities
- Patient/Client
Data Categories : Identity, Communication, Financial, Customer Transaction, Physical Location Security, Health Data, Biometric Data
Purposes of Processing : to create a patient file, to carry out examination, preventive medicine, medical diagnosis, treatment, operation and care services, to carry out health checks after medical diagnosis, treatment and operation processes, to communicate one-on-one with patients, to manage appointment processes, to carry out patient satisfaction and demand management. To be able to fulfill legal and contractual obligations, to preserve information regarding your health data that must be kept in accordance with the relevant legislation within the specified periods, to ensure clinic security, to receive consultation from another relevant specialist physician when necessary in order to carry out the treatments correctly, to fulfill legal obligations in accordance with the legislation within the scope of health tourism. To be able to plan the transfer and accommodation services of patients/clients coming within the framework of health tourism, to announce innovations regarding medical treatments and practices, to provide medical information to third parties about the applied medical procedures, to carry out promotional and marketing activities regarding medical practices applied within the framework of the International Health Tourism Promotion legislation, To be able to plan and manage health services and their financing, to fulfill the responsibilities arising from the legal relationship established between the doctor and the patient, to fulfill financial and administrative obligations, to ensure technical and commercial security and to fulfill public obligations.
- Worker
Data Categories : Identity, Communication, Personnel, Finance, Visual and Audio Information, Physical Space Security,
Purposes of Processing : Execution of Emergency Management Processes, Execution of Information Security Processes, Fulfillment of Employment Contract and Legislation Obligations for Employees, Execution of Fringe Benefits and Benefits Processes for Employees, Execution of Activities in Compliance with the Legislation, Ensuring Physical Space Security, Execution / Audit of Business Activities, Organization and Event Management
- Visitor
Data Categories : Physical Space Security
Purposes of Processing : Execution of Emergency Management Processes, Execution of Information Security Processes, Ensuring Physical Space Security
6.2 Personal Data Processing Activities Performed in Physical Locations
In order to ensure the security of our clinic, entrances and exits are recorded and an appointment tracking system is used. Employees’ data processing activities are carried out within the authorization matrix created by DAİSY KLİNİK and the necessary confidentiality agreements are signed with the employees.
6.3 Personal Data Processing Activities Performed on the Website
Traffic information of online visitors visiting our website is automatically processed for the purpose of carrying out information security processes. On the other hand, in accordance with Law No. 5651 and other legislation, hosting providers have the obligation to record and store website traffic information.
6.4 Personal Data Processing Activities Performed Through Communication Channels
Phone, email etc. Communications made through channels are audited and recorded by DAİSY KLINİK for the purpose of conducting/supervising business activities and tracking requests/complaints.
Data Owners are required to use these channels only within the scope of their business activities.
7. PURPOSES OF TRANSFER OF PERSONAL DATA AND PERSONS/ORGANIZATIONS TO WHICH THEY ARE TRANSFERRED
7.1 Purposes of Transfer of Personal Data
DAİSY KLINİK transfers personal data limited to the following purposes within the framework of the conditions specified in Articles 8 and 9 of the KVKK and Articles 45 and 49 of the GDPR:
- To carry out examination, preventive medicine, medical diagnosis, treatment, operation and maintenance services,
- Managing complication processes,
- Getting a consultation,
- Fulfilling obligations in accordance with the Ministry of Health Legislation,
- Fulfilling obligations in accordance with International Health Tourism Legislation,
- Meeting the transportation, accommodation and translator needs of Health Tourist patients,
- Fulfilling administrative obligations before Provincial Health Directorates and District Health Directorates,
- Providing medical information to third parties regarding the health services provided,
- Conducting Employee Candidate Selection and Placement Processes,
- Carrying out the application processes of employee candidates,
- Fulfillment of Employment Contract and Legislation Obligations for Employees,
- Execution of Fringe Benefits and Benefits Processes for Employees,
- Conducting Activities in Compliance with Legislation,
- Carrying out Finance and Accounting Affairs,
- Execution/Audit of Business Activities,
- Carrying out Business Continuity Ensuring Activities,
- Execution of Risk Management Processes,
- Ensuring and auditing data security,
- Execution of Contract Processes,
- Providing Information to Authorized Persons, Institutions and Organizations.
7.2 Persons/Organizations to whom Personal Data is Transferred
DAİSY KLINİK can transfer personal data to the following persons and organizations by applying all kinds of administrative and technical security measures stipulated by the legislation, limited to the data subject groups and data required by the purpose of transfer:
- To other specialist physicians for consultation,
- Insured Employees,
- To its suppliers,
- Financial Advisors, Tax and Finance Consultants and Auditors
- Legal Advisor
- Database (Server) Providers
- “Clinical Management Software System” Service Providers
- translators
- Data Protection Officer
- IT Consultant
- Web Consultant
- Tourism Agencies
- Public Institutions and Organizations authorized within the framework of the law,
- To the Judicial Authorities.
8. DESTRUCTION AND STORAGE PERIOD OF PERSONAL DATA
8.1 Destruction of Personal Data
- Without prejudice to the provisions regarding the destruction of personal data in other laws, DAİSY KLINİK may process the personal data it has processed in accordance with the provisions of KVKK and other laws, ex officio or upon the request of the relevant person, in accordance with the Personal Data Storage and Destruction Policy, in case the reasons requiring processing are eliminated. deletes, destroys or anonymizes it.
- Deletion of personal data refers to the process of making personal data inaccessible and unusable for the relevant users in any way.
- Destruction of data; It refers to the process of making personal data inaccessible, irretrievable and unusable by anyone.
- Anonymization of data, masking of personal data, variable extraction, generalization, etc. It refers to the process of making it impossible to associate it with an identified or identifiable natural person in any way, even if it is matched with other data using techniques.
8.2 Storage Periods of Personal Data
DAİSY KLINİK stores personal data in accordance with the periods stipulated in the laws and other legislation. If there is no retention period stipulated in the laws and other legislation, personal data is stored for the period required to achieve the purpose of processing that personal data in accordance with DAİSY KLINİK’s Personal Data Storage and Destruction Policy, and is then deleted, destroyed or deleted within the framework of periodic destruction periods. is made anonymous.
9. PERSONAL DATA OWNER’S RIGHTS ACCORDING TO KVKK AND GDPR
9.1 DATA SUBJECT’S RIGHTS ACCORDING TO GDPR
As a Data Owner, your Personal Data is also protected in accordance with the GDPR. In cases where GDPR falls within the jurisdiction (European citizens or residents of Europe), the rights of Data Owners are as follows;
- Right of Access (GDPR article 15): The data owner has the right to confirm by contacting DAİSY KLINİK whether personal data relating to him/her is being processed or not, and to learn the details in GDPR article 15 in case personal data are processed.
- Right to Correction (Article 16 of the GDPR): The Data Owner has the right to have the changed personal data held by DAİSY KLINİK corrected at any time by contacting us.
- Right to Deletion (GDPR article 17): The Data Owner has the right to request the deletion of his personal data held by DAİSY KLINİK. If the issues specified in Article 17 of the GDPR occur, your personal data will be deleted by DAİSY KLINİK without delay.
- Right to Restriction of Processing (Article 18 GDPR):
- If the Data Owner objects to the up-to-dateness of the Personal Data, the Data Owner has the right to request the restriction of the use of the data until the accuracy of the Personal Data is confirmed by DAİSY KLINİK.
- If the Personal Data processing activity is illegal and the Data Owner objects to the deletion of Personal Data, the Data Owner has the right to request the restriction of the use of the data.
- Although DAİSY KLINİK no longer needs your personal data, if we want to establish and enforce your rights, the Data Owner has the right to request the restriction of the use of the data.
- Until it is verified whether DAİSY KLINİK’s legitimate reasons outweigh the legitimate reasons of the Data Owner, the Data Owner has the right to request the restriction of the use of the data if he objects to the processing activity in accordance with Article 21/1 of the GDPR.
- Right to Data Transfer (GDPR article 20): The Data Owner has the right to request the transfer of his/her Personal Data held by DAİSY KLINİK to another controller at any time, if technically possible. However, you can exercise this right when data processing is based on your consent or when required by contract.
- Right to Object (Article 21 GDPR):
- The Data Subject has the right to object, on grounds relating to his or her particular situation, to processing of Personal Data, including profiling, pursuant to point (e) or (f) of Article 6(1) of the GDPR. DAİSY KLINİK cannot process your Personal Data unless it can demonstrate a strong legitimate reason, such as overriding the interests, rights and freedoms of the Data Owner or the establishment, exercise or protection of a legal right.
- The Data Subject has the right to object at any time to processing of Personal Data for marketing purposes, including profiling to the extent that Personal Data is related to such direct marketing.
- If the Data Owner objects to the processing of Personal Data for direct marketing purposes, the Personal Data will no longer be processed for such purposes.
9.2 DATA OWNER’S RIGHTS ACCORDING TO KVKK
The rights that natural persons whose Personal Data are processed have in accordance with Article 11 of the KVKK are as follows;
- Learning whether personal data is processed or not,
- Requesting information if personal data has been processed,
- Learning the purpose of processing personal data and whether they are used for their intended purpose,
- Knowing the third parties to whom personal data is transferred at home or abroad,
- Requesting correction of personal data in case personal data has been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
- Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the provisions of KVKK and other relevant laws, and requesting that the transaction carried out in this context be notified to third parties to whom personal data has been transferred,
- Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
- Request compensation for damages in case of damage due to unlawful processing of personal data.
In case data owners have rights or requests that they want to exercise from the rights listed above; They can submit their written applications, in which they clearly and understandably state which of the rights specified in Article 11 of the KVKK, they wish to exercise, with a wet signature and documents proving their identity, to DAİSY KLINİK’s address in person, send it through a notary or by signing it with a secure e-signature. They can be sent to DAİSY KLİNİK’s corporate e-mail address info@daisypoliklinik.com or via other methods specified in KVKK. In applications, it is mandatory to include name-surname, signature, TR ID number/passport number/temporary ID number, residence or workplace address, e-mail address, telephone and fax number, and the elements subject to the request, in accordance with the ” Communiqué on the Procedures and Principles of Application to the Data Controller” .
DAİSY KLINİK will finalize the request free of charge as soon as possible and within thirty (30) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee at the tariff determined by the Personal Data Protection Board will be charged.
EFFECTIVE DATE: 01.07.2021
UPDATE DATE: 01.07.2021