Personal Data Protection and Processing Policy
As the data controller, the private practice of Assoc. Prof. Dr. Güncel Öztürk places great importance on the protection of personal data belonging to its clients, employees, and other natural persons with whom it is in contact, in accordance with the regulations set forth by the Law on the Protection of Personal Data and within the framework of the principles of superior service quality, respect for individuals’ rights, transparency, and integrity. Great importance is attached to ensuring that patient privacy and all personal data belonging to our patients are processed and stored in the best possible way and with due care. This policy has been prepared in order to protect and process the personal data of our patients as well as companions, visitors, and employees of institutions and organizations we cooperate with, in accordance with the fundamental principles set out in the legislation.
The purpose of this Policy is to ensure transparency by informing data subjects—primarily our patients, companions, visitors, employees, and institutional officials, as well as employees and officials of institutions we cooperate with and third parties—whose personal data are processed within the scope of personal data processing activities carried out by our practice in compliance with the legislation. Within this scope, the administrative and technical measures required for the processing and protection of personal data are taken in accordance with Law No. 6698 and relevant legislation. Under this policy, natural persons whose personal data are processed are referred to as Data Subjects, Relevant Persons, or Personal Data Owners.
Explicit Consent: Consent regarding a specific matter, based on being informed, and declared with free will.
Anonymization: The modification of personal data in such a way that it loses its personal data nature and this cannot be reversed. For example, rendering personal data unassociable with a real person through techniques such as masking, aggregation, data distortion, etc. Anonymization of personal data for various purposes is possible only in a manner that does not violate the scope of KVKK and explicit consent, and in line with the data subject’s request and/or consent. Necessary measures will be taken within our practice to prevent anonymized personal data from being made identifiable through various methods.
Employees, Shareholders, and Authorized Persons of Institutions We Cooperate With: Refers to natural persons, including employees, shareholders, and authorized persons of institutions with which we have any kind of business relationship (such as business partners, suppliers, but not limited to these).
Processing of Personal Data: Refers to any operation performed on data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making accessible, classifying, or preventing the use of personal data, fully or partially by automated means or, provided that it is part of a data recording system, by non-automated means.
Personal Data: Refers to any information relating to an identified or identifiable natural person. All information that makes a person identifiable is regulated as personal data; Turkish ID number, name and surname, e-mail address, phone number, residential address, date of birth, bank account number, etc. can be given as examples of personal data.
Special Category Personal Data: Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are considered special category personal data.
Third Party: Refers to third-party natural persons associated with the parties mentioned above in order to ensure the security of commercial transactions between them or to protect the rights of the mentioned persons and provide benefits. (For example, employees or authorized persons of service providers, companions, etc.)
Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller. For example, the IT company that stores our data.
Data Controller: Refers to the person who determines the purposes and means of processing personal data and manages the place where data are kept systematically (data recording system).
Within the scope of KVKK, our practice holds the title of data controller and has registered with the VERBİS system. A team (Personal Data Controller Team) has been established within our practice. In situations requiring a decision, the Personal Data Controller Team implements the decision after obtaining the opinion of a legal expert/lawyer specialized in personal data and upon the management’s approval.
Although the processed personal data may vary depending on the healthcare services provided, they are collected by physical and/or digital methods. Special category personal data—primarily health data—and general personal data collected verbally, in writing, or digitally through our patients, physicians, healthcare staff, etc., our employees, subcontractor companies and their employees, companies involved in all commercial activities, our call center, our practice’s website, online services, and similar means are processed for the purposes listed below and other purposes that may arise in the future:
- Carrying out medical diagnosis, treatment, and care services,
- Protecting public health,
- Planning and managing the financing of preventive medicine and healthcare services,
- Being able to notify our patients about appointments,
- Planning and managing internal procedures,
- Conducting analyses for the purpose of improving healthcare services by ensuring they are delivered in compliance with legislation,
- Performing risk management and quality improvement activities,
- Conducting research,
- Fulfilling legal and regulatory requirements,
- Issuing invoices in return for our services,
- Verifying your identity,
- Verifying your relationship with contracted institutions,
- Sharing all kinds of information requested by private insurance companies within the scope of financing healthcare services,
- Being able to respond to all kinds of questions and complaints regarding our healthcare services,
- Taking all necessary technical and administrative measures within the scope of data security,
- Ensuring financial reconciliation regarding the healthcare services provided to you with contracted institutions, banks, and all organizations (public and private) that collect healthcare expenses,
- Sharing requested information with the Ministry of Health and other public institutions and organizations pursuant to relevant legislation,
- Measuring patient satisfaction, increasing patient satisfaction,
- Being able to fulfill our contracts and legal obligations, and similar purposes.
CATEGORIZATION OF PROCESSED PERSONAL DATA
Identity Information: All information regarding a person’s identity contained in documents such as driver’s license, ID card, passport, bar association ID, marriage certificate
Contact Information: Information for contacting the data subject such as phone number, address, residence, e-mail
Location Data: Data that clearly belongs to an identified or identifiable natural person and is included in the data recording system, enabling the determination of the data subject’s location
Family Members and Relatives Information: Information about the family members and relatives of the personal data owner, which clearly belongs to an identified or identifiable natural person and is included in the data recording system, processed to protect the legal interests of the relevant Institution and the data subject
Physical Space: Records such as camera recordings, fingerprint records, and personal data regarding records and documents, visual and audio recordings
Transaction Security Information: Personal data processed to ensure our technical, administrative, legal, and commercial security while carrying out our activities
Financial Information: Personal data processed related to any information, document, and records showing financial outcomes
Job Applicant Information: Personal data processed regarding individuals who have applied to become an employee (CV or résumé information)
Personnel Information: Information related to payroll information, disciplinary investigation, SSI (SGK) information, employment entry-exit document records, asset declaration information, résumé information, performance evaluation reports, interview results, the content of the Employment Contract, start of employment information, termination information
Legal Transaction: Personal data processed within the scope of our legal obligations and for the determination, follow-up of our legal receivables and rights, and the performance of our debts
The personal data above may be processed within the framework of legislative provisions such as the Fundamental Law on Health Services No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Its Affiliated Institutions, the Regulation on Private Hospitals, the Regulation on Personal Health Data, and the regulations of the Ministry of Health, and may be transferred to physical archives and information systems belonging to our practice and/or our suppliers.
Our practice acknowledges that it will process personal data in accordance with the following principles:
- Compliance with the law and the rule of good faith,
- Ensuring that personal data are accurate and, when necessary, kept up to date,
- Processing for specific, explicit, and legitimate purposes,
- Being relevant, limited, and proportionate to the purpose for which they are processed,
- Retaining for the period stipulated in relevant legislation or required for the purpose of processing.
The data subject’s explicit consent is only one of the legal bases that allow personal data to be processed lawfully. Apart from explicit consent, personal data may also be processed if any one of the other conditions written below exists. The legal basis of a personal data processing activity may be only one of the conditions stated below, or more than one of these conditions may constitute the basis for the same processing activity. If the processed data are special category personal data, the conditions below apply:
- The Data Subject’s Explicit Consent Exists,
- Explicitly Prescribed by Laws,
- Inability to Obtain the Data Subject’s Explicit Consent Due to Actual Impossibility,
- Directly Related to the Establishment or Performance of a Contract,
- The Practice Fulfills Its Legal Obligation,
- The Data Subject Has Made Their Personal Data Public,
- Processing Is Mandatory for the Establishment or Protection of a Right,
- Processing Is Mandatory for Our Practice’s Legitimate Interest, (The expression of the practice’s legitimate interests may in no way contravene the principles determined by KVKK or the purpose of processing personal data, and may not constitute an interference with the essence of a right guaranteed by the Constitution.)
Special category personal data are processed by our practice, provided that adequate measures to be determined by the Personal Data Protection Board are taken, in the following cases:
- If the data subject has given explicit consent, or
- If the data subject has not given explicit consent; special category personal data other than the data subject’s health and sexual life may be processed in cases prescribed by law,
- Special category personal data relating to the data subject’s health and sexual life may be processed only for the purposes of protecting public health, preventive medicine, carrying out medical diagnosis, treatment and care services, and planning and managing the financing of health services, by persons under an obligation of confidentiality or authorized institutions and organizations.
TECHNICAL AND ADMINISTRATIVE MEASURES
In accordance with Article 12 of KVKK and the provisions of the Regulation, the general principles stated above, this Policy, and the decisions of the Personal Data Protection Board, our practice takes the necessary technical and administrative measures, considering technological possibilities and implementation costs, regarding the issues listed below:
- Necessary software and hardware have been determined. Strong passwords are used on computers and e-mail accounts.
- Items that must be protected in terms of protecting customer information have been communicated to our personnel through trainings, and responsibilities have been set out in writing through employment contracts (Confidentiality Agreements). This obligation continues even after the relevant persons leave their positions.
- The necessary infrastructure has been established for the purpose of backing up all data.
- Employees who can access data on computers have been determined.
- Customer files and information are provided only to the data subjects themselves, to their relatives for whom they have given written approval, to relevant public institutions and organizations within the framework of legislation, and to competent judicial authorities in judicial cases.
- Before starting personal data processing, the institution fulfills its obligation to inform the relevant persons.
- A personal data processing inventory has been prepared.
- Data subjects are informed on these matters through texts posted within our practice or otherwise made accessible to guests.
Your personal data may be shared, in accordance with the fundamental principles stipulated by the Law and within the scope of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law and for the purposes stated above, with the Ministry of Health, its affiliated sub-units and family medicine centers, private insurance companies (health, retirement and life insurance and similar), the Social Security Institution, the General Directorate of Security and other law enforcement units, the General Directorate of Civil Registration, the Turkish Pharmacists’ Association, prosecutor’s offices and courts, laboratories, medical centers and third parties providing healthcare services located domestically or abroad with whom we cooperate for medical diagnosis, the healthcare institution to which the patient is referred or the healthcare institution the patient applies to, your representatives duly authorized by you, third parties from whom we receive consultancy, regulatory and supervisory bodies and official authorities, our suppliers, support service providers, and those whose services we benefit from or with whom we cooperate, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law.
With regard to processed personal data, the relevant person has the right to learn whether personal data are processed, to request information if processed, to access and request their personal health data, to learn whether they are used in accordance with the purpose, to learn the third parties to whom they are transferred, to request correction in case of incorrect processing, to request deletion or destruction of personal data, to request that the correction be notified to third parties to whom data have been transferred in case of incorrect processing, to object to a result arising to their detriment by analysis via automated systems, and to request compensation for damages incurred due to unlawful processing of personal data. These rights may be exercised by applying to our practice with a petition.
The processing of personal data is carried out by our practice through the use of security cameras and taking image recordings at guest entry and exit points. In this scope, our practice acts in accordance with the Law on the Protection of Personal Data and security legislation.
Only authorized employees and/or employees of the supplier company have access to records stored and preserved in digital environments. Camera recordings are stored for 2 months.
