PERSONAL DATA PROCESSING AND PROTECTION POLICY
1. PURPOSE AND SCOPE
As the practice of Prof. Dr. Ercan Pınar, an Ear, Nose, and Throat Specialist, located at Mimar Sinan Mah. Şair Eşref Bulvarı Aygın Apt. No:62 İç Kapı No:6 Konak-İZMİR (hereinafter referred to as "Physician/Clinic/Practice/Employer"), we place importance on the protection of the personal data of all real persons we contact in any way, on fulfilling the requirements of the Law on Protection of Personal Data No. 6698, which is regulated as a constitutional right, and on acting in accordance with the provisions of the European Union General Data Protection Regulation (GDPR) when carrying out our activities.
This Personal Data Protection Policy has been prepared to inform you about the processes related to the collection, use, sharing, and storage of personal data by Prof. Dr. Ercan Pınar, an Ear, Nose, and Throat Specialist, located at Mimar Sinan Mah. Şair Eşref Bulvarı Aygın Apt. No:62 İç Kapı No:6 Konak-İZMİR. In the process of processing and protecting personal data, the provisions of the relevant legislation in force will be primarily applied.
The main purpose of this Personal Data Protection and Processing Policy ("Policy") is to reveal the rules, measures, duties, and responsibilities within the scope of personal data protection legislation adopted by the Physician and the Practice with a methodological approach and to ensure transparency in the measures we implement for the protection of personal data within this scope.
2. DEFINITIONS AND ABBREVIATIONS
The terms used in the implementation of this Policy express the meanings given below.
- Employees: Refers to the employees of the Physician and the Practice.
- Contact Person: Is the person responsible for following up on personal data processing activities within the Physician and the Practice and the implementation of KVK Policies and Procedures on an individual basis.
- Personal Data: Refers to any kind of information regarding a real person whose identity is specified or can be specified. For example; name, surname, address, telephone number, date of birth, place of birth, eye color, T.C. identification number.
- Personal Data Subject: Is the real person whose personal data is processed. For example; employee, visitor, customer, Interested Person.
- Processing of Personal Data: Is any kind of operation performed on personal data by fully or partially automated means or by non-automated means provided that it is part of any data recording system. For example; obtaining, recording, storing, changing, transferring.
- KVK Law: Refers to the Law No. 6698 on the Protection of Personal Data.
- GDPR: Refers to the European Union General Data Protection Regulation.
3. PRINCIPLES OF PROCESSING PERSONAL DATA
The Physician and the Practice processes personal data in accordance with the procedures and principles stipulated in the KVKK and other laws. The following principles are complied with in the processing of personal data:
- a) Being in accordance with the law and honesty rules:
The Physician and the Practice processes personal data in accordance with the legal legislation, the law, and the rules of honesty. It provides information to personal data owners.
- b) Being accurate and up-to-date when necessary:
The Physician and the Practice takes the necessary measures to ensure that the personal data it processes is accurate and up-to-date.
- c) Being processed for specific, explicit, and legitimate purposes:
The Physician and the Practice clearly and definitely determines the legitimate and legal purpose of processing personal data. The Physician and the Practice processes personal data in connection with and as much as necessary for the service it provides.
- ç) Being related, limited, and measured to the purposes for which they are processed:
The Physician and the Practice processes personal data in order to realize the purposes determined within the scope of the service it provides, and refrains from receiving, processing, and storing personal data that is not necessary for the realization of the purpose.
- d) Being stored for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed:
The Physician and the Practice stores personal data in accordance with the provisions of legal legislation. At the end of the period, personal data is deleted, anonymized, or destroyed.
CONDITIONS FOR PROCESSING PERSONAL DATA
The Physician and the Practice complies with the following conditions in accordance with the provisions of the KVKK No. 6698 when processing personal data:
- (1) Personal data cannot be processed without the explicit consent of the relevant person.
Personal data is processed only with the explicit consent of the data owner/relevant person. In this direction, patients are informed about the subject and their explicit consents based on free will are obtained.
- (2) In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the relevant person:
- a) Explicitly stipulated in the laws.
- b) It is mandatory to protect the life or bodily integrity of the person who is unable to express his consent due to an actual impossibility or whose consent is not legally valid, or another person.
- c) If it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract.
- ç) It is mandatory for the data controller to fulfill his legal obligation.
- d) Being made public by the relevant person himself.
- e) It is mandatory to process data for the establishment, use, or protection of a right.
- f) It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
CONDITIONS FOR PROCESSING SPECIAL CATEGORY PERSONAL DATA
The Physician and the Practice complies with the regulations specified in the processing of special category personal data specified in the KVKK No. 6698.
KVKK “ARTICLE 6- (1) The race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, associations, foundations or union memberships, health, sexual life, criminal convictions, and security measures of persons, as well as biometric and genetic data, are defined as special category personal data".
The Physician and the Practice processes special category personal data as follows:
- Special category personal data is processed with the explicit consent of the data subject,
- Personal data other than health and sexual life is processed without seeking the explicit consent of the relevant person in the cases stipulated in the laws,
- Personal data related to health and sexual life is processed by persons or authorized institutions and organizations that are under the obligation of confidentiality, without seeking the explicit consent of the data subject, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning, and management of health services and their financing.
METHODS OF COLLECTING AND PROCESSING PERSONAL DATA
In accordance with Articles 4, 5, and 6 of the Law on the Protection of Personal Data and within the scope of Articles 5, 7, 9, and 10 of the Regulation, the Physician and the Practice processes the personal data of real persons based on the Personal Data Processing Inventory, which must be organized and include the information below.
- Data category
- Purposes and legal basis for processing personal data
- Transferred recipient/recipient groups
- Groups of persons who are the subject of data
- Maximum retention period required for the purposes for which personal data is processed
- Transfer to foreign countries
- Administrative and technical measures taken regarding data security
THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY THE PHYSICIAN AND THE PRACTICE AND THE PURPOSES OF TRANSFER
The Physician and the Practice carefully complies with the conditions regulated in the KVKK, without prejudice to the provisions in other laws, regarding the sharing of personal data with third parties. In this context, personal data is not transferred by the Physician and the Practice to third parties without the explicit consent of the data owner. However, in the presence of one of the following conditions regulated by the KVKK, personal data may also be transferred by the Physician and the Practice without obtaining the explicit consent of the data owner:
- Explicitly stipulated in the laws,
- If it is mandatory to protect the life or bodily integrity of the person who is unable to express his consent due to an actual impossibility or whose consent is not considered legally valid, or another person.
- If it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract,
- If it is mandatory for the data controller to fulfill his legal obligation,
- Being made public by the data owner himself,
- If it is mandatory to process data for the establishment, use, or protection of a right,
- It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
Provided that sufficient measures are taken, your special category personal data other than health and sexual life may be transferred without explicit consent if stipulated in the laws, and your special category personal data related to health and sexual life may be transferred without explicit consent for purposes such as:
- The protection of public health,
- Preventive medicine,
- Medical diagnosis,
- The performance of treatment and care services,
- The planning and management of health services and their financing.
The conditions specified in the processing conditions of these data are also complied with in the transfer of special category personal data.
In addition, according to GDPR article 9/2/h, article 6/1/b, article 6/1/f, your data may be processed without requiring an explicit consent statement:
- In order to carry out examination, medical diagnosis, treatment, and care services, your Health Data, which is considered Special Category Personal Data, will be processed by the Clinic, which is under the obligation to keep secrets according to the Law, without requiring your explicit consent.
- Your Personal Data will be processed by the Clinic without requiring your explicit consent in order to perform your check-ups after medical diagnosis and treatment processes, to contact you directly, and to manage appointment processes.
- Your Personal Data will be processed by the Clinic, without requiring your explicit consent, in order to ensure patient satisfaction and demand management.
According to GDPR article 6/1/c, based on legal obligations, your Personal Data will be processed without obtaining your explicit consent in the following cases:
- Creation of a patient file.
- Preservation of information regarding your health data that needs to be stored in accordance with the relevant legislation.
- Carrying out the control of your fee payments and issuing invoices.
- Performing tax payments.
- Fulfilling the obligations under the Ministry of Health Regulations.
- Fulfilling the obligations under Health Tourism Regulations.
- Ensuring your data security.
- Fulfilling legal obligations before the Judicial Authorities.
- Fulfilling administrative obligations before Administrative Institutions and Organizations.
STORAGE OF PERSONAL DATA WITHIN THE SCOPE OF THE RELEVANT LEGISLATION
The Physician and the Practice stores personal data in a safe manner in physical or electronic environments for an appropriate period of time in order to fulfill the activities of our company, in accordance with the KVKK and other relevant legal provisions. It first examines whether there is a period for storing personal data and acts in accordance with this period. If there is no legal period, the necessary period is determined and personal data is stored in accordance with this period. At the end of the period, personal data is deleted, destroyed, or anonymized.
However, in cases where the data controller has a legitimate interest, personal data may be stored until the end of the general statute of limitations period (ten years) regulated in the Code of Obligations, provided that the processing purpose and the periods specified in the relevant laws have expired and that the storage does not harm the fundamental rights and freedoms of the data owners. In this context, the Physician and the Practice provides the necessary training to the relevant units within its organization and ensures awareness.
MEASURES TAKEN FOR DATA SECURITY
The Physician and the Practice takes all necessary technical and administrative measures to ensure the appropriate level of security necessary for the protection of personal data.
The measures stipulated in Article 12(1) of the KVKK are as follows:
- To prevent the unlawful processing of personal data,
- To prevent unlawful access to personal data,
- To ensure the protection of personal data.
The measures taken by the Physician and the Practice in this context are listed below:
Administrative Measures
- The Physician and the Practice carries out the necessary audits to ensure the implementation of the provisions of the Law.
- If personal data is obtained by others through illegal means, the Physician and the Practice notifies the relevant person and the Board as soon as possible.
- Regarding the sharing of personal data, it ensures data security through framework contracts, consent forms, and data subject explicit consent forms or provisions to be added to the contracts with the persons with whom personal data is shared.
- It employs personnel who are knowledgeable and experienced about the processing of personal data and provides its personnel with the necessary KVK trainings.
Technical Measures
- The Physician and the Practice employs knowledgeable and experienced persons in order to ensure data security and provides its personnel with the necessary KVK trainings.
- It performs the necessary internal controls within the scope of the established systems.
- It ensures the provision of the technical infrastructure that will prevent and/or observe the leakage of personal data outside the institution and the creation of the relevant matrices.
RIGHTS OF PERSONAL DATA OWNERS IN ACCORDANCE WITH ARTICLE 11 OF KVKK
Within the framework of Article 11 of the Personal Data Protection Law No. 6698 (KVKK), personal data owners may apply to the address of the Physician and the Practice and have the right:
- a) To learn whether personal data is being processed,
- b) If personal data has been processed, to request information about this,
- c) To learn the purpose of processing personal data and whether they are being used in accordance with their purpose,
- ç) To know the third parties to whom personal data is transferred domestically or abroad,
- d) To request correction of personal data if it has been processed incompletely or incorrectly,
- e) To request the deletion or destruction of personal data in accordance with the KVKK and other relevant legal provisions,
- f) To request notification of these transactions to the third parties to whom personal data has been transferred, if their personal data has been corrected, deleted, or destroyed,
- g) To object to the emergence of a result against them due to the analysis of their processed personal data exclusively through automatic systems,
- ğ) To request compensation for the damage in case they suffer damage due to the unlawful processing of personal data.
RIGHTS OF DATA OWNERS UNDER GDPR
As a Data Subject, your Personal Data is also protected under the GDPR. In cases where the GDPR has jurisdiction (citizens of the European Union or residents of European Union countries), the rights of Data Subjects are as follows:
- Right of Access (GDPR Article 15): The data subject has the right to confirm by applying to the Clinic whether his personal data is being processed, and to learn the details in GDPR Article 15 if the personal data is being processed.
- Right of Rectification (GDPR Article 16): The Data Subject has the right to correct his changing personal data held by the Clinic at any time by applying.
- Right to Erasure (GDPR Article 17): The Data Subject has the right to request the deletion of his personal data held by the Clinic. If the matters specified in GDPR Article 17 occur, your personal data will be deleted by the Clinic without delay.
- Right to Restriction of Processing (GDPR Article 18):
  - If Data Subjects object to the accuracy of their Personal Data, they have the right to request the restriction of the use of the data until the accuracy of the Personal Data is confirmed by the Clinic.
  - In cases where the Data Subject requests the deletion of his Personal Data because the Personal Data processing activity is illegal, he has the right to request the restriction of the use of the data until his request is fulfilled.
  - The Data Subject has the right to request the restriction of the use of his data in cases where the Clinic no longer needs his personal data in line with the processing purpose.
  - In cases where Data Subjects object to the processing activity in accordance with GDPR Article 21/1, they have the right to request the restriction of the use of their data until it is verified whether the Clinic's legitimate reasons for data processing outweigh the Data Subject's legitimate reasons.
- Right to Data Portability (GDPR Article 20): The Data Subject has the right to request the transfer of his Personal Data held by the Clinic to another controller at any time by applying, if technically possible. However, this right can be used when data processing is based on consent or in cases required by the contract.
- Right to object (GDPR Article 21): The data subject has the right to object to the processing of Personal Data within the scope of GDPR article 6/1/e and (f), based on reasons related to his specific situation.
We would like to inform you that we continue our activities with the awareness that personal data security is at the forefront in all our products and services we offer you.
