NISANTASI - ISTANBUL
Personal Data Protection and Clarification Text
INTRODUCTIONWithin the framework of this Personal Data Protection and Processing Policy ("Policy"), Akademi Grup Estetik Medikal Sağlik Hizmetleri Gida Turizm Otomotiv İnşaat Müşavirlik Sanayi Ve Ticaret Limited Şirketi (hereinafter referred to as RENE CLİNİC. ), the principles adopted in the execution of personal data processing activities carried out by RENE CLİNİC and the general policies in terms of compliance of RENE CLİNİC's data processing activities with the regulations contained in the Personal Data Protection Law No. 6698 ("Law") are explained and thus informs the personal data owners about the provisions of the law and general principles adopted by our Company.
Your personal data are processed and reasonably protected within the scope of this Policy.
PURPOSE OF THE POLICY
The main purpose of this Policy is to set out the principles regarding the personal data processing activity carried out by RENE CLİNIC in accordance with the law and the protection of personal data, and to ensure transparency by enlightening and informing the persons whose personal data are processed by our company in this context.
SCOPE OF THE POLICY
This Policy; Regarding your personal data processed by RENE CLINIC; The principles of processing personal data and personal health data, the purposes and conditions of processing this data, the transfer and destruction of this data domestically and abroad, and the practices and principles regarding your rights on the processed data are notified to you below.
ACCESS AND UPDATE
The Policy is published on our Company's website and made available to the relevant persons upon the request of the personal data owners and updated when necessary. (Your personal data that we collect and process must be accurate and up-to-date when necessary in accordance with Article 4 of the Personal Data Processing Law No. 6698. For this reason, in case of any change in your personal data, you can notify your current and accurate personal information through the application methods described in the Clarification Text on our website).
Our Company reserves the right to make changes in the Policy in parallel with legal regulations.
In case of any conflict between the legislation in force, particularly the Law, and the regulations set forth in this Policy, the provisions of the legislation shall apply.
DEFINITIONS
The definitions used in this Policy are given below:
Explicit consent
Consent on a specific subject, based on information and expressed with free will
Anonymization
Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data
Personal data
Any information relating to an identified or identifiable natural person
Processing of personal data
All kinds of operations performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system
KVK Law
Law No. 6698 on the Protection of Personal Data
KVK Board
Personal Data Protection Board
KVK Authority
Personal Data Protection Authority
Sensitive personal data
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data
Data owner
The real person whose personal data is processed, who is considered as "data subject" in the KVK Law
Data Controller
The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
Data processor
A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller
Data Controllers Registry
Data controllers registry (VERBIS) kept by the Presidency under the supervision of the Personal Data Protection Board
Data Inventory
The inventory that RENE CLİNİC creates and details the personal data processing activities that it carries out depending on its business processes by associating them with the personal data processing purposes, the recipient group to which personal data is transferred and the relevant personal data owner group.
PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA
Within RENE CLİNİC; In line with the legitimate and lawful personal data processing purposes of RENE CLİNİC, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVK Law, in accordance with the general principles specified in the KVK Law and all obligations regulated in the KVK Law, especially the principles specified in Article 4 regarding the processing of personal data. In accordance with the legitimate and lawful personal data processing purposes of PDP Law, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the PDP Law and limited to them, primarily the principles specified in Article 4 regarding the processing of personal data, in compliance with the general principles specified in the PDP Law and all obligations regulated in the PDP Law, and not limited to the personal data owners within the scope of this Policy (Product and Service Recipient / Patient, Potential Product and Service Recipient, Employees, Employee Candidates, Visitors, Supplier Employees, Supplier Authorities, Parent / Guardian / Representative, Relative of Employee, Relative of Employee Candidate, Persons to be Contacted in Case of Emergency, Witness, Interpreter, Consultant, Consultant, and Reference Person);
To ensure that the relevant persons benefit from the services provided within the scope of the fulfillment of the requirements of the transactions regarding the services we provide and the performance of the service,
To fulfill our legal obligations under the Basic Law No. 3359 on Health Services, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Organizations, Regulation on Private Health Institutions for Outpatient Diagnosis and Treatment, Regulation on the Processing of Personal Health Data and Ensuring Privacy and other relevant regulations;
Protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing,
Responding to all your questions and complaints regarding the health services you receive,
Measuring, increasing and researching patient satisfaction.
Billing for the services you receive,
Providing information about the services you receive, complementary services and new services
If you make an appointment, you will be informed about the appointment,
Fulfillment of information sharing, reporting and information obligations stipulated by Public Institutions and all authorities upon request in accordance with the relevant legislation,
Fulfillment of information and document retention obligations arising from legal regulations,
For the education and information of other patients and the public, promotion, volume increase, scientific research and training purposes in accordance with your explicit consent,
And without limitation, it will be processed within the personal data processing conditions and purposes specified in Articles 5 and 6 of Law No. 6698.
Rene Clinic has created a personal data inventory in accordance with the Regulation on Data Controllers' Registry issued by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to whom data is transferred and retention periods.
In this context, Rene Clinic includes, but is not limited to, the following types of data categories.
Identity Information
Name, surname, patient protocol number, information written in your identity card, including but not limited to name, surname, mother's name, father's name, place of birth, date of birth, marital status, religion, blood type, province, district and neighborhood where registered and information written in your identity card.
Contact Information
Your contact data such as home phone number, mobile phone number, residence address or other address information, e-mail address, etc. requested from you or provided by you in order to contact you. Your voice call records kept in accordance with customer representatives or call center standards.
Health Data
Examination data, diagnosis and operation information, medical background data, medical ancestry data, laboratory results, medical imaging results, test results, examination appointment information, prescription information, medication information, pre- and post-operation photographs, three-dimensional visual data, clinical follow-up videos, all interviews and correspondence with the doctor in digital environment (e-mail, SMS, social media, digital messaging platforms, etc.) during the pre-examination consultation, diagnosis, treatment and follow-up process, social, family and sexual life personal data obtained during the execution of the services or as a result thereof, all kinds of health information and data (blood group information, blood type information, social media, digital messaging platforms, etc.) obtained during the execution of the services.All kinds of health information and data (blood group information, personal health information and health report) obtained during the execution of services or as a result thereof, all kinds of health information and data (blood group information, personal health information and health report) received while creating the personal file.
Personal Information
- Photocopy of identity card,
- Population registration sample,
- Certificate of Residence,
- Health report,
- Copy of diploma,
- Criminal record,
- Photo.
- Proof of family status,
- Proof of military service,
- Employment Contract / Service Contract,
- SSI employment declaration,
- Your criminal record (criminal record),
- Information and documents regarding your health condition.
Process Security
- IP address information, website login and logout information, password and password information
Physical Space Security
-Camera recordings of employees and visitors, etc.
Audio and Visual Recordings
-Audio and visual recordings, etc.
Customer Transaction
-Call center records, such as invoice, order information, request information,
Professional Experience
-Diploma information, Courses attended, Vocational training information, Certificates, etc.
Legal Action
-Information in correspondence with judicial authorities, information in the case file, etc,
Marketing
-Past service information, survey, cookie records, information obtained through campaign work.
Bank Account Information (Finance)
- Bank account number, IBAN number, other information about the bank card.
Biometric Data
-Biometric signature for identity verification and monitoring obligation,
Other
- Signature, income information, document number
GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
Compliance with Law
Our Company carries out its personal data processing activities in accordance with the law and honesty rules in accordance with the PDP Law and relevant legislation, especially the Constitution. In this context, our Company takes action by determining the legal grounds that will require the processing of personal data, takes into account the requirements of proportionality, does not use personal data for purposes other than those required by the purpose, and does not carry out processing activities without the knowledge of the persons.
Data is Accurate and Up-to-Date When Necessary
Our Company ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests, and takes the necessary measures in this direction. In this context, data on all categories of persons are tried to be kept up-to-date, and all kinds of administrative and technical measures are taken to ensure their accuracy and currency.
Specific, Legitimate and Clear Purpose
Our Company processes personal data only for legitimate purposes that are clearly and precisely determined and does not engage in data processing activities other than these purposes. The purpose for which personal data will be processed by our Company is determined before the processing activity and is also recorded in the "Personal Data Inventory".
Data being relevant, limited and proportionate to the purpose for which they are processed
Personal data are processed by our Company to the extent necessary to fulfill the specified purposes. Data processing activities are not carried out with the assumption that they can be used later. In this context, processes are constantly reviewed and the principle of reducing personal data is tried to be realized.
Retention of Personal Data for as Long as Necessary and Deletion Afterwards
Our Company retains personal data only for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, our Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period of time is determined, it acts in accordance with this period, takes into account the legal and criminal statute of limitations in this context and keeps personal data for the period required for the purpose for which they are processed. In the event that the period expires or the reasons requiring processing disappear, personal data are deleted, destroyed or anonymized according to our Company's "Data Destruction Policy".
CONDITIONS OF PROCESSING PERSONAL DATA
Personal data may only be collected, processed or used within the scope of the legal bases set out below.
Open Consent
In Article 3 of the Law, explicit consent is defined as "consent regarding a specific subject, based on information and expressed with free will". In addition, paragraph 3 of Article 20 of the Constitution stipulates that personal data can only be processed in cases stipulated by law or with the explicit consent of the person. Explicit consent is stipulated as a fundamental ground of lawfulness in Law No. 6698 in terms of both sensitive personal data and non-sensitive personal data. Accordingly, according to the Law,
Article 5, paragraph 1: "Personal data cannot be processed without the explicit consent of the person concerned",
Article 6, paragraph 2: "Processing of sensitive personal data without the explicit consent of the data subject is prohibited",
Article 8, paragraph 1: "Personal data cannot be transferred without the explicit consent of the data subject",
Article 9, paragraph 1 stipulates that "Personal data cannot be transferred abroad without the explicit consent of the person concerned" and in this direction, our company processes personal data by obtaining explicit consents declared with free will and obtained in a provable manner (in writing, electronically or verbally recorded). In case of processing special categories of personal data, explicit consents will be obtained in writing when necessary.
Process managers who process personal data are obliged to check the existence and validity of the explicit consent of the relevant data subject when collecting the personal data they process. If it is determined that there is no explicit consent (except for the following exceptions), data processing will not be carried out.
Processing of Personal Data without Explicit Consent
In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject.
8.2.1 Explicitly provided for by law,
8.2.2 It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
8.2.3 It is necessary to process personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of a contract.
8.2.4 It is mandatory for the data controller to fulfill its legal obligation,
8.2.5 It has been made public by the data subject himself/herself,
8.2.6 Data processing is mandatory for the establishment, exercise or protection of a right,
8.2.7 Provided that it does not harm the fundamental rights and freedoms of the data subject, data can be processed without explicit consent in cases such as the processing of data is mandatory for the legitimate interests of the data controller.
Processing of Special Categories of Personal Data
Our company shows special sensitivity in the processing of special categories of personal data, the protection of which is believed to be more critical for data subjects in various respects. In this context, provided that adequate measures determined by the Board are taken, such data are not processed without the explicit consent of the data subjects. However, special categories of personal data other than data related to health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law. However, data relating to health and sexual life may be processed without the explicit consent of the data subject, provided that adequate measures are taken and in the presence of the reasons listed below:
Protection of public health,
Preventive medicine,
Medical diagnosis,
Carrying out treatment and care services,
Planning and management of health services and financing.
The KVKK Committee will be informed in every case where special categories of personal data need to be processed.
TRANSFER OF PERSONAL DATA
Rene Clinic may transfer the personal data of data owners to third parties and institutions within the scope of the personal data processing conditions specified in Articles 5 and 6 of the KVK Law No. 6698 and limited to the purposes specified in this Policy, in accordance with Articles 8 and 9 of the KVK Law.
The scope of the persons to whom data is transferred and the purposes of data transfer are stated above and in the clarification text. Persons and organizations to whom data is transferred;
The Ministry of Health and its sub-units, the Social Security Institution, private insurance companies, law enforcement agencies and all kinds of judicial authorities, your authorized representatives, lawyers, tax and financial advisors and auditors, including third parties, regulatory and supervisory institutions, private hospitals that we have contracted for operations requiring surgery, and our service providers from whom we receive information technology support (server, hosting, software, cloud computing, etc.) within the framework of the personal data processing conditions specified in Articles 8 and 9 of Law No. 6698 and the purposes specified above.
Domestic Transfer of Personal Data;
In accordance with Article 8 of the KVK Law, the transfer of personal data within the country will be possible provided that one of the conditions specified in section 8 of this Policy titled "Conditions for Processing Personal Data" (processing conditions) is met.
Transfer of Personal Data Abroad;
In accordance with Article 9 of the KVK Law, in the event that personal data is transferred abroad without explicit consent, in addition to the fulfillment of the conditions regarding domestic transfers, the existence of one of the following issues is sought:
The country to be transferred is among the countries with adequate protection as declared by the Board,
Or
In the absence of adequate protection in the country of transfer, the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and the Board's permission is obtained.
Transfer of Sensitive Personal Data Abroad
Our Company, by taking the necessary security measures and taking adequate measures stipulated by the KVK Board; In line with legitimate and lawful personal data processing purposes, our Company may transfer the personal data owner's special quality data to Foreign Countries with Adequate Protection or to Foreign Countries where there is a Data Controller Committed to Adequate Protection in the following cases.
If the personal data subject has explicit consent or,
If the personal data subject does not have explicit consent;
Sensitive personal data other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law,
Personal data of special nature related to the health and sexual life of the personal data owner can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
The relevant employee making the transfer is responsible for ensuring compliance with the obligations to be complied with during the transfer of sensitive data.
RIGHTS OF PERSONS CONCERNED
Rene Clinic will respond to the requests of the data subjects whose personal data it processes within the scope of the rights specified below within 30 days:
Learn whether personal data is being processed,
Request information if their personal data has been processed,
To learn the purpose of processing personal data and whether they are used for their intended purpose,
To know the third parties to whom personal data are transferred domestically or abroad,
To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
Although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
In case of damage due to unlawful processing of personal data, to demand compensation for the damage.
Data subjects may apply within the scope of the above-mentioned rights with the information and documents that will identify their identities and by the methods specified below or by other methods determined by the Personal Data Protection Board with the KVKK application form on the website.
PRIVACY and DATA SECURITY MEASURES;
All personal data processed within Rene Clinic is confidential and is subject to the provisions of Article 12 of the Law;
a) To prevent unlawful processing of personal data,
b) To prevent unlawful access to personal data,
c) To ensure the preservation of personal data,
It takes all necessary technical and administrative measures to ensure the appropriate level of security for its purpose.
Technical Measures Taken to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
Rene Clinic has taken all kinds of technical and technological security measures to protect your personal data and protects your personal data against possible risks. For example
Network security and application security are ensured.
Employees who are reassigned or leave their jobs are no longer authorized in this area.
Up-to-date anti-virus systems are used.
Firewalls are used.
Personal data security issues are reported quickly.
Personal data security is monitored.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
Physical environments containing personal data are secured against external risks (fire, flood, etc.).
Security of environments containing personal data is ensured.
Personal data is minimized as much as possible.
Personal data is backed up and the security of backed up personal data is also ensured.
Extra security measures are taken for personal data transferred via paper and the relevant document is sent in the format of a confidential document.
If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using a KEP or corporate mail account.
Penetration test is applied.
Encryption is performed. Access to systems containing personal data is provided by using a user name and password.
Administrative Measures to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
A management framework has been established to initiate and control information security operation and implementation within the organization.
KVKK Committee and contact person were appointed and their job descriptions were determined.
KVKK Application channels have been determined.
Violation, request/complaint management workflows have been determined.
Principles, policies and procedures regarding the processing and protection of personal data have been determined.
Data Processing and Retention Policy has been established.
Personal Data Processing and Protection Policy has been established.
A Policy on the Security of Sensitive Personal Data has been established.
Existing risks and threats have been identified within the scope of processed personal data.
Training and awareness raising activities are carried out for employees on personal data security.
Confidentiality commitments are made.
Disclosure text has been published for employees, customers, suppliers, etc.
Processes for obtaining explicit consent have been identified and implemented.
Internal periodic and/or random audits are conducted and commissioned. Confidentiality and security weaknesses revealed as a result of the audits are eliminated.
Measures to be Taken in Case of Unlawful Disclosure of Personal Data
In the event that the processed personal data is obtained by others illegally, our Company will notify the relevant data subject and the Board as soon as possible (maximum 72 hours).
CONDITIONS FOR THE DESTRUCTION (ERASURE, DESTRUCTION AND ANONYMIZATION) OF PERSONAL DATA
Pursuant to Article 138 of the Turkish Penal Code, Article 7 of the KVK Law and the "Regulation on Deletion, Destruction and Anonymization of Personal Data" issued by the Authority; Although it has been processed in accordance with the provisions of the relevant law, personal data is deleted, destroyed or anonymized upon Rene Clinic's own decision or upon the request of the personal data owner if the reasons requiring its processing disappear. Rene Clinic has established a Policy in this regard in accordance with the provisions of the regulation and in accordance with this Policy, destruction is made according to the nature of the data. In accordance with this regulation, periodic destruction dates have been determined by Rene Clinic and a calendar has been created according to which periodic destruction will be carried out at various intervals with the commencement of the obligation.
EXECUTION
A management structure has been established by Rene Clinic to ensure that the execution of this Policy complies with the regulations of the KVK Law.
A Personal Data Protection Committee ("Committee") has been established within Rene Clinic in accordance with the decision of the senior management of the Company to manage this Policy and other Policies related and related to this Policy.
EFFECTIVE DATE OF THE POLICY
This Policy entered into force on 09.04.2021.
RENE CLINIC