PERSONAL DATA PROCESSING CLARIFICATION TEXT

In accordance with the provisions of the Law No. 6698 on the Protection of Personal Data (“KVKK”) and the European Union General Data Protection Regulation (GDPR), as Prof. Dr. Ercan Pınar, Ear, Nose and Throat Specialist, operating a Clinic/Practice at Mimar Sinan Mah. Şair Eşref Bulvarı Aygın Apt. No:62 İç Kapı No:6 Konak-İZMİR (hereinafter referred to as "Physician/Practice/Clinic/Employer"), as the Data Controller, we hereby inform you that your personal information will be recorded, stored, updated, disclosed to third parties where permitted by law, transferred, classified, and processed in the ways specified in the KVKK and GDPR. This is in accordance with the mutual rights and obligations arising from the aforementioned legal regulations.

Within the scope of the legal framework, we will record, store, and process your personal information necessary for establishing the Physician-Patient relationship and providing healthcare services (diagnosis, treatment, care services, etc.) for your benefit and public health in our archives. As a Clinic, we are obligated to record all information such as identification, address, telephone number, medical history, and other necessary information of the patient receiving services in order to provide healthcare services to you, in compliance with the Private Hospitals Law, Private Hospitals Regulation, Health Implementation Communiqué, Patient Rights Regulation, and other legislation. We are also obligated to organize all records and documents to be included in the medical patient file, which will be the basis for processing in electronic or paper format. For public health and preventive medicine services, we inform you that your personal data will be shared with the relevant authorities and individuals, particularly the Ministry of Health of the Republic of Turkey and Provincial Health Directorates, Public Health Centers, other units affiliated with the Ministry of Health, the Social Security Institution, and if you are using private health insurance, your insurance company, but not limited to these institutions, when requested by authorized bodies, by individuals appointed by authorized bodies, or within the scope of systems such as e-nabız, or when such information is required as part of our notification and/or reporting obligations.

PURPOSES, METHODS OF COLLECTION, AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

Your personal data are processed for establishing and performing the Physician-Patient relationship and fulfilling contractual provisions, using it in services that we can offer to you; recording identification, address, tax number, and other necessary information including personal health data to identify the person performing/having the transaction done; arranging all records and documents that will be the basis for processing in electronic (internet/mobile, etc.) or paper format; complying with information storage, reporting, and notification obligations stipulated by legislation, competent institutions, and other authorities; increasing service quality with marketing and statistical activities, offering requested/other products/services, and your special category personal data are processed due to communication, information provision, and similar processes within the contractual relationship.

Your blood type, laboratory and imaging results, analyses, allergies, chronic diseases, venereal diseases, infectious diseases, data regarding previous surgeries/operations, enabız information, medications you use regularly, information regarding Covid-19 disease, medical treatments, prescription information, unhealthy habits, body analysis, and death information, as well as other health data and other Personal Data required for the treatment and procedures to be applied to you; are processed for creating patient files, preventive medicine, examination, medical diagnosis, treatment, and care services, performing check-ups after medical diagnosis and treatment processes, managing potential complication processes, contacting you directly, managing appointment processes, ensuring patient satisfaction and demand management, fulfilling legal and contractual obligations, maintaining information regarding your health data that needs to be kept according to the relevant legislation within the specified periods, obtaining consultation services from other relevant specialist physicians if necessary for the correct execution of your treatment, fulfilling legal obligations in accordance with the legislation within the scope of health tourism, planning transfer, accommodation, and interpreter services for patients/clients coming within the framework of health tourism, announcing innovations regarding medical treatment and procedures, informing third parties about the medical procedure performed, planning and managing health services and their financing, ensuring workplace safety, fulfilling responsibilities arising from the legal relationship established between the doctor and the patient, fulfilling financial and administrative obligations, ensuring technical and commercial security, and fulfilling public obligations.

The Personal Data and Special Category Personal Data mentioned above will be processed in accordance with the purposes and legislation mentioned above in order to perform the examinations, preventive medicine, medical diagnosis, treatment, and medical procedures to be applied to you and to fulfill the obligations related to your treatment. If you do not provide the relevant personal data, the legal obligations imposed on the Physician and the Practice, which will provide services in your medical treatment, will not be fulfilled properly, and your treatment and/or recovery processes will not be carried out successfully.

Other areas where your personal data may be processed include, but are not limited to: HR operations, Practice internal operations, legal, technical, and administrative activities, strategy, planning, and business partners/suppliers, customer management, customer satisfaction, planning and execution of corporate communication activities and events, planning and execution of Practice internal training programs, Practice Workplace Safety, Employee and Occupational Health and Safety Protection, after-sales service delivery, technical service delivery, execution of collection procedures, providing customers with product-service promotion, information, personalized advertising, campaigns, and other benefits, sending all kinds of service and commercial electronic messages, conducting surveys, providing various advantages through statistical analysis, conducting studies to improve service quality and providing better service, issuing invoices for our services, outsourcing, presenting the benefits of expert organizations to customers in order to obtain services in areas that are not within their area of expertise and to receive technology services, utilization due to the requirements of Practice activities. Identity verification, answering questions and complaints, taking necessary technical and administrative measures within the scope of data security, providing financial reconciliation with relevant business partners and other third parties regarding the products and services offered, providing necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities, maintaining information regarding data that must be stored according to the relevant legislation, ensuring the consistency of information, measuring customer satisfaction, in terms of employees; creating a personnel file, determining whether the employee is constantly capable of fulfilling the requirements of the job, making private health insurance, creating a health file, taking occupational safety measures, planning travels. In terms of job applicants: managing and planning the process of evaluating suitability for open positions. Publishing visual and auditory data of the Practice and its Employees, stands obtained in competitions, organizations, fairs, studies, and other activities within the scope of the field of activity, for the purpose of developing and sharing the work, fulfilling legal obligations, execution/follow-up of Practice financial reporting and risk management operations, execution/follow-up of legal affairs, creation and follow-up of visitor records. Planning and executing the use of machinery and equipment by employees, planning and executing sales transactions, planning and executing supply transactions, planning and executing collection transactions, planning and executing the use of the Clinic internet, common network, and computers in accordance with the laws, planning and executing Practice fairs, activities, social projects, product, and corporate promotion,

The above-mentioned purposes are for informational purposes, and any additions that may be added by us in order to carry out the future operational activities of the Practice will be announced with updates.

Your Personal Data, depending on the healthcare service provided;

• Through the health reports, laboratory and imaging results, analyses, health reports, and your declarations regarding your health data that you submit in order for a medical assessment to be made regarding the treatment to be applied to you, by coming to the Physician and the Practice for examination and treatment purposes,
• Through filling out the “Patient Information and Consent Form” regarding the treatment to be applied by the Physician and the Practice,
• Through the contact form you fill out on the corporate website of the Physician Practice,
• Through the emails you will send to the corporate email address of the Physician and the Practice,
• Through the photo/video recordings taken before, during, and/or after the medical procedure applied to you within the Physician Practice,
• Through your written/audio/visual (photo and/or video recording) messages sent to the Physician and the Practice by using remote connection applications service providers (whatsapp/zoom.us/facetime/skype/messenger/google/instagram/facebook, etc.) that you receive services from, by accepting their Privacy Policies and International Transfer Principles, in order for your diagnoses and check-ups to be done online via remote access by the Physician and the Practice, upon your request and when necessary,
• By sending direct messages and/or commenting on the profile accounts of the Physician and the Practice on social media accounts (instagram, youtube, facebook, twitter, linkedin, etc.) which you are already a user of, whose server is located abroad, by accepting their Privacy Policies and International Transfer Principles,
• Through the information you transfer, by allowing it to be automatically processed through the "contact us" or "get information" panels in the promotions and advertisements of the Physician and the Practice, on social media accounts (instagram, youtube, facebook, twitter, linkedin, google, etc.) that you are already a user of, whose server is located abroad, by accepting their Privacy Policies and International Transfer Principles,

are processed.

PERSONAL DATA PROCESSING CONDITIONS UNDER KVKK AND GDPR

Article 5/2 of the KVKK regulates the exceptions that make it possible to process personal data lawfully. Accordingly, the Practice may process personal data even if there is no explicit consent, provided that one of the other conditions (exceptions) written below exists. The basis of the personal data processing activity may be only one of the conditions stated below, or more than one of these conditions may be the basis of the same personal data processing activity.

These are: Explicitly stipulated in the laws, it is mandatory to process the personal data of a person who is unable to express his consent due to an actual impossibility or whose consent is not considered valid, in order to protect the life or bodily integrity of himself or another person, being directly related to the establishment or performance of the contract, the Clinic's Fulfillment of Legal Obligation, Personal Data Owner's Making His Personal Data Public, Being Mandatory to Process Data for the Establishment or Protection of a Right, Being Mandatory to Process Data for the Legitimate Interest of the Practice, provided that it does not harm the fundamental rights and freedoms of the data owner.

In addition, according to GDPR article 9/2/h, article 6/1/b, article 6/1/f, your data may be processed without requiring an explicit consent statement:

• In order to carry out examination, medical diagnosis, treatment, and care services, your Health Data, which is considered Special Category Personal Data, will be processed by the Clinic, which is under the obligation to keep secrets according to the Law, without requiring your explicit consent.
• Your Personal Data will be processed by the Clinic without requiring your explicit consent in order to perform your check-ups after medical diagnosis and treatment processes, to contact you directly, and to manage appointment processes.
• Your Personal Data will be processed by the Clinic, without requiring your explicit consent, in order to ensure patient satisfaction and demand management.

According to GDPR article 6/1/c, based on legal obligations, your Personal Data will be processed without obtaining your explicit consent in the following cases:

• Creation of a patient file.
• Preservation of information regarding your health data that needs to be stored in accordance with the relevant legislation.
• Carrying out the control of your fee payments and issuing invoices.
• Performing tax payments.
• Fulfilling the obligations under the Ministry of Health Regulations.
• Fulfilling the obligations under Health Tourism Regulations.
• Ensuring your data security.
• Fulfilling legal obligations before the Judicial Authorities.
• Fulfilling administrative obligations before Administrative Institutions and Organizations.

PERSONS/INSTITUTIONS TO WHOM PERSONAL DATA CAN BE TRANSFERRED

The persons, public institutions, and private public institutions permitted by legal provisions, the polyclinics and medical laboratories with which the physician and the practice have agreements, and the relevant persons, institutions, and organizations in case of consultation. Special category personal data can be transferred to domestic and foreign locations where services are received in order to carry out activities related to the purposes specified in the confidentiality agreements and in the legislation to which we are subject, and to carry out insurance and finance activities and provide insurance and finance services. Personal and special category personal data are stored in a secure environment that is not open to general use and are absolutely not shared with third parties unless there is no permission or a legal obligation.

Your Personal Data and Special Category Personal Data, which are collected in line with the conditions and purposes included in the Personal Data Processing Conditions specified in Articles 5 and 6 of the Law No. 6698, may be transferred to third parties and institutions by the Physician and Practice, in compliance with Articles 8 and 9 of the KVKK, for the purposes of carrying out, developing, and when necessary, obtaining consultation services from other specialist physicians for examination, preventive medicine, medical diagnosis, treatment, and care services, fulfilling administrative obligations related to health tourism legislation, planning the transfer, accommodation, and interpreter services of patients arriving within the framework of health tourism, establishing communication with patients, managing control appointment processes, planning and managing healthcare services and financing, fulfilling responsibilities arising from the legal relationship established between the doctor and the patient, fulfilling financial, legal, and administrative obligations, ensuring technical and commercial security, and fulfilling public obligations, promoting the medical services provided, to the extent that it is sufficient for the realization of the purpose, by concluding the necessary confidentiality agreements and ensuring all administrative and technical security measures required by the legislation.

In this context, your Personal Data processed by the Physician and Practice;

• To other specialist physicians for consultation purposes,
• To its Insured Employees,
• To its Suppliers,
• To Financial Advisor, Tax and Finance Consultants and Auditors
• To Legal Counsel
• To Database (Server) Providers
• To "Clinic Management Software" Service Provider
• To Web Consultant
• To Translators
• To Data Protection Officer
• To IT Consultant
• To Tourism Agencies
• To Public Institutions and Organizations authorized within the framework of the laws,
• Will be transferred to Judicial Authorities.

STORAGE OF PERSONAL DATA

The method of collecting personal data; your personal data can be collected verbally, in writing, or electronically through all kinds of digital channels such as questions, messages sent to our website, and phone calls.

The personal data we obtain is stored securely in physical or electronic environments for an appropriate period of time in order to fulfill the activities of the Physician and the Practice. Within the scope of these activities, the physician and the Practice act in accordance with the obligations stipulated in all relevant legislation, especially the KVKK, regarding the protection of personal data.

In accordance with the relevant legislation, if it is not permitted or obligatory to keep personal data for a longer period of time, in cases where the purposes of processing personal data cease to exist, the data will be deleted, destroyed, or anonymized by the Physician and the Practice ex officio, or upon the request of the data owner and by the different techniques that can be used, upon the request of the data owners. If personal data is deleted through these methods, this data will be destroyed in such a way that it cannot be used or retrieved again in any way.

In cases where the data controller has a legitimate interest, personal data may be stored, provided that the law permits this and does not harm the fundamental rights and freedoms of data owners, despite the fact that the purpose of processing and the periods specified in the relevant laws have expired. After the expiry of the aforementioned statute of limitations, personal data will be deleted, destroyed, or anonymized according to the procedure specified above.

MEASURES TAKEN FOR DATA SECURITY

The Practice takes all necessary technical and administrative measures to ensure the appropriate level of security necessary for the protection of personal data. The measures stipulated in Article 12(1) of the KVKK are as follows: To prevent the unlawful processing of personal data, To prevent unlawful access to personal data, To ensure the protection of personal data.

PROCESSING OF IMAGE RECORDS

In order to ensure the general and service-related security of the facilities and businesses, image recordings of visitors, employees, and other related persons are taken at the building entrances in accordance with the basic principles stipulated in the KVKK.

PROCESSING OF PERSONAL DATA OF BUSINESS PARTNERS

Within the scope of fulfilling the activities established with business partners such as medical laboratories, product purchase/sale suppliers, the Practice may process the personal data of the employees of business partners in order to ensure the functioning of the service activity for the purposes that are mandatory for the performance of the work or specified in the law, to fulfill human resources goals and policies, and to ensure the legal and commercial security of mutual work.

APPLICATION PROCEDURE AND RIGHTS

In accordance with Article 11 of the KVKK, your rights; By applying to us, regarding your personal data; a) to learn whether it has been processed, b) if processed, to request information about this, c) to learn the purpose of processing and whether it is used in accordance with its purpose, d) to know the third parties to whom it has been transferred domestically/abroad, e) if it has been processed incompletely/incorrectly, to request its correction, f) to request its deletion/destruction within the framework of the conditions stipulated in Article 7 of the KVKK, g) to request notification of the transactions made in accordance with the (d) and (e) clauses mentioned above to the 3rd parties to whom it has been transferred, h) to object to the emergence of a result against you due to the analysis with exclusively automatic systems, i) we inform you that you have the right to request compensation for the damage in case you suffer damage due to unlawful processing of personal data from our Practice.

The requests in your application will be finalized free of charge within a maximum of thirty days, depending on the nature of the request. However, if the transaction requires an additional cost for the Practice, the fee specified in the tariff determined in the Communiqué on Application Procedures and Principles to the Data Controller by the Personal Data Protection Board may be charged. In accordance with the first paragraph of Article 13 of the KVKK, Personal Data Right Holders can realize their request regarding the use of the mentioned rights with the methods and information specified in the "Communiqué on Application Procedures and Principles to the Data Controller", published in the Official Gazette dated March 10, 2018 and numbered 30356.

EXCEPTIONS TO THE RIGHT OF APPLICATION

According to Article 28 of the KVK Law, it will not be possible for personal data owners to assert their rights in the following matters.

• Processing personal data for research, planning, and statistical purposes by anonymizing it with official statistics
• Processing personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights, or constitute a crime
• Processing personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, and economic security
• Processing personal data by judicial authorities or enforcement authorities in connection with investigation, prosecution, trial, or execution procedures

According to Article 28/2 of the KVK Law; Provided that it is in accordance with the purpose and basic principles of the Law, the 10th article regulating the data controller's obligation to inform, the 11th article regulating the rights of the relevant person, excluding the right to request compensation for damages, and the 16th article regulating the obligation to register with the Data Controllers Registry, shall not be applied in the following cases:

• Personal data processing is necessary for the prevention or investigation of a crime
• Processing of personal data made public by the personal data owner himself
• Personal data processing is necessary for the performance of audit or regulation duties by public institutions and organizations that are authorized by law, and professional organizations with the status of public institutions, and for disciplinary investigation and prosecution
• Personal data processing is necessary for the protection of the state's economic and financial interests regarding budget, tax, and financial issues

RIGHTS OF DATA OWNERS UNDER GDPR

As a Data Subject, your Personal Data is also protected under the GDPR. In cases where the GDPR has jurisdiction (citizens of the European Union or residents of European Union countries), the rights of Data Subjects are as follows;

• Right of Access (GDPR Article 15): The data subject has the right to confirm by applying to the Clinic whether his personal data is being processed, and to learn the details in GDPR Article 15 if the personal data is being processed.
• Right of Rectification (GDPR Article 16): The Data Subject has the right to correct his changing personal data held by the Clinic at any time by applying.
• Right to Erasure (GDPR Article 17): The Data Subject has the right to request the deletion of his personal data held by the Clinic. If the matters specified in GDPR Article 17 occur, your personal data will be deleted by the Clinic without delay.
• Right to Restriction of Processing (GDPR Article 18):
  • If Data Subjects object to the accuracy of their Personal Data, they have the right to request the restriction of the use of the data as Data Subjects until the accuracy of the Personal Data is confirmed by the Clinic.
  • In cases where the Data Subject requests the deletion of his Personal Data because the Personal Data processing activity is illegal, he has the right to request the restriction of the use of the data until his request is fulfilled.
  • The Data Subject has the right to request the restriction of the use of his data in cases where the Clinic no longer needs his personal data in line with the processing purpose.

  In cases where Data Subjects object to the processing activity in accordance with GDPR Article 21/1, they have the right to request the restriction of the use of their data until it is verified whether the Clinic's legitimate reasons for data processing outweigh the Data Subject's legitimate reasons.

• Right to Data Portability (GDPR Article 20): The Data Subject has the right to request the transfer of his Personal Data held by the Clinic to another controller at any time by applying, if technically possible. However, this right can be used when data processing is based on consent or in cases required by the contract.
• Right to object (GDPR Article 21): The data subject has the right to object to the processing of Personal Data within the scope of GDPR article 6/1/e and (f), based on reasons related to his specific situation.

We would like to inform you that we continue our activities with the awareness that personal data security is at the forefront in all our products and services we offer you.

Consent and Approval

By reading and accepting this Clarification Text, you acknowledge, declare, and undertake that you are fully and completely informed about the data processing process carried out by the Physician and Practice, that you have learned your rights stipulated by the KVKK and GDPR, and that you freely and willingly consent to the PROCESSING of your Personal Data and Special Category Personal Data by the Physician and Practice within the scope of this Clarification Text.