Özel Maslak Cerrahi Tıp Merkezi

MASLAK HEALTH GROUP

PERSONAL DATA STORAGE AND DISPOSAL POLICY

  1. ENTRANCE
    • Purpose of the Policy

The processing of personal data obtained by Maslak Health Group pursuant to Article 20 of the Constitution titled “Privacy of Private Life” and the Law No. 6698 on the Protection of Personal Data (“Law”) and applicable regulations and communiqués  patients, relatives, suppliers, interns, visitors and other relevant third parties ) protection of fundamental rights and freedoms, especially the privacy of private life, and that the data controller who processes personal data performs data processing activities in accordance with the law, protection, storage and processing of personal data obtained. The purpose of this Policy is to determine the principles for its destruction when necessary.

  • Scope of the Policy

Obtaining, recording, storing, preserving, changing all kinds of information relating to an identified or identifiable natural person as personal data by Maslak Health Group as a data controller fully or partially automatically or non-automatically provided that it is a part of any data recording system, Since all kinds of transactions such as reorganization, disclosure, transfer, takeover, making available, classification or prevention of use are considered as data processing activities, establishing the procedures and principles of the data processing activity carried out by Maslak Health Group determines the scope of this Policy.

  • Implementation of the Policy and Related Legislation

Your personal data and personal health data are for the purposes explained in this policy text and Health Services Basic Law No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Affiliates, Regulation on Private Hospitals, Regulation on the Processing of Personal Health Data and Protection of Privacy, related regulations and It has been prepared in accordance with the rules set forth in the regulations, communiqués, decisions and guides published by the Board, especially the Law No. 6698. provisions and rules will find application area. All communiqués published by the Board,

 

  • Enforcement of the Policy

The policy was published on the website of Maslak Health Group https://www.maslaksaglik.com and entered into force on the date of its publication.

  1. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

According to Article 12 of the Law No. 6698, the data controller;

  • To prevent the unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • To ensure the protection of personal data

It is obliged to take all necessary administrative and technical measures to ensure the appropriate level of security for the purpose.

For the reasons explained, Maslak Health Group implements security measures to prevent unlawful processing of personal data, transfer and disclosure to third parties, unauthorized access and security deficiencies arising through other means. Explanations on the administrative and technical measures taken VI. It is included in the ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA.

2.2. Protection of Private Personal Data

Among the sensitive personal data, the health data of the persons concerned, without seeking the explicit consent of the relevant person, but for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning health services and financing and management purposes, persons or authorized institutions and can be processed by organizations. In addition, regardless of the type, all sensitive personal data can only be processed in accordance with the law if adequate measures determined by KVKK are taken.

Your personal data that you share with us within the scope of our clinical activities; For the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services provided by Maslak Health Group, with automatic or non-automatic methods, planning and management of health services and financing; Obtaining, recording, storing, changing through all channels including social media applications such as internet site, survey, social responsibility and verbal, written, visual or electronic media, via hotline/call center, internet site, verbal, written and similar channels, collected and rearranged. Any operation performed on data within the scope of KVKK is considered as “processing of personal data”.

In addition, your personal data may be processed when you use our hotline or internet page for information, appointment, complaint or other purposes, when you visit our clinic or website, and when you browse this site.

The data that is sensitive due to its nature and may cause victimization or discrimination of the data owner if it is in the hands of third parties is accepted as “Special “Qualified Personal Data” within the scope of the Law. Sensitive personal data includes data related to the person’s race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric data. and genetic data. Special categories of personal data cannot be processed without the explicit consent of the data subject. All necessary measures are taken by Maslak Health Group to protect sensitive personal data, and it is essential that such data are not collected and processed as much as possible.

III. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Compliance with the Principles Established in the Legislation

The principles to be applied in the processing of your personal data in accordance with Article 4 of the Law are as follows:

  • Compliance with the law and the rule of honesty,
  • Being accurate and up-to-date when necessary,
  • Processing for specific, explicit and legitimate purposes,
  • Being connected, limited and restrained with the purpose for which they are processed,
  • To be kept for the period required by the relevant legislation or for the purpose for which they are processed.

3.2. Personal Data Processing Conditions

Personal data obtained by Maslak Healthcare Group cannot be processed without the explicit consent of the person concerned, with the exception of the exceptions stipulated in the Law. Your personal data may be processed without express consent in the following cases:

  • clearly stipulated in the law,
  • It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid,
  • It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • It is mandatory for the data controller to fulfill its legal obligation,
  • The person concerned has been made public by himself,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Exceptions to Obligation to Obtain Explicit Consent

expressly stipulated in the law

One of the data processing conditions is that it is expressly stipulated in the law. The provisions in the laws regarding the processing of personal data may create a data processing condition. In such a case, the explicit consent of the person concerned is not sought.

actual impossibility

The personal data of the person concerned can be processed without explicit consent in cases where it is necessary for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid.

Being directly related to the establishment or performance of the contract

In the event that data processing is deemed necessary during the conclusion of a contract to which the data owner is a party or during the performance of the contract, the processing of personal data may come to the fore without obtaining explicit consent.

Maslak Health Group fulfilling its legal obligations

Maslak Health Group, as the data controller, may process personal data without obtaining explicit consent for the purpose of fulfilling legal obligations.

Being made public by the person concerned

Personal data made public by the data subject, in other words, personal data disclosed to the public in any way, can be processed without express consent. Even in this case, the publicized personal data cannot be used for purposes other than its intended use.

Obligatory for the establishment, use and protection of a right

In cases where it is necessary for the establishment, exercise or protection of a right, it is possible to process the personal data of the person concerned without his explicit consent.

Obligatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

If the processing of personal data is obligatory for the data controller and the data processing will not harm the fundamental rights and freedoms of the data subject, personal data may be processed without obtaining explicit consent.

The legitimate interest of the data controller is the interest and benefit to be obtained as a result of the processing to be carried out. Benefit of the data controller; It must relate to a legitimate, sufficiently effective, specific and already existing interest to compete with the fundamental rights and freedoms of the person concerned. It should be a process that is related to the current activities of the data controller and will benefit him in the near future.

3.4. Processing of Private Personal Data

The processing of sensitive personal data is subject to Article 6 of the Law, and it is prohibited to be processed without the explicit consent of the person concerned.

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are of special nature. is personal data. The data included in this scope is limited and cannot be expanded through interpretation.

Due to its nature, special quality personal data is data that, if learned, may cause discrimination and victimization of the person concerned. Therefore, they need to be protected much more strictly than other personal data.

Special categories of personal data other than health and sexual life

Special categories of personal data other than personal data related to health and sexual life can be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws.

Special categories of personal data regarding health and sexual life

Special categories of personal data regarding health and sexual life can only be processed by persons or authorized institutions and organizations that are under the obligation of confidentiality for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.

3.5. Clarifying and Informing the Personal Data Owner

During the acquisition of personal data, data owners are informed by Maslak Health Group as data controller or by persons authorized by it. The procedures and principles regarding the information provided are specified in the Clarification Texts on the Protection of Personal Data published by Maslak Health Group, and the information includes the following elements in brief:

  • Identity of the data controller and its representative, if any,
  • For what purpose personal data will be processed,
  • To whom and for what purpose personal data can be transferred,
  • Method and legal reason for collecting personal data,
  • Rights of the person concerned as indicated in Article 11 of the Law.
  1. Identity of the data controller and representative

According to Article 10 of the Law, personal data obtained from data owners (employees, employee candidates, patients, patient relatives, suppliers, pharmacies, visitors, interns and other relevant third parties) are processed by Maslak Health Group in the capacity of data controller, and the communication of the relevant unit   It can be obtained from the [email protected] e-mail address or https://www.maslaksaglik.com.

  1. Purposes of processing personal data

The processing of personal data is carried out for specific, clear and legitimate purposes and is based on informing the data owners. The purposes for which your collected data are processed   are included in the V. CATEGORIZATION AND PROCESSING PURPOSE OF PERSONAL DATA PROCESSED BY MASLAK HEALTH GROUP of the Policy.

Persons to whom personal data are transferred and the purposes for which they are transferred

Within the framework of the data controller’s obligation to inform the data owner, the persons to whom personal data are transferred and the purposes for which they are transferred should be clearly stated. Personal data cannot be transferred to third parties without the explicit consent of the data owner. Recipient groups to whom personal data is transferred by Maslak Health Group and the purpose of transfer IV. It is shown in the section TRANSFERRING PERSONAL DATA.

Method and legal reason for personal data collection

In accordance with Articles 5 and 6 of the Law, the data controller must clearly state on which basis the personal data processing conditions are based. Data collection method and mediation are determined by the data controller. The processing conditions of personal data, that is, the conditions of compliance with the law, are listed in a limited number in the Law (art. 5-6) and these conditions cannot be extended.

The data controller, Maslak Health Group, evaluates whether the purpose of the personal data processing activity is primarily based on one of the processing conditions other than express consent, if this purpose does not meet at least one of the conditions other than the express consent specified in the Law, then the explicit consent of the person for the continuation of the data processing activity is taken. going.

TRANSFERRING PERSONAL DATA

4.1. Domestic Transfer

Personal data cannot be transferred without the explicit consent of the person concerned. However:

  • In the second paragraph of Article 5,
  • Provided that adequate measures are taken, the third paragraph of Article 6

If one of the conditions specified is present, it can be transferred without seeking the explicit consent of the person concerned.

Accordingly, provided that it is clearly stipulated in the law (1), is compulsory for the protection of the life or bodily integrity of a person or another person whose consent is not legally valid or who is unable to express his consent due to actual impossibility (2), and is directly related to the establishment or performance of a contract. It is necessary to process the personal data of the parties (3), it is mandatory for the data controller to fulfill its legal obligation (4), the data subject has been made public by himself (5), the data processing is mandatory for the establishment, exercise or protection of a right (6), Provided that it does not harm the fundamental rights and freedoms of the data subject, the personal data of the data subject is required without the express consent of the data controller, if data processing is necessary for the legitimate interests of the data controller.can be transferred to individuals.

Your personal data and personal health data are for the purposes explained in this policy text and Health Services Basic Law No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Affiliates, Law on Protection of Personal Data No. 6698, Regulation on Private Hospitals, Processing of Personal Health Data and Within the framework of the Privacy Protection Regulation and related regulations;

Ministry of Health, Social Security Institution, General Directorate of Security and other law enforcement agencies, CIMER, SABİM, Ministry of Labor, General Directorate of Population, courts and enforcement offices, Turkish Pharmacists Association for the purpose of fulfilling our contractual and legal obligations and carrying out administrative, commercial and economic activities of our clinic. , regulatory and supervisory institutions, insurance companies, representatives authorized by patients, cooperated laboratories and other centers and Electronic Medical Records and Electronic Health Records systems.

Information on the recipient groups to which your personal data processed by Maslak Healthcare Group is transferred, is included in the Annex 4 – Third Parties to which Personal Data are Transferred and Purposes of Transfer of this Policy.

4.2. International Transfer

Personal data cannot be transferred abroad without the explicit consent of the person concerned. In so far, the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law and in the foreign country to which the personal data will be transferred;

  • Availability of adequate protection
  • In case of lack of adequate protection, data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and the Board has permission,

may be transferred abroad without seeking the explicit consent of the person concerned, provided that the

CATEGORIZATION OF PERSONAL DATA PROCESSED BY MASLAK HEALTH GROUP  AND PURPOSE OF PROCESSING

Data subject data subjects The data categorization obtained by Maslak Health Group and the purposes pursued in the processing of personal data are shown in the relevant sections of the clarification texts on our website for each category of data subject.

ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA

Administrative and technical measures are taken by Maslak Health Group in order to keep personal data safe and to prevent unlawful processing and access to personal data.

In order to ensure personal data security, all personal data processed by Maslak Health Group is determined and the probability of the risks that may arise regarding the protection of this data are determined; While determining these risks, whether the personal data is sensitive personal data (1), what degree of confidentiality it requires due to its nature (2), and the nature and quantity of the damage that may arise in the case of a security breach (3) are taken into account.

After defining and prioritizing these risks; control and solution alternatives to reduce or eliminate the said risks; cost, applicability and usefulness should be evaluated in line with the principles, necessary technical and administrative measures are planned and put into practice.

6.1.  Administrative Measures

Even if employees have limited information about attacks that will harm personal data security and cyber security, it is of great importance to ensure personal data security. For this reason, awareness and information activities are carried out in our internal organization as a data controller.

Providing necessary training on issues such as not revealing and sharing personal data unlawfully, conducting awareness activities for employees and creating an environment where security risks can be determined; It is ensured that everyone working with the data controller, regardless of their position, determines their roles and responsibilities regarding personal data security in their job descriptions and that employees are aware of their roles and responsibilities in this regard.

On the other hand, confidentiality agreements are signed as part of the recruitment processes of the employees, and a disciplinary process is carried out if the employees do not comply with the security policies and procedures.

In case of any change in the policies and procedures regarding personal data security, trainings are provided to inform and explain the change to the employees, and the information about the threats to data security and security is kept up-to-date.

Personal data should be accurate and up-to-date when necessary in accordance with Article 4(b) and (d) of the Law, and should be kept for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, the data processed are processed in accordance with the principles and rules that must be observed in data processing activities and are kept for the period required for the purpose for which they are processed. It is shown in the STORAGE AND DISPOSAL OF PERSONAL DATA.

The table below provides a summary of the administrative measures taken to ensure data security:

Administrative Measures

Preparation of Personal Data Processing Inventory

Corporate Policies (Access, Information Security, Use, Storage and Disposal etc.)

Contracts (Between Data Controller-Data Controller, Data Controller-Data Processor)

Privacy Commitments

In-house Periodic and/or Random Audits

Risk Analysis

Employment Contract, Disciplinary Regulation (Adding Legal Provisions)

Corporate Communication (Crisis Management, Informing the Board and Relevant Person, Reputation Management, etc.)

Education and Awareness Activities (Information Security and Law)

Notification to Data Controllers Registry Information System (VERBIS)

Personal Data Security Policies and Procedures

Rapid Reporting of Personal Data Security Issues

Monitoring Personal Data Security

Establishing Disciplinary Arrangements Containing Data Security Provisions for Employees

Reducing Personal Data As Much As Possible

Preparation and Implementation of Institutional Policies on Access, Information Security, Use, Storage and Disposal

Removal of Authorities in this Area of ​​Employees with a Change in Job or Leaving the Job

Including Data Security Provisions in Signed Contracts

Identification of Current Risks and Threats

Conducting In-house Periodic and/or Random Inspections

Protocols and Procedures for Special Quality Personal Data Security have been determined and their implementation

Raising Awareness of Data Processing Service Providers on Data Security

6.2.  Technical Measures

Firewalls and gateways are used among the measures taken to protect my information technology systems containing personal data against unauthorized access and threats by third parties over the internet. With the firewall used, violations of the information network are stopped, and with the gateway, employees’ access to websites or online platforms that pose a threat to personal data security is restricted.

In addition, regular checks are made regarding the proper functioning of the software and hardware and whether the security measures taken for the systems are sufficient. Access to systems containing personal data is restricted, and within this scope, employees are granted access to the extent necessary for their jobs and duties, and their authorities and responsibilities, and access to the relevant systems is provided by using a user name and password. While creating the aforementioned passwords, numbers or letter sequences associated with personal information that can be easily guessed are avoided as much as possible.

Access authorization and control matrices are created within the data controller organization, and products such as antivirus and antispam, which regularly scan the information system network and detect dangers, are used to protect against malicious software.

In order to ensure data security, necessary measures are taken to ensure that documents in paper media containing personal data and servers, backup devices, CD, DVD, USB and other similar storage devices are only accessible to authorized personnel and to increase physical security in this regard.

In the table below, the administrative measures taken to ensure data security

summary given:

Technical Measures

Authority Matrix

Authority Control

Access Logs

User Account Management

Network Security

Application Security

Encryption

Intrusion Detection and Prevention Systems

Data Loss Prevention Software

Backup

Firewalls

Current Anti-Virus Systems

Deletion, Destruction, or Anonymization

Key Management

VII. BUILDING, FACILITY ENTRANCES AND PERSONAL DATA PROCESSING IN THE BUILDING AND FACILITY

7.1. Camera Monitoring Activity at Building, Facility Entrances and Inside

Within the scope of the Law on Private Security Services, camera monitoring is carried out in order to ensure security in the Maslak Health Group building, working areas, common areas, parking lot and its surroundings, and to protect the interests of ensuring the safety of Maslak Health Group and other persons. The camera monitoring activity is carried out in accordance with the Law and is carried out within the scope of the data processing conditions listed both in the Law and in this Policy.

 

7.2. Monitoring of Guest Entrance and Exit Carried out at Building, Facility Entrances and Inside

Identity information of guests visiting Maslak Health Group is subject to personal data processing in order to control and monitor entrances and exits to Maslak Health Group building and to ensure security. The personal data processed within the scope of this activity are only limited to the guests’ entry and exit, and the relevant personal data is recorded in the data recording system in electronic or physical environment.

VIII. STORAGE AND DISPOSAL OF PERSONAL DATA

8.1. Retention Periods of Personal Data

Your personal data held by Maslak Health Group are kept for as long as the data processing activity is necessary; In the event that the obligation to delete, destroy or anonymize personal data arises, it is deleted, destroyed or anonymized within the first periodic destruction period following the date of occurrence of this obligation.

Maslak Health Group acts in accordance with the general principles set forth in article 4 of the Law and the technical and administrative measures set forth in article 12 in the deletion, destruction or anonymization of your personal data.

All transactions regarding the deletion, destruction or anonymization of personal data are recorded by us and are kept during the processing of personal data for at least 30 years in accordance with the legal obligation.

Personal data specialist personnel assigned by Maslak Health Group regarding the storage and destruction of data is the person responsible for the execution and supervision of the personal data storage and destruction policy.

8.2. Obligation to Delete, Destroy and Anonymize Personal Data

Personal data processed by Maslak Health Group are in accordance with the provisions of the “Regulation on the Deletion, Destruction or Anonymization of Personal Data” published in the Official Gazette dated 28 October 2017 and numbered 30224 prepared by the Law on Article 7 and the Personal Data Protection Board. In the event that the reasons for its processing disappear, it is deleted, destroyed or anonymized ex officio or upon the request of the relevant data owner.

 

Deletion of personal data

Deletion of personal data is the process of making personal data inaccessible and non-reusable for relevant users.

All necessary technical and administrative measures are taken to ensure that the deleted personal data cannot be accessed and reused for the relevant users.

Destruction of personal data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

Anonymization of personal data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

All kinds of technical and administrative measures are taken by Maslak Health Group to anonymize your personal data, and they are anonymized by applying methods in accordance with our personal data retention and destruction policy.

8.3. Deletion, Destruction and Anonymization Techniques of Personal Data

The techniques for deletion, destruction or anonymization of personal data processed by Maslak Health Group are shown below, and which of the techniques to apply may vary depending on the nature of the personal data processed.

For this, first of all, determining the personal data that is the subject of deletion, destruction or anonymization (1), identifying the relevant users for each personal data using an access authorization and control matrix or a similar system (2), accessing the relevant users, It is necessary to determine the authorizations and methods such as retrieval and reuse (3), and to close and eliminate the access, retrieval, reuse authorization and methods of the relevant users within the scope of personal data (4).

The way to delete personal data   is as follows:

  • Issuing a delete command in cloud or application-type solutions,
  • Blackening, cutting or making invisible data in paper media,
  • Deletion of data on removable media using appropriate software.

The way to destroy personal data   is as follows:

  • Physical destruction by melting, burning or pulverizing optical media and magnetic media,
  • Other destruction in paper or electronic form.
  1. RIGHTS OF THE PERSONAL DATA OWNER AND THE USE OF THESE RIGHTS

9.1. Rights of Personal Data Owner

In accordance with the Law No. 6698, in the capacity of data owner:

  • Learning whether your personal data is processed,
  • If your personal data has been processed, requesting information about it,
  • To learn the purpose of processing your personal data and whether they are used in accordance with the purpose,
  • Knowing the third parties to whom personal data is transferred at home or abroad,
  • Requesting correction of personal data if it is incomplete or incorrectly processed,
  • To request the deletion or destruction of your personal data within the framework of the conditions stipulated in the article,
  • Requesting notification of third parties to whom personal data has been transferred, regarding the correction, deletion or destruction of data in case of incomplete or incorrect processing,
  • Objecting to the emergence of a result against you by analyzing your processed data exclusively through automated systems,
  • You have the right to demand the compensation of the damage in case of any damage due to the unlawful processing of your personal data.

9.2. Exercise of Personal Data Owner’s Rights

Requests by the data subject regarding the implementation of the Law, contact e-mail  [email protected]  or Ayazağa, Mustafa Kemal Atatürk Cd 1-2, 34396 Sarıyer/İstanbul

address to Maslak Health Group in written form. For application requests, the “Data Owner Application Form” published on the website of Maslak Health Group should be used.

9.3. Maslak Health Group Responding to Applications

Depending on the nature of the application request, Maslak Health Group is finalized as soon as possible. This period cannot exceed 30 days after the request is properly served to us. In so far, if the transaction requires any cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board.

APPENDIX – 1: Definitions

Explicit consent:  Consent on a specific subject, based on information and expressed with free will,

Anonymization:  Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,

Recipient group:  The natural or legal person category to which personal data is transferred by the data controller,

Direct identifiers:  identifiers that, by themselves, directly reveal, disclose and distinguish the person with whom they are in a relationship,

Indirect identifiers : Identifiers that come together with other identifiers, revealing, disclosing and making distinguishable the person they are in a relationship with,

Relevant person:  The real person whose personal data is processed,

Relevant user:  Real or legal persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,

Destruction:  Deletion, destruction or anonymization of personal data,

Law:  Law on Protection of Personal Data No. 6698, dated 24/3/2016,

Blackening:  Processes such as scratching, painting and icing all of the personal data in a way that cannot be associated with an identified or identifiable natural person,

Recording medium:  Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system,

Personal data:  Any information relating to an identified or identifiable natural person,

Processing of personal data:  Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as the classification or prevention of its use,

Board : Personal Data Protection Board,

Institution : Personal Data Protection Authority,

Data processor : The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,

Data registration system:  The registration system in which personal data is processed and structured according to certain criteria,

Data controller:  The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Identity Information : Your name, surname, TC identity number, passport number or temporary TC identity number, place and date of birth, marital status, gender, insurance or patient protocol number and other identification data by which we can identify you;

Contact Information : Your address, telephone number, e-mail address and other communication data, your voice call records kept by customer representatives or patient services in accordance with call center standards, and your personal data obtained when you contact us via e-mail, letter or other means;

Accounting Information : Your financial data such as your bank account number, IBAN number, credit card information, billing information; your data on private health insurance and your Social Security Institution data for the purpose of financing and planning health services; If you visit our clinic, your footage of camera recordings kept for security and inspection purposes,

Health Information:  Your personal data regarding all kinds of health and sexual life obtained during or as a result of medical diagnosis, treatment and care services, including but not limited to your laboratory results, test results, examination data, appointment information, prescription information Maslak Health Group If you apply for a job, your other personal data, including the CV provided in this regard, and any personal data related to your service contract if you are a Maslak Health Group employee or related employee.

APPENDIX – 2: Personal Data Owners (Relevant Persons)

Data Subject Categories

Explanation

Worker

It refers to the people working in the clinic.

Employee Candidate

It refers to real persons who apply for a job by sending a CV or other methods to the Klinik.

Intern

It refers to the people who use the profession they are trained in the clinic practically to increase their professional knowledge.

Patient

It refers to the real persons who benefit from the services offered by the Clinic.

The relatives of the patient

It refers to the companions or relatives of the patients who use the services offered by the Clinic.

supplier

It refers to natural persons and legal entity employees from whom services are provided.

Visitor

Refers to the 3rd person visiting the Clinic.

Other Related Third Parties

Refers to the people who apply to the Clinic, other than those who communicate.

 

APPENDIX – 3: Third Parties to whom Personal Data is Transferred

Transferred Person/Unit

Purpose of Transfer

Ministry of Health

Transfer of information that needs to be transferred in accordance with public health and legislation.

Social Security Institution

Transferring information for the purpose of realizing the transactions of the Employees, Employee Candidates and Patients within the scope of Social Security.

Authorized Public Institutions and Organizations

Limited sharing/transfer of information and documents requested by the Clinic by relevant public institutions and organizations.

suppliers

Transfer of personal data limited to the provision of services received from suppliers.

 

Any personal data obtained by Maslak Health Group can be processed for the purposes listed; confirming your identity, protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and financing, planning and management of the operation of our clinic and daily operations, supply of medicines, informing you about the appointment if you make an appointment, risk management and quality improvement activities, making evaluations in order to improve health services, conducting research, fulfilling legal and regulatory requirements, confirming your relationship with the institutions contracted with the clinic, billing for our health services,

ANNEX-5: Periods

Personal Data Category

Storage Time

Legal Basis

Health Data  (Biometric and genetic and examination data, laboratory, test, analysis and examination results, check-up and prescription information, patient records and health data including but not limited to, and patient close information when necessary)

30 Years from the end of the personal data processing activity

Private Hospitals Regulation, Turkish Penal Code

All Records Related to Accounting and Financial Transactions

10 years

Law No. 6102, Law No. 213

Cookies and Logs

6 Months – Maximum 2 Years

Internet Law No. 5651

Traffic Information on Online Visitors

2 years

Law No. 5651

Personal Data Regarding Suppliers

10 Years after the legal relationship ends

Law No. 6102, Law No. 6098 and Law No. 213

Personal Data Protection Board Transactions

10 years

Personal Data Protection Authority Personal Data Retention and Destruction Policy Published by KVKK

Contracts

10 Years From The Termination Of The Agreement

Law No. 6102 and Law No. 6098

Human Resources Processes

10 Years From End of Activity

Labor Law No. 4857 and Related Legislation

Visitor   Registration

2 Years From Event Ending

Personal Data Protection Authority Personal Data Retention and Destruction Policy Published by KVKK

Data on Personal Files Stored under the Labor Law

10 Years from the end of the Business Relationship

Labor Law No. 4857 and Related Legislation and Turkish Code of Obligations No. 6098

Data Collected under OHS Legislation  (Health reports, OHS Trainings, Occupational Health and Safety records, etc.)

15 Years from the end of the Business Relationship

Occupational Health and Safety Law No. 6331 and Related Legislation

Data kept within the scope of SGK Legislation  (Recruitment declarations, bonus/service documents, etc.)

10 Years from the end of the Business Relationship

Social Insurance and General Health Insurance Law No. 5510 and Related Legislation

Job Application If Application Is Not Accepted, Data Regarding Candidate Applications  (CV, Curriculum Vitae, Cover Letter,  Application Form  etc.)

1 year

Industry practices apply.

Personal Data Processed in Contractual Relationships

10 Years After Contract Termination

Turkish Code of Obligations No. 6098

Personal Data Regarding Tax Records

5 years

Tax Procedure Law No. 213

Personal Data Processed for Security Purposes in Accordance with CCTV Cameras  (Camera Records)

90 Days

Industry Custom

Traffic Information Processed during Use of the Office Internet Network, Internet Login and Remote Connection  (IP address, start and end time of the service provided, type of service used, amount of data transferred and subscriber identity information, if any, etc.)

2 years

Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts

Personal Data of a Dead Person

At least 20 Years

Regulation on Personal Health Data published in the Official Gazette dated 21.06.2018 and numbered 30808