PERSONAL DATA PROTECTION LAW

Disclosure Text

Patient Illumination

PERSONAL DATA PROCESSING, PROTECTION AND DESTRUCTION POLICY

Dt. Çağrı ALTUNTAŞ (“Clinic”), our Clinic attaches importance to the safe use of your data in line with our responsibilities regarding the protection of personal data regulated as a constitutional right and legal assurance.

The purpose of this policy is to regulate the methods and principles to be followed to ensure that our Clinic processes and protects personal data by the Law on the Protection of Personal Data (KVKK) published in the Official Gazette dated April 7, 2016, and numbered 29677.

EXPLANATION OF THE POLICY

Protection of personal data is of great sensitivity for Dt. Çağrı ALTUNTAŞ (“Clinic”) and is among the priorities of our Clinic. Our Clinic pays due attention to the protection of the personal data of our Patients, Employees, Employee Candidates, Shareholders, Visitors of Dentists, Employees, Shareholders and Authorities of the institutions it cooperates with and Third Parties;

  • Processing personal data by the law and good faith,
  • Keeping personal data accurate and updated when necessary,
  • Processing personal data for specific, explicit, and legitimate purposes,
  • Processing personal data in connection with the purpose for which they are processed, limited, and measured,
  • Retaining personal data for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed,
  • Informing and enlightening personal data subjects,
  • Establishing the necessary system for personal data subjects to exercise their rights,
  • Taking necessary measures for the protection of personal data,
  • To act by the relevant legislation and the regulations of the PDP
  • Board in transferring personal data to third parties in line with the requirements of the purpose of processing,
  • Showing the necessary sensitivity to the processing and protection of special categories of personal data
  • It makes its issues a Clinic policy. In this context, necessary administrative and technical measures are taken by the Clinic for the protection of personal data processed by the relevant legislation.

1.2. DEFINITIONS

Explicit consent: Consent on a specific subject, based on information and expressed with free will.

Anonymization: Changing personal data in such a way that it loses its data nature and this situation cannot be reversed. Ex: Masking, aggregation, data corruption, etc. Making personal data impossible to associate with a natural person through techniques.

Application Form: “Form Regarding the Applications to be made to the Data Controller by the Relevant Person (Personal Data Owner) by Law No. 6698 on the Protection of Personal Data”, which includes the application to be made by personal data owners to exercise their rights.

Employee Candidate: Natural persons who have applied for a job at the Clinic by any means or who have opened their CV and related information to the Clinic’s review.

Employees, Shareholders, and Authorities of the Institutions We Cooperate with: Natural persons, including, but not limited to, employees, shareholders, and officials of the institutions with which the Clinic has any kind of business relationship (including, but not limited to, business partners, suppliers and under whatever name and name).

Business Partner: Parties with whom the Clinic has established business partnerships for purposes such as conducting various projects and receiving services together with contracted Clinics, health centers, hospitals, universities, etc. while conducting its commercial activities.

Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system.

Personal data subject: The natural person whose personal data is processed. For example; website and mobile application users.

Personal data: Any information relating to an identified or identifiable natural person.

Sensitive personal data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures, and biometric and genetic data.

Patient: All persons who are contacted about all products and services within the scope of the Clinic’s health activities for purposes such as offering products and services by the Clinic, providing general information about these products and communicating opportunities, communicating about the product and service to be purchased/to be purchased by persons in this regard, as well as being used in marketing activities in this regard, product/service offering, modeling, reporting, scoring, risk monitoring, intelligence, existing or new product studies, and potential Patient identification,

Clinic Shareholder: Real persons who are shareholders of the clinic

Clinic Authorized Dentists authorized in the clinic

Supplier: Parties that provide services to the Clinic on a contractual basis by the Clinic’s orders and instructions while carrying out the Clinic’s health activities.

Clinic Patient: Natural persons whose personal data are obtained through the business relationship of the Community Clinics that may be established in the Republic of Turkey or other countries in the future within the scope of the operations carried out by the business units of the Clinic, regardless of whether they have any contractual relationship with the Clinic.

Third Person: Natural persons (e.g. former employees) whose personal data are processed within the scope of the Policy, who are not defined differently within the scope of the Policy.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. For example, a cloud computing company that holds/stores the Clinic’s data, a call-center company that makes calls on behalf of the Clinic by providing outsourcing support services, etc.

Data Controller: The person who determines the purposes and means of processing personal data on behalf of the Clinic and manages the place where the data is systematically kept (data recording system).

Visitor: Natural persons who have entered the physical premises of the Clinic for various purposes or who visit the Clinic’s websites, web and mobile applications.

1.3 ABBREVIATIONS

KVK Law Law on the Protection of Personal Data dated March 24, 2016 and numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677

Personal Data Protection Board 

KVK Institution Personal Data Protection Authority

Clinic Dt. Çağrı ALTUNTAŞ

Policy: Clinical Personal Data Processing, Protection and Destruction Policy,

Turkish Criminal Code (“TCK”): Turkish Penal Code dated September 26, 2004, and numbered 5237; published in the Official Gazette dated October 12, 2004, and numbered 25611.

 

1.4 PURPOSE OF THE POLICY

The main purpose of this Policy is to make explanations about the personal data processing activity carried out by the Clinic by the law and the administrative and technical measures adopted for the protection of personal data and the existing systems that can be developed, and in this context, to provide transparency by informing the persons whose personal data are processed by our Clinic, especially Employee Candidates, Clinic Shareholders, Clinic Authorities, Visitors, Employees, Shareholders and Authorities of the Collaborating Institution and all Third Parties whose personal data may be processed and recorded under any name and name.

1.5 SCOPE

This Policy is related to all personal data of Employee Candidates, Clinic Shareholders, Clinic Authorities, Visitors, Employees, Shareholders, Authorities of the Institutions we are in cooperation with, and all Third Parties under any name and name, processed automatically or non-automatically provided that they are part of any data recording system. The scope of application of this Policy may be the entire Policy or only some of its provisions.

1.6 IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

This Policy has been established within the framework of the relevant legal regulations in force regarding the processing and protection of personal data. In the event of any inconsistency between the legislation in force and the Policy, the Clinic accepts that the legislation in force shall prevail.

  1. MATTERS RELATING TO THE PROTECTION OF PERSONAL DATA

The clinic processes personal data in accordance with Article 12 of the Personal Data Protection Law, takes the necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing and/or access to personal data and to ensure the protection of personal data, and conducts or commissions the necessary audits in this regard.

2.1. ENSURING THE SECURITY OF PERSONAL DATA

2.1.1. Technical and Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

The Clinic takes technical and administrative measures to ensure the lawful processing of personal data, using technological means appropriate to the Clinic’s administrative and financial structure.

(i) Technical Measures Taken to Ensure the Lawful Processing of Personal Data

The main technical measures taken by the Clinic to ensure the lawful processing of personal data are listed below:

  • The Clinic organises its internal technical structure to ensure the processing and storage of personal data in compliance with the legislation. Personal data processing activities carried out within the Clinic are monitored by established technical systems, and periodic internal audits are conducted.
  • Where necessary for technical matters, either personnel employment or external resource support services are provided.
  • Appropriate programmes are used for applications and web security.
  • We establish the technical infrastructure to ensure the security of the databases where your personal data will be stored.
  • We use antivirus systems, firewalls, and similar software or hardware security products, and we establish security systems in line with technological developments.
  • We employ staff who are experts in technical matters and obtain support services as required.

(ii) Administrative Measures Taken to Ensure the Lawful Processing of Personal Data

To ensure the lawful processing of personal data by the Clinic; Clinic employees are informed and trained on data protection law and the lawful processing of personal data, and internal Clinic policies are established. Records imposing an obligation not to process, disclose or use personal data, except for Clinic instructions and exceptions imposed by law, are included in the contracts and documents governing the legal relationship between the Clinic and its employees, and employee awareness is raised and audits are conducted in this regard. We establish policies and procedures for accessing personal data within our Clinic, including Clinic physicians and employees, inform and train our employees on the lawful protection and processing of personal data, and record the measures to be taken in the event of unlawful processing of personal data by our Clinic employees in the contracts we conclude with our employees and/or in the Policies we establish. We record the measures to be taken in cases where personal data is processed unlawfully by our Clinic Staff, and we establish and monitor legal relationships with data processors or partners of data processors with whom we work, enabling us to monitor their personal data processing activities as necessary.

2.1.2. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The clinic takes technical and administrative measures to prevent the disclosure, access, transfer or any other unlawful access to personal data due to negligence or unauthorised actions, based on the nature of the data to be protected, technological capabilities and implementation costs.

(i) Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by the clinic to prevent unlawful access to personal data are listed below:

  • Technical measures are being taken in line with technological developments, and the measures taken are periodically updated and renewed.
  • Access rights are restricted and permissions are regularly reviewed.
  • Software and hardware containing virus protection systems and firewalls are being installed.
  • Personnel knowledgeable in technical matters are employed.
  • Applications that collect personal data are regularly subjected to security scans to identify security vulnerabilities. Any vulnerabilities found are addressed.

(ii) Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by the clinic to prevent unlawful access to personal data are listed below:

  • Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
  • Employees are informed that they may not disclose personal data they have learned to others in violation of the provisions of the Personal Data Protection Law, nor may they use such data for purposes other than those specified, and that this obligation shall continue indefinitely even after they leave their positions. Accordingly, the necessary undertakings are obtained from them.
  • Contracts concluded by the clinic with persons to whom personal data is transferred in accordance with the law shall include provisions stipulating that the persons to whom personal data is transferred shall take the necessary security measures for the protection of personal data and shall ensure compliance with these measures within their own organisations.

2.1.3. Storage of Personal Data in Secure Environments

The clinic takes the necessary technical and administrative measures, in accordance with technological capabilities and implementation costs, to ensure that personal data is stored in secure environments and to prevent its destruction, loss or alteration for unlawful purposes.

(i) Technical Measures Taken for the Secure Storage of Personal Data

The main technical measures taken by the clinic to store personal data in secure environments are listed below:

  • Systems that are compatible with technological developments are used to store personal data in secure environments.
  • Expert support is available for technical matters.
  • Backup and anti-virus programmes are used in accordance with the law to ensure that personal data is stored securely.

(ii) Administrative Measures Taken for the Secure Storage of Personal Data

The main administrative measures taken by the clinic to store personal data in secure environments are listed below:

  • Employees are trained to ensure that personal data is stored securely.
  • Where the clinic outsources the storage of personal data due to technical requirements, the contracts concluded with the relevant companies to which personal data is transferred stipulate that the recipients of the personal data shall take the necessary security measures to protect personal data and shall ensure compliance with these measures within their own organisations.

2.1.4. Audit of Measures Taken Regarding the Protection of Personal Data

The clinic conducts or commissions the necessary audits within its own organisation in accordance with Article 12 of the Personal Data Protection Law. Where necessary, improvement activities are carried out based on the results of these audit reports.

2.1.5. Measures to be Taken in the Event of Unauthorised Disclosure of Personal Data

The Clinic has established an internal procedure to ensure that, in accordance with Article 12 of the Personal Data Protection Law, any unlawful acquisition of personal data processed by the Clinic by third parties is reported to the relevant data subject and the Personal Data Protection Board as soon as possible. If deemed necessary by the Personal Data Protection Board, this situation may be announced on the Personal Data Protection Board’s website or by other means.

2.2. ENSURING THE DATA SUBJECT’S LEGAL RIGHTS ARE RESPECTED; THE CHANNELS THROUGH WHICH THEY WILL COMMUNICATE WITH OUR COMPANY AND SUBMIT THEIR REQUESTS, AND THE EVALUATION OF THESE REQUESTS

The Clinic implements the necessary channels, internal procedures, administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law to evaluate the requests of personal data subjects and provide them with the required information. If data subjects submit their requests regarding the rights listed below to the Clinic in writing, the Clinic shall process the request free of charge within thirty days at the latest, depending on the nature of the request. However, if the Personal Data Protection Board stipulates a fee, the Clinic shall charge the fee specified in the tariff determined by the Personal Data Protection Board. Data subjects may exercise their rights by submitting their requests in writing to the Clinic.

  • To find out whether personal data is being processed,
  • Requesting information regarding the processing of personal data,
  • Learning the purpose of processing personal data and whether it is being used for its intended purpose,
  • Knowing the third parties to whom personal data is transferred within or outside the country,
  • The right to request the rectification of personal data that has been processed inaccurately or incompletely, and to request that the third parties to whom the personal data has been transferred be informed of the rectification.
  • Despite having been processed in accordance with the KVK Law and other relevant legal provisions, the right to request the deletion or destruction of personal data when the reasons for processing no longer exist, and to request that this action be communicated to third parties to whom the personal data has been transferred.
  • Objecting to a decision being made solely through the automated processing of personal data that adversely affects the individual,
  • In the event that they suffer damage due to the unlawful processing of personal data, they have the right to request compensation for the damage.

2.3. PROTECTION OF SENSITIVE PERSONAL DATA

Special category personal data is defined by the Personal Data Protection Law as data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire and clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. The Clinic acts with sensitivity in protecting special category personal data defined as “special category” by the Personal Data Protection Law and processed in accordance with the law. In this context, the Clinic does not collect special category personal data unless necessary, and if it does, the technical and administrative measures taken to protect personal data are carefully applied to special category personal data, and the necessary controls are ensured within the Clinic.

2.4. Increasing Awareness Among Company Employees Regarding the Protection and Processing of Personal Data and Internal Audit

The clinic trains its staff to raise awareness about preventing the unlawful processing of personal data, unauthorised access to data, and ensuring data protection.

2.5. Increasing Awareness and Monitoring of Business Partners and Suppliers Regarding the Protection and Processing of Personal Data

The Clinic provides information to its Business Partners and Suppliers to raise awareness regarding the prevention of unlawful processing of personal data, the prevention of unlawful access to data, and ensuring the protection of data. Unless required by the service/project element, information is not transferred, its processing is not permitted, and data sharing is carried out only to the extent necessary for the purpose of the activity, with all necessary legal measures taken.

  1. MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA

The Clinic processes personal data in accordance with Article 4 of the Personal Data Protection Law; in compliance with the law and principles of good faith; accurately and, where necessary, up to date; for specific, explicit and legitimate purposes; and in a manner that is relevant, limited and proportionate to the purpose. The Clinic retains personal data for the period stipulated by law or required for the purpose of processing personal data. The Clinic processes personal data based on one or more of the conditions set out in Article 5 of the Personal Data Protection Law regarding the processing of personal data. The Clinic informs personal data owners in accordance with Article 10 of the KVK Law and provides the necessary information when personal data owners request information. The Clinic acts in accordance with the regulations stipulated for the processing of special category personal data in accordance with Article 6 of the KVK Law. The Clinic acts in accordance with the regulations stipulated in the law and established by the Personal Data Protection Board regarding the transfer of personal data, in accordance with Articles 8 and 9 of the Personal Data Protection Law.

3.1. Processing of personal data in accordance with the principles set out in the legislation

3.1.1. Processing in accordance with the law and the principle of fairness

The Clinic acts in accordance with the principles established by legal regulations regarding the processing of personal data and the general rules of good faith and fairness. In this context, the Clinic takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than those required.

3.1.2. Ensuring Personal Data is Accurate and Up-to-Date When Necessary

The clinic ensures that the personal data it processes is accurate and up to date, taking into account the fundamental rights of data subjects and its own legitimate interests. It takes the necessary measures to this end.

3.1.3. Processing for Specific, Clear and Legitimate Purposes

The clinic clearly and precisely determines the legitimate and lawful purpose of personal data processing. The clinic processes personal data to the extent necessary for its commercial activities and in connection with them. The purpose for which personal data will be processed by the clinic is stated before the personal data processing activity commences.

3.1.4. Being relevant, limited and proportionate to the purpose for which they are processed

The clinic processes personal data in a manner that is appropriate for achieving the specified purposes and avoids processing personal data that is not relevant or necessary for achieving the purpose. The clinic does not carry out personal data processing activities aimed at meeting needs that may arise at a later date.

3.1.5. Retention of Data for the Period Required by Relevant Legislation or Necessary for the Purpose for Which They Are Processed

The Clinic retains personal data only for as long as is necessary for the purpose for which it was processed or as specified in the relevant legislation. In this context, the Clinic first determines whether the relevant legislation specifies a period for the retention of personal data; if a period is specified, it acts in accordance with that period; if no period is specified, it retains personal data for as long as is necessary for the purpose for which it was processed. Upon expiry of the period or cessation of the reasons requiring processing, personal data is deleted, destroyed or anonymised by the Clinic. Personal data is not retained by the Clinic for potential future use.

3.2. INFORMING AND NOTIFYING THE DATA SUBJECT

The Clinic informs Data Subjects about the processing of their personal data in accordance with Article 10 of the Personal Data Protection Law. In this context, the Clinic provides information on the identity of its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal basis for collecting personal data, and the rights of the personal data owner. Article 11 of the Personal Data Protection Law lists the “right to request information” among the rights of the personal data owner. In this context, the Clinic provides the necessary information in accordance with Article 11 of the Personal Data Protection Law when the Data Subject requests information.

3.3. Processing of Special Category Personal Data

The clinic strictly complies with the regulations stipulated in the Personal Data Protection Law when processing personal data classified as “special category” under the Personal Data Protection Law. Article 6 of the Personal Data Protection Law defines certain personal data as “special category” data, which, if processed unlawfully, carries the risk of causing harm or discrimination to individuals. These data include race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. In accordance with the KVK Law, the Clinic processes special category personal data in the following circumstances, provided that sufficient measures determined by the KVK Board are taken:

  • If the data subject has given explicit consent or
  • If the data subject has not given explicit consent, special category personal data other than that relating to the data subject’s health and sex life may only be processed in the cases provided for by law; Special category personal data relating to the data subject’s health and sex life may only be processed by persons or authorised institutions and organisations subject to a duty of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.

3.4. TRANSFER OF PERSONAL DATA

The clinic may transfer the personal data and special category personal data of the data subject to third parties, provided that it takes the necessary security measures in accordance with the purposes of processing personal data that are compliant with clinical law. In this regard, the clinic acts in accordance with the provisions set out in Article 8 of the Personal Data Protection Law.

3.4.1. Transfer of Personal Data

The Clinic may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Personal Data Protection Law, in accordance with legitimate and lawful personal data processing purposes:

  • If the data subject has given explicit consent,
  • If there is an explicit provision in the laws regarding the transfer of personal data,
  • If it is necessary to protect the life or physical integrity of the data subject or another person, and the data subject is unable to give consent due to actual impossibility or their consent is not legally valid;
  • If the transfer of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract,
  • If the transfer of personal data is necessary for the Clinic to fulfil its legal obligations,
  • If personal data has been made public by the data subject,
  • Where the transfer of personal data is necessary for the establishment, exercise or defence of legal claims,
  • Provided that it does not infringe upon the fundamental rights and freedoms of the data subject, if the transfer of personal data is necessary for the legitimate interests of the Clinic.

3.4.2. Transfer of Special Category Personal Data

The clinic may transfer the data subject’s special category personal data to third parties in the following circumstances, provided that it exercises due diligence, takes necessary security measures, and implements the adequate safeguards prescribed by the Personal Data Protection Board, in accordance with legitimate and lawful purposes of personal data processing.

  • If the data subject has given explicit consent, or
  • If the data subject has not given explicit consent;

–Sensitive personal data other than that relating to the data subject’s health and sex life (such as data regarding race, ethnic origin, political opinions, philosophical beliefs, religion, denomination, or other beliefs; attire; membership in associations, foundations, or trade unions; criminal convictions and security measures; as well as biometric and genetic data), in cases provided for by law,

–Sensitive personal data concerning the data subject’s health and sexual life may only be processed by persons or authorized institutions and organizations subject to a duty of confidentiality for the purposes of protecting public health, preventive medicine, the provision of medical diagnosis, treatment, and care services, and the planning and management of health services and their financing.

3.5. TRANSFER OF PERSONAL DATA ABROAD

The Clinic may transfer the data subject’s personal data and special category personal data to third parties by taking the necessary security measures in accordance with the purposes of personal data processing. The Clinic may transfer such data to foreign countries declared by the Personal Data Protection Board to have adequate protection (“Foreign Countries with Adequate Protection”) or, in the absence of adequate protection, to foreign countries where data controllers in Turkey and the relevant foreign country have provided a written commitment to adequate protection and where the Personal Data Protection Board has granted its approval (“Foreign Country Where a Data Controller Committing to Adequate Protection Is Located”), personal data may be transferred. In this regard, the Clinic acts in accordance with the provisions set forth in Article 9 of the Personal Data Protection Law.

3.5.1. Transfer of Personal Data Abroad

If the data subject has given explicit consent in accordance with legitimate and lawful purposes for the processing of personal data, or if the data subject has not given explicit consent;

  • If there is an explicit provision in the law regarding the transfer of personal data,
  • If it is necessary to protect the life or physical integrity of the data subject or another person, and the data subject is unable to express consent due to actual impossibility, or if their consent is not legally valid;
  • If the transfer of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the conclusion or performance of the contract,
  • If the transfer of personal data is necessary for the Clinic to fulfill its legal obligations,
  • If personal data has been made public by the data subject,
  • If the transfer of personal data is necessary for the establishment, exercise, or defense of a legal claim,
  • Provided that such transfer does not infringe upon the fundamental rights and freedoms of the data subject, the Clinic may transfer personal data to foreign countries where a data controller is located that provides adequate protection or has committed to providing adequate protection, if such transfer is necessary for the Clinic’s legitimate interests.

3.5.2. Transfer of Special Category Personal Data Abroad

The clinic, by exercising due diligence, taking necessary security measures, and implementing the adequate safeguards prescribed by the Personal Data Protection Board, processes the data subject’s special category personal data in accordance with legitimate and lawful purposes of personal data processing;

  • If the data subject has given explicit consent, or
  • If the data subject has not given explicit consent;

–Sensitive personal data other than that relating to the data subject’s health and sex life (such as data regarding race, ethnic origin, political opinions, philosophical beliefs, religion, denomination, or other beliefs; attire; membership in associations, foundations, or trade unions; criminal convictions and security measures; as well as biometric and genetic data), in cases provided for by law,

–Sensitive personal data regarding the data subject’s health and sexual life may only be processed by persons or authorized institutions and organizations subject to a duty of confidentiality, and for the planning and management of health services and their financing, may be transferred to foreign countries where the data controller is located and which provide adequate protection or have committed to providing adequate protection, provided such processing is carried out by persons or authorized institutions and organizations subject to a duty of confidentiality.

4. CATEGORIZATION OF PERSONAL DATA, PURPOSES OF PROCESSING, AND RETENTION PERIODS

In accordance with Article 10 of the Personal Data Protection Law, the Clinic informs data subjects, as part of its obligation to provide information, regarding which categories of personal data it processes, the purposes for which such data is processed, and the retention periods for such data.

4.1. CLASSIFICATION OF PERSONAL DATA AND DATA SUBJECTS

At the Clinic; in accordance with the Clinic’s legitimate and lawful purposes for processing personal data, and based on and limited to one or more of the conditions for processing personal data specified in Article 5 of the Personal Data Protection Law, in compliance with the general principles set forth in the Personal Data Protection Law—particularly the principles regarding the processing of personal data outlined in Article 4—and all obligations established under the Personal Data Protection Law, and limited to the subjects covered by this Policy (Community Clinics Patient, Visitor, Third Party, Job Applicant, Clinic Shareholder, Clinic Authorized Representative, Employees, Shareholders, and Authorized Representatives of Institutions We Collaborate With), personal data in the categories specified below is processed in accordance with Article 10 of the KVK Law, provided that the relevant individuals are informed.

EXPLANATIONS REGARDING CLASSIFICATIONS

Identity Information: Data that clearly pertains to a specific or identifiable natural person; processed either partially or fully automatically, or non-automatically as part of a data recording system; data containing information regarding the person’s identity; documents such as driver’s licenses, ID cards, and passports containing information such as first name, last name, Turkish ID number, nationality, mother’s name, father’s name, place of birth, date of birth, and gender, as well as information such as tax ID number, Social Security number, signature information, vehicle license plate, etc.

Contact Information: Information clearly belonging to an identified or identifiable natural person; processed either partially or fully automatically, or non-automatically as part of a data recording system; such as phone number, address, email address, fax number, and IP address

Location Data: Information clearly attributable to an identified or identifiable natural person; processed either partially or fully automatically, or non-automatically as part of a data filing system; information that determines the location of the data subject within the scope of operations conducted by the Clinic, during the use of the Clinic’s products and services, or while employees of institutions with which we collaborate are using Clinic tools; GPS location, travel data, etc.

Family Members and Close Relatives Information: Information clearly pertaining to an identified or identifiable natural person; processed either partially or fully automatically, or non-automatically as part of a data recording system; Within the scope of operations conducted by Clinic staff, information regarding the data subject’s family members (e.g., spouse, mother, father, child), close contacts, and other individuals who can be reached in emergencies, in connection with the products and services offered by Community Clinics or for the purpose of protecting the legal and other interests of the Clinic and the data subject

Physical Premises Security Information: Personal data clearly attributable to an identified or identifiable natural person; processed either partially or fully automatically, or non-automatically as part of a data recording system; personal data related to records and documents collected upon entry to physical premises and during the stay within such premises; such as camera recordings, fingerprint records, and records collected at security checkpoints.

Financial Information: Personal data clearly belonging to an identified or identifiable natural person; processed either partially or fully automatically, or non-automatically as part of a data recording system; Personal data processed in relation to information, documents, and records reflecting any financial outcome created based on the type of legal relationship established between the Clinic and the data subject, as well as data such as bank account numbers, IBAN numbers, credit card information, financial profiles, asset data, and income information

Visual/Audio Information: Data clearly belonging to an identified or identifiable natural person; photographs and camera recordings (excluding recordings falling under Physical Premises Security Information), audio recordings, and data contained in documents that are copies of documents containing personal data, as well as expense documents, receipts, invoices, and shopping information

Personal Data: Any personal data that clearly pertains to an identified or identifiable natural person; processed either partially or fully automatically, or non-automatically as part of a data filing system; and processed for the purpose of obtaining information that will form the basis for the personal rights of natural persons in an employment relationship with the Clinic

Sensitive Personal Data: Data clearly pertaining to an identified or identifiable natural person; processed either partially or fully automatically, or non-automatically as part of a data recording system; data specified in Article 6 of the Personal Data Protection Law

Request/Complaint Management Information: Personal data clearly belonging to an identified or identifiable natural person; processed either partially or fully automatically, or non-automatically as part of a data recording system; and relating to the receipt and evaluation of any requests or complaints directed to the Clinic.

Patient: Natural persons whose personal data is collected in accordance with the law within the scope of treatments conducted by Clinic staff, regardless of whether they have any contractual relationship with the Clinic, through business relationships, marketing activities, and/or existing software, web, and mobile applications

Visitor: Natural persons who have entered the Clinic’s physical premises for various purposes or who have visited its websites or mobile applications

Third Party: Other natural persons not covered by this Policy or the Clinic Employees’ Personal Data Protection and Processing Policy

Job Applicant: Natural persons who have applied for a job at the Clinic through any means or have made their resume and related information available for review by the Clinic

Clinic Shareholder: Natural persons who are shareholders of the Clinic

Clinic Authorized Personnel: Dentists employed at the Clinic

Employees, Shareholders, and Authorized Personnel of Institutions We Collaborate With: Natural persons, including employees, shareholders, and authorized personnel of institutions with which the Clinic maintains any type of business relationship (such as business partners or suppliers, but not limited to these)

4.2. PURPOSES OF PROCESSING PERSONAL DATA

The Clinic processes personal data solely for the purposes and under the conditions specified in Article 5, Paragraph 2, and Article 6, Paragraph 3, of the Personal Data Protection Law. These purposes and conditions are as follows:

  • The Clinic’s processing of your personal data is expressly provided for by law
  • The processing of your personal data by the Clinic is directly related to and necessary for the conclusion or performance of a contract
  • The processing of your personal data is necessary for the Clinic to fulfill its legal obligations
  • Provided that your personal data has been made public by you, the Clinic may process such data solely for the purpose of such public disclosure
  • The processing of your personal data by the Clinic is necessary for the establishment, exercise, or defense of the rights of the Clinic, you, or third parties
  • Provided that it does not infringe upon your fundamental rights and freedoms, the processing of personal data is necessary for the Clinic’s legitimate interests
  • The processing of personal data by the clinic is necessary to protect the life or physical integrity of the data subject or another person, and in such cases, the data subject is unable to give consent due to physical or legal incapacity
  • With respect to special categories of personal data other than those relating to the data subject’s health and sex life, such data must be provided for by law
  • With regard to special categories of personal data concerning the data subject’s health and sexual life, such data may be processed by persons subject to a duty of confidentiality or by authorized institutions and organizations for the purposes of protecting public health, preventive medicine, and the provision of medical diagnosis, treatment, and care services, as well as the planning and management of health services and their financing.

In this context, the Clinic processes your personal data for the following purposes:

  • Planning and implementation of corporate sustainability initiatives
  • Developing new organizational structures, business ideas, and healthcare campaigns to provide better service to patients regarding clinical activities,
  • Monitoring patient satisfaction
  • Event management
  • Managing relationships with business partners or suppliers
  • Execution of clinical staff recruitment processes
  • Providing support for staff recruitment processes at affiliated clinics
  • Execution and monitoring of clinical financial and healthcare service reporting and risk management processes
  • Execution and monitoring of clinical legal affairs
  • Planning and execution of corporate communication activities
  • Execution of corporate governance activities
  • Execution of clinical and partnership legal affairs
  • Request and complaint management
  • Ensuring the security of clinical assets
  • Providing support to clinics regarding compliance with relevant regulations
  • Providing support for the planning and implementation of processes related to benefits and perks for clinic and senior management
  • Planning and conducting audit activities to ensure that the clinic’s operations are conducted in accordance with clinical procedures and relevant regulations
  • Providing support for the execution of the clinic’s and partnership law-related transactions
  • Conducting initiatives to protect the clinic’s reputation
  • Providing information to authorized bodies as required by law
  • Creating and tracking visitor records

If the processing activity carried out for the aforementioned purposes does not meet any of the conditions set forth under the Personal Data Protection Law, the Clinic will obtain your explicit consent regarding the relevant processing process.

4.3. RETENTION PERIODS FOR PERSONAL DATA

The Clinic retains personal data for the period specified in applicable laws and regulations, where such retention is required by law. If no retention period is specified in the applicable laws regarding how long personal data must be retained, the data is processed for the period necessary to fulfill the activities conducted while processing such data, in accordance with the Clinic’s practices and commercial customs, and is subsequently deleted, destroyed, or anonymized. If the purpose of processing personal data has ceased and the retention periods established by applicable legislation and the Clinic have also expired, personal data may be retained solely for the purpose of serving as evidence in potential legal disputes, asserting a right related to the personal data, or establishing a defense. In determining these retention periods, the statute of limitations applicable to the assertion of the relevant right is taken into account, and retention periods are established based on examples from previous requests made to the Clinic regarding the same matters, even after the statute of limitations has expired. In such cases, access to the retained personal data is not permitted for any other purpose, and access to the relevant personal data is granted only when it is necessary for the resolution of the relevant legal dispute. Here as well, once the aforementioned period expires, personal data is deleted, destroyed, or anonymized.

  1. THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED AND THE PURPOSES OF SUCH TRANSFERS
    The Clinic informs the data subject of the categories of recipients to whom personal data is transferred, in accordance with Article 10 of the Personal Data Protection Law. In accordance with Articles 8 and 9 of the Personal Data Protection Law, the Clinic may transfer the personal data of data subjects governed by this Policy to the following categories of recipients:

    (i) The Clinic’s business partners,

    (ii) The Clinic’s suppliers,

    (iii) Affiliated and subsidiary Clinics,

    (iv) The Clinic’s shareholders,

    (v) Clinic officials,

    (vi) Public institutions and organizations authorized by law,

    (vii) Private entities authorized by law

    The scope of the recipients listed above and the purposes of data transfer are specified below.

Definition of Parties to Whom Data May Be Transferred Purpose of Data Transfer

Business Partner: Refers to parties with whom the Clinic has established a business partnership for limited purposes, such as conducting business activities—either directly or in collaboration with Community Clinics—to ensure the fulfillment of the objectives of the partnership for various projects, or to receive services.

Supplier: Refers to contracted entities that provide services to the Clinic on a contractual basis in accordance with the Clinic’s orders and instructions while the Clinic conducts its commercial activities. (Limited to ensuring that services necessary for the Clinic to carry out its commercial activities are provided to the Clinic through external sources from the supplier.)

Contractual Entities: The Clinic’s contractual healthcare institutions, limited to ensuring the provision of healthcare services.

Shareholders: Natural persons who are shareholders of the Clinic (limited to the purposes of the activities conducted by the Clinic within the scope of clinic law, event management, and corporate communications processes, in accordance with the provisions of applicable legislation)

Clinic Officials: Dentists employed at the Clinic

Legally Authorized Public Institutions and Organizations: Public institutions and organizations authorized to obtain information and documents from the Clinic in accordance with applicable laws and regulations (limited to the purpose requested within the scope of the legal authority of the relevant public institutions and organizations)

Legally Authorized Private Entities: Private entities authorized to obtain information and documents from the Clinic in accordance with applicable laws and regulations (limited to the purpose for which such private entities request such information and documents within the scope of their legal authority)

  1. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE CONDITIONS SET FORTH IN THE LAW
    The Clinic informs the data subject regarding the personal data it processes in accordance with Article 10 of the Personal Data Protection Law.

7.1. PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORIES OF PERSONAL DATA

7.1.1. Processing of Personal Data

The data subject’s explicit consent is only one of the legal bases that enables the lawful processing of personal data. In addition to explicit consent, personal data may also be processed if any of the other conditions listed below are met. The legal basis for a personal data processing activity may be any one of the conditions listed below, or multiple conditions may serve as the basis for the same personal data processing activity. Although the legal bases for the processing of personal data by the Clinic may vary, all personal data processing activities are conducted in accordance with the general principles set forth in Article 4 of the Personal Data Protection Law.

(i) The Data Subject’s Explicit Consent

(ii) Explicit Provision in the Law

(iii) Inability to Obtain the Data Subject’s Explicit Consent Due to Practical Impossibility

(iv) Direct Relevance to the Conclusion or Performance of a Contract

(v) The Clinic’s Compliance with a Legal Obligation

(vi) The Data Subject’s Disclosure of Their Personal Data

(vii) The Necessity of Data Processing for the Establishment or Protection of a Right

(viii) The Necessity of Data Processing for the Clinic’s Legitimate Interest

7.1.2. Processing of Special Category Personal Data

The Clinic processes special category personal data—other than data concerning the data subject’s health and sexual life—only with the data subject’s explicit consent, or, in the absence thereof, under the following conditions provided that adequate safeguards determined by the Personal Data Protection Board are implemented:

(i) Special category personal data other than that concerning the data subject’s health and sexual life may be processed in cases provided for by law,

(ii) Special category personal data relating to the data subject’s health and sexual life may be processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, as well as the planning and management of health services and their financing, by persons or authorized institutions and organizations subject to a duty of confidentiality.

  1. PERSONAL DATA PROCESSING ACTIVITIES AT BUILDING AND FACILITY ENTRANCES, WITHIN BUILDINGS AND FACILITIES, AND REGARDING WEBSITE AND MOBILE APP VISITORS

    Personal data processing activities conducted by the Clinic at building and facility entrances and within the premises are carried out in compliance with the Personal Data Protection Law and other relevant legislation. To ensure security, the Clinic conducts personal data processing activities involving security camera monitoring and the tracking of visitor entries and exits at its buildings and facilities. The Clinic conducts personal data processing activities through the use of security cameras and the recording of visitor entries and exits.

8.1. CAMERA SURVEILLANCE ACTIVITIES CONDUCTED AT THE ENTRANCES TO AND WITHIN THE COMPANY’S BUILDINGS AND FACILITIES

This section provides an explanation of the video surveillance system at the Clinic’s location and informs you about how personal data, privacy, and fundamental rights are protected. The Clinic conducts video surveillance activities to protect its interests, such as ensuring the safety of the Clinic and other individuals.

8.1.1. Legal Basis for Camera Surveillance Activities

The camera surveillance activities conducted by the Clinic are carried out in compliance with the Law on Private Security Services and relevant legislation.

8.1.2. Conducting Camera Surveillance Activities in Compliance with the Personal Data Protection Law

In conducting camera surveillance activities for security purposes, the Clinic acts in accordance with the provisions of the Personal Data Protection Law. The Clinic engages in security camera surveillance activities to ensure security within its buildings and facilities, in accordance with the purposes outlined in applicable legislation and the conditions for processing personal data specified in the Personal Data Protection Law.

8.1.3. Notification of Video Surveillance Activities

The Clinic informs data subjects in accordance with Article 10 of the Personal Data Protection Law. The Clinic provides notification regarding camera surveillance activities through multiple methods, in addition to the general information it discloses. This is intended to prevent harm to the fundamental rights and freedoms of data subjects, as well as to ensure transparency and the proper informing of data subjects. Regarding the clinic’s video surveillance activities: This Policy is published on the clinic’s website (online policy disclosure), and notices stating that surveillance is in progress are posted at the entrances to the areas where surveillance is conducted (on-site notification).

8.1.4. Purpose of Video Surveillance and Limitation to That Purpose

In accordance with Article 4 of the Personal Data Protection Law, the Clinic processes personal data in a manner that is relevant, limited, and proportionate to the purpose for which it is processed. The purpose of the video surveillance activities conducted by the Clinic is limited to the purposes listed in this Policy. Accordingly, the monitoring areas, number of security cameras, and timing of monitoring are implemented in a manner that is sufficient to achieve security objectives and strictly limited to those objectives. Areas where monitoring could result in an intrusion into an individual’s privacy that exceeds security objectives (e.g., restrooms) are not subject to monitoring.

8.1.5. Ensuring the Security of Collected Data

In accordance with Article 12 of the Personal Data Protection Law, the Clinic takes the necessary technical and administrative measures to ensure the security of personal data collected as a result of video surveillance activities.

8.1.6. Retention Period for Personal Data Obtained Through Video Surveillance Activities

Detailed information regarding the retention period for personal data obtained through video surveillance activities is provided in the “Retention Periods for Personal Data” section of this Policy.

8.1.7. Who Has Access to Information Obtained Through Surveillance and to Whom Such Information Is Disclosed

Access to live camera footage and recordings stored in digital format is restricted to a limited number of Clinic employees. The limited number of individuals with access to the recordings have signed a confidentiality agreement, thereby committing to protect the confidentiality of the data they access.

8.2. TRACKING OF VISITOR ENTRY AND EXIT AT AND WITHIN COMPANY BUILDINGS AND FACILITIES

The Clinic processes personal data to monitor guest entries and exits at its buildings and facilities for the purposes of ensuring security and as specified in this Policy. When the names and surnames of individuals visiting the Clinic’s buildings as guests are collected, or through texts posted at the Clinic or otherwise made available to guests, the data subjects are informed of this processing. Data collected for the purpose of tracking guest entries and exits is processed solely for this purpose, and the relevant personal data is recorded in a physical data recording system.

8.3. RETENTION OF RECORDS RELATED TO INTERNET ACCESS PROVIDED TO VISITORS AT THE COMPANY’S BUILDINGS AND FACILITIES

To ensure security and for the purposes specified in this Policy, the Clinic may provide internet access to Visitors who request it while they are on our premises. In such cases, log records related to your internet access are recorded in accordance with the provisions of Law No. 5651 and the relevant regulations issued pursuant to this Law; these records are processed only upon request by authorized public institutions and organizations or to fulfill our legal obligations during audit processes conducted within the Clinic. Within this framework, access to the log records is limited to a restricted number of Clinic employees. Clinic employees with access to the aforementioned records access them solely for the purpose of responding to requests from authorized public institutions and organizations or for use in audit processes, and share them only with legally authorized individuals. The limited number of individuals with access to the records have signed a confidentiality agreement, thereby committing to protect the confidentiality of the data they access.

8.4. Website and Mobile App Visitors

On the websites owned by the Clinic, technical tools (e.g., cookies) are used to record users’ online activities on the sites in order to ensure that visitors can navigate the sites in a manner consistent with their visit objectives, to display personalized content to them, and to conduct online advertising activities.

Detailed explanations regarding the protection and processing of personal data in connection with these activities are provided in the “Privacy Policy” sections of the relevant websites and mobile applications.

  1. Conditions for the Erasure, Destruction, and Anonymization of Personal Data

Although personal data is processed in accordance with the relevant provisions of the Turkish Penal Code, Article 138, and the Personal Data Protection Law, Article 7, such data will be deleted, destroyed, or anonymized at the Clinic’s discretion or upon the data subject’s request if the grounds for its processing no longer exist. In this context, the Clinic fulfills its relevant obligations using the methods described in this section.

TECHNIQUES FOR THE ERASURE, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

9.1. Techniques for the Deletion and Destruction of Personal Data

Even if personal data has been processed in accordance with the relevant legal provisions, the Clinic may delete or destroy such data at its own discretion or upon the request of the data subject if the reasons necessitating its processing no longer exist. The most commonly used deletion or destruction techniques by the Clinic are listed below:

(i) Physical Destruction

(ii) Secure Deletion Software

(iii) Secure Deletion by a Specialist (Sending to a Specialist for Secure Deletion)

9.2. Techniques for Anonymizing Personal Data

The anonymization of personal data refers to the process of rendering personal data incapable of being associated with any identified or identifiable natural person, even when combined with other data. The Clinic may anonymize personal data when the reasons necessitating the processing of such data, which was processed in compliance with the law, no longer exist. In accordance with Article 28 of the Personal Data Protection Law (KVK Law), anonymized personal data may be processed for purposes such as research, planning, and statistics. Such processing falls outside the scope of the KVK Law, and the explicit consent of the data subject will not be required. Since personal data processed in an anonymized form falls outside the scope of the Personal Data Protection Law, the rights outlined in Section 10 of the Policy will not apply to such data. The anonymization techniques most commonly used by the Clinic are listed below.

(i) Masking

(ii) Aggregation

(iii) Data Derivation

(iv) Data Shuffling (Permutation)

  1. RIGHTS OF DATA SUBJECTS; METHODS FOR EXERCISING AND EVALUATING THESE RIGHTS

The Clinic informs data subjects of their rights in accordance with Article 10 of the Personal Data Protection Law, provides guidance to data subjects on how to exercise these rights, and the Clinic implements the necessary channels, internal procedures, and administrative and technical measures in accordance with Article 13 of the Personal Data Protection Law to assess data subjects’ rights and provide them with the required information.

10.1 RIGHTS OF DATA SUBJECTS AND THE EXERCISE OF THESE RIGHTS

10.1.1. Rights of Data Subjects

Data subjects have the following rights:

(1) To learn whether personal data is being processed,

(2) To request information regarding the processing of personal data if it has been processed,

(3) To learn the purpose of the processing of personal data and whether it is being used in accordance with that purpose,

(4) To know the third parties to whom personal data has been transferred within or outside the country,

(5) The right to request the correction of personal data if it has been processed incompletely or incorrectly, and to request that the third parties to whom the personal data has been transferred be notified of such correction,

(6) To request the erasure or destruction of personal data if the reasons necessitating its processing no longer exist, even if it was processed in accordance with the provisions of the Personal Data Protection Law and other relevant laws, and to request that the third parties to whom the personal data was transferred be notified of this action,

(7) To object to a decision made solely through the automated processing of data that adversely affects the individual,

(8) To request compensation for damages incurred due to the unlawful processing of personal data.

10.1.2. Cases Where Data Subjects Cannot Exercise Their Rights

Pursuant to Article 28 of the Personal Data Protection Law, data subjects cannot exercise the rights listed in Section 10.1.1 regarding the following cases, as they are excluded from the scope of the Personal Data Protection Law:

(1) The processing of personal data for purposes such as research, planning, and statistics by anonymizing it through official statistics.

(2) The processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public order, economic security, the privacy of private life, or personal rights, nor constitutes a crime.

(3) The processing of personal data within the scope of preventive, protective, and intelligence activities conducted by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security.

(4) The processing of personal data by judicial authorities or enforcement agencies in connection with investigative, prosecutorial, judicial, or enforcement proceedings.

Pursuant to Article 28(2) of the Personal Data Protection Law, data subjects may not exercise the rights listed in Section 10.1.1, except for the right to claim compensation for damages, in the following cases: (1) Where the processing of personal data is necessary for the prevention of a crime or for a criminal investigation.

(2) The processing of personal data that has been made public by the data subject themselves.

(3) Where the processing of personal data is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigations or proceedings, by public institutions and organizations, or professional organizations with the status of public institutions, acting pursuant to the authority granted by law.

(4) Where the processing of personal data is necessary for the protection of the State’s economic and financial interests in matters related to the budget, taxes, and financial affairs.

10.1.3. Exercise of Rights by Data Subjects

Data subjects may submit requests regarding the rights listed under Section 10.1.1 of this chapter to the Clinic free of charge by completing and signing the Application Form, accompanied by information and documents verifying their identity, using the methods specified below or other methods determined by the Personal Data Protection Board:

(1) Submitting a hand-delivered or notarized copy of the form, available at https://cagrialtuntas.com, to the address: Harbiye Mah. Vali Konağı Cad. 30/3, Şişli/IST.

(2) After filling out the form available at https://cagrialtuntas.com and signing it with a “secure electronic signature” , and the form bearing the secure electronic signature must be sent via registered email to [email protected]. For third parties to submit a request on behalf of data subjects, a special power of attorney issued by a notary public in the name of the person making the request must be provided by the data subject.

10.1.4. The Data Subject’s Right to File a Complaint with the Personal Data Protection Board

Pursuant to Article 14 of the Personal Data Protection Law, the data subject may file a complaint with the Personal Data Protection Board within thirty days from the date they receive the Clinic’s response, and in any case within sixty days from the date of the request, in the event that the request is rejected, the response is deemed insufficient, or no response is provided within the prescribed timeframe.

10.2 THE CLINIC’S RESPONSE TO REQUESTS

Requests regarding the personal data processing activities of Community Clinics must be submitted to the relevant Community Clinic. Requests should only be submitted to the Clinic in cases where the Clinic is considered the data controller under the Personal Data Protection Law. This applies when the Clinic directly collects personal data from the data subject or when the data sharing between the relevant Community Clinic and the Clinic constitutes a data transfer from one data controller to another under the Personal Data Protection Law. In all other cases, requests regarding personal data processing activities for which the relevant Community Clinic is considered the data controller must be submitted to the Community Clinic, not to the Clinic.

10.2.1. The Clinic’s Procedure and Timeframe for Responding to Requests

The Clinic will process the relevant request free of charge within thirty days at the latest, depending on the nature of the data subject’s request. However, if the Personal Data Protection Board has established a fee, the Clinic will collect the fee from the applicant in accordance with the schedule determined by the Board.

10.2.2. Information the Clinic May Request from the Data Subject Making the Request

The Clinic may request information from the relevant individual to determine whether they are the data subject. The Clinic may ask the data subject questions regarding their request to clarify the matters outlined in the request.

10.2.3. The Clinic’s Right to Reject a Data Subject’s Request

The Clinic may reject a data subject’s request in the following circumstances, provided it explains the grounds for such rejection:

(1) The processing of personal data for purposes such as research, planning, and statistics by anonymizing it through official statistics.

(2) The processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public order, economic security, the privacy of private life, or personal rights, nor constitutes a crime.

(3) The processing of personal data within the scope of preventive, protective, and intelligence activities conducted by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security.

(4) The processing of personal data by judicial authorities or enforcement agencies in connection with investigative, prosecutorial, judicial, or enforcement proceedings.

(5) The necessity of processing personal data for the prevention of a crime or for a criminal investigation.

(6) The processing of personal data that has been made public by the data subject themselves.

(7) The processing of personal data is necessary for the performance of supervisory or regulatory duties, or for disciplinary investigations or proceedings, by public institutions and organizations, as well as professional associations with the status of public institutions, acting within the authority granted by law.

(8) The processing of personal data is necessary for the protection of the State’s economic and financial interests in matters related to the budget, taxes, and financial affairs.

(9) Where the data subject’s request is likely to infringe upon the rights and freedoms of others.

(10) Where the request involves disproportionate effort.

(11) Where the requested information is publicly available.

APPLICATION FORM

Under the Law on the Protection of Personal Data No. 6698 (“KVKK”), data subjects defined as “data subjects” (hereinafter referred to as the “Applicant”) are granted the right to make certain requests regarding the processing of their personal data under Article 11 of the KVKK.

In this context, written requests submitted to Dr. Çağrı ALTUNTAŞ (“Clinic”) must be made by printing this form and:

1-) Submitting the request in person as the Data Subject, or

2-) Sending the request in writing along with documents proving that you are the Data Subject.

Applicant’s Contact Information:

First Name:

Last Name:

Turkish ID Number:

Email:

Phone Number:

Address:

  1. Please indicate your relationship with our company. (e.g., customer, business partner, job applicant, former employee, employee of a third-party company, shareholder)

☐ Customer

☐ Visitor

☐ Business partner

☐ Former Employee, Years of Service: ………………………

☐ I Submitted a Job Application / Uploaded My Resume Date:………………………………………………………………..

☐ I am an employee of a third-party company. (Please specify the name of the company you work for and your position.)

………………………………………………………………………………

☐ Other: ……………………………………………………..

  1. Please provide a detailed description of your request under the Personal Data Protection Law:

…………………..…………….……………………………….……………………………….…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..…………….……………………………….……………………………….…………………………………………………………………………………………………

  1. Please select how you would like to be notified of our response to your application:

☐ I would like it to be sent to my address.

☐ I would like it sent to my email address ending in ……@………. (If you choose the email option, we will be able to respond to you more quickly.)

☐ I would like to pick it up in person. (If someone else is picking it up on your behalf, a notarized power of attorney or authorization document explicitly granting this authority is required.)

This application form has been prepared to identify your relationship with our Company, to fully identify any personal data processed by our Company, and to ensure that your request is responded to accurately and within the legally prescribed timeframe. To mitigate legal risks arising from unlawful or unjustified data sharing and, in particular, to ensure the security of your personal data, our Company reserves the right to request additional documents and information (such as a copy of your ID card or driver’s license) for the purpose of verifying your identity and authorization. If the information provided regarding your requests in this form is inaccurate or outdated, or if an unauthorized application is made, or if contact information is not verified, our Company shall not be held liable for any claims arising from such incorrect information or unauthorized applications.

Application Date:

Applicant (Data Subject) First Name and Last Name:

Signature: