04/10/2022

Policy on Protection and Processing of Personal Data

In keeping with its principles of superior service quality, respect for the rights of individuals, transparency and honesty, and in line with the regulations determined by the Personal Data Protection Law, the Data Controller Cinik Aesthetic (ERC Estetik Turizm Sağlık Hizmetleri Tic. Ltd. Sti.) considers it critical to protect the personal data of its customers, employees, and other real people with whom it has a relationship. We place a high value on patient privacy and on keeping all personal data belonging to our patients in the best possible way, and on processing and preserving it with care. This policy has been created to protect and process the personal data of our patients, as well as hospital attendants, visitors, and employees of institutions and organizations with which we collaborate, within the framework of the basic legislative principles.

The purpose of this Policy is to provide transparency by informing the individuals whose personal data is processed, particularly our patients, companions, visitors, employees and institution officials, employees of the institutions with which we collaborate, officials, and third parties within the scope of the personal data processing activity carried out by our polyclinic in accordance with the legislation. In this context, administrative and technical measures are implemented to process and protect personal data in accordance with Law No. 6698 and the relevant legislation. Within the scope of this policy, natural persons whose personal data are processed are defined as Data Subject, Relevant Person or Personal Data Owner.

Explicit Consent: Consent on a specific subject freely given and based on information.

Anonymization of Personal Data: It is the irreversible alteration of personal information so that it becomes unusable, for instance by using methods like masking, aggregation, data corruption, etc. to prevent the association of personal data with a natural person. It is possible to anonymize personal data for various purposes in accordance with the request and/or consent of the Data Owner, without violating the scope of KVKK and consent. Our Polyclinic will take the necessary precautions to stop the anonymized personal data from being made identifiable in any way.

Employees, Shareholders and Authorities of Our Collaborations: It refers to the natural persons who work for the institutions with which we have any type of business relationship, including the shareholders and authorities of these institutions (such as, but not limited to, business partners and suppliers).

Processing of Personal Data: It refers to all kinds of operations performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, receiving, making it obtainable, classifying or preventing its use, whether by fully or partially automated means or by non-automated means provided that it is a part of any data recording system.

Personal Data: It refers to any information relating to an identified or identifiable natural person. Personal data refers to all information that can be used to identify a specific person, and information such as TR Identity Number, Name and Surname, e-mail address, telephone number, residence address, date of birth, bank account number can be given as examples of personal data.

Sensitive Personal Data: Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data refer to Sensitive Personal Data.

Third Party: Refers to the third party natural persons who are related to the above-mentioned parties in order to ensure the security of commercial transactions or to protect the rights of the mentioned persons and to obtain benefits. (For instance, employees or representatives of the business providing the service, a hospital attendant, etc.)

Data Processor: It refers to the natural or legal person who processes personal data on the data controller’s behalf based on the authority given by the data controller. For example, the IT firm that stores our data.

Data Controller: It refers to the person who chooses the purposes and tools for processing personal data and manages the location where the information is systematically stored (data recording system).

Within the scope of KVKK, our polyclinic has the title of data controller and has been registered in the VERBIS system. A team (Personal Data Supervisor Team) has been established in our company. When a decision must be made, the Personal Data Controller team consults with a legal expert or lawyer who specializes in personal data, and with management approval, the decision is implemented.

The personal data processed may vary depending on the health services provided and are collected by physical and/or digital methods. Sensitive personal data (especially health data) and general personal data belonging in particular to our patients, physicians, health personnel and other employees, subcontractors and their employees, and companies that engage in all kinds of commercial activities, collected verbally, in writing or digitally through our call center, the website of our polyclinic, online services and similar means, may be processed for the following and other purposes that may arise in the future:

  • Execution of diagnosis, treatment and care services,
  • Protection of public health,
  • Planning and management of preventive medicine health services and financing,
  • Informing our patients about the appointment
  • Planning and managing internal procedures,
  • Fulfilment of health services in accordance with the legislation, analysis for improvement,
  • Risk management and quality improvement,
  • Research
  • Fulfilling legal and regulatory requirements,
  • Invoicing for provided services,
  • Verification of your identity
  • Verifying your relationship with contracted health care providers,
  • Sharing all kinds of information requested by private insurance companies within the scope of financing health services,
  • Answering all your questions and complaints about our health services,
  • Taking all necessary technical and administrative measures within the scope of data security,
  • Ensuring the financial reconciliation of the medical services provided to you with the contracted health care providers, banks, and all organizations (public and private) from which health expenditures are collected,
  • In accordance with the relevant laws, sharing the requested information with the Ministry of Health and other public institutions and organizations,
  • Measuring patient satisfaction, increasing patient satisfaction,
  • Fulfilling our contracts and legal obligations

 

Categorization of Processed Personal Data

Identity Information: All information about the identity of the person in documents such as driver’s license, identity, passport, attorney identity, marriage certificate

Contact Information: Information for contacting the data owner such as phone number, address, residence, e-mail

Location Data: Data that are used to locate the data owner and which are included in the data recording system and clearly belong to an identified or identifiable natural person

Family Members and Relatives: Information about the family members and relatives of the personal data owner that clearly belongs to an identified or identifiable natural person, is included in the data recording system, and is processed in order to protect the legal interests of both the relevant Institution and the data owner

Physical Space: Personal data related to records and documents such as camera recordings, fingerprint records, visual and audio recordings

Transaction Security Information: Personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our business

Financial Information: Personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our business.

Employee Candidate Information: Personal data processed about individuals who have applied to be an employee (cv or resume information)

Personnel Information: Personal data related to Payroll Information, Disciplinary Investigation, SSI information, employment entry-exit document records, property declaration information, resume information, information about performance evaluation reports, interview results, content of employment contract, information about starting and termination of employment

Legal Transaction: Personal data processed within the scope of our legal obligations, determination and follow-up of our legal receivables and rights, and performance of our debts

The above personal data may be processed within the framework of the Health Services Basic Law No. 3359, the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, Regulation on Private Hospitals, Regulation on Personal Health Data and regulations of the Ministry of Health, etc. and may be transferred to the physical archives and information systems of our polyclinic and/or our suppliers.

Our company acknowledges that personal data will be processed in accordance with the following principles:

  • Compliance with the law and honesty,
  • Ensuring that personal data is accurate and up-to-date when necessary,
  • Processing for specific, explicit and legitimate purposes,
  • Being relevant, limited and proportionate to the purpose for which they are processed,
  • Preservation for the period required by the relevant legislation or for the purpose for which they are processed.

One of the legal bases that permits the processing of personal data in accordance with the law is the owner’s explicit consent. In addition to explicit consent, one of the other circumstances listed below may also result in the processing of personal data. The basis of the personal data processing activity may be only one of the conditions stated below, or more than one of these conditions may be the basis of the same personal data processing activity. In case the processed data is sensitive personal data, the following conditions apply:

  • Explicit Consent of the Personal Data Owner,
  • Being Explicitly Provided for in Law,
  • Inability to Obtain the Explicit Consent of the Person Concerned Due to Practical Impossibility,
  • Direct Relation with the Drawing Up or Execution of the Contract,
  • The Company’s Fulfillment of its Legal Obligation,
  • Making Personal Data Public by the Personal Data Owner,
  • Obligatory Data Processing for the Establishment or Protection of a Right,
  • Obligatory Data Processing for Our Company’s Legitimate Interest, (The expression of the company’s legitimate interests cannot under any circumstances be contrary to the principles set forth in the KVKK, the purpose of processing personal data, and cannot interfere with the essence of the right guaranteed by the Constitution.)

Sensitive personal data are processed by our company in the following cases, provided that adequate measures determined by the Personal Data Protection Board are taken:

  • If the personal data owner has given explicit consent, or
  • If the personal data owner has not given explicit consent, sensitive personal data other than the health and sexual life of the personal data owner are processed in the cases prescribed by law,
  • Sensitive personal data related to the health and sexual life of the personal data owner are processed only by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.

 

Technical and Administrative Measures

Our company takes the necessary technical and administrative measures according to the technological possibilities and implementation cost regarding the following issues, based on the provisions of Article 12 of the KVKK and the provisions of the Regulation, the general principles stated above, and the decisions of this Policy and the Personal Data Protection Board:

  • Required software and hardware have been determined. Strong passwords are used on computers and e-mail accounts.
  • Our employees have received training on the data that must be protected in order to protect customer information, and their responsibilities with regard to business contracts have been outlined. (Confidentiality Agreements) This obligation continues even after the persons concerned leave their positions in the company.
  • The necessary infrastructure has been established for the backup of all data.
  • Employees who can access data on computers have been determined.
  • Customer files and information are accessible only to the individuals concerned, their relatives to whom they have given written consent, the relevant public institutions and organizations within the boundaries of their legislation, and the competent judicial authorities in judicial cases.
  • Before processing personal data, the Authority fulfills the obligation to inform the relevant persons.
  • Personal data processing inventory has been prepared.
  • The personal data owners in question are informed on these subjects through texts posted in our polyclinic or made available to guests in other ways.

Your personal data may be shared with our polyclinic, the Ministry of Health, its sub-units and family practice centers, private insurance companies (health, pension and life insurance, etc.), Social Security Institution, General Directorate of Security and other law enforcement agencies, General Directorate of Population, Pharmacists Association of Turkey, Attorney Generalship and courts, laboratories in Turkey or abroad that we cooperate for medical diagnosis, medical centers and third parties providing health services, the health institution to which the patient is referred or the patient himself applied, your representatives duly authorized, third parties we receive consultancy from, regulatory and supervisory institutions and official authorities, our suppliers whose services we benefit from or cooperate with, support service providers within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law. Your personal data is not shared with foreign countries.

Regarding the processed personal data, the person concerned has the right to learn whether the personal data is processed or not, request information about it if it has been processed, access and request personal health data, learn whether it is used for its intended purpose, learn the third parties to whom it has been transferred, request its correction in case of wrong processing, request the deletion or destruction of personal data, request the notification of the correction to the third parties to whom it has been transferred in case of wrong processing, object to an unfavourable result produced by analysis through automated systems, and demand compensation for the damage suffered due to the unlawful processing of personal data. The above-mentioned rights can be exercised by applying to our company with a petition.

Our Company performs personal data processing operations by installing security cameras and taking pictures at the entrances and exits of visitors. In this context, our polyclinic acts in accordance with the Personal Data Protection Law and security legislation.

Only authorized employees and/or supplier company employees have access to the records recorded and maintained in the digital environment. Camera records are kept for 2 months.

This Policy is deemed to have entered into effect after its publication on the website.