GÜNEY TIP PRIVATE HEALTH SERVICES INC.
EGEMED KUŞADASI HOSPITAL
POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

 

The protection of personal data is one of the top priorities of GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş. / Egemed Kuşadası Hospital. We exercise the necessary diligence regarding the security of personal data and place great importance on ensuring that patient privacy is respected and that all personal data belonging to our patients is processed and stored with the utmost care and to the best of our ability. In accordance with Law No. 6698 on the Protection of Personal Data, the Regulation on the Processing of Personal Health Data and the Protection of Privacy, and relevant legislation, the following fundamental principles have been adopted as our Company Policy for the Protection of Personal Data, covering our patients, their companions and visitors, all our employees, interns, and the staff of institutions and organizations with which we collaborate.

• Processing personal data in accordance with the law and the principles of good faith,

• Keeping personal data accurate and up to date as necessary, 

• Processing personal data for specific, explicit, and legitimate purposes, 

• Processing personal data in a manner that is relevant, limited, and proportionate to the purpose for which it is processed, 

• Retaining personal data for the period required by applicable laws or for as long as necessary to fulfill the purpose for which it was processed, 

• Informing and notifying data subjects, 

• Establishing a system by taking the necessary measures to enable data subjects to exercise their rights,

• Conducting regular audits while taking the necessary measures to safeguard personal data, 

• Acting in compliance with applicable legislation and the regulations and decisions of the Personal Data Protection Board when transferring personal data to third parties in accordance with the requirements of the purpose of processing,

• Demonstrating the necessary diligence in the processing and protection of special category personal data, and taking the necessary measures required of data controllers regarding the processing of special category personal data, as specified in Article 6 of the Personal Data Protection Law No. 6698 and in Decision No. 2018/10 of the Personal Data Protection Board dated January 31, 2018,

• Deleting and destroying personal data in the manner and within the timeframe specified by law,

• Creating a Personal Data Inventory.

 

  • PURPOSE

The primary purpose of this Policy is to provide information regarding the personal data processing activities conducted in compliance with the law by GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital and the measures taken to protect personal data. Within this scope, the Policy aims to ensure transparency by informing individuals whose personal data is processed by our Company, including our patients, visitors, employees, Company officials, employees of institutions with which we collaborate, shareholders and their representatives, and third parties. Personal data processed by GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital may vary depending on the health services provided and is collected through both automated and non-automated methods. Health data, including special category personal data and personal data collected verbally, in writing, or electronically through our patient representatives, physicians, healthcare professionals, employees, subcontractors and their employees, companies with which we have entered into any form of commercial collaboration, our call center, our website, online services, and similar channels, may be processed for the purposes listed below.

The provision of medical diagnosis, treatment, and care services; the protection of public health; preventive medicine; the planning and management of healthcare services and their financing; informing our patients about appointments; planning and managing our hospital’s internal procedures, conducting analyses to improve healthcare services, training and development of our staff, protecting our employees’ personnel processes and legal rights, monitoring and preventing fraud and unauthorized transactions, carrying out risk management and quality improvement activities, conducting research, complying with legal and regulatory requirements, billing for our services, verifying your identity, reporting newborns, verifying your relationship with institutions contracted with our hospital, sharing any information requested by private insurance companies regarding the financing of healthcare services, responding to any questions or complaints regarding our healthcare services, taking all necessary technical and administrative measures regarding data security for our hospital systems and applications, analyzing your use of healthcare services and storing your health data to improve and enhance the healthcare services we provide to you; retaining and archiving information regarding your health data that must be retained in accordance with applicable legislation; ensuring financial reconciliation regarding the healthcare services provided to you with our contracted institutions, banks, and all organizations (public and private) that collect healthcare expenses; sharing requested information with the Ministry of Health and other public institutions and organizations in accordance with applicable laws, measuring patient satisfaction, and enhancing patient satisfaction. 

Personal data is collected, processed, and stored.

 

  • SCOPE

This policy covers the personal data of our patients, caregivers, visitors, Company officials, employees, interns, and the employees, shareholders, and officials of individuals, organizations, and institutions with whom we have a business partnership or any other legal relationship, as well as third parties, processed by automated or non-automated means, as defined below.

First name, last name, Turkish ID number, passport number, or temporary Turkish ID number; place and date of birth; gender; marital status; hospital-specific protocol number; and other identifying data used to identify patients; contact information such as address, phone number, and email address; financial data such as payment and billing information; audio and digital information that can be obtained through electronic or non-electronic means; personal health data obtained during the provision of all medical diagnostic, examination, treatment, and care services, as well as general and special-category personal data; data related to private health insurance for the purposes of financing and planning health services, and Social Security Institution data; health and identification data submitted via websites; and all visual records (both digital and non-digital).

Depending on the group of data subjects, the scope of application of this policy may encompass the entire policy or only certain provisions thereof.

Personal data may also be processed when using the call center or website to access online services, on the Company’s internal intranet, during training, when participating in events organized by the hospital, or when visiting websites.

 

  • DEFINITIONS

Data Controller

The person who determines the purposes and means of processing personal data and manages the location where the data is systematically stored (data recording system). In this Protocol, this refers to GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital.

Data Processor

A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Subject

A natural person whose personal data is processed. For example, patients, employees, and interns.

Patient

A person who has sought medical examination or treatment at our company and has received outpatient or inpatient care.

Third Person

Third-party individuals associated with the aforementioned parties, for the purpose of ensuring the security of our company’s commercial transactions with them or protecting the rights and safeguarding the interests of such individuals.

Visitor

Individuals who have entered our company’s physical premises for various purposes or who have visited our websites.

Personal Data

Any information relating to an identified or identifiable natural person.

Sensitive Personal Data

Data related to race, ethnic origin, political opinion, philosophical beliefs, religion, denomination, or other beliefs; attire; membership in associations, foundations, or trade unions; health; sexual life; criminal convictions; and security measures, as well as biometric and genetic data, are considered special category data.

Processing of Personal Data

Any operation performed on personal data, such as the collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or restriction of use of such data, whether carried out wholly or partly by automated means or by non-automated means provided that it forms part of a data filing system.

  • IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

Our Personal Data Processing and Protection Policy is implemented in accordance with applicable laws and regulations. The GÜNEY TIP PRIVATE HEALTH SERVICES INC. / Egemed Kuşadası Hospital Personal Data Processing and Protection Policy has been prepared in compliance with current laws, regulations, and other applicable legislation, as well as the decisions of the Personal Data Protection Authority.

This policy has been developed by integrating the practices of GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital within the framework of the rules established by relevant legislation. The personal data mentioned above may be processed as necessary in accordance with the provisions of the Health Services Framework Law No. 3359, the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Its Affiliated Institutions, the Private Hospitals Regulation, the Regulation on the Processing of Personal Health Data and the Protection of Privacy, other Ministry of Health regulations, and other applicable legal provisions. Personal data will be transferred to the physical archives and information systems of our hospitals and/or suppliers. Personal data will be protected in both digital and physical environments in accordance with the legal retention periods defined in Company procedures, consistent with the timeframes specified in the relevant laws.

  • THE RELATIONSHIP BETWEEN THE HOSPITAL’S POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA AND OTHER POLICIES AND PROCEDURES

The Hospital has established fundamental policies and procedures regarding the protection and processing of personal data, in accordance with the principles set forth in this Policy. By linking these policies and procedures to the Hospital’s core policies in other areas, harmonization is also ensured among the processes the Hospital operates under different policy principles for similar purposes.

  • HOSPITAL POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA: GOVERNANCE STRUCTURE

The hospital has established a governance structure to ensure compliance with legal regulations and to enforce its Policy on the Protection and Processing of Personal Data.

Pursuant to a decision by the Hospital’s senior management, a “Contact Person” has been appointed to oversee this Policy and other policies and procedures related to it within the Hospital. The duties of the Contact Person are outlined below:

⦁ Develop and submit for approval by senior management the fundamental policies regarding the protection and processing of personal data.

⦁ To determine how policies regarding the protection and processing of personal data will be implemented and monitored, and to submit matters related to internal hospital assignments and coordination within this framework to senior management for approval.

⦁ Identify the necessary steps to ensure compliance with the Personal Data Protection Law and related legislation; submit these steps to senior management for approval; oversee their implementation and ensure coordination.

⦁ To raise awareness regarding the protection and processing of personal data both within the hospital and among the institutions with which the hospital collaborates.

⦁ Identify risks that may arise from the hospital’s personal data processing activities and ensure that necessary measures are taken; submit improvement recommendations to senior management for approval.

⦁ Design training programs on the protection of personal data and the implementation of related policies, and ensure their implementation.

⦁ To resolve data subjects’ requests to the greatest extent possible.

⦁ To coordinate the implementation of information and training activities to ensure that data subjects are informed about personal data processing activities and their legal rights.

⦁ Prepare changes to the core policies regarding the protection and processing of personal data and submit them to senior management for approval.

⦁ Monitor developments and regulations regarding the protection of personal data; provide recommendations to senior management on the necessary actions to be taken within the hospital in accordance with these developments and regulations.

⦁ Coordinate relations with the Personal Data Protection Board and Agency.

⦁ Carry out other duties related to the protection of personal data as assigned by the hospital’s senior management.

 

  • INFORMATION AND NOTIFICATION OF THE DATA SUBJECT

In accordance with Article 10 of the Personal Data Protection Law, we inform data subjects at the time of collecting their personal data. In this context, our Company informs data subjects during the collection of their personal data regarding the Company’s identity, the purposes for which the personal data will be processed, to whom and for what purposes the processed personal data may be transferred, the method and legal basis for collecting personal data, and the rights of the data subject under Article 11 of the Personal Data Protection Law.

Article 20 of the Constitution establishes that everyone has the right to be informed about personal data concerning them. In line with this, Article 11 of the Personal Data Protection Law lists the right to request information among the rights of the data subject. In this context, our company provides the necessary information within the prescribed timeframe when a data subject requests information, in accordance with Article 20 of the Constitution and Article 11 of the Personal Data Protection Law.

Our company informs data subjects and other relevant parties about its policy on the protection of personal data by publishing it on its website, through publicly available documents within the building where the company conducts its operations, and by other means, thereby ensuring accountability and transparency in its personal data processing activities. Additionally, our company informs data subjects about its activities and the relevant provisions of the law through various methods, particularly when seeking their explicit consent.

  • ENSURING THE SECURITY OF PERSONAL DATA

Our company takes the necessary technical and administrative measures to ensure an adequate level of security in order to prevent the unlawful processing of personal data it handles and to ensure the secure storage of such data; in this context, it regularly conducts or commissions the necessary audits.

The measures taken by our company to ensure “data security” in accordance with Article 12 of the Personal Data Protection Law are listed below.

• Our company takes technical and administrative measures, in accordance with technological capabilities and implementation costs, to ensure the lawful processing of personal data. Employees are informed that they may not disclose personal data they have learned to third parties in violation of the provisions of the Personal Data Protection Law (KVKK) or use such data for purposes other than those for which it was collected, and that this obligation continues even after they leave their positions. Accordingly, the necessary commitments are obtained from them, and “Confidentiality Agreements” are entered into with these individuals. 

• Our company implements technical and administrative measures to prevent the disclosure, access, or transfer of personal data due to negligence or unauthorized access, as well as any other form of unlawful access. 

• Our company works to raise awareness among data processors—such as business partners and suppliers to whom we have transferred personal data—regarding the prevention of unlawful processing of personal data, the prevention of unauthorized access to such data, and the assurance of lawful data retention; we obtain the necessary commitments from them and enter into “Confidentiality Agreements” with them.

• As the data controller for our company, we comply with the obligations we are required to fulfill when processing personal data, as well as the legal, administrative, and technical measures we have implemented in this regard.

• We enter into contracts with data processors—such as suppliers, business partners, and service or consulting providers—with whom our company maintains relationships, ensuring that these contracts are consistent with the nature of the data processing activities they perform.

• Our company conducts the necessary audits internally through a designated contact person. The results of these audits are documented and reported using audit forms, and the necessary actions are taken to improve the measures implemented.

• In accordance with Article 12 of the Personal Data Protection Law, our company operates a system that ensures the prompt notification of the relevant data subject and the Personal Data Protection Board in the event that personal data processed in compliance with the law is obtained by others through unlawful means, and has established a “PERSONAL DATA BREACH RESPONSE PLAN” for this purpose.

 

  • PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital meticulously protects personal data using its technical and administrative resources. The security measures implemented by our company are maintained at the highest level, taking into account technological capabilities and potential risks.

Under Law No. 6698, data concerning individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, denomination, or other beliefs; attire; membership in associations, foundations, or trade unions; health; sexual life; criminal convictions; and security measures, as well as biometric and genetic data, are defined as special category personal data.

We strictly adhere to the adequate measures that data controllers must take when processing special category personal data, as stipulated in Article 6 of the Personal Data Protection Law No. 6698 and in Decision No. 2018/10 of the Personal Data Protection Board dated January 31, 2018. In this context, our Company;

1. We have established a separate policy (POLICY ON THE PROTECTION AND PROCESSING OF SENSITIVE PERSONAL DATA) and procedures that are systematic, clearly defined, manageable, and sustainable, specifically designed to ensure the security of sensitive personal data.

2. For employees involved in the processing of special-category personal data,

a) Regular training sessions are conducted on the law, related regulations, and the security of special-category personal data,

b) Non-disclosure agreements are being entered into,

c) The scope and duration of access permissions for users authorized to access the data are clearly defined,

ç) Authorization checks are conducted periodically,

d) The access rights of employees who have been reassigned or have left the company are immediately revoked. In this context, the equipment assigned to them by the data controller is retrieved.

3. Electronic environments in which special-category personal data is processed, stored, and/or accessed,

a) The data is protected using cryptographic methods,

b) Cryptographic keys are stored securely in separate environments,

c) Transaction logs for all actions performed on the data are securely logged,

ç) Security updates for the environments where the data is stored are continuously monitored; necessary security tests are conducted regularly; and the test results are documented and stored in the Data Protection folder,

d) User authorizations are set up for the software used to access the data; security tests for this software are conducted regularly; and the test results are documented and stored in the Data Protection folder,

e) A two-factor authentication system is provided for remote access to data,

4. In physical environments where special-category personal data is processed, stored, and/or accessed;

a) Appropriate security measures (against electrical faults, fire, flooding, theft, etc.) are taken based on the nature of the environment where sensitive personal data is stored,

b) By ensuring the physical security of these areas, unauthorized entry and exit are prevented,

5. Regarding the transfer of special category personal data;

a) When data is transferred via email, it is transmitted in encrypted form, if necessary, using a corporate email address or a Registered Electronic Mail (KEP) account,

b) If the data must be transferred via media such as USB drives, CDs, or DVDs, it must be encrypted using cryptographic methods, and the cryptographic key must be stored on a separate medium,

c) If data is being transferred between servers in different physical locations, the transfer is carried out by establishing a VPN between the servers or using the SFTP method,

ç) When data is transmitted in paper form, necessary precautions are taken against risks such as theft, loss, or unauthorized access to the documents, and the documents are sent in the format of “classified documents.”

In addition to the measures specified above, technical and administrative measures aimed at ensuring the appropriate level of security as outlined in the Personal Data Security Guide published on the Personal Data Protection Authority’s website are also taken into account.

  • Raising Awareness and Monitoring the Protection and Processing of Personal Data by Business Units

GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital ensures that periodic training sessions are conducted for its departments to raise awareness regarding the prevention of unlawful processing of personal data, the prevention of unlawful access to personal data, and the safeguarding of personal data.

Systems are being established to raise awareness among hospital staff regarding the protection of personal data, and the hospital works with consultants as needed on this matter.

In this regard, our hospital evaluates participation in relevant training programs, seminars, and informational sessions, and updates and renews its training programs in line with updates to the relevant regulations.

 

  • Raising Awareness and Monitoring the Protection and Processing of Personal Data Among Business Partners and Suppliers

GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital provides its business partners with the necessary information to prevent the unlawful processing of personal data, prevent unauthorized access to such data, and raise awareness regarding the secure storage of data. The contracts, protocols, and confidentiality agreements entered into between the institution and its business partners include references to the necessary warnings and cautions required under the Personal Data Protection legislation.

Users authorized to access and process personal data receive ongoing training on the necessity of securing information systems and networks, as well as on what steps they can take to enhance security, and are kept informed accordingly.

All users are aware that they share responsibility for the security of the information system components they use and their personal data.

 

  • GENERAL PROVISIONS REGARDING THE PROCESSING OF PERSONAL DATA

In the course of its personal data processing activities, GÜNEY TIP PRIVATE HEALTH SERVICES INC. / Egemed Kuşadası Hospital acts in accordance with:

  • General principles
  • Conditions for the processing of personal data
  • Conditions for the processing of special categories of personal data

 

  • PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH GENERAL PRINCIPLES

In accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law, our company processes personal data in a manner that is accurate and up-to-date, compliant with the law and the principles of good faith, and for specific, explicit, and legitimate purposes; such processing is carried out in a manner that is relevant to the purpose, limited, and proportionate. 

Our company retains personal data for as long as required by law or as necessary to fulfill the purpose of processing such data.

In accordance with Article 20 of the Constitution and Article 5 of the Personal Data Protection Law, our company processes personal data based on one or more of the conditions set forth in Article 5 of the Personal Data Protection Law regarding the processing of personal data. 

Our company complies with the regulations governing the processing of special categories of personal data in accordance with Article 6 of the Personal Data Protection Law. 

Our company acts in accordance with the regulations and decisions established by the Personal Data Protection Board regarding the transfer of personal data, as provided for in Articles 8 and 9 of the Personal Data Protection Law.

  • Processing in Compliance with the Law and the Principle of Good Faith

Our company acts in accordance with the principles established by legal regulations regarding the processing of personal data, as well as the general principles of good faith and fairness. Our company takes into account the requirement of proportionality in the processing of personal data and does not use personal data for purposes other than those for which it was collected.

  • Ensuring That Personal Data Is Accurate and, Where Necessary, Up-to-Date

Our company takes the necessary measures to ensure that the personal data it processes is accurate and up-to-date, while taking into account the fundamental rights of data subjects and its own legitimate interests.

  • Processing for Specific, Explicit, and Legitimate Purposes

Our company clearly and precisely defines the legitimate and lawful purposes for processing personal data. Our company processes personal data only to the extent necessary for the services it provides. The purposes for which personal data will be processed by our company are disclosed prior to the commencement of any personal data processing activities.

  • Relevant to the Purpose for Which They Are Processed, Limited, and Proportionate

Our company processes personal data in a manner that is appropriate for achieving the specified purposes and refrains from processing personal data that is not relevant to or necessary for achieving those purposes.

  • Retention for the Period Specified in the Relevant Legislation or as Necessary for the Purpose for Which the Data Is Processed

Our Company retains personal data only for as long as required by applicable legislation or as necessary for the purpose for which it was processed. In this context, our Company first determines whether applicable legislation specifies a retention period for personal data; if a period is specified, we comply with that period; if no period is specified, we retain personal data for as long as necessary for the purpose for which it was processed. Upon the expiration of the retention period or the cessation of the reasons necessitating the processing, personal data is deleted, destroyed, or anonymized by our company, depending on the nature of the data.

 

  • Processing of Personal Data in Compliance with the Conditions for Processing

The protection of personal data is a constitutional right. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may be processed only in cases provided for by law or with the explicit consent of the individual. In accordance with this principle and in compliance with the Constitution, our company processes personal data only in cases provided for by law or with the explicit consent of the individual.

Although the legal basis for the processing of personal data by our company may vary, all personal data processing activities are conducted in accordance with the general principles set forth in Article 4 of Law No. 6698.

The data subject’s explicit consent is one of the legal bases that enables the lawful processing of personal data. In addition to explicit consent, personal data may also be processed if any of the other conditions listed below are met. The basis for a personal data processing activity may be any one of the conditions listed below, or multiple conditions may serve as the basis for the same personal data processing activity. The conditions listed below apply to data processing.

Obtaining Informed Consent

The protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted only for the reasons specified in the relevant provisions of the Constitution and only by law, without infringing upon their essence. Pursuant to Article 20, Paragraph 3 of the Constitution, personal data may be processed only in cases provided for by law or with the explicit consent of the individual. GÜNEY TIP PRIVATE HEALTH SERVICES INC. / Egemed Kuşadası Hospital, in accordance with this principle and in compliance with the Constitution, processes personal data only in cases provided for by law or with the individual’s explicit consent.

 

Exceptions Where Explicit Consent Is Not Required for the Processing of Personal Data

GÜNEY TIP PRIVATE HEALTH SERVICES INC. / Egemed Kuşadası Hospital may process personal data without explicit consent if any of the following conditions set forth in the Law are met:

– Explicitly Provided for by Law

The data subject’s personal data may be processed lawfully, provided that such processing is expressly provided for by law and is limited to the scope of the relevant legal regulation.

– Failure to Obtain the Data Subject’s Explicit Consent Due to Practical Impossibility

Personal data may be processed without explicit consent if it is necessary to protect the life or physical integrity of the individual—who is unable to express consent due to actual impossibility or whose consent is not legally valid—or of another person.

– Directly Related to the Formation or Performance of the Contract

Personal data may be processed if such processing is necessary for the conclusion or performance of a contract, provided that it is directly related to the contract.

– Fulfilling Our Company’s Legal Obligations

GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital may process the personal data of the data subject if it is necessary to fulfill its legal obligations.

– Disclosure of Personal Data by the Data Subject

Personal data that has been made public by the data subject themselves—in other words, data that has been disclosed to the public in any way—may be processed without explicit consent.

– When Data Processing Is Necessary for the Establishment or Protection of a Right

Personal data may be processed without requiring explicit consent if such processing is necessary for the establishment, exercise, or defense of a legal claim.

– The Necessity of Data Processing for the Legitimate Interests of Our Company

Provided that such processing does not infringe upon the data subject’s fundamental rights and freedoms, personal data may be processed without requiring explicit consent if such processing is necessary for the legitimate interests of GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital.

 

  • PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA IN ACCORDANCE WITH THE REQUIREMENTS

In processing special category personal data under the Personal Data Protection Law, our company acts in accordance with the regulations set forth in the Personal Data Protection Law.

Article 6 of the Personal Data Protection Law designates as "sensitive personal data" certain personal data that, if processed unlawfully, carries the risk of causing harm to individuals or leading to discrimination. These include data related to race, ethnic origin, political opinions, philosophical beliefs, religion, denomination, or other beliefs; attire and clothing; membership in associations, foundations, or trade unions; health; sexual life; criminal convictions and security measures; as well as biometric and genetic data.

Pursuant to Article 6, Paragraph 3 of the Personal Data Protection Law, our Company may collect data related to HEALTH AND SEXUAL LIFE—which constitute special category personal data—without requiring the explicit consent of individuals. Our Company processes these data, which it collects without requiring explicit consent, in accordance with Paragraph 4 of Article 6 of the Personal Data Protection Law and the sufficient measures specified in the Personal Data Protection Board’s Decision No. 2018/10 regarding the processing of special category personal data. In this context, our Company’s measures are as follows:

1. Establishing a separate policy and procedure for the security of special category personal data that is systematic, clearly defined, manageable, and sustainable,

2. For employees involved in the processing of special category personal data,

a) Providing regular training on the law, related regulations, and the security of special category personal data,

b) Entering into confidentiality agreements,

c) Clearly defining the scope and duration of access permissions for users authorized to access the data,

ç) Conducting periodic authorization checks,

d) Immediately revoking the access rights of employees who have changed roles or left the company and, in this context, ensuring the return of any equipment assigned to them by the data controller,

3. If the environments where special category personal data is processed, stored, and/or accessed are electronic environments,

a) Protecting the data using cryptographic methods,

b) Storing cryptographic keys securely and in different environments,

c) Securely logging the transaction records of all operations performed on the data,

ç) Continuously monitoring security updates for the environments where the data is stored, regularly conducting or having conducted the necessary security tests, and documenting the test results,

d) If data is accessed via software, user authorizations for such software must be established; security tests for such software must be conducted regularly; and test results must be documented,

e) If remote access to the data is required, a two-factor authentication system must be provided,

4. If the environments where special category personal data is processed, stored, and/or accessed are physical environments,

a) Ensuring that adequate security measures (against electrical faults, fire, flooding, theft, etc.) are in place, depending on the nature of the environment where sensitive personal data is stored,

b) Ensuring the physical security of these environments to prevent unauthorized access,

5. If special categories of personal data are to be transferred,

a) If data must be transferred via email, it must be transmitted in encrypted form using a corporate email address or a Registered Electronic Mail (KEP) account,

b) If the data must be transferred via media such as USB drives, CDs, or DVDs, it must be encrypted using cryptographic methods, and the cryptographic key must be stored on a separate medium,

c) If data is being transferred between servers in different physical environments, data transfer must be performed by establishing a VPN between the servers or using the sFTP method,

ç) If data must be transferred in paper form, necessary precautions must be taken against risks such as theft, loss, or unauthorized access, and the documents must be sent in the “classified documents” format.

In addition to the measures outlined above, we take the utmost care to comply with the requirements regarding the implementation of technical and administrative measures aimed at ensuring the appropriate level of security, as specified in the Personal Data Security Guide published on the Personal Data Protection Authority’s website.

 

  • Personal data processing activities at building entrances and within buildings, and website visitors

The hospital’s personal data processing activities conducted at the entrances to the facility and within the premises are carried out in compliance with the Constitution, Law No. 5188 on Private Security Services, Article 49 of the Private Hospitals Regulation, the Law on the Protection of Personal Data No. 6698, and other relevant legislation.

To ensure security, our hospital conducts personal data processing activities involving video surveillance of our buildings and facilities, as well as the tracking of visitor entries and exits. Through the use of security cameras and the recording of visitor entries and exits, our hospital carries out personal data processing activities.

In this regard, our hospital operates in compliance with the Constitution, the Law on the Protection of Personal Data, and other relevant legislation.

 

  • CAMERA SURVEILLANCE ACTIVITIES CONDUCTED AT THE ENTRANCES TO AND INSIDE THE SÖKE EGEMED PRIVATE HOSPITAL BUILDING AND FACILITIES

As part of our security camera monitoring activities, our hospital aims to improve the quality of the services we provide, ensure their reliability, safeguard the security of the hospital, our patients, and other individuals, and protect our patients’ interests regarding the services they receive.

Legal Basis for Video Surveillance Activities

The hospital’s video surveillance activities are conducted in accordance with Law No. 5188 on Private Security Services, Article 49 of the Private Hospitals Regulation, and relevant legislation.

Conducting Surveillance Activities Using Security Cameras in Compliance with Data Protection Law

The hospital conducts video surveillance for security purposes in compliance with the provisions of the Personal Data Protection Law.

The hospital conducts security camera monitoring activities to ensure security in its buildings and facilities, in accordance with the purposes set forth in the law and the conditions for processing personal data specified in the law.

Notice Regarding Surveillance Activities Using Cameras

The hospital informs the data subject in accordance with Article 10 of the Law.

The aim is thus to prevent any infringement of the data subject’s fundamental rights and freedoms, and to ensure transparency and the provision of information to the data subject.

With regard to the hospital’s video surveillance activities: This Policy is published on our hospital’s website (online policy disclosure), and notices informing visitors that surveillance is in progress are posted at the entrances to the areas where surveillance takes place (on-site notification).

The Purpose of Conducting Surveillance Activities Using Cameras and the Principle of Limitation to That Purpose

In accordance with Article 4 of the Law, the hospital processes personal data in a manner that is relevant, limited, and proportionate to the purpose for which it is processed.

The hospital’s use of video surveillance is limited to the purposes outlined in this policy. Accordingly, the coverage areas, number, and timing of security camera monitoring are implemented only to the extent necessary to achieve security objectives and are strictly limited to that purpose. At our hospital, video surveillance is conducted solely for security purposes at the entrance to the administrative building, on every floor, and in outdoor areas. Individuals are not subject to surveillance in areas where such monitoring could result in an intrusion into their privacy that exceeds security objectives (for example, restrooms, which are private areas).

Ensuring the Security of Collected Data

In accordance with Article 12 of the Law, the hospital takes the necessary technical and administrative measures to ensure the security of personal data obtained through video surveillance activities.

Retention Period for Personal Data Obtained Through Video Surveillance Activities

In accordance with the Private Hospitals Regulation, camera recordings are retained for at least two months. After that, they are automatically deleted.

Who Has Access to the Information Obtained Through Monitoring and to Whom This Information Is Disclosed

Only a limited number of Egemed Kuşadası Hospital employees have access to the recordings stored and retained in the digital environment. Live camera feeds can be viewed by security personnel and hospital officials. The limited number of individuals with access to the recordings have signed a confidentiality agreement pledging to protect the confidentiality of the data they access.

  • RETENTION OF RECORDS RELATED TO INTERNET ACCESS PROVIDED TO VISITORS AT THE SÖKE EGEMED BUILDINGS AND FACILITIES

To ensure security and for the purposes outlined in this Policy, our Hospital may provide internet access to visitors who request it while they are on our premises. In this case, log records related to your internet access are recorded in accordance with the provisions of Law No. 5651 on the Regulation of Publications Made on the Internet and the Fight Against Crimes Committed Through Such Publications, and the relevant regulations issued pursuant to this Law; and these records are processed solely upon request by authorized public institutions and organizations or to fulfill our legal obligations during internal audit processes conducted within the hospital.

Only a limited number of Hospital employees have access to the log records obtained in this context. Hospital employees with access to these records may access them solely for the purpose of responding to requests from authorized public institutions and organizations or for use in audit processes, and they share them only with legally authorized individuals. The limited number of individuals with access to the records have signed a confidentiality agreement pledging to protect the confidentiality of the data they access.

 

  • WEBSITE VISITORS

On the websites owned by the hospital, technical tools (such as cookies) are used to record users’ online activities on the sites in order to ensure that visitors’ interactions align with their intended purposes, to display personalized content to them, and to conduct online advertising activities.

Detailed information regarding the protection and processing of personal data in connection with these activities is available on the Hospital’s website in the “Cookie Policy” document.

 

  • TRANSFER OF PERSONAL DATA

Our company may transfer the personal data and special category personal data of data subjects to third parties, provided that it takes the necessary security measures in accordance with the purposes of personal data processing and within legal limits. In this regard, our company acts in compliance with the provisions set forth in Article 8 of the Personal Data Protection Law.

Your personal data will be processed in accordance with the Law and other applicable legislation, and for the purposes stated above, by Egemed Hospitals, Medical Centers, Group Companies, Universities, the Ministry of Health and its affiliated units, family health centers, private insurance companies (health, pension, life insurance, and similar), the Social Security Institution, the General Directorate of Security and other law enforcement agencies, judicial authorities, the General Directorate of Population, the Turkish Pharmacists’ Association, and all public institutions and organizations (without being limited to the aforementioned), laboratories with which we collaborate for medical diagnosis, medical centers and third parties providing healthcare services, the healthcare facility to which the patient is referred or to which the patient applies on their own, your authorized representatives, the institution you are affiliated with and/or employed by, lawyers, tax and social security authorities, etc. including third parties from whom we receive consulting services, regulatory and supervisory bodies and official authorities, your insurance company within or outside the country, our suppliers, support service providers, and business partners from whom we receive services or with whom we collaborate.  

 

  • TRANSFER OF PERSONAL DATA ABROAD

GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital transfers personal data and special category personal data only to the individual’s insurance company, limited to those who receive services from our company under an international health insurance policy.

  • Conditions for the Erasure, Destruction, and Anonymization of Personal Data

Personal data will be deleted, destroyed, or anonymized upon the expiration of the purpose of processing, at the request of the data subject, and/or upon the expiration of the retention periods established by applicable laws and the company.

Personal data may be retained in accordance with the standards and/or time limits specified by law for the purpose of fulfilling legal obligations, such as serving as evidence in potential legal disputes, asserting rights related to personal data, or establishing a defense. When determining the retention periods for this purpose, the statute of limitations applicable to the assertion of the relevant right is taken as the basis. In such cases, access to the stored personal data is not permitted for any other purpose, and access to the relevant personal data is granted only when it is necessary for use in the relevant legal dispute.

While personal data of a personal and sensitive nature pertaining to individuals visiting our company’s premises is collected in accordance with applicable procedures, the data subjects in question are informed of this through texts displayed in a visible manner within our company or made available in other ways (such as on our website). 

In this context, the personal data of our employees, job applicants, interns, patients, visitors, and any other individuals whose personal data is held by GÜNEY TIP ÖZEL SAĞLIK HİZMETLERİ A.Ş./Egemed Kuşadası Hospital is processed in compliance with the law under the Personal Data Processing and Protection Policy and this Personal Data Retention and Destruction Policy.

 

  • DATA SUBJECT RIGHTS, CONTACT CHANNELS, AND THE EVALUATION OF DATA SUBJECT REQUESTS

Our company places the utmost importance on implementing the necessary channels, internal procedures, and administrative and technical measures in accordance with the Personal Data Protection Law to assess the rights of data subjects and provide them with the required information. 

Pursuant to Article 11 of the Personal Data Protection Law No. 6698, data subjects have the following rights:

• The right to know whether personal data is being processed,

• The right to request information regarding the processing of personal data,

• The right to know the purpose of the processing of personal data and whether it is being used in accordance with that purpose,

• The right to know the third parties to whom personal data is transferred, whether within the country or abroad,

• The right to request the correction of personal data if it has been processed inaccurately or incompletely,

• The right to request the erasure or destruction of personal data,

• The right to request that third parties to whom personal data has been disclosed be notified in the event of the correction, deletion, or destruction of such data,

• The right to object to a decision made solely through the automated processing of personal data that produces an effect concerning the individual,

• The right to request compensation for any damages incurred as a result of the unlawful processing of personal data.

Data subjects may submit requests regarding the rights listed above to our Company or via the Company’s website www.egemed.com.tr/anasayfa/ by filling out the “PERSONAL DATA PROTECTION APPLICATION FORM” available there, and may submit them to our Company via a registered electronic mail (KEP) address, a secure electronic signature, or a mobile signature. Depending on the nature of your request and the method of submission, our Company may request additional verification solely to determine whether the application belongs to you and to protect your rights.

If you specify in the Application Form which right, as outlined in Article 11 of the Law, you are seeking to exercise and submit this information to our Company, it will enable us to respond to your request more quickly and effectively. 

Our company processes requests free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the process incurs additional costs, a fee in accordance with the tariff set by the Personal Data Protection Board may be charged.

 

  • ENTRY INTO FORCE OF THE POLICY

The GÜNEY TIP PRIVATE HEALTH SERVICES INC. / Egemed Kuşadası Hospital Data Protection and Processing Policy was finalized on December 23, 2019, with registration in VERBİS. In the event that the entire Policy or specific provisions are revised, the effective date of the Policy for the revised provision is the date on which that provision is revised and published.

The policy is available on our company’s website (www.egemed.com.tr/anasayfa/). 

GÜNEY TIP PRIVATE HEALTH SERVICES INC.

EGEMED Kuşadası Hospital

Contact: Türkmen Neighborhood, Ant Street, No. 23, Kuşadası, AYDIN

www.egemed.com.tr/anasayfa/

444 10 81