Personal Data Protection and Processing Policy

1.      PURPOSE AND SCOPE OF THE POLICY

Processing and protecting personal data in accordance with the law,

Data controller title: Prof. Dr. Mustafa Sofikerim
Data controller address: Acıbadem, Ataşehir Hospital, Atatürk Mah, Turgut Özal Blv. No:11/A, 34000 Ataşehir/Istanbul.

Data controller phone                     : 0530 240 65 89
Data controller email                    : mustafafasofikerim@yahoo.com
Data controller website: https://mustafasofikerim.com.tr/

It is of great importance for the data controller. This Personal Data Processing and Protection Policy (“Policy”) has been prepared in order to ensure that personal data processing activities comply with the Personal Data Protection Law No. 6698 and the regulations, circulars and directives issued within the scope of this law, and to harmonize the company as a whole with the KVKK legislation. In addition, this Policy determines the principles, procedures and principles of personal data processing, storage and security.

2.      DEFINITIONS

Among the legal and technical terms included in this Policy;

Explicit Consent Consent regarding a specific subject, based on information and expressed with free will,
Related User Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
Destruction Deletion, destruction or anonymization of personal data,
Law Personal Data Protection Law No. 6698 dated 24.3.2016,
recording media Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system,
Personal Data Any information regarding an identified or identifiable natural person,
Personal DataProcessing Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any action performed on data such as blocking,
Personal DataDeletion Deletion of personal data; making personal data inaccessible and unusable in any way for Relevant Users,
Personal DataDestruction The process of making personal data inaccessible, irretrievable and reusable by anyone,
Board Personal Data Protection Board,
Special Qualified PersonalData Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data,
Periodic Destruction In case all the conditions for processing personal data specified in the law are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals,
Relevant Person / Data Owner The real person whose personal data is processed,
Data Controller The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

It expresses.

3. PROCESSING OF PERSONAL DATA

3.1 Basic Principles Followed in the Processing of Personal Data

Personal data will be processed in accordance with the basic principles specified in the law. In this context, personal data;

  • It will be processed in accordance with the law and the rule of honesty.
  • Personal data will be ensured to be accurate and updated when necessary.
  • It will be processed for specific, explicit and legitimate purposes.
  • They will be used and disclosed in a limited and measured manner in connection with the legal purpose for which they are processed.
  • They will be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

3.2 Conditions for Processing Personal Data

Personal data that are not of special nature may be processed in the presence of at least one of the following legal reasons or by obtaining the explicit consent of the relevant person.

  • Clearly stipulated in law
  • Processing of the data of the parties is necessary for the performance of the contract
  • It is mandatory for the data controller to fulfill its legal obligation
  • Data processing is mandatory for the establishment, exercise or protection of a right
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3 Processing of Special Personal Data

The procedures and principles to be followed when processing special personal data are explained in detail in the Processing of Special Personal Data Policy prepared and published by our company.

Policy on Processing of Special Personal Data;
https://mustafasofikerim.com.tr/ You can reach us from our website

3.4 Disclosure of the Personal Data Owner

Relevant persons are informed in accordance with the Law. In this context, relevant persons are informed about the identity of the data controller, the purposes for which personal data will be processed, to whom it will be transferred, the method by which it is collected, the legal reason and the following rights of the relevant person.

Rights of Relevant Persons;

  • Learning whether personal data is processed or not,
  • Requesting information if personal data has been processed,
  • Learning the purpose of processing personal data and whether they are used for their intended purpose,
  • Knowing the third parties to whom personal data is transferred at home or abroad,
  • Requesting correction of personal data if they are incomplete or incorrectly processed,
  • Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
  • Requesting updates or deletions regarding personal data to be notified to transferred third parties,
  • Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
  • Requesting compensation for damage in case of damage due to illegal processing of personal data

To exercise your rights listed above:

  • From our clinic whose address is written above.
  • Internet mentioned above from our site you will get Data Owner Application FormYou must fill out the form completely and send it with a wet signature to the clinic address by hand, by mail or via a notary public, or to our e-mail address above via your e-mail address that you have previously notified us and registered in our system.

Applications made as stated above will be responded to free of charge as soon as possible and within 30 (thirty) days at the latest. However, if the transaction subject to your request causes an additional cost, the Clinic will charge the fee at the tariff determined by the Personal Data Protection Board.

4. PURPOSES OF PROCESSING PERSONAL DATA

It is processed for the purposes listed below, in accordance with the basic principles set out in Article 4 of the Law and based on at least one of the processing conditions of personal data and special personal data specified in Articles 5 and 6 of the Law.

  • Carrying out the application processes of employee candidates
  • Fulfillment of obligations arising from employment contracts and legislation for employees
  • Carrying out fringe benefits and benefits processes for employees
  • Carrying out activities in accordance with the legislation
  • Carrying out financial and accounting affairs
  • Ensuring physical space security
  • Follow-up and execution of legal affairs
  • Carrying out communication activities
  • Carrying out occupational health and safety activities
  • Execution of contract processes
  • Follow-up of requests and complaints
  • Ensuring the security of movable goods and resources
  • Providing information to authorized persons, institutions and organizations
  • Carrying out treatments and plans regarding oral and dental health
  • Carrying out promotional activities is processed limited to its purposes.

5.  STORAGE PERIOD AND DESTRUCTION OF PERSONAL DATA

In accordance with the provisions of the Law and the Regulation on Deletion, Destruction or Anonymization of Personal Data, personal data are stored for the period necessary for the purpose for which they are processed and in accordance with the periods stipulated in the legal legislation governing the relevant activity.

First of all, it is determined whether the relevant legislation provides for a period of storage of personal data. If a period is specified in the legislation, it is stored until this period, or if there is no legal period, it is stored for the period necessary for the purpose for which it is processed.

The storage periods determined separately for each category of personal data in accordance with the specified criteria are shown in the table below. Personal data is destroyed by the specified destruction methods within six-month periodic destruction periods starting from the end of these periods, or within thirty days at the latest if the relevant person applies.

Storage periods of personal data; 

PROCESSED DATA CONTACT CATEGORY STORAGE PERIOD
ID information Worker 15 years after termination of active employment relationship
Employee Candidate It will not be stored if the job application is rejected.
Patient 20 years from the end of treatment
Companion During service
Real Persons Providing External Services 10 years from end of service
Contact information Worker 15 years after termination of active employment relationship
Employee Candidate It will not be stored if the job application is rejected.
Patient 20 years from the end of treatment
Companion During service
Real Persons Providing External Services 10 years from end of service
Personal Health Data Worker 15 years after termination of active employment relationship
Employee Candidate It will not be stored if the job application is rejected.
Patient 20 years from the end of treatment
Criminal Conviction and Security Measures Information Worker 15 years after termination of active employment relationship
Employee Candidate It will not be stored if the job application is rejected.
personnel Worker 10 years after termination of active employment relationship
Employee Candidate It will not be stored if the job application is rejected.
Legal action Employee and Patient 10 years from the end of the legal process
Transaction Security Employee and Patient 2 years
Customer Transaction Patient 20 years
Real Persons Providing External Services 10 years from end of service
finance Patient 20 years
Worker 10 years
Camera Recordings For All Groups of People 2 months
Professional experience Worker 10 years after termination of active employment relationship
Employee Candidate If the job application process is negative, it is not stored
Audiovisual Records Worker 15 years after termination of active employment relationship
Patient 20 years after treatment ends
Employee Candidate If the job application process is negative, it is not stored

6. TRANSFER OF PERSONAL DATA

6.1  Transfer of Personal Data Domestically

Processed personal data may be transferred to the third parties listed below.

Personal data of our personnel;

  • In case of a legal dispute, upon request, to judicial authorities and party lawyers, limited to the requested personal data.
  • Identity and contact information are shared with an authorized financial advisor for the purpose of following up legal obligations.
  • Identity and financial information is sent to the contracted bank for salary payment.
  • Identity, contact, health, photograph, diploma and criminal conviction data are submitted to the district/provincial health directorate for the purpose of applying for a personnel work certificate.
  • Identity and title information is sent to the Health Personnel Tracking System within the Ministry of Health.
  • Identity information is submitted to the Social Security Institution for the purpose of employment declaration.
  • Identity and financial information must be submitted to the tax office for tax return.
  • Identity and family information must be submitted to the tax office for minimum subsistence allowance.
  • To the software company that is the developer of workplace computer programs for archiving purposes.

Personal data of patients receiving service;

  • In case of a legal dispute, upon request, to judicial authorities and party lawyers, limited to the requested personal data.
  • Identity, health and insurance information of those who receive service within the scope of private insurance are provided to private insurance companies.
  • Identity, contact, health and companion information will be sent to the health institution to be referred in case the patient is referred.
  • In accordance with the Private Hospitals Regulation, the software company that is the developer of the patient registration program for the purpose of archiving patient files

Personal data obtained from real persons providing services;

  • In case of legal dispute, judicial authorities and party lawyers upon request
  • Authorized financial advisor in accordance with legal obligations,
  • Contracted bank for payments
  • Software company that develops workplace computer programs for archiving

Personal data obtained from other groups of individuals;

In case of a legal dispute, it can be transferred to judicial authorities and party lawyers upon request.

7.  PROTECTION OF PERSONAL DATA

Our business, as stated in Article 12 of the Law;

  • To prevent unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • In order to ensure the protection of personal data, it takes the necessary technical and administrative measures to ensure the appropriate level of security and carries out or has the necessary inspections carried out to implement the measures taken.

7.1  Measures Taken to Protect Personal Data

1.1 Administrative Measures

  • There are disciplinary regulations for employees that include data security provisions.
  • Training and awareness activities on data security are carried out for employees at regular intervals.
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
  • Confidentiality commitments are made.
  • The signed contracts contain data security provisions.
  • Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.

Personal data security policies and procedures have been determined.

Personal data security issues are reported quickly.

Personal data security is monitored.

Necessary security measures are taken regarding entry and exit to physical environments containing personal data.

The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.

The security of environments containing personal data is ensured.

Personal data is reduced as much as possible.

Periodic and/or random audits are carried out within the institution.

Protocols and procedures for the security of special personal data have been determined and implemented.

If special personal data is to be sent via e-mail, it must be sent encrypted and using a KEP or corporate mail account.

The authorization scope and duration of users who are authorized to access sensitive personal data are clearly defined.

Inventory allocated to employees who change positions or leave their jobs is returned.

A personal data inventory has been prepared.

Deletion, destruction or anonymization processes are carried out periodically.

1.2  Technical Measures

Network security and application security are ensured.

Security measures are taken within the scope of supply, development and maintenance of information technology systems.

An authority matrix has been created for employees.

Access logs are kept regularly.

The authorities of employees who change their duties or leave their jobs in this area are removed.

Up-to-date anti-virus systems are used.

Firewalls are used.

User account management and authorization control system is implemented and these are also monitored.

Log records are kept without user intervention.

Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.

Cyber security measures have been taken and their implementation is constantly monitored.

Specially qualified persons' data transferred on portable memory, CD, DVD media is encrypted.

Periodic authorization checks are carried out for employees who have access to sensitive personal data.

Security updates for the environments where the data is stored are constantly monitored, necessary security tests are performed or performed regularly and the test results are recorded.

Security tests of software that access sensitive personal data are carried out regularly and the test results are recorded.

A two-stage authentication system is used for remote access to sensitive personal data.

If personal health data is to be transferred between servers in different physical environments, the transfer is made by establishing a VPN between the servers or using sFTP methods.

For personal data stored in digital environment, periodic deletion, destruction or anonymization processes are carried out.

 7.2    Precautions to be Taken in Case of Data Breach

If the personal data processed by our clinic/office is obtained by others through illegal means, our business will notify the data owner and the Board as soon as possible after learning of the violation.

Following the identification of the persons affected by the violation in question by our clinic/practice, the relevant persons will be notified directly to the contact address of the relevant person as soon as possible.

In the violation notification to be made to the relevant person;

  • When the violation occurred,
  • Which personal data were affected by the breach,
  • Possible consequences of the violation,
  • Measures taken or proposed to be taken to reduce the effects of the violation,
  • The name and contact details of the contact person who will ensure that the relevant person receives information about the data breach will be included.

8.  RIGHTS OF PERSONAL DATA OWNERS AND THE USE OF THESE RIGHTS

8.1   Rights of Personal Data Owner

Personal data owners have the following rights:

  • Learning whether personal data is processed or not,
  • Requesting information if personal data has been processed,
  • Learning the purpose of processing personal data and whether they are used for their intended purpose,
  • Knowing the third parties to whom personal data is transferred at home or abroad,
  • Requesting correction of personal data in case personal data has been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
  • Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the law and other relevant legal provisions, and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
  • Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
  • Request compensation for damages in case of damage due to unlawful processing of personal data.

8.2   Exercise of Personal Data Owner's Rights

Personal data owners,

  • From our clinic whose address is written above.
  • From our website https://mustafasofikerim.com.tr/

what they will acquire Data Owner Application FormThey can exercise their rights listed above and listed in Article 11 of the Law by filling in the form with a wet signature and delivering it by hand, by mail or through a notary to the address of the data controller specified above.

8.3   Responding to Applications

If the personal data owner submits his request regarding the rights listed above and in Article 11 of the Law to our Clinic in accordance with the procedure, the clinic will finalize the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

9. COORDINATION OF PERSONAL DATA PROTECTION AND PROCESSING PROCESSES

The data controller or authorized personnel coordinates the protection and processing of personal data.

10.  UPDATES TO THE POLICY

Our clinic has the right to make changes to this Personal Data Processing and Protection Policy due to changes in legislation, in accordance with the Board decisions or in line with developments in the sector or the field of informatics. Changes made in this context are immediately recorded in the text and explanations regarding the changes are added to the updates table below.

Updates Table

Personal Data Processing and Protection Policy has entered into force.

11.  FINAL PROVISIONS

This Personal Data Storage and Destruction Policy is prepared by the data controller;