1. PURPOSE
As Bahçeci Sağlık Anonim Şirketi (“Bahçeci”), we place great importance on protection of personal data. In this context, we pay attention to lawful processing and protection of personal data belonging to Bahçeci employees, visitors, sponsors, business partners, executives, prospective employees, interns, suppliers, employees and executives of cooperating institutions/sponsors/suppliers, third parties, and other people including but not limited to those listed herein (hereinafter, listed people shall be collectively referred to as “Data Subject”).
This Personal Data Protection and Privacy Policy (“Policy”) was prepared to process the personal data, which will be processed during the conduct of commercial and administrative activities of Bahçeci (that inherently include educational activities), in accordance with the legislative provisions and the law, particularly the Law no. 6698 on Protection of Personal Data (“KVKK”). In addition, the Policy aims to ensure that lawful processing of personal data is formulated as a policy and transparency is provided by informing Data Subjects about the personal data processed by our Company. In this context, as Bahçeci, we process personal data pursuant to the following principles and rules as described in detail in the Policy:
• In accordance with article 4 of KVKK, personal data are processed in compliance with the law and the rules of integrity, for certain, clear and legitimate purposes; accurately kept in an up-to-date manner within our Company on physical and electronic media; and stored in connection with the purpose of processing, in a limited and prudent manner, as long as stipulated in the applicable legislation or required for the purpose of processing.
• Necessary administrative and technical measures regulated in article 12 of the KVKK are taken.
• In compliance with article 20 of the Constitution and article 10 of the KVKK, during the collection of personal data, Data Subjects are informed and notified about the processing purpose of personal data, purpose of transferring and recipients of processed personal data, method of and legal grounds for collection of personal data, as well as the rights of the Data Subjects within the scope of article 11 of KVKK.
• If required in accordance with article 20 of the Constitution and article 5 of the KVKK, explicit consents of Data Subjects are obtained with respect to the processing of personal data.
• Our company pays attention to processing and protection of sensitive personal data in accordance with article 6 of the KVKK.
• Methods required for the Data Subjects to exercise their rights regulated in article 11 of the KVKK are being implemented within our Company.
• Our company acts in compliance with the legislation and the PDP Board regulations in transfer of personal data to domestic or overseas third parties pursuant to the requirements of the purpose of processing of personal data in accordance with articles 8 and 9 of the KVKK.
• Pursuant to article 7 of the KVKK and the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data, our Company delete, destroys or anonymizes personal data by itself or upon request of the Data Subject in case of the cessation of reasons that require the processing of personal data. In this context, a Personal Data Retention and Destruction Policy was prepared.
2. SCOPE
The Policy covers all personal data processed by automatic or non-automatic means, which are part of any data recording system, in respect of the Data Subjects. Principal methods for processing of personal data by Bahçeci include printed documents, telephone, web site, online services, e-mail, social media and similar means, as well as verbal, written or electronic platforms.
3. IMPLEMENTATION and EFFECT
Processing and protection of personal data shall be primarily regulated within the scope of the KVKK and other effective legislation. As the legislative provisions may be amended over time, our Company might make changes to update the Policy as necessary. As Bahçeci, we accept that in case of an discrepancy between effective legislation and the Policy, effective legislation shall be applicable.
The Policy, drawn up by Bahçeci, took effect on 12/06/2019. The Policy is published on the web site of our Company www.bahceci.com and communicated to the Data Subjects upon their request. In case of an amendment to the Policy, effective date and relevant articles of the Policy shall be updated accordingly. Table of updates is provided in Annex – 2.
4. OUR PRINCIPLES
Our Company processes personal data pursuant to the following principles regulated in article 4 of the KVKK.
a. Processing in Compliance with the Law and the Rules of Integrity
Our company acts pursuant to the rule of integrity, the KVKK, and other applicable legislation in processing of personal data. Personal data is by no means collected and processed without informing the Data Subject. Personal data is not used in a manner that may lead to discrimination against the Data Subject or beyond the collection purpose of personal data. Personal data is processed in a prudent manner and in proportion to the purpose of its collection.
b. Ensuring that Personal Data is Accurate and Up-To-Date as Necessary
Our company ensures that the personal data, processed in consideration of fundamental rights of Data Subjects and its legitimate purposes, is accurate and up-to-date. Accordingly, it takes necessary measures. In this context, it established a system to ensure that the information of Data Subjects is accurate and up-to-date.
c. Processing with Certain, Clear and Legitimate Purposes
Our Company processes personal data for legitimate purposes in compliance with the rule of integrity. Accordingly, it pays attention to the principle of certainty and clarity in legal texts (explicit consents, disclosures, etc.) prepared within the scope of the law on processing of personal data. Clear and explicit statements that can be understood by the Data Subject are preferred over legal and technical terminology that can be understood only by experts in the field. Therefore, Data Subjects can easily understand the purpose for processing of their personal data. Our Company notifies the Data Subject about the purpose for processing of the personal data at the time of processing.
d. Being Connected to the Purpose of Processing, Limited and Prudent
Our Company processes personal data only for certain and valid purposes, and it does by no means process personal data for purposes that are not existent at the time of processing personal data and that are deemed to have the possibility of existing in the future. e.g. personal data processed for sales purposes is not used later for marketing purposes, and the Data Subject is informed if such personal data is to be processed for different purposes. In addition, personal data that is found out to be beyond the purpose is not processed.
e. Retention As Long As Stipulated in the Applicable Legislation or Required for the Purpose of Processing
Our Company retains personal data only as long as stipulated in the applicable legislation or required for the purpose of their processing. Initially, it is determined whether the legislation stipulates a period for retaining personal data. If such a period is determined, our Company acts in compliance with such period; however, in the absence of such a determination, our Company retains personal data as long as required for the purpose of their processing. In case the period expires or the reasons that require processing are not available anymore, our Company deletes, destroys or anonymizes personal data. Personal data is not retained in consideration of the possibility that a necessity might arise later.
5. DATA SECURITY
Our Company takes necessary technical and administrative measures to ensure that an appropriate level of security is provided for prevention of unlawful processing of and access to personal data, as well as the lawful protection of data that it processes pursuant to article 12 of the KVKK.
In this context, our Company performs necessary audits within itself oroutsources such audits pursuant to article 12 of the KVKK. As a result of such audits, nonconformities identified within the scope of internal operation of the Company are reported to the department related to the issue, and necessary activities are conducted to improve the measures that are taken.
Our Company established and implemented a system that ensures any acquisition of personal data by other parties via unlawful methods is notified as soon as possible to the Data Subject and the PDP Board.If deemed necessary by the PDP Board, this situation can be announced on the web site of the PDP Board or by another means.
Principal technical and administrative measures taken to ensure prevention of unlawful processing of and unlawful access to personal data, as well as lawful retaining of such data, are as follows:
• Technological investments to be made to ensure the security of personal data were planned upon determination of the costs for such investments.
• Employed personnel have knowledge in technical matters.
• Technical measures that are taken are reported to the relevant unit as required by the internal audit mechanism, upon which matters that pose risk are re-evaluated and necessary technological solution is created.
• Software and hardware involving antivirus systems and firewalls are installed.
• Backup programs suitable for secure storage of personal data are used.
• Employees are informed and trained about the law on protection of personal data, lawful processing of personal data, and measures to be taken to prevent unlawful access to personal data.
• Counseling services were received from an international consulting company in respect of the analysis of personal data processed within the company and actions that should be taken for compliance with the KVKK, personal data accessible by business units were reviewed, and actions were taken in respect of situations where access was deemed to be unnecessary.
• All activities conducted by out companies were analyzed in detail in respect of every business unit; as a result of which, activities performed by relevant business units were projected on a detailed and process-based personal data inventory.
• Pursuant to the inventory in question, activities were initiated throughout the Company, documents of the Company were examined in terms of the KVKK, necessary changes were made on such documents, and missing documents were drawn up to meet our legal obligations.
• Intra-company policies were drawn up to ensure the supervision of abovementioned measures and continuity of implementation.
• In line with the legal requirements in the inventory, personal data access and authorization processes are designed and implemented within the Company.
• Provisions stipulating that the recipients of personal data shall take necessary security measures for the protection of personal data and ensure that such measures are observed within their establishments are included in contracts made with parties to which our Company lawfully transfers personal data.
• It was ensured that our visitors were informed, and their explicit consents were obtained pursuant to the KVKK before processing their personal data.
6. METHOD FOR PROCESSING PERSONAL DATA
Your personal data are collected to the extent permitted and as limited by the applicable legislation and executed agreements, also by receiving your approval in case it is legally required to do so, by means of our Companies, our web site, written/digital applications made to our Company and other web sites, phone calls, e-mail communication, channels through which our Company or individuals and entities that are authorized to represent our Company, such as support service companies including organizations, contact(s) you or may contact you in the future.
Your personal data collected by these methods may be processed and transferred for the purposes specified in this article of the Policy pursuant to the conditions of and purposes for processing personal data, as specified in articles 5 and 6 of the Law no. 6698.
In addition, your personal data may be processed via cookies used on [ ] web site of Bahçeci. You can prevent installation of cookies by adjusting the settings of your browser accordingly. This might prevent you from being able to use the full range of services. For more information on the use of cookies on our page, please refer to our Cookie Policy published on the web site.
Our Company informs Data Subjects during collection of personal data pursuant to article 10 of the KVKK and the provisions of the Communique on Disclosure. In this context, our Company provides information on Bahçeci and identity of the representative, if any, the purpose for processing of personal data, purpose of transferring and recipients of processed personal data, method of and legal grounds for collection of personal data, as well as the rights of the Data Subjects within the scope of article 11 of KVKK. Within the scope of the obligation to inform as required pursuant to article 10 of the KVKK, our Company notifies the Data Subjects of the Data Subject groups, whose personal data are processed, the purposes for processing of the personal data of the Data Subject, and the retaining periods.
Another condition for the processing of personal data is the explicit consent of the Data Subject. In case explicit consent should be obtained, our Company provides the Data Subject with the opportunity to provide their explicit consent in respect of a certain subject, based on information, and with free will.
As a rule, our Company obtains explicit consents of Data Subjects to processing of personal data in writing. However, in case of the existence of any condition for processing of personal data, specified in article 5/2 or article 6/3 of the KVKK, explicit consent of the Data Subjects is not required. Such conditions are described below in detail.
a. Stipulation by the law
In case the activity regarding the processing of personal data is explicitly stipulated by the law, such data can be processed without explicit consent of the Data Subject.
(e.g. Documents requested from an employee for preparation of the personnel file stipulated in the Labor Law no. 4857)
b. Failure to obtain explicit consent of the Data Subject due to actual impossibility
Personal data can be processed without explicit consent of the Data Subject in case it is obligatory for our Company, in terms of life or bodily integrity of the Data Subject or another individual, to process personal data, and in case the Data Subject is unable to give consent due to actual impossibility or legal invalidity in this case.
(e.g. Sharing blood type information of an employee that had an accident with the occupational physician)
c. Being directly related to drawing up or performance of the contract
Personal data can be processed without explicit consent of the Data Subject if it is required to process personal data of the parties to the contract, provided that processing of personal data by our Company is directly related to and necessary for drawing up or performance of a contract.
(e.g. Recording address information of a real person to make delivery, provide services, etc.)
d. Performance of legal obligations of the company
If it is required for our Company, acting as a Data Controller, to fulfill its legal obligation; personal data can be processed without explicit consent of the Data Subject.
(e.g. Processing personal data of employees to carry out payroll processes)
e. Public disclosure of personal data by the Data Subject
Our Company may process personal data in a limited manner without explicit consent of the Data Subject, provided that such data are disclosed to the public by the Data Subject.
(e.g. Announcement of emergency contact information by the person)
f. Compulsory data processing for establishment or protection of a right
If it is required to process personal data for establishment, exercise or protection of a right, personal data can be processed without explicit consent of the Data Subject.
(e.g. Retaining and using, if necessary, personal data evidential personal data throughout the legal term of limitation)
g. Compulsory data processing for legitimate interest of our Company
Personal data of the Data Subject can be processed if it is required to process data for legitimate purposes of our Company, provided that rights and liberties of the Data Subject are not impaired.
(e.g. Processing of personal data in respect of employee performance for award and bonus programs to increase employee commitment)
7. METHOD FOR PROCESSING SENSITIVE PERSONAL DATA
Pursuant to article 6 of the KVKK, data in respect of race, ethnicity, political view, philosophical opinion, religion, denomination or other beliefs, appearance, association, foundation or union membership, medical condition, sexual orientation, criminal conviction and security measures, as well as biometric and genetic data are regulated as sensitive personal data, and processing of such information are subject to sensitive protection.
Our Company informs Data Subjects during collection of sensitive personal data pursuant to article 10 of the KVKK. In this context, our Company provides information on Bahçeci and identity of the representative, if any, the purpose for processing of sensitive personal data, purpose of transferring and recipients of processed sensitive personal data, method of and legal grounds for collection of sensitive personal data, as well as the rights of the Data Subjects within the scope of article 11 of KVKK. Within the scope of the obligation to inform as required pursuant to article 10 of the KVKK, our Company notifies the Data Subjects of the Data Subject groups, whose sensitive personal data are processed, the purposes for processing of the sensitive personal data of the Data Subject, and the retaining periods.
Sensitive personal data are processed by taking measures pursuant to the KVKK and performance/outsourcing of necessary audits. As a rule, another condition for the processing of sensitive personal data is the explicit consent of the Data Subject. Our Company provides the Data Subjects with the opportunity to provide their explicit consent in respect of a certain subject, based on information, and with free will.
As a rule, our Company obtains explicit consents of Data Subjects to processing of sensitive personal data in writing. However, in accordance with article 6/3 of the KVKK, in case of the existence of any condition specified in article 5/2 of the KVKK, explicit consent of the Data Subjects is not required.
8. OUR PURPOSES FOR PROCESSING PERSONAL DATA
Our Company processes personal data for the following purposes (without limitation) within the scope of performance of necessary studies and conduct of associated business processes by our business units in order to conduct our activities; ensuring legal, technical and commercial-occupational safety of our Company and the Data Subjects that have business relationships with our Company; planning and execution of trade and/or business strategies of the Company; performance of necessary studies and conduct of associated business processes by our business units in order to ensure that the Data Subjects utilize services provided by our Company; planning and execution of human resources policies and processes.
• Conducting activities of the company,
• Planning and execution of corporate communication,
• Planning and execution of Human Resources and occupational health and safety processes,
• Ensuring legal and commercial safety of entities in business relationship with out Company,
• Being able to inform you about news from and activities of the Company,
• Being able to coordinate with students and their parents, limited to the execution of educational activities,
• Contacting you using your information submitted via our e-mail addresses and form on our web site,
• Conducting accounting operations such as invoicing in exchange for our services,
• Ensuring audits that are deemed necessary, such as safety in business processes and planned periodical internal audit activity,
• Ensuring the security of our head office and clinics,
• Determination and implementation of commercial and business strategies of our Company,
• Providing requested services,
• Management of contractual processes and performance of contractual obligations,
• Implementation and supervision of workplace rules,
• Sending offers to prospective customers/parents regarding our services,
• Measurement of satisfaction regarding our services and improvement of our services accordingly; planning, supervision and execution of risk management, corporate sustainability, corporate management, strategic planning and information security processes; ensuring business continuity,
• Conducting our finance, communication, market research and purchasing operations,
• Sustaining our intra-company system and application management operations,
• Management of relations with our sponsors, suppliers and other business partners,
• Performance of photo and video shoots at organizations, management of marketing activities,
• Fulfillment of legal obligations arising from the legislation,
• Ensuring transport of goods and samples,
• Management of processes with public institutions and organizations such as Social Security Institution,
• Monitoring and prevention of misconduct and unauthorized operations.
In line with the abovementioned purposes, it is seen that most of the activities and processes conducted by our Company are within the scope of article 5/2 and 6/3 of the KVKK, and therefore do not require explicit consent of Data Subjects. However, explicit consent of Data Subjects is received in case conducted activities or processes are outside this scope.
9. TRANSFER OF PERSONAL DATA
In order to be able to achieve the purposes mentioned above, to the extent required for the fulfillment of legal obligations, and limited by these purposes; your personal data can be shared with our suppliers, sponsors, business partners (software companies that provide technical support services, companies that provide audit services, companies that provide e-commerce services, advertising agencies, vehicle rental companies, etc.) with which we cooperate and from which we receive services for performance of services provided by our medical Company, private insurance companies (health, retirement, life insurance, etc.), Social Security Institution, General Directorate of Security and other law enforcement agencies, General Directorate of Civil Registration, other relevant public institutions and organizations, courts, your authorized representatives, your employer, third parties that provide services to us including lawyers, tax consultants and auditors, regulatory and supervisory institutions and public authorities.
Your Personal Data can be stored and retained; classified as required by market research, financial and operational processes as well as marketing activities (on the condition that explicit consents are received at relevant points); updated in varying periods; transferred to 3rd Parties and/or suppliers and/or service providers and/or our foreign shareholders that we are affiliated with, as required by the service to the extent permitted by the legislation, pursuant to the law, and within the scope of the principles of confidentiality; transferred in accordance with our governing policies and for reasons stipulated by other authorities; stored; processed by means of reporting; issued as records and documents on electronic or paper media as a baseline for operations; transferred pursuant to conditions of and purposes for personal data processing specified under the KVKK in article 8 on the transfer of personal data and article 9 on overseas transfer of personal data.
Our Company can transfer personal data and sensitive personal data without explicit consent of the Data Subject provided that adequate measures stipulated by the PDP Board are taken if the conditions provided in articles 5/2 and 6/3 of the KVKK are met.
Your personal data shall always be processed in confidentiality and it shall not be shared with third parties that do not act on our behalf unless you consent in writing or by electronic means to sharing the data, reasons provided in article 5/2 of the KVKK are present, or we are legally required to do so.
Please also consider that we may share your personal data with other global companies in our network, and therefore we may utilize available technological products to be able to provide our services such as cloud computing technologies in the most efficient manner.
10. RECIPIENTS OF PERSONAL DATA AND PURPOSES FOR TRANSFER
Our Company notifies the recipient groups of personal data to the Data Subject pursuant to article 10 of the KVKK.Recipients, scope of such entities, and the purposes for data transfer are as follows.
TRANSFER RECIPIENTS DESCRIPTION PURPOSE OF DATA TRANSFER
Business Partner Defines the parties, with which our Company establishes business partnerships during the conduct of its commercial activities, for purposes such as sale, promotion and marketing, and after-sale support regarding the services of our Company. Limited to the purpose of ensuring fulfillment of purposes for establishment of the business partnership
Sponsors / Visitors (student and parent) Defines entities and/or employees/authorized signatories/other natural entities within companies receiving services from our Company. Limited to the purpose of providing services to our customers
Supplier Defines parties that provide services to our Company on a contractual basis subject to orders and instructions of our Company during the conduct of commercial activities of our Company, or employees/executives/other Data Subjects of such parties. Limited to the purpose of ensuring the provision of services outsourced by our Company from suppliers
Legally Competent Public Institutions and Organizations Public institutions and organizations authorized to receive information and documents from our Company pursuant to the provisions of the applicable legislation Limited to the purpose of request by the relevant public institutions and organizations under their authority
Legally Competent Private Law Entities Private law entities authorized to receive information and documents from our Company pursuant to the provisions of the applicable legislation Limited to the purpose of request by the relevant private law entities under their authority (e.g. Occupational Health and Safety Company)
11. RETENTION PERIODS OF PERSONAL DATA
Our Company retains general and sensitive personal data throughout the periods stipulated in the KVKK and other applicable legislation. Your personal data mentioned above can be transferred to physical archives and computing systems of our Company and/or suppliers and stored on both digital and physical media.
If the legislation does not stipulate a period for retaining personal data, personal data shall be retained for the period determined in consideration of the following criteria, and destroyed upon expiration of such period:
• The period recognized as the general practice in the industry within which the data controller operates pursuant to the processing purpose of the relevant data category,
• The period during which the legal relationship established with the Data Subject, which requires the processing of personal data in the relevant data category,
• The period during which the legitimate interest to be obtained by the data controller shall be valid pursuant to the law and the rules of integrity in connection with the processing purpose of the relevant data category,
• The period during which risks, costs and liabilities to be posed by the storage of data shall be legally effective in connection with the processing purpose of the relevant data category,
• Whether the maximum period to be determined is convenient for keeping the relevant data category accurate and, as necessary, up-to-date,
• The period during which the data controller is required to retain the personal data in the relevant data category pursuant to its legal obligation,
• The limitation period determined for assertion of a right by the data controller depending on the personal data in the relevant data category
If the processing purpose of personal data is no longer valid and the retaining periods determined by the applicable legislation and the Company have expired, personal data can be retained only for the purposes of constituting evidence in respect of possible legal disputes, being able to assert a relevant right depending on the personal data, or establishing a defense. In determination of the periods mentioned here, limitation periods intended for the assertion of the mentioned right, and retention periods based on examples in requests that were previously submitted to our Company about the same issues despite the expiration of limitation periods are determined. In this case, retained personal data cannot be accessed for any other purpose and such personal data is accessible only when it is required to be used in respect of the relevant legal dispute. Under these circumstances, personal data is deleted, destroyed or anonymized upon expiration of the period in question.
12. CATEGORIZATION OF PERSONAL DATA
Our Company processes personal data under the categories provided in the following table.
PERSONAL DATA CATEGORY DESCRIPTION
Identity Information All information on documents such as Driving License, Identity Card, Residence, Passport, Lawyer Identity Card, Marriage Certificate
Contact Information Information such as telephone number, address, e-mail
Customer/Parent/Student Information Information obtained and generated about the Data Subject as a result of operations conducted by our business units within the scope of our services
Information on Family Members and Relatives Information on family members and relatives of the Data Subject, information on families or relatives of visitor children for the purpose of protecting legal interests of employees
Operational Security Information Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities
Risk Management Information Personal data processed to be able to manage our technical and administrative risks via methods utilized pursuant to the generally accepted legal, commercial practices in these fields and the rule of integrity
Personnel Information All kinds of personal data processed for the purpose of obtaining information to constitute basis for personnel rights of our Employees or natural entities in employment relationship with our Company
Prospective Employee Information Personal data processed in relation to individuals that made job applications to our company, or that were assessed as prospective employees in line with human resources needs of our Company pursuant to the rules of integrity, or that are in business relationships with our Company
Information on Benefits and Interests Your personal data processed for planning benefits and interests provided and to be provided to employees or other natural entities in business relationships with our Company, determination of objective criteria regarding eligibility for these, and follow-up of eligibility for these
Information on Legal Proceedings and Compliance Your personal data processed within the scope of determination and follow-up of our legal claims and rights, payment of our debts, and compliance with our legal obligations and policies of our Company
Supervision and Audit Information Your personal data processed within the scope of the legal obligations of our Company and compliance with Company policies
Sensitive Personal Data Data specified in article 6 of the KVKK
Request and Complaint Management Information Personal data in respect of receiving and evaluation of all kinds of requests or complaints submitted to our Company
Incident Management Information Information and assessments collected in respect of incidents that have the potential to affect our Company, employees, and shareholders
Audio/Visual Data Data in photographs and camera recordings, audio recordings and documents constituting copies of documents that contain personal data
13. CATEGORIZATION OF DATA SUBJECTS
Our Company processes the personal data for the following Data Subject categories, while implementation scope of the Policy is limited to the Data Subjects. Explanations regarding such people are provided in the following table.
Although categories of Data Subjects determined by our Company are as specified above, people outside these categories may submit their requests to our Company pursuant to the KVKK, and requests of such people shall also be taken into consideration within the scope of the Policy.
DATA SUBJECT CATEGORY DESCRIPTION
Customer (Visitor child, parent/relative and Sponsors) Natural entities receiving services from our company or our contracted sponsors operating within the park
Prospective Customer Natural entities that requested to utilize or showed interest in our Services, or that were considered to be potentially interested in compliance with practices and rules of integrity
Visitor Natural entities that accessed physical campuses owned or where an activity was organized by our Company for various purposes, or that visited our web sites
Third Party Third party natural entities (e.g. guarantor, attendant, family members and relatives) in relation with the abovementioned parties, whose personal data should be processed by our Company to ensure security of commercial transactions between our Company and such parties, or to protect the rights of such people and ensure their interests; or all natural entities, whose personal data should be processed by our Company for a certain purpose, even if it might not be explicitly mentioned within the scope of the Policy.
Prospective Employee Natural entities that made a job application to our Company by any means or disclosed their resumés and relevant information to our Company for examination.
Company Executive Board member of our Company and other natural entities (such as authorized signatories) authorized by our Company
Employees, Shareholders, Executives of Institutions that We Cooperate with Natural entities that work with institutions (including but not limited to business partners, suppliers, etc.), with which our Company is in any business relationship, including shareholders and executives of such institutions
14. PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED AT BAHÇECİ LOCATIONS
Security cameras are used to ensure security of our campuses. Our clinics conduct personal data processing activity by using security cameras.
Our Company aims to increase the quality of provided services, ensure their reliability, ensure safety of life and property of our Company, the Data Subject and other people, prevent misconduct, and protect legitimate interests of the mentioned parties within the scope of surveillance with security cameras.
Personal data processing activities carried out by our Company by means of security cameras are conducted pursuant to the Constitution, the KVKK and other applicable legislation.
Our Company processes personal data in connection with the purpose of processing, in a limited and prudent manner pursuant to article 4 of the KVKK. Surveillance, which might lead to intervention with the privacy of a person beyond security purposes, is not carried out. Data Subjects are informed about personal data processing activities conducted within this scope. However, their explicit consents are not obtained as our Company has legitimate interests.
Necessary technical and administrative measures are taken by our Company pursuant to article 12 of the KVKK in order to ensure the security of personal data obtained as a result of surveillance with cameras.
15. RETAINING RECORDS CONCERNING INTERNET ACCESS PROVIDED TO OUR VISITORS AT BAHÇECİ LOCATIONS
Our Company may provide internet access to our visitors that request such access as long as they remain within our buildings and Companies, to ensure security and for purposes specified in the Policy. In this case, logs regarding your internet access are recorded pursuant to the Law no. 5651 and mandatory provisions of the legislation regulated in accordance with such law; while these records are only processed upon request of competent public institutions and organizations or to fulfill our legal obligation during audit processes to be held within the Company.
Logs obtained in this context are accessible only by a limited number of Bahçeci employees. Employees of the Company, who have access to the mentioned records, access these records only upon requests received from competent legal institutions and organizations or to use these during audit processes, and share these with legally competent parties.
16. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
a. Obligation of Bahçeci to delete, destroy and anonymize personal data
In accordance with article 138 of Turkish Penal Code, article 7 of the KVKK, and article 7 of the Regulation on Deletion, Destruction or Anonymization of Personal Data, despite being processed pursuant to the provisions of applicable law, personal data is deleted, destroyed or anonymized at the discretion of our Company or upon request of the Data Subject in case of the cessation of reasons that require processing.In this Policy, the concepts of deletion, destruction and anonymization are used pursuant to the definitions provided in the Regulation on Deletion, Destruction or Anonymization of Personal Data. In this context, a Personal Data Retention and Destruction Policy was prepared.
Our Company reserves the right to reject the destruction request of the Data Subject in case our Company is entitled and/or obliged to retain personal data in accordance with article 5/2 of the KVKK.
b. Methods for deletion, destruction and anonymization of personal data
• Methods for Deletion and Destruction of Personal Data
Principles and procedures in respect of the techniques for deletion and destruction of personal data by Bahçeci are as follows:
• Physical Destruction: Personal data may also be processed by non-automated methods provided that they are part of any data recording system. When such data are deleted/destroyed, they are physically destroyed so that personal data cannot be used later.
• Secure Deletion from Software: During deletion/destruction of data processed completely or partially by automated means and stored on digital media, methods involving deletion of data in an unrecoverable manner from relevant software are used.
• Secure Deletion by an Expert: In certain cases, the Company may hire an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by an expert in the field in an unrecoverable manner.
• Redaction: Ensuring that personal data are converted into a illegible form.
Upon occurrence of abovementioned circumstances, Bahçeci fully complies with provisions of the KVKK, secondary legislation and other applicable legislation, and takes all kinds of administrative and technical measures to ensure data security.
• Methods for Anonymization of Personal Data
Anonymization of personal data means that personal data are converted into a form that cannot be associated under any circumstances with a natural entity, whose identity is known or can be determined, even by matching personal data with other data. Our Company is capable of anonymization of personal data upon cessation of reasons that require processing of personal data that are lawfully processed.
In accordance with article 28 of the KVKK, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the KVKK and explicit content of the Data Subject shall not be required for such personal data.
Anonymization techniques that are commonly used by our Company are as follows:
• Masking
Ensuring that personal data cannot identify the individual by deleting or starring certain parts.
e.g. If the telephone number of the Data Subject is partially starred, it is considered masking.
• Consolidation
Means cumulation of data to reflect total values.
e.g. Indicating the number of female employees within the company as 40% and the number of male employees as 60%.
• Data Derivation
Replacement of available detailed data with more general counterparts.
e.g. Instead of providing day/month/year details of birth date information, directly inserting the age of the person constitutes anonymization by data derivation.
• Data Blending
Means blending values within the data set to eliminate the opportunity to identify individuals without impairing total benefit.
e.g. In a workplace where it is desired to obtain an average age, values reflecting ages of employees are interchanged to carry out data blending.
17. RIGHTS OF DATA SUBJECTS
Our Company notifies the rights of the Data Subject pursuant to article 10 of the KVKK, provides guidance to the Data Subject on how to exercise such rights, and our Company maintains necessary channels, internal operation, administrative and technical arrangements required pursuant to article 13 of the KVKK to assess the rights of the Data Subjects and to inform the Data Subjects as necessary.
a. Rights of Data Subjects
Data Subjects have the following rights:
• Finding out whether their personal data was processed,
• Requesting information in this regard if their personal data was processed,
• Finding out the purpose of processing for personal data and whether these were properly used,
• Being aware of the domestic or overseas third parties to which personal data were transferred,
• Requesting correction of incomplete or inaccurate personal data, and requesting notification of this procedure to third party recipients of the personal data,
• Requesting deletion or destruction of personal data in case of the cessation of reasons that require processing, and notification of this procedure to third party recipients of the personal data, despite the conduct of processing in compliance with the KVKK and other applicable provisions of the law,
• Objecting to development of a result to the detriment of the person upon analysis of processed data exclusively via automated systems,
• Requesting compensation of losses that might be incurred due to unlawful processing of personal data.
b. Events Where the Data Subject Cannot Exercise Their Rights
As the following circumstances are excluded from the scope of KVKK in accordance with a. 28 of the KVKK, Data Subjects cannot assert their rights specified in a. 11 of the KVKK.
• Processing personal data for official statistics and for purposes such as research, planning and statistics following anonymization.
• Processing personal data for artistic, historic, literary or scientific purposes or within the scope of freedom of expression provided that national defense, national security, public safety, public order, economic safety, the right to privacy or personal rights are not violated or no crime is committed.
• Processing personal data within the scope of preventive, protective and coordinated business activities conducted by legally appointed and authorized public institutions and organizations for the purpose of ensuring national defense, national security, public safety, public order, or economic safety.
• Processing of personal data by judicial authorities or executive bodies in respect of investigation, proceeding, trial or execution procedures.
In accordance with article 28/2 of the KVKK, the Data Subjects may not assert the rights other than their right to demand compensation as specified in a. 11 of the KVKK:
• Necessity of processing personal data for prevention of commission of a crime or criminal investigation.
• Processing personal data disclosed to the public by the Data Subject.
• Necessity of processing personal data by appointed and authorized public institutions and organizations, and public professional organizations, based on the authority granted by the law, to conduct supervision or regulation duties and for discipline investigations or proceedings.
• Necessity of processing personal data for protection of economic and financial interests of the State in respect of budgetary, taxational and financial matters.
c. Exercise of the Rights of the Data Subject
Data Subjects may submit their requests regarding their rights under article 11 of the KVKK to our Company free of charge via the following method:
INFORMATION REQUEST ON PROTECTION OF PERSONAL DATA LAW
Applicaiton of the form available on the web site, signing with wet signature, and personal delivery to the address Bahçeci Sağlık Hizmetleri A.Ş. Mahir İz Cad. No:31 Kat:2-3 Altunizade/İstanbul
Application of the form available on Bahçeci website, signing with wet signature, and delivery via notary public to the address Bahçeci Sağlık Hizmetleri A.Ş. Mahir İz Cad. No:31 Kat:2-3 Altunizade/İstanbul
Third parties cannot exercise the right to demand information, regulated in article 11 of the KVKK, on behalf of the Data Subjects. In order to enable the Data Subject to submit an application regarding personal data of another person, the Data Subject should submit a special power of attorney with wet signature and notarization, issued in the name of the person making the application.
If the procedure requested by Data Subjects require an additional cost, our Company shall charge the fee in the tariff determined by the PDP Board. The method for payment of such fee shall be specified in the Application Form. Applications shall not be taken into consideration unless such fee is paid in compliance with the described method.
d. The Right of the Data Subjects to File a Complaint with the PDP Board
Data Subjects may file a complaint with the PDP Board within thirty days from receiving the response of our Company and, in any case, sixty days from the date of application, provided that the application is rejected, the response is considered to be inadequate, or no response is given to the application in due time in accordance with a. 14 of the LPDD.
18. RESPONSE OF Bahçeci TO APPLICATIONS
If the Data Subjects submit their request to our Company, our Company shall finalize the relevant application as soon as possible and at the latest within thirty days based on the nature of the request.
Our Company may request information/documents from the Data Subject to identify whether the applicant is the Data Subject. Our Company may address questions to the Data Subject about their application to clarify the matters in the application.
Under the following circumstances, application of the applicant may be rejected by notifying the reason for rejection:
• Processing personal data for official statistics and for purposes such as research, planning and statistics following anonymization.
• Processing personal data for artistic, historic, literary or scientific purposes or within the scope of freedom of expression provided that national defense, national security, public safety, public order, economic safety, the right to privacy or personal rights are not violated or no crime is committed.
• Processing personal data within the scope of preventive, protective and coordinated business activities conducted by legally appointed and authorized public institutions and organizations for the purpose of ensuring national defense, national security, public safety, public order, or economic safety.
• Processing of personal data by judicial authorities or executive bodies in respect of investigation, proceeding, trial or execution procedures.
• Necessity of processing personal data for prevention of commission of a crime or criminal investigation.
• Processing personal data disclosed to the public by the Data Subject.
• Necessity of processing personal data by appointed and authorized public institutions and organizations, and public professional organizations, based on the authority granted by the law, to conduct supervision or regulation duties and for discipline investigations or proceedings.
• Necessity of processing personal data for protection of economic and financial interests of the State in respect of budgetary, taxation and financial matters.
• Possibility of the request of the Data Subject to obstruct rights and liberties of other people.
• Requests of the Data Subject that require disproportional effort.
• The fact that the requested information is a public information.
19. THE RELATIONSHIP BETWEEN THE POLICY AND OTHER DOCUMENTS OF THE COMPANY
The Policy is the essential regulation of our Company with respect to processing personal data. The Policy was drawn up to be implemented in harmony with other policies, procedures and processes drawn up by our Company with similar intentions. In case of any discrepancy between other policy or procedure texts drawn up by our Company with similar intentions, provisions of the Policy shall be taken into consideration regarding matters in respect of processing personal data.
Bahçeci Sağlık Hizmetleri A.Ş.
Mahir İz Cad. No:31 Kat:2-3 Altunizade/İstanbul
Ticaret Sicil No: 370646-0
https://bahceci.com
ANNEX – 1 ABBREVIATIONS
ABBREVIATIONS
Communiqué on Disclosure Obligation Communiqué on Principles and Procedures to be Observed in Performance of the Disclosure Obligation, published in the Official Gazette no. 30356 of March 10, 2018
Constitution The Constitution of the Republic of Turkey no. 2709 of November 7, 1982 published in the Official Gazette no. 17863 of November 9, 1982
Data Subject Means a natural entity whose personal data is processed, such as customers, employees in commercial relationships, customers, business partners, shareholders, executives, prospective employees, interns, visitors, suppliers, employees of cooperating institutions of Bahçeci and/or subsidiaries/affiliates of Bahçeci, third parties, and other entities including but not limited to those listed here.
Regulation on Deletion, Destruction or Anonymization of Personal Data Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette no. 30224 of October 28, 2017, which took effect as of January 1, 2018
KVKK The Law on Protection of Personal Data, which took effect upon being published in the Official Gazette no. 29677 of April 7, 2016
PDP Board Protection of Personal Data Board
PDP Institution Protection of Personal Data Institution
a. Article
e.g. Exempli Gratia
Policy Personal Data Protection and Privacy Policy of Bahçeci A.Ş.
Company Bahçeci Sağlık Hizmetleri A.Ş.
Turkish Penal Code Turkish Penal Code no. 5237 of September 26, 2004 published in the Official Gazette no. 25611 of October 12, 2004
ANNEX – 2 TABLE OF UPDATES
The Policy was updated on 12 June 2019. The changes in question involve.
4.9 / 5