DATA PROTECTION ACT

PATIENT INFORMED CONSENT FORM

POLICY ON THE PROCESSING, PROTECTION, AND DISPOSAL OF PERSONAL DATA

As Dr. Çağrı ALTUNTAŞ (“the Clinic”), in accordance with our responsibilities regarding the protection and legal safeguarding of personal data—which is recognized as a constitutional right—our Clinic places great importance on the secure handling of your personal data.

The purpose of this policy is to establish the methods and principles to be followed to ensure that the Clinic processes and protects personal data in compliance with the Law on the Protection of Personal Data (KVKK), published in the Official Gazette dated April 7, 2016, and numbered 29677.

1. STATEMENT ON POLICY

The protection of personal data is a matter of great importance to Dr. Çağrı ALTUNTAŞ (“the Clinic”) and is among our top priorities. The Clinic takes the necessary care to protect the personal data of our Patients, Employees, Job Applicants, Shareholders, Dentists, Visitors, employees, shareholders, and authorized representatives of institutions with which we collaborate, as well as Third Parties.

The Clinic has established the following matters as official policy:

  • Processing personal data in accordance with the law and the principles of good faith,

  • Keeping personal data accurate and up-to-date when necessary,

  • Processing personal data for specific, explicit, and legitimate purposes,

  • Processing personal data in a manner that is relevant, limited, and proportionate to the purpose for which it is processed,

  • Retaining personal data for the period prescribed by applicable legislation or as necessary for the purpose for which it is processed,

  • Informing and notifying data subjects,

  • Establishing the necessary system for data subjects to exercise their rights,

  • Taking necessary measures to safeguard personal data,

  • Acting in compliance with applicable legislation and the Personal Data Protection Board’s regulations when transferring personal data to third parties in accordance with the requirements of the processing purpose,

  • Exercising the necessary diligence in the processing and protection of special category personal data.

In this context, the Clinic takes the necessary administrative and technical measures to protect personal data processed in accordance with applicable laws and regulations.

1.2. DEFINITIONS

  • Explicit consent: Consent that is specific to a particular matter, based on information provided, and freely given.

  • Anonymization: The process of modifying personal data in such a way that it loses its status as personal data, and this change is irreversible. For example, using techniques such as masking, aggregation, or data obfuscation to ensure that personal data can no longer be linked to a specific individual.

  • Application Form: The “Form Regarding Applications to Be Submitted by the Data Subject (Data Owner) to the Data Controller Pursuant to the Personal Data Protection Law No. 6698,” which contains the application to be made by data subjects to exercise their rights.

  • Job Applicant: Natural persons who have applied for a job at the Clinic through any means or have submitted their resume and relevant information for the Clinic’s review.

  • Employees, Shareholders, and Authorized Representatives of Institutions We Collaborate With: Natural persons, including employees, shareholders, and authorized representatives of institutions with which the Clinic has any type of business relationship (business partners, suppliers, and any other entities, regardless of their name or designation, without limitation to these examples).

  • Business Partner: Parties with whom the Clinic has established a business partnership—either directly or in potential future locations—to carry out various projects or receive services in collaboration with contracted Clinics, healthcare centers, hospitals, and universities.

  • Processing of personal data: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or restriction of use.

  • Data subject: A natural person whose personal data is processed. For example, users of websites and mobile applications.

  • Personal data: Any information relating to an identified or identifiable natural person.

  • Special category personal data: Data related to race, ethnic origin, political opinions, philosophical beliefs, religion, denomination, or other beliefs; attire; membership in associations, foundations, or trade unions; health; sexual life; criminal convictions and security measures; as well as biometric and genetic data.

  • Patient: Natural persons who receive or will receive products and services provided by the Clinic, to whom general information regarding these products is provided, opportunities are communicated, and communication is established regarding these products and services. This information is also used for marketing activities, product/service offers, modeling, reporting, scoring, risk monitoring, intelligence, current or new product development, and the identification of potential Patients.

  • Clinical Shareholder: Natural persons who are shareholders of the clinic.

  • Clinical Authorized Representative: Authorized dentists at the clinic.

  • Supplier: Parties that provide services to the clinic on a contractual basis in accordance with the clinic’s orders and instructions while the clinic conducts its healthcare activities.

  • Clinic Patients: Natural persons whose personal data is obtained through business relationships with Community Clinics that may be established in the future within the borders of the Republic of Turkey or in other countries, as part of operations conducted by the Clinic’s business units, regardless of whether they have any contractual relationship with the Clinic.

  • Third Party: Natural persons whose personal data is processed under this Policy but who are not otherwise defined in the Policy (e.g., former employees).

  • Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. For example, a cloud computing company that stores the Clinic’s data, a call center company that conducts calls on behalf of the Clinic by providing outsourced support services, etc.

  • Data controller: The person who determines the purposes and means of processing personal data on behalf of the Clinic and manages the location where data is systematically stored (data recording system).

  • Visitor: Natural persons who have entered the Clinic’s physical premises for various purposes or who visit the Clinic’s websites, web, and mobile applications.

1.3 ABBREVIATIONS

  • Data Protection Law: The Law on the Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette No. 29677, dated April 7, 2016.

  • KVK Board: Personal Data Protection Board.

  • KVK Authority: Personal Data Protection Authority.

  • Clinic: Dr. Çağrı ALTUNTAŞ.

  • Policy: The Clinic’s Policy on the Processing, Protection, and Destruction of Personal Data.

  • Turkish Penal Code (“TCK”): The Turkish Penal Code No. 5237, dated September 26, 2004, published in the Official Gazette No. 25611, dated October 12, 2004.

1.4 PURPOSE OF THE POLICY

The primary purpose of this Policy is to provide information regarding the Clinic’s lawful processing of personal data, the administrative and technical measures adopted to protect personal data, and the existing and potential systems in place; and, within this scope, to ensure transparency by informing individuals whose personal data is processed by our Clinic—including, but not limited to, Job Applicants, Clinic Shareholders, Clinic Officials, Visitors, employees, shareholders, and officials of collaborating institutions, as well as all Third Parties whose personal data may be processed or recorded under any name or title—regarding these matters.

1.5 SCOPE

This Policy applies to all personal data processed automatically or through non-automated means—provided such processing forms part of a data recording system—regarding Job Applicants, Clinic Shareholders, Clinic Authorized Representatives, Visitors, employees, shareholders, and authorized representatives of institutions with which we collaborate, and all Third Parties, regardless of the name or title under which they operate. The scope of application of this Policy may encompass the entire Policy or only certain provisions thereof.

1.6 IMPLEMENTATION OF THIS POLICY AND RELEVANT LEGISLATION

This Policy has been established in accordance with the relevant legal regulations in force regarding the processing and protection of personal data. In the event of any inconsistency between the applicable legislation and this Policy, the Clinic acknowledges that the applicable legislation shall prevail.

2. MATTERS RELATED TO THE PROTECTION OF PERSONAL DATA

The Clinic processes personal data in accordance with Article 12 of the Personal Data Protection Law, takes the necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing and/or access to personal data and to ensure the protection of personal data, and conducts or has conducted the necessary audits within this scope.

2.1. Ensuring the Security of Personal Data

2.1.1. Technical and Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

To ensure the lawful processing of personal data, the Clinic implements technical and administrative measures using technological resources appropriate to its administrative and financial structure.

(i) Technical Measures Taken to Ensure the Lawful Processing of Personal Data

  • To ensure that personal data is processed and stored in compliance with the law, the Clinic has established an internal technical infrastructure; personal data processing activities carried out within the Clinic are monitored through the technical systems in place, and periodic internal audits are conducted.

  • Depending on the technical requirements, either staff is hired or an outsourcing service is utilized.

  • Appropriate software is used for application and web security.

  • We are establishing the technical infrastructure to ensure the security of the databases where your personal data will be stored.

  • We use antivirus systems, firewalls, and similar software or hardware security products, and we implement security systems that keep pace with technological advancements.

  • We hire employees with expertise in technical matters and obtain support services as needed.

(ii) Administrative Measures Taken to Ensure the Lawful Processing of Personal Data To ensure the lawful processing of personal data by the Clinic, Clinic staff are informed and trained on data protection laws and the lawful processing of personal data, and internal policies are established. Provisions prohibiting the processing, disclosure, and use of personal data—except as provided by Clinic directives and legal exceptions—are included in the contracts and documents governing the legal relationship between the Clinic and its employees. Employee awareness is raised regarding these matters, and audits are conducted. We are establishing policies and procedures regarding access to personal data within our Clinic, including for Clinic physicians and staff; we are informing and training our staff on the lawful protection and processing of personal data; and in the contracts we enter into with our staff and/or the Policies we establish, we document the measures to be taken in cases where personal data is processed unlawfully by our clinic staff, and we establish and maintain legal relationships with data processors or their partners with whom we collaborate, enabling us to audit their personal data processing activities as necessary.

2.1.2. Technical and Administrative Measures Taken to Prevent Unauthorized Access to Personal Data

The clinic implements technical and administrative measures, taking into account the nature of the data to be protected, available technological capabilities, and implementation costs, to prevent the negligent or unauthorized disclosure, access, or transfer of personal data, as well as any other form of unlawful access.

(i) Technical Measures Taken to Prevent Unauthorized Access to Personal Data

  • Technical measures are being implemented in line with technological advancements, and these measures are periodically updated and revised.

  • Access permissions are restricted, and permissions are reviewed on a regular basis.

  • Software and hardware, including antivirus systems and firewalls, are being installed.

  • We employ staff with expertise in technical matters.

  • Applications that collect personal data undergo regular security scans to identify vulnerabilities. Any vulnerabilities found are promptly addressed.

(ii) Administrative Measures Taken to Prevent Unauthorized Access to Personal Data

  • Employees are being trained on the technical measures to be taken to prevent unauthorized access to personal data.

  • Employees are informed that they may not disclose the personal data they have obtained to any third party in violation of the provisions of the Personal Data Protection Law, nor may they use such data for purposes other than those for which it was collected; they are also informed that this obligation will continue indefinitely even after they leave their positions, and the necessary commitments are obtained from them accordingly.

  • Provisions are being added to the contracts entered into by the clinic with the parties to whom personal data is lawfully transferred, stipulating that such parties will take the necessary security measures to protect personal data and ensure compliance with these measures within their own organizations.

2.1.3. Storage of Personal Data in Secure Environments

The clinic takes the necessary technical and administrative measures, in accordance with available technological capabilities and implementation costs, to ensure that personal data is stored in secure environments and to prevent its destruction, loss, or alteration for unlawful purposes.

(i) Technical Measures Taken to Store Personal Data in Secure Environments

  • Systems that are in line with technological advancements are used to store personal data in secure environments.

  • Expert assistance is sought for technical matters.

  • To ensure the secure storage of personal data, backup and antivirus software are used in compliance with the law.

(ii) Administrative Measures Taken to Ensure the Secure Storage of Personal Data

  • Employees are trained to ensure that personal data is stored securely.

  • In cases where the clinic engages an external service provider for the storage of personal data due to technical requirements, the contracts entered into with the relevant companies stipulate that personal data is transferred in compliance with the law; these contracts also include provisions stating that the recipients of the personal data will take the necessary security measures to protect the data and ensure compliance with these measures within their own organizations.

2.1.4. Oversight of Measures Taken Regarding the Protection of Personal Data

In accordance with Article 12 of the Personal Data Protection Law, the clinic conducts or commissions the necessary audits within its own organization. If required based on the results of these audit reports, corrective actions are implemented.

2.1.5. Measures to Be Taken in the Event of Unauthorized Disclosure of Personal Data

The Clinic has established an internal procedure to ensure that, in the event personal data processed in accordance with Article 12 of the Personal Data Protection Law is obtained by others through unlawful means, this situation is reported to the relevant data subject and the Personal Data Protection Board as soon as possible. If deemed necessary by the Personal Data Protection Board, this situation may be announced on the Board’s website or through other means.

2.2. Protection of the Data Subject’s Legal Rights; Channels Through Which the Data Subject May Contact Our Company and Submit Requests, and the Evaluation of Such Requests

The Clinic implements the necessary channels, internal procedures, and administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law to evaluate requests from data subjects and provide them with the required information. If data subjects submit their requests regarding the rights listed below in writing to the Clinic, the Clinic will process the request free of charge within thirty days at the latest, depending on the nature of the request. However, if the Personal Data Protection Board has established a fee, the Clinic will charge the fee specified in the tariff determined by the Personal Data Protection Board. Data subjects have the right to:

  • Learn whether their personal data is being processed,

  • Request information if their personal data has been processed,

  • Learn the purpose of processing personal data and whether they are used in accordance with their purpose,

  • Know the third parties to whom personal data is transferred domestically or abroad,

  • Request correction of personal data if it is incomplete or incorrectly processed, and request that the operation carried out within this scope be notified to third parties to whom personal data has been transferred,

  • Request the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist, despite the fact that it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and request that the operation carried out within this scope be notified to third parties to whom personal data has been transferred,

  • Object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,

  • Demand compensation for damages in case of damage due to unlawful processing of personal data.

2.3. PROTECTION OF SPECIAL CATEGORY PERSONAL DATA

Special category personal data is defined by the KVK Law as data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. The Clinic acts with sensitivity in protecting special category personal data, which is determined as “special category” by the KVK Law and processed lawfully. In this context, special category personal data is not collected by the Clinic unless necessary. If collected, the technical and administrative measures taken for the protection of personal data are carefully applied to special category personal data, and the necessary audits are provided within the Clinic.

2.4. RAISING AWARENESS OF CLINIC EMPLOYEES ON THE PROTECTION AND PROCESSING OF PERSONAL DATA AND INTERNAL AUDIT

The Clinic trains its employees to increase awareness regarding the prevention of unlawful processing of personal data, prevention of unlawful access to data, and ensuring data retention.

2.5. RAISING AWARENESS AND AUDITING OF BUSINESS PARTNERS AND SUPPLIERS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

The Clinic provides information to its Business Partners and Suppliers to increase awareness regarding the prevention of unlawful processing of personal data, prevention of unlawful access to data, and ensuring data retention. Information is not transferred and processing is not allowed unless required by the service/project element. Data sharing is carried out by taking all necessary legal measures, provided that the activity is limited solely to the realization of the purpose of the activity.

3. MATTERS RELATED TO THE PROCESSING OF PERSONAL DATA

In accordance with Article 4 of the KVK Law, the Clinic engages in personal data processing activities that are lawful and in accordance with the rules of good faith; accurate and up-to-date when necessary; specific, explicit, and legitimate; relevant, limited, and proportionate to the purpose. The Clinic retains personal data for the period prescribed by law or required by the purpose of personal data processing. The Clinic processes personal data based on one or more of the conditions specified in Article 5 of the KVK Law regarding the processing of personal data. In accordance with Article 10 of the KVK Law, the Clinic informs data subjects and provides the necessary information if data subjects request information. The Clinic acts in accordance with the regulations prescribed for the processing of special category personal data pursuant to Article 6 of the KVK Law. In accordance with Articles 8 and 9 of the KVK Law, the Clinic complies with the regulations stipulated in the law and put forward by the KVK Board regarding the transfer of personal data.

3.1. PROCESSING PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES PRESCRIBED IN THE LEGISLATION

3.1.1. Processing in Accordance with Law and Good Faith

The Clinic acts in accordance with the principles brought by legal regulations and the general rule of trust and good faith in the processing of personal data. In this context, the Clinic takes into account proportionality requirements in the processing of personal data and does not use personal data beyond what is required by the purpose.

3.1.2. Ensuring Personal Data is Accurate and Up-to-Date When Necessary

The Clinic ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data subjects and its own legitimate interests. It takes the necessary measures in this direction.

3.1.3. Processing for Specific, Explicit, and Legitimate Purposes

The Clinic clearly and precisely determines the legitimate and lawful purpose of processing personal data. The Clinic processes personal data as much as is connected with and necessary for the commercial activities it conducts. The purpose for which personal data will be processed by the Clinic is put forward before the personal data processing activity begins.

3.1.4. Being Relevant, Limited, and Proportionate to the Purpose for Which They Are Processed

The Clinic processes personal data in a manner suitable for the realization of the determined purposes and avoids processing personal data that is not related to or needed for the realization of the purpose. Personal data processing activities aimed at meeting needs that may arise subsequently are not carried out by the Clinic.

3.1.5. Retention for the Period Prescribed in the Relevant Legislation or Required for the Purpose for Which They Are Processed

The Clinic retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, the Clinic first determines whether a period is prescribed for the retention of personal data in the relevant legislation. If a period is determined, it acts in accordance with this period; if a period is not determined, it stores personal data for the period required for the purpose for which they are processed. In the event of the expiration of the period or the disappearance of the reasons requiring its processing, personal data is deleted, destroyed, or anonymized by the Clinic. Personal data is not stored by the Clinic with the possibility of future use.

3.2. INFORMMING AND ENLIGHTENING THE DATA SUBJECT

In accordance with Article 10 of the KVK Law, the Clinic enlightens Personal Data Subjects during the collection of personal data. In this context, the Clinic provides information regarding the identity of its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data subject. Article 11 of the KVK Law also counts the “right to request information” among the rights of the personal data subject. In this context, the Clinic provides the necessary information in case the Personal Data Subject requests information in accordance with Article 11 of the KVK Law.

3.3. PROCESSING OF SPECIAL CATEGORY PERSONAL DATA

The Clinic complies sensitively with the regulations prescribed in the KVK Law in processing personal data determined as “special category” by the KVK Law. In Article 6 of the KVK Law, certain personal data that carry the risk of causing victimization or discrimination when processed unlawfully are determined as “special category”. These data are race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. In accordance with the KVK Law, special category personal data is processed by the Clinic in the following cases, provided that adequate measures to be determined by the KVK Board are taken:

  • If the personal data subject has explicit consent, or

  • If the personal data subject does not have explicit consent, special category personal data other than the health and sexual life of the personal data subject, in cases prescribed by law; special category personal data relating to the health and sexual life of the personal data subject can only be processed by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing.

3.4. TRANSFER OF PERSONAL DATA

The Clinic can transfer the personal data and special category personal data of the personal data subject to third parties by taking the necessary security measures in line with lawful personal data processing purposes. The Clinic acts in accordance with the regulations prescribed in Article 8 of the KVK Law in this direction.

3.4.1. Transfer of Personal Data

The Clinic can transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVK Law listed below, in line with legitimate and lawful personal data processing purposes:

  • If the personal data subject has explicit consent,

  • If there is a clear regulation in the law regarding the transfer of personal data,

  • If it is mandatory for the protection of the life or physical integrity of the personal data subject or someone else, and the personal data subject is unable to disclose his consent due to actual impossibility or his consent is not granted legal validity;

  • If it is necessary to transfer the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract,

  • If personal data transfer is mandatory for the Clinic to fulfill its legal obligation,

  • If personal data has been made public by the personal data subject,

     

  • If personal data transfer is mandatory for the establishment, exercise, or protection of a right,

     

  • If personal data transfer is mandatory for the legitimate interests of the Clinic, provided that it does not harm the fundamental rights and freedoms of the personal data subject.

     

3.4.2. Transfer of Special Category Personal Data

The Clinic, by showing necessary care, taking necessary security measures, and taking adequate precautions prescribed by the KVK Board, can transfer the special category personal data of the personal data subject to third parties in the following cases in line with legitimate and lawful personal data processing purposes:

  • If the personal data subject has explicit consent, or

  • If the personal data subject does not have explicit consent;

    • Special category personal data other than the health and sexual life of the personal data subject (race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and dress, membership in associations, foundations or trade unions, criminal convictions and security measures, as well as biometric and genetic data), in cases prescribed by law,

    • Special category personal data relating to the health and sexual life of the personal data subject can only be transferred by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing.

3.5. TRANSFER OF PERSONAL DATA ABROAD

The Clinic can transfer the personal data and special category personal data of the personal data subject to third parties by taking necessary security measures in line with lawful personal data processing purposes. Personal data can be transferred by the Clinic to foreign countries declared to have adequate protection by the KVK Board (“Foreign Country with Adequate Protection”) or, in the absence of adequate protection, to foreign countries where data controllers in Turkey and the relevant foreign country undertake an adequate protection in writing and have the permission of the KVK Board (“Foreign Country Where Data Controller Undertaking Adequate Protection is Located”). The Clinic acts in accordance with the regulations prescribed in Article 9 of the KVK Law in this direction.

3.5.1. Transfer of Personal Data Abroad

The Clinic can transfer personal data to Foreign Countries with Adequate Protection or Where a Data Controller Undertaking Adequate Protection is Located, in line with legitimate and lawful personal data processing purposes, if the personal data subject has explicit consent or if the personal data subject does not have explicit consent under the following conditions:

  • If there is a clear regulation in the law regarding the transfer of personal data,

  • If it is mandatory for the protection of the life or physical integrity of the personal data subject or someone else, and the personal data subject is unable to disclose his consent due to actual impossibility or his consent is not granted legal validity;

  • If it is necessary to transfer the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract,

  • If personal data transfer is mandatory for the Clinic to fulfill its legal obligation,

  • If personal data has been made public by the personal data subject,

     

  • If personal data transfer is mandatory for the establishment, exercise, or protection of a right,

     

  • If personal data transfer is mandatory for the legitimate interests of the Clinic, provided that it does not harm the fundamental rights and freedoms of the personal data subject.

     

3.5.2. Transfer of Special Category Personal Data Abroad

The Clinic, by showing necessary care, taking necessary security measures, and taking adequate precautions prescribed by the KVK Board, can transfer the special category personal data of the personal data subject in line with legitimate and lawful personal data processing purposes to Foreign Countries with Adequate Protection or Where a Data Controller Undertaking Adequate Protection is Located under the following conditions:

  • If the personal data subject has explicit consent, or

  • If the personal data subject does not have explicit consent;

    • Special category personal data other than the health and sexual life of the personal data subject (race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and dress, membership in associations, foundations or trade unions, criminal convictions and security measures, as well as biometric and genetic data), in cases prescribed by law,

    • Special category personal data relating to the health and sexual life of the personal data subject can only be transferred within the scope of being processed by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing.

4. CATEGORIZATION OF PERSONAL DATA, PROCESSING PURPOSES AND RETENTION PERIODS

In accordance with Article 10 of the KVK Law, within the scope of the obligation to inform, the Clinic notifies the personal data subject which personal data subject groups’ personal data it processes, the processing purposes of the personal data subject’s personal data, and the retention periods.

4.1. CLASSIFICATION OF PERSONAL DATA AND DATA SUBJECTS

Within the Clinic; in line with the legitimate and lawful personal data processing purposes of the Clinic, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVK Law, by complying with the general principles specified in Article 4 of the KVK Law and all obligations regulated in the KVK Law, and limited to the subjects within the scope of this Policy (Community Clinic Patient, Visitor, Third Party, Job Applicant, Clinic Shareholder, Clinic Official, Employees, Shareholders, and Officials of Institutions We Collaborate With), personal data in the classes specified below are processed by informing the relevant persons in accordance with Article 10 of the KVK Law.

EXPLANATIONS ON CLASSIFICATIONS

  • Identity Information: Data containing information about the identity of the person, clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system; documents such as driver’s license, identity card, and passport containing information such as name-surname, T.C. identity number, nationality information, mother’s name-father’s name, place of birth, date of birth, gender, as well as information such as tax number, SGK number, signature information, vehicle license plate, etc.

  • Contact Information: Information such as phone number, address, e-mail address, fax number, IP address, clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system.

     

  • Location Data: Information that determines the location of the personal data subject within the framework of operations conducted by the Clinic, during the use of products and services of Community Clinics or while the employees of the institutions we collaborate with use Clinic vehicles; GPS location, travel data, etc., clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system.

  • Family Members and Relative Information: Information about the family members (e.g., spouse, mother, father, child), relatives, and other persons who can be reached in emergencies of the personal data subject, processed within the framework of operations conducted by Clinic employees, regarding the products and services offered by Community Clinics or for the purpose of protecting the legal and other interests of the Clinic and the personal data subject, clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system.

  • Physical Space Security Information: Personal data relating to records and documents taken at the entry to the physical space, during the stay inside the physical space; such as camera records, fingerprint records, and records taken at the security point, clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system.

  • Financial Information: Personal data processed regarding any financial results created according to the type of legal relationship established by the Clinic with the personal data subject, and records, documents, and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information, clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system.

  • Visual/Auditory Information: Data contained in documents that are copies of documents containing personal data, photo and camera records (excluding records falling under Physical Space Security Information), voice records, expense documents, receipts, invoices, shopping information, clearly belonging to an identified or identifiable natural person.

  • Personnel Information: Any personal data processed for the purpose of obtaining information that will form the basis for the creation of personal rights of natural persons who have a working relationship with the Clinic, clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system.

  • Special Category Personal Data: Data specified in Article 6 of the KVK Law, clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system.

  • Request/Complaint Management Information: Personal data relating to the receipt and evaluation of any request or complaint directed to the Clinic, clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of a data recording system.

  • Patient: Natural persons whose personal data is obtained lawfully through business relationships, marketing activities, and/or existing software web and mobile applications within the scope of treatments conducted by Clinic employees, regardless of whether they have any contractual relationship with the Clinic.

  • Visitor: Natural persons who have entered the physical premises owned by the Clinic for various purposes or who visit the websites and mobile applications.

  • Third Party: Other natural persons who do not fall within the scope of this Policy and the Clinic Employees Personal Data Protection and Processing Policy.

  • Job Applicant: Natural persons who have applied for a job at the Clinic through any way or have opened their resume and related information to the review of our Clinic.

  • Clinic Shareholder: Natural persons who are shareholders of the Clinic.

  • Clinic Official: Dentists working in the clinic.

  • Employees, Shareholders, and Officials of Institutions We Collaborate With: Natural persons, including employees, shareholders, and officials of institutions with which the Clinic has any kind of business relationship (such as business partners, suppliers, but not limited to these).

4.2. PURPOSES OF PROCESSING PERSONAL DATA

The Clinic processes personal data limited to the purposes and conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the KVK Law. These purposes and conditions are:

  • The relevant activity regarding the processing of your personal data is clearly prescribed in the Laws,

  • The processing of your personal data by the Clinic is directly related to and necessary for the establishment or performance of a contract,

  • The processing of your personal data is mandatory for the Clinic to fulfill its legal obligation,

  • Provided that your personal data has been made public by you; processing by the Clinic in a limited manner for the purpose of making public,

  • The processing of your personal data by the Clinic is mandatory for the establishment, exercise, or protection of the rights of the Clinic or you or third parties,

  • It is mandatory to conduct personal data processing activities for the legitimate interests of the Clinic, provided that it does not harm your fundamental rights and freedoms,

  • It is mandatory to conduct personal data processing activities by the Clinic for the protection of the life or physical integrity of the personal data subject or someone else, and in this case, the personal data subject is unable to disclose his consent due to actual or legal invalidity,

  • It is prescribed in the laws in terms of special category personal data other than the health and sexual life of the personal data subject,

  • In terms of special category personal data relating to the health and sexual life of the personal data subject, it is processed by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing.

In this context, the Clinic processes your personal data for the following purposes:

  • Planning and execution of corporate sustainability activities,

  • Creation of new organizations, business ideas, and health service campaigns to provide better service to users regarding Clinic activities,

  • Tracking user satisfaction,

  • Event management,

  • Management of relationships with business partners or suppliers,

  • Execution of Clinic personnel procurement processes,

  • Supporting the personnel procurement processes of contracted clinics,

  • Execution/tracking of Clinic financial and health services reporting and risk management operations,

  • Execution/tracking of Clinic legal affairs,

  • Planning and execution of corporate communication activities,

  • Execution of corporate governance activities,

  • Realization of clinics and partnership law transactions,

  • Request and complaint management,

  • Ensuring the security of Clinic values,

  • Supporting clinics in compliance with relevant legislation,

  • Supporting the planning and execution processes of fringe benefits and benefits to be provided to the Clinic and its senior executives,

  • Planning and execution of audit activities to ensure that the activities of the Clinic are carried out in accordance with Clinic procedures and relevant legislation,

  • Supporting the realization of Clinic and partnership law transactions,

  • Realization of studies aimed at protecting the reputation of the Clinic,

  • Giving information arising from the legislation to authorized organizations,

  • Creation and tracking of visitor records.

In the event that the processing activity carried out for the aforementioned purposes does not meet any of the conditions prescribed within the scope of the KVK Law, your explicit consent regarding the relevant processing process is obtained by the Clinic.

4.3. RETENTION PERIODS OF PERSONAL DATA

The Clinic stores personal data for the period prescribed in the relevant laws and legislations, if any. If a period is not regulated in the legislation regarding how long personal data should be stored, Personal Data is processed for the period required for its processing in accordance with the practices of the Clinic and the customs of commercial life depending on the activity conducted while processing that data, and then deleted, destroyed, or anonymized.

If the processing purpose of personal data has ended and the end of the retention periods determined by the relevant legislation and the Clinic has been reached; personal data can only be stored for the purpose of constituting evidence in possible legal disputes or asserting the relevant right bound to personal data or establishing a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for asserting the mentioned right and the examples in the requests directed to the Clinic on the same issues previously despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose, and access to the relevant personal data is provided only when it needs to be used in the relevant legal dispute. Here too, after the expiration of the mentioned period, personal data is deleted, destroyed, or anonymized.

5. THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED AND THE PURPOSES OF TRANSFER

In accordance with Article 10 of the KVK Law, the Clinic notifies the personal data subject of the person groups to whom personal data is transferred. The Clinic, in accordance with Articles 8 and 9 of the KVK Law, can transfer the personal data of data subjects managed by the Policy to the person categories listed below:

  1. To Clinic business partners,

  2. To Clinic suppliers,

  3. To affiliates and bound Clinics,

  4. To Clinic shareholders,

  5. To Clinic officials,

  6. To Legally Authorized public institutions and organizations,

  7. To legally authorized private law persons.

The scope of the above-mentioned persons to whom transfer is made and the data transfer purposes are specified below:

  • Business Partner: Defines the parties with whom the Clinic establishes a business partnership for purposes such as conducting commercial activities of the Clinic personally or together with Community Clinics for various projects, fulfilling the establishment purposes of the business partnership, receiving services, etc. (Limited to ensuring the fulfillment of the establishment purposes of the business partnership).

  • Supplier: Defines contracted institutions that offer services to the Clinic on a contract basis in accordance with the orders and instructions of the Clinic while conducting commercial activities of the Clinic. (Limited to ensuring that the services required for the fulfillment of the commercial activities of the Clinic, which the Clinic procures externally from the supplier, are offered to the Clinic).

  • Contracted Institutions: Limited to ensuring the execution of health services activities with the Clinic’s contracted health institutions.

  • Shareholders: Natural persons who are shareholders of the Clinic. (Limited to the purposes of the activities conducted by the Clinic within the scope of corporate law, event management, and corporate communication processes according to the relevant legislation provisions).

  • Clinic Officials: Dentists working in the clinic.

  • Legally Authorized Public Institutions and Organizations: Public institutions and organizations authorized to receive information and documents from the Clinic according to the relevant legislation provisions. (Limited to the purpose requested by the relevant public institutions and organizations within their legal authority).

  • Legally Authorized Private Law Persons: Private law persons authorized to receive information and documents from the Clinic according to the relevant legislation provisions. (Limited to the purpose requested by the relevant private law persons within their legal authority).

6. PROCESSING PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW

The Clinic informs the personal data subject about the personal data it processes in accordance with Article 10 of the KVK Law.

6.1. PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORY PERSONAL DATA

6.1.1. Processing of Personal Data

The explicit consent of the personal data subject is only one of the legal bases that make it possible to process personal data lawfully. Apart from explicit consent, personal data can also be processed in the presence of one of the other conditions written below. The basis of the personal data processing activity can be only one of the following conditions, as well as more than one condition can be the basis of the same personal data processing activity. Although the legal bases for the processing of personal data by the Clinic differ, action is taken in accordance with the general principles specified in Article 4 of the KVK Law in any personal data processing activity. 

  1. Presence of Explicit Consent of the Personal Data Subject,

  2. Clear Regulation in the Laws,

  3. Inability to Obtain Explicit Consent of the Relevant Person Due to Actual Impossibility,

  4. Direct Relation to the Establishment or Performance of a Contract,

  5. Fulfillment of the Legal Obligation of the Clinic,

  6. Making Personal Data Public by the Personal Data Subject,

  7. Mandatory Data Processing for the Establishment or Protection of a Right,

  8. Mandatory Data Processing for the Legitimate Interest of the Clinic.

6.1.2. Processing of Special Category Personal Data

Special category personal data is processed by the Clinic in the absence of explicit consent of the personal data subject only in the following cases, provided that adequate measures to be determined by the KVK Board are taken:

  1. Special category personal data other than the health and sexual life of the personal data subject, in cases prescribed by law,

  2. Special category personal data relating to the health and sexual life of the personal data subject can only be processed by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing.

7. PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED AT BUILDING, FACILITY ENTRANCES AND INSIDE THE FACILITY AND WEBSITE AND MOBILE APPLICATION VISITORS

Personal data processing activities conducted by the Clinic at building facility entrances and inside the facility are carried out in accordance with the KVK Law and other relevant legislation. For the purpose of ensuring security by the Clinic, personal data processing activities aimed at monitoring with security cameras in Clinic buildings and facilities and tracking guest entries and exits are conducted. By using security cameras and recording guest entries and exits, personal data processing activities are carried out by the Clinic.

7.1. CAMERA MONITORING ACTIVITY CONDUCTED AT COMPANY BUILDING, FACILITY ENTRANCES AND INSIDE

In this section, explanations regarding the camera monitoring system at the location of the Clinic will be made and information will be given on how personal data, privacy, and fundamental rights of the person are protected. The Clinic, within the scope of security camera monitoring activity, carries purposes such as protecting the interests related to ensuring the security of the Clinic and other persons.

7.1.1. Legal Basis of Camera Monitoring Activity

The camera monitoring activity conducted by the Clinic is continued in accordance with the Law on Private Security Services and relevant legislation.

7.1.2. Conducting Security Camera Monitoring Activity According to KVK Law

In conducting camera monitoring activity for security purposes by the Clinic, action is taken in accordance with the regulations contained in the KVK Law. The Clinic conducts security camera monitoring activities for the purposes prescribed in the relevant legislation in force for the purpose of ensuring security in its buildings and facilities and in accordance with the personal data processing conditions listed in the KVK Law.

7.1.3. Announcement of Camera Monitoring Activity

The personal data subject is informed by the Clinic in accordance with Article 10 of the KVK Law. The Clinic notifies the camera monitoring activity with more than one method regarding the general issues it informs. Thus, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data subject, to ensure transparency and to inform the personal data subject. Regarding the camera monitoring activity by the Clinic; this Policy is published on the Clinic website (online policy regulation) and a notification text stating that monitoring will be conducted is hung at the entrances of the areas where monitoring is conducted (on-site informing).

7.1.4. Purpose of Camera Monitoring Activity and Limitation to the Purpose

The Clinic processes personal data in a relevant, limited, and proportionate manner to the purpose for which they are processed in accordance with Article 4 of the KVK Law. The purpose of continuing the video camera monitoring activity by the Clinic is limited to the purposes listed in this Policy. In this direction, the monitoring areas, number, and when monitoring will be conducted of the security cameras are implemented as sufficient and limited to achieve the security purpose. Monitoring is not conducted in areas that may result in interference exceeding security purposes with the privacy of the person (for example, toilets).

7.1.5. Ensuring the Security of Obtained Data

Necessary technical and administrative measures are taken by the Clinic to ensure the security of personal data obtained as a result of camera monitoring activity in accordance with Article 12 of the KVK Law.

7.1.6. Retention Period of Personal Data Obtained by Camera Monitoring Activity

Detailed information regarding the retention period of personal data obtained through camera monitoring activity by the Clinic is included in the Personal Data Retention Periods article of this Policy.

7.1.7. Who Has Access to Information Obtained as a Result of Monitoring and to Whom This Information is Transferred

Only a limited number of Clinic employees have access to live camera images and records recorded and stored in digital environment. A limited number of people who have access to records declare that they will protect the confidentiality of the data they access with a confidentiality agreement.

7.2. TRACKING OF GUEST ENTRIES AND EXITS CONDUCTED AT COMPANY BUILDING, FACILITY ENTRANCES AND INSIDE

For the purpose of ensuring security and the purposes specified in this Policy by the Clinic, personal data processing activities aimed at tracking guest entries and exits in Clinic buildings and facilities are conducted. While obtaining the names and surnames of persons coming to the Clinic buildings as guests, or through texts hung within the Clinic or offered to the access of guests in other ways, the mentioned personal data subjects are informed within this scope. Data obtained for the purpose of tracking guest entry-exit is processed only for this purpose and the relevant personal data is recorded in the data recording system in physical environment.

7.3. RETENTION OF RECORDS REGARDING INTERNET ACCESS PROVIDED TO OUR VISITORS IN COMPANY BUILDINGS AND FACILITIES

For the purpose of ensuring security and the purposes specified in this Policy by the Clinic; internet access can be provided to our Visitors who request it during the period you stay within our buildings and facilities by the Clinic. In this case, log records regarding your internet access are recorded according to the mandatory provisions of Law No. 5651 and the legislation regulated according to this Law; these records are processed only when requested by authorized public institutions and organizations or for the purpose of fulfilling our relevant legal obligation in audit processes to be conducted within the Clinic. Only a limited number of Clinic employees have access to log records obtained within this framework. Clinic employees who have access to the mentioned records access these records only to use them in requests coming from authorized public institutions and organizations or audit processes and share them with legally authorized persons. A limited number of people who have access to records declare that they will protect the confidentiality of the data they access with a confidentiality agreement.

7.4. WEBSITE AND MOBILE APPLICATION VISITORS

The Clinic records internet movements within the site through technical means (e.g. Cookies-cookie) on the websites it owns, for the purpose of ensuring that persons visiting these sites perform their visits in accordance with the visit purposes, showing them customized content, and engaging in online advertising activities. Detailed explanations regarding the protection and processing of personal data relating to these activities made by the Clinic are included in the “Privacy Policy” texts of the relevant websites and mobile applications.

8. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

As regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, despite being processed in accordance with the relevant law provisions, personal data is deleted, destroyed, or anonymized based on the Clinic’s own decision or upon the request of the personal data subject in the event that the reasons requiring its processing cease to exist. In this context, the Clinic fulfills its relevant obligation with the methods explained in this section.

8.1. Techniques for Deletion and Destruction of Personal Data

The Clinic can delete or destroy personal data based on its own decision or upon the request of the personal data subject in the event that the reasons requiring its processing cease to exist, despite being processed in accordance with the relevant law provisions. The deletion or destruction techniques most commonly used by the Clinic are listed below:

  1. Physical Destruction,

  2. Secure Deletion Software,

  3. Sending to a Specialist for Secure Deletion.

8.2. Techniques for Anonymizing Personal Data

Anonymization of personal data means making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. The Clinic can anonymize personal data when the reasons requiring the processing of personal data processed lawfully cease to exist. In accordance with Article 28 of the KVK Law; anonymized personal data can be processed for purposes such as research, planning, and statistics. Such processings are outside the scope of the KVK Law, and the explicit consent of the personal data subject will not be sought. Since personal data processed by being anonymized will be outside the scope of the KVK Law, the rights regulated in Section 9 of the Policy will not be valid for these data. The anonymization techniques most commonly used by the Clinic are listed below:

  1. Masking,

  2. Aggregation,

  3. Data Derivation,

  4. Data Shuffling (Permutation).

9. RIGHTS OF PERSONAL DATA SUBJECTS; METHOD IN THE EXERCISE AND EVALUATION OF THESE RIGHTS

The Clinic notifies the personal data subject of his rights in accordance with Article 10 of the KVK Law, guides the personal data subject on how to use these rights, and the Clinic conducts the necessary channels, internal operations, administrative, and technical regulations in accordance with Article 13 of the KVK Law for the evaluation of the rights of personal data subjects and making the required notification to personal data subjects.

9.1 RIGHTS OF DATA SUBJECT AND THE EXERCISE OF THESE RIGHTS

9.1.1. Rights of Personal Data Subject

Personal data subjects possess the following rights:

  1. Learn whether their personal data is being processed,

  2. Request information if their personal data has been processed,

  3. Learn the purpose of processing personal data and whether they are used in accordance with their purpose, 

  4. Know the third parties to whom personal data is transferred domestically or abroad. 

  5. Request correction of personal data if it is incomplete or incorrectly processed, and request that the operation carried out within this scope be notified to third parties to whom personal data has been transferred.

  6. Request the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist, despite the fact that it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and request that the operation carried out within this scope be notified to third parties to whom personal data has been transferred,

  7. Object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,

  8. Demand compensation for damages in case of damage due to unlawful processing of personal data.

9.1.2. Cases Where the Personal Data Subject Cannot Assert His Rights

Personal data subjects cannot assert their rights listed in 9.1.1 since the following cases are kept outside the scope of the KVK Law pursuant to Article 28 of the KVK Law:

  1. Processing of personal data for purposes such as research, planning, and statistics by being anonymized with official statistics.

  2. Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights or constitute a crime. 

  3. Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security. 

  4. Processing of personal data by judicial authorities or execution organs regarding investigation, prosecution, trial, or execution proceedings.

Pursuant to Article 28/2 of the KVK Law; in the cases listed below, personal data subjects cannot assert their other rights listed in 9.1.1, except for the right to demand compensation for damages:

  1. Personal data processing is necessary for the prevention of committing a crime or for crime investigation.

  2. Processing of personal data made public by the personal data subject himself.

  3. Personal data processing is necessary for the execution of supervision or regulation duties and for disciplinary investigation or prosecution by authorized and competent public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law.

  4. Personal data processing is necessary for the protection of the economic and financial interests of the State regarding budget, tax, and financial matters.

9.1.3. Exercise of Rights by the Personal Data Subject

Personal Data Subjects will be able to convey their requests regarding their rights listed under Heading 9.1.1 of this section to the Clinic free of charge by filling out and signing the Application Form with information and documents to determine their identity and with the methods specified below or other methods determined by the Personal Data Protection Board:

  1. Conveying a wet-signed copy of the form found at https://cagrialtuntas.com personally by hand or through a notary public to the address Harbiye Mah. Teşvikiye Cad. No:17 Şişli / İstanbul after filling it out.

  2. Sending the form via registered electronic mail to [email protected] after filling out the form found at https://cagrialtuntas.com and signing it with your “secure electronic signature” within the scope of the Electronic Signature Law No. 5070.

In order for third parties to make an application request on behalf of personal data subjects, there must be a special power of attorney issued through a notary public by the data subject on behalf of the person who will apply.

9.1.4. Right of the Personal Data Subject to Complain to the KVK Board

The personal data subject can complain to the KVK Board within thirty days from the date he learns the answer of the Clinic and in any case within sixty days from the application date, in cases where the application is rejected, the answer given is found insufficient, or the application is not answered in time pursuant to Article 14 of the KVK Law.

9.2 RESPONSE OF THE CLINIC TO APPLICATIONS

Applications regarding personal data processing activities of Community Clinics must be made to the relevant Community Clinic. Applications must be made to the Clinic only in cases where the Clinic is considered the data controller within the scope of the KVK Law. This situation may exist in cases where the Clinic collects personal data directly from the relevant person or where data sharing between the relevant Community Clinic and the Clinic is considered a data transfer from data controller to data controller within the scope of the KVK Law. Apart from these, applications regarding personal data processing activities where the relevant Community Clinic is considered the data controller must be made to the relevant Community Clinic, not to the Clinic.

9.2.1. Procedure and Period of the Clinic to Answer Applications

The Clinic will conclude the relevant request free of charge within thirty days at the latest according to the nature of the request of the personal data subject. However, in the event that a fee is prescribed by the KVK Board, the fee in the tariff determined by the KVK Board will be charged from the applicant by the Clinic.

9.2.2. Information the Clinic Can Request from the Applicant Personal Data Subject

The Clinic can request information from the relevant person in order to determine whether the person applying is the personal data subject. The Clinic can direct a question to the personal data subject regarding his application in order to clarify the matters contained in the application of the personal data subject.

9.2.3. Right of the Clinic to Reject the Application of the Personal Data Subject

The Clinic can reject the application of the person applying by explaining its reason in the following cases:

  1. Processing of personal data for purposes such as research, planning, and statistics by being anonymized with official statistics.

  2. Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights or constitute a crime.

  3. Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security. 

  4. Processing of personal data by judicial authorities or execution organs regarding investigation, prosecution, trial, or execution proceedings.

  5. Personal data processing is necessary for the prevention of committing a crime or for crime investigation.

  6. Processing of personal data made public by the personal data subject himself.

  7. Personal data processing is necessary for the execution of supervision or regulation duties and for disciplinary investigation or prosecution by authorized and competent public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law.

  8. Personal data processing is necessary for the protection of the economic and financial interests of the State regarding budget, tax, and financial matters.

  9. Possibility of the request of the personal data subject to prevent the rights and freedoms of other persons.

  10. Requests requiring disproportionate effort have been made.

  11. The requested information is publicly available information.

APPLICATION FORM

Personal data subjects defined as the relevant person in the Personal Data Protection Law No. 6698 (“KVKK”) (hereinafter referred to as the “Applicant”) have been granted certain rights to make requests regarding the processing of their personal data in Article 11 of the KVKK.

In this framework, applications to be made “in writing” to Dt. Çağrı ALTUNTAŞ (“Clinic”) can be conveyed to us in writing by taking a printout of this form;

  1. By applying in person as the Applicant,

  2. In writing with documents proving that you are the applicant himself.

Applicant’s Contact Information:

  • Name:

  • Surname:

  • TC Identity Number:

  • E-mail:

  • Phone Number:

  • Address:

Please indicate your relationship with our Company:

(Such as customer, business partner, job applicant, former employee, third-party company employee, shareholder)

  • [ ] Customer

  • [ ] Visitor

  • [ ] Business Partner

  • [ ] Former Employee, Years of Work: ………………………

  • [ ] Job Application / Resume Sharing Date: ………………………………………………………………..

  • [ ] Third Party Company Employee. (Please specify the company you work for and your position information)………………………………………………………………………………

  • [ ] Other: ……………………………………………………..

Please specify your request within the scope of the KVK Law in detail:

………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………

Please choose the method of notifying you of our response to your application:

  • [ ] I want it sent to my address.

  • [ ] I want it sent to my e-mail address with the extension ……@………. (If you choose the e-mail method, we will be able to respond to you faster.)

  • [ ] I want to receive it by hand. (In case of receipt by proxy, there must be a notary-approved power of attorney or authorization document clearly regulating this authority.)

This application form has been prepared in order to determine your relationship with our Company, to determine your personal data processed by our Company fully, if any, and to answer your relevant application correctly and within the legal period. For the purpose of eliminating legal risks that may arise from unlawful and unfair data sharing and especially ensuring the security of your personal data, our Company reserves the right to request additional documents and information (copy of identity card or driver’s license, etc.) for identity and authorization determination. In the event that the information regarding your requests conveyed within the scope of the form is not correct and up-to-date or an unauthorized application is made, our Company does not accept responsibility for requests originating from the mentioned wrong information or unauthorized application, if the contact information is not confirmed.

  • Application Date:

  • Applicant (Personal Data Subject) Name Surname:

  • Signature: