As Bahçeci Sağlık Hizmetleri A.Ş. (“Bahçeci”), we consider that the protection of personal data is of great importance. In this context, we give great importance to process and protect the personal data of Bahçeci and/or Bahçeci’s employees, patients, business partners, officials, candidate employees, interns, visitors, suppliers, employees and authorized persons of the institutions / customers / suppliers, third parties and other persons not listed here (these persons will hereinafter be named as “Related Person” or “Related Persons”)
- Pursuant to Article 4 of KVKK, personal data is processed for specific, clear and legitimate purposes in accordance with the rules of law and principles of honesty, and it is kept accurate and up-to-date in both physical and electronic environments within our Center for the duration predicted in the legislation or foreseen for the purposes they are processed.
- Necessary administrative and technical measures mentioned under Article 12 of KVKK are taken.
- Related Persons are informed in accordance with Article 20 of the Constitution and article 10 of Law No. 6698 and information will be provided about the acquisition of personal data, for which purpose the personal data can be transferred and to whom the data will be transferred to, the method of collecting personal data and the legal reason within the scope of rights of Related Persons in accordance with article 11 of KVKK.
- Pursuant to Article 20 of the Constitution and Article 5 of KVKK, the explicit consent of the Related Persons is required for the processing of personal data.
- Our center is sensitive to the processing and protection of private personal data in accordance with Article 6 of KVKK.
- Necessary methods are set up for the Related Persons to exercise their rights under Article 11 of KVKK.
- Our Center acts in compliance with the legislation and the regulations of the KVK Board regarding the transfer of personal data to third parties in Turkey or abroad in accordance with the requirements of the purpose of processing of the personal data in accordance with Articles 8 and 9 of KVKK.
- In accordance with the provisions of Article 7 of KVKK and the Regulation on Deleting, Destroying or Anonymization of Personal Data; our Center shall delete, destroy or anonymize personal data upon request of the Related Person or when the reasons to process the personal data are removed. In this context, Personal Data Storage and Disposal Policy has been prepared.
The policy covers all personal data either automatically processed or processed by using non-automated methods upon the condition of being a part of any data recording system.
3. APPLICATION AND ENFORCEMENT
The processing and protection of personal data will be regulated primarily within the framework of KVKK and other applicable legislation. Since the provisions of legislation may change over time, our Center may update the Policy from time to time by making some amendments.
If there is any inconsistency between the legislation and the policy in enforced in Bahçeci, we agree that the applicable legislation will be applied.
Our Center carries out the necessary work to comply with the provisions of the current legislation.
The Policy prepared by Bahçeci has entered into force on 15.10.2018. Policy is published on www.bahceci.com, the website of our Center, and transferred to Related Persons upon their request. KVK Board is responsible for the implementation of the policy throughout the Center. In the event of a change in the Policy, the effective date of the Policy and the relevant articles shall be updated accordingly. Update chart is in Annex-2.
4. OUR PRINCIPLES
Our Center processes the personal data within the framework of principles arranged in article 4 of KVKK.
a. Processing in Accordance with Law and Principle of Honesty
Our Center acts in accordance with the rule of honesty, KVKK and other relevant legislation in the processing of personal data. Personal data is in never collected and processed without the knowledge of the Related Person. Personal data are not used in a way that causes injustice against the Related Person or in a way to exceed the intended purposes of personal data. Personal data is processed in a measured and proportional manner with the purpose.
b. Ensuring that Personal Data is Accurate and Updated When Necessary
Our Center ensures that the personal data processed is accurate and up-to-date, taking into account the fundamental rights and the legitimate interests of the Related Persons. Our Center takes the necessary measures. In this context, the system has been established to ensure that the information about the Related Persons is correct and up-to-date.
c. Processing with Definite, Open and Legitimate Purposes
We process personal data for legitimate purposes in accordance with the honesty rule of our Center. In this respect, we are sensitive to the principle of certainty and clarity in the legal texts (open consent, disclosures, etc.) prepared within the context of the processing of personal data. Instead of the legal and technical terminology that can only be understood by experts, we prefer clear statements that can be understood by the Related Person. Thus, Related Persons can easily understand the reason of processing of their personal data. Our Center provides information to the Related Person during the processing of personal data about the purpose.
d. Being Associated, Limited and Proportional with the Processing Purposes
Our center only processes personal data with a specific and valid purpose, and does not process any personal data for purposes that are not available during the processing of personal data but are considered to occur in the future. For example, we do not use the personal data processed for the purpose of marketing at a later point of time and, if personal data is to be processed for different purposes, we inform Related Persons accordingly. In addition, personal data which are not within the intended purpose are not processed (eg, information on family members of the patient is not collected for marketing purposes).
e. Retaining the Information for the Period Foreseen in the Relevant Legislation and for the period required for purposes
Our Center maintains personal data only for the period specified in the relevant legislation or for the purpose for which they were processed. First of all, it is determined whether the relevant legislation foresees any period for the retaining of personal data. If such a period is specified, our Center acts in accordance with this period and in case of absence of any such period, our Center keeps the personal data for the time required for the purpose for which it was processed. In cases of expiration of the period or the removal of reasons for processing, the personal data is deleted, destroyed or anonymized by our Center. Personal data is not stored for any future requirements.
5. DATA SAFETY
In accordance with Article 12 of KVKK, our Center takes the necessary technical and administrative measures to ensure that the data is not subject to any unauthorized processing or access and it is protected at a safety level as required by Law.
In this context, in accordance with Article 12 of KVKK, the necessary audits are performed or made internally by the Company. The results of this audit are reported to the relevant department within the scope of the internal functioning of the Center and the necessary activities are carried out to improve the measures taken.
Our center has established and commissioned the system to inform the Related Person and KVK Board as soon as possible in cases where personal data is obtained in an unauthorized way by third persons. If deemed necessary by the KVK Board, this may be announced on the website of the KVK Board or by any other method.
The main technical and administrative measures taken to prevent unauthorized access to personal data, to prevent unlawful access to such data and to ensure the legal protection of personal data are as follows:
- Technological investments to ensure the security of personal data are planned by determining the costs of these investments.
- Personnel with required technical knowledge is employed.
- The technical measures taken are periodically reported to the relevant personnel by the internal audit mechanism, the risk bearing issues are reviewed and the necessary technological solutions are generated.
- Software and hardware including virus protection systems and firewalls are installed.
- Appropriate backup programs are used to ensure safe storage of personal data.
- Employees are informed and trained about the protection of personal data and processing of personal data in accordance with the law and about the precautions to prevent any illegal access. In the training, personnel are informed that they cannot disclose the personal data they have learned to third parties by acting against the provisions of Law No. 6698 and that they cannot use such data for any other purposes than the processing purposes and that this liability will last after they quit their job.
- Consultancy services was purchased from an international consultancy company for the analysis of data processed within the Center and for compliance with Law No. 6698; and the personal data accessed by work units are reviewed, and work was initiated regarding the cases where access is considered as unnecessary.
- All activities carried out by our center have been analyzed by taking all work units into consideration and as a result of this analysis, the activities carried out by related work units are reflected in a detailed and process based personal data inventory.
- Within the scope of this inventory, work was initiated throughout the Center in order to fulfill our legal obligations, documents in center were examined in terms of Law No. 6698 and necessary changes were made on these documents and missing documents were prepared.
- In-house policies were prepared to ensure the supervision of the above measures and the continuity of their implementation.
- In accordance with the legal requirements in the process-based inventory, access and authorization processes of personal data are designed and implemented within the Center.
- Regarding the contracts concluded with the persons whose personal data are transferred in accordance with the law by our Center (e.g. companies from which services are procured), new provisions are included in order to ensure that the third parties to whom the personal data is transferred will take the necessary safety precautions to protect the personal data and they will ensure that their organizations comply with these precautions.
- Before the personal data of our patients were processed, it has been ensured that they are informed in accordance with KVKK and their express consent is sought.
6. METHOD TO PROCESS PERSONAL DATA
Your personal data is collected within the limits and permission of relevant legislation and the agreements between you and our test tube baby centers, website, mobile or digital applications, social media, call center, patient interviews, SMS, support service organizations, including written / digital applications made to the website of our Center and other websites, and in cases where legally required, your consent is obtained, by means of accessing to the databases of various institutions and organizations in certain cases. Personal data can be processed through the social media accounts of our Center and you can be therefore contacted for the purposes of communication, providing information about our services, asking your questions and executing the marketing activities.
The personal data collected by the legal reasons mentioned above can be processed and transmitted within the scope of personal data processing conditions and purposes stated in the articles 5 and 6 of the Law no 6698.
In addition, your personal data can be processed with the cookies that are used in bahceci.com, which is the website of Bahceci.
In accordance with Article 10 of KVKK and the provisions of the Communique on Disclosure, our Center provides information to the Related Persons during the acquisition of personal data. In this context, our Center discloses the Related Person the identity of Bahçeci or any representative, the purpose of processing the data, how the processed data will be transferred and for what purposes, method of personal data collection and its legal reason in accordance with Article 11 of KVKK. Our Center informs the Related Persons about which Related Person groups’ personal data is processed, purposes of data processing of Related Persons and retaining periods in accordance with Article 10 of KVKK.
One of the terms of processing of personal data is the explicit consent of the Related Person. In cases where explicit consent is required, our Center provides the Related Person with the opportunity to express his/her explicit consent on a particular subject, on the basis of information and on free will.
As a rule, our Center receives explicit consent of the Relevant Persons in writing for the processing of personal data. However, in case of the existence of any of the personal data processing conditions referred to in Article 5/2 or Article 6/3 of KVKK, the explicit consent of the Related Persons is not sought. These conditions are explained in detail below.
a) In cases where clearly stated in laws
If the relevant activity related with the processing of personal data is clearly stipulated in the law, the personal data may be processed without the explicit consent of the Related Person.
(E.g. Documents requested from the Employee the creation of the personal file as stated in the Labor Law numbered 4857)
b) Not Obtaining the explicit consent of Related Person due to actual impracticability
In cases where processing of personal data by our Center is compulsory for the protection of Related Person or someone else’s life or body integrity and if the Related Person is unable to explain his/her consent due to the actual impracticability or legal invalidity, personal data may be process without explicit of related personnel.
(E.g. Sharing the blood group information of the employee subject to an accident with the workplace physician)
c) Being in direct relation with the establishment or execution of Contract
In cases where processing of personal data by our Center is necessary for the parties of the contract, provided that it is directly related and necessary to the establishment or performance of a contract, the personal data may be processed without the explicit consent of the Related Person.
(E.g. Registration of real person’s address information for delivery of a notification)
d) Center fulfilling its legal obligation
Personal data may be processed without the express consent of the Related Person if it is compulsory for our Center, which is the Data Officer, to fulfill its legal obligation.
(E.g.: Processing personal data of employees in order to arrange payrolls)
e) Related Person making his/her personal data Public
Personal data may be processed in a limited manner by our Center without the express consent of the Related Person, provided that personal data is publicized by the Related Person.
(E.g. To announce contact information in case of emergency)
f) Data processing being mandatory for the establishment, use or protection of a right
If the personal data processing is mandatory for the establishment, use or protection of a right, the personal data may be processed without the explicit consent of the Related Person.
(E.g. Retaining of personal data with the nature of proof – contract, invoice, etc. – which must be kept for the statutory limitation period and used if necessary)
g) Processing of personal data is compulsory for the legitimate interest of our Center
Personal data of the Related Person may be processed if data processing is required for the legitimate interests of our Center, provided that it does not harm the rights and freedoms of the Related Person.
(E.g. Processing of personal data related to employee performance in order to implement awards and bonuses that increase employee loyalty)
7. METHOD TO PROCESS SPECIAL QUALITY PERSONAL DATA
Article 6 of KVKK has arranged information such as race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costumes and attire, association, foundation or union membership, health, sexual life, criminal convictions and security measures with data related to biometric and genetic data as special quality personal data and subjected the processing of these data to more sensitive protection.
In accordance with Article 10 of KVKK, our Center provides information to the Related Persons during the acquisition of personal data. In this context, our Center discloses the Related Person the identity of Bahçeci or any representative, the purpose of processing the special quality data, how the processed special quality data will be transferred and for what purposes, method of special quality personal data collection and its legal reason in accordance with Article 11 of KVKK. Our Center informs the Related Persons about which Related Person groups’ special quality personal data is processed, purposes of special quality data processing of Related Persons and retaining periods in accordance with Article 10 of KVKK
Special quality personal data are processed by taking the necessary measures and performing the necessary inspections. As a rule, one of the processing conditions of special quality personal data is the explicit consent of the Related Person. Our Center provides the opportunity to express their explicit consent to the Related Persons on a specific issue, based on information and on free will.
As a rule, our center obtains the explicit consent of the Related Persons in writing for the processing of special quality personal data. However, in case of the existence of any of the conditions referred to in Article 5/2 or Article 6/3 of KVKK, the explicit consent of the Related Persons is not sought. In addition to that, Article 6/3 of KVKK arranges that in order to protect the public health, to carry out the services such as preventive medicine, medical diagnosis, treatment and care, to plan the financing and health services and management of those; personal data related with health and sexual life can be processed by individuals under confidentiality obligation and authorized institutions. Since our center is a medical treatment center within this scope; while we treat our patients’ personal health data that is required for treatment, we do not seek the explicit consent from them at each time that we process their personal data.
8. OUR PURPOSES FOR PROCESSING OF PERSONAL DATA
Our center processes the personal data for carrying out the necessary work by our business units and carrying out the related business processes, providing legal, technical and commercial-work security of the Relevant Persons who are in business relationship with our Center, planning and execution of the Center’s commercial and/or business strategies, to carry out the relevant business processes to benefit the Relevant Persons from the services provided by our Center and planning and execution of human resources policies. Following purposes are part of this Policy:
- Planning and execution of recruitment and dismissal processes of Company employees and management of human resources and personal processes,
- Planning and execution of sub-employer personnel processes,
- Planning of call center processes and realization of necessary organization,
- Planning and execution of contact information,
- Execution of occupational health and safety processes,
- Submitting bids regarding our services, campaign processes, market research activities
- Management of patient satisfaction processes,
- Planning and realization of personalized sales and marketing activities,
- Ensuring that our activities are carried out in accordance with the procedures of our center or the relevant legislation,
- Performing the financial processes, financial research and risk management regarding the services received from our Center; planning and execution of these financial risk processes,
- Planning, auditing and execution of corporate sustainability, corporate governance, strategic planning and information security processes; ensuring business continuity, execution of administrative procedures
- Execution of the business with our business partners in the sectors that vary according to the needs and management of relations,
- Maintaining intra-system and application management operations,
- Management of the processes executed with our suppliers and business partners,
- Planning and execution of communication with our patients and potential patients,
- Planning and execution of patient records and medical treatment plans, organization of information and appointments,
- Carrying out of private health insurance transactions for the financing and planning of health services,
- Initiating and execution of treatment processes,
- Fulfillment of legal obligations arising from the legislation,
- Sharing medical data and medical reports on the patient’s history with the relevant parties upon request,
- Management of processes at public institutions such as Ministry of Health, Civil Registry, SSI,
- Execution of services on protection of public health, preventive medicine, medical diagnosis, treatment and care,
- Ensuring communication with Bahçeci centers abroad, carrying out necessary activities,
- Conducting analysis for the purpose of improving the health services,
- Monitoring and prevention of abuse and unauthorized transactions.
In accordance with the above objectives, a large part of the activities and processes carried out by our Center are within the articles 5/2 and 6/3 of KVKK and therefore the explicit consent of Related Persons is not required. However, in the event that the activities or processes are not within this scope, the explicit consent of the Related Persons is sought.
9. TRANSFER OF PERSONAL DATA
Your personal data will be shared with the third parties mentioned below to the extent necessary to achieve the above-mentioned objectives and fulfill the obligations arising from the law; our suppliers, business partners (software companies that provide technical support, company providing ultrasound device services, medical diagnostic and diagnostic services such as software, etc.), Ministry of Health, affiliated units and family practice centers, private insurance companies (health, retirement and life insurance), Social Security Institution, Security General Directorate and other law enforcement agencies, General Directorate of the Census and other relevant governmental agencies and organizations, Turkey Pharmacists Association, courts, laboratories in Turkey or abroad collaborated with for medical diagnosis, medical centers and third parties providing health services, the healthcare provider to which the patient is referred or the patient applied by himself/herself, the representatives authorized by you, third parties, regulatory and supervisory agencies and governmental agencies, domestic or foreign systems and / or the Group of Companies to which our medical center is affiliated, including the institutions, lawyers, tax consultants and auditors you are working with, and the companies within enterprise.
In addition, Bahçeci uses cloud technology as a requirement of the data economy and the technical details of its activities are transferred obtained personal datas to abroad.
Personal Data can be stored and retained, classified for medical research and reasons, financial and operational processes and marketing activities, updated in different periods, and to the extent permitted bu legislation, within the framework of laws and confidentiality principles required by the service, they may be transferred to third persons and/or suppliers and/or service providers and/or our domestic and foreign shareholders; and in accordance with the policies we are bound by, they may be transmitted, stored and reported in electronic or paper environment for reporting purposes. They may also be transferred within the data processing terms and purposes stated in Article 8 and 9 of KVKK on transfer of personal data and transfer of such data abroad.
In the event that the requirements of Article 5/2 and Article 6/3 of KVKK are met, our Center may transfer the personal data and special quality personal data without the explicit consent of the Related Person and by taking adequate measures foreseen by the KVK Board.
10. TRANSFEREES OF PERSONAL DATA AND PURPOSES OF TRANSFER
According to the Law on Protection of Personal Data (KVKK), our Center informs Relevant Persons about the transferees of personal data. Transferees, the scope of such persons and transfer purposes are explained below.
|TRANSFEREE PERSON AND INSTITUTIONS||DEFINITION||PURPOSE OF TRANSFER|
|Business Partner||A business partner is a party with which our center establishes partnership for various purposes such as the sales, promotion and marketing of and after-sales support for the services of our Center,||Up to a degree in order to perform the purposes of business partnership|
|Patient||A patient is a person who receives medical service from our Center.||Up to a degree in order to provide medical services for our patients.|
|Supplier||A supplier is a party which permanently provides service for our Center during our Center’s commercial activities according to the orders and instructions of our Center.||Up to a degree in order to supply the necessary services in order for our Center to perform medical diagnosis and treatment activities which our Center procures externally from a supplier|
|Legally Authorized State Institutions and Organizations||They are state institutions and organizations which are authorized to request information and certificates from our Center according to the provisions of relevant legislation.||Up to a degree requested by the relevant state institutions and organizations according to the legal authority|
|Legally Authorized Private Entities||They are private entities which are authorized to request information and certificates from our Center according to the provisions of relevant legislation.||Up to a degree requested by the relevant private entities according to their legal authority (For example; Occupational Health and Safety Center)|
11. PRESERVATION TERM OF PERSONAL DATA
Our Center preserves personal data and special quality personal data according to a limited period of time as specified by KVKK or other regulations.
If the relevant regulation does not specify a period of time during which personal data can be preserved, personal data is preserved for a period of time determined according to the following criteria and subsequently eliminated.
- The period accepted as a general practice in the sector in which a data controller performs activities for the processing of relevant data category,
- The period maintained by the legal relationship established with a relevant person which requires the processing of personal data pertaining to a relevant data category,
- The period during which the legitimate interests of a data controller apply for the processing of a relevant category of data in compliance with the provisions of law and good faith,
- The period during which the risks, costs and responsibilities of data preservation legally continues according to the processing purpose of a relevant category of data,
- Convenience of keeping a relevant category of data as accurate and, if necessary, updated for a maximum period of time to be determined,
- The period during which a data controller is obliged to preserve the personal data of a relevant category of data according to legal liability,
- Period of limitation determined for data controller’s claim of a right as regards to the personal data of a relevant category of data
If the processing purpose of personal data expires and the preservation time specified by the relevant regulation and the Center terminates, personal data can be preserved only in order to serve as a proof in possible legal disputes and to claim a right or make a defense in relation to personal data. The periods of preservation are determined based on the limitation periods for claiming the rights specified and, if limitation periods expire, on the examples of previous claims against our Center on similar subjects. In such case, personal data is not accessed for any other purpose and is only used when personal data is required for use in a relevant legal dispute. After such period is over, personal data is deleted, eliminated or anonymized.
12. CATEGORIZATION OF PERSONAL DATA
At our Center, personal data is processed under the following categories described in the table.
|PERSONAL DATA CATEGORY||EXPLANATION|
|Credentials||All the information on a certificate such as Driver’s License, Identity Card, Certificate of Residence, Passport, Attorney’s ID and Marriage Certificate.|
|Contact Information||Information such as telephone number, address, e-mail and social media account|
|Patient Information||Health information obtained or produced about a relevant person in consequence of the operations of our departments according to treatment services|
|Family and Relative Information||Information about a Relevant Person’s family members and relatives obtained in order to protect the legal interests of employees|
|Process Security Information||Personal data processed in order to ensure the protection of our technical, administrational, legal and commercial security while performing our commercial activities|
|Risk Management Information||The personal data processed with widely accepted legal and commercial practices and in good faith in order for us to be able to manage all technical and administrational risks|
|Personnel Information||Any type of personal data processed for obtaining information which serves as a base for the personal rights of real persons who have a working relationship with our Center or who are our employees|
|Employee Candidate Information||The processed personal data about the persons who applied to be employees of our Center or who are evaluated as employee candidate to meet the requirement of the human resources of our Center according to commercial practices and good faith or who are in working relationship with our Center|
|Fringe Benefits and Interests Information</td>||The personal data processed for planning the fringe benefits and interests provided or to be provided to the employees or other real persons who are in working relationship with our Center, for determining the objective criteria for gaining right to these rights and benefits and monitoring the progress for such.|
|Legal Procedure and Compliance Information||The personal data processed for the determination, monitoring and performance of our legal rights and liabilities and for compliance with the legal liabilities and policies of our Center|
|Audit and Inspection Information||The personal data processed for compliance with the legal liabilities and policies of our Center|
|Special Quality Personal Data||The data specified in article 6 of KVKK|
|Request and Complaint Management Information||The personal data for receiving and evaluating any request or complaint addressed to our Center|
|Incident Management Information||The information and evaluations about the incidents which potentially may affect our Center, employees and shareholders|
|Visual/Audio Information||The information in the copies of documents that contain photograph and camera records, audio records and personal data|
13. CATEGORIZATION OF RELEVANT PERSONS
Our Center processes the personal data of the Relevant Person categories specified below and the implementation of the Policy is limited to the Relevant Persons. The explanations of these persons are given in the following table.
The categories of the Relevant Persons are limited as specified above. The persons that do not belong to such categories can address their requests to our Center according to KVKK. These requests will also be evaluated in compliance with the Policy.
|Relevant Person Category||Explanation|
|Patient||Real persons who have treatment service at our Center|
|Potential Patient||Real persons who requested our services or the persons who are evaluated to comply with practice rules and good faith to get our services|
|Visitor||Real persons who gained access to the physical facilities of our Center or of an organization or who visited our website|
|Third Party||Third party real persons related with the foregoing persons in order to ensure commercial procedure safety among the above persons or to protect their aforementioned rights and to obtain benefits (For example; guarantor, family members and relatives) or all real persons whose information are to be processed by our Center due to any purpose|
|Employee Candidate||Real persons who applied through any method to work at our Center or whose resume and relevant information are opened to the assessment of our Center|
|Group Center Employee||The representatives and employees of the group Centers of our Center which are abroad|
|Center Official||Real persons who are authorized by our Center or the board of directors of Center (for example; authorized signatories)|
|The Employees, Shareholders and Authorized Persons of the Institution with which We Collaborate||Real persons including the employees, shareholders and authorized persons of the institutions with which we are in a working relationship of any kind (including but not limited to business partner, supplier etc.)|
14. PERSONAL DATA PROCESSING ACTIVITIES PERFORMED AT BAHCECI OFFICES
We avail of security cameras in order to ensure the security of our Center. Our Center performs personal data processing activities by using security cameras and recording visitor entries and exits.
Our Center intends to improve the quality of the provided service, ensure reliability, protect the life and property of our Center, a Relevant Person or other persons, prevent exploitation and protect the legitimate interests of these persons by monitoring with security cameras.
The personal data processing activities performed by monitoring with security cameras at our centers are carried out in compliance with the Constitution, KVKK and other relevant regulations.
As per KVKK article 4, our Center processes personal data in a limited and moderate way and according to a purpose. The areas which are accepted as the violation of personal privacy and which exceed security purposes (for example; restrooms) are not monitored. Relevant Persons are informed about the personal data processing activities specified above. However, their consents are not required for the Center has legitimate interests.
As per KVKK article 12, our Center takes necessary technical and administrational measures in order to ensure the security of the personal data acquired as a result of the monitoring activities with cameras.
15. PRESERVATION OF INTERNET ACCESS DATA ACQUIRED BY INTERNET SUPPLY TO THE VISITORS OF BAHCECI OFFICES
Visitors can access to internet during their visits to our buildings and centers according to the safety rules of our Center and the purposes specified in the Policy. In this sense, the log data of your internet access is preserved according to the compulsory provisions of Law no. 5651 and the regulations issued thereto. However, these data are processed only if they are required by authorized public institutions and organizations and in order to perform our legal liabilities concerning the auditory processes in the Center.
In this context, the log data can only be reached by a limited number of Bahceci employees. The employees of the Center who can access to such data can view them only upon the request of authorized public institutions and organizations or if auditory processes are in question, and share them only with legally authorized persons.
16. DELETION, ELIMINATION AND ANONYMIZATION OF PERSONAL DATA
a) The liability of Bahceci to delete, eliminate and anonymize personal data
As per Turkish Criminal Law article 138, KVKK article 7 and the Regulation on the Deletion, Elimination and Anonymization of Personal Data article 7, personal data is deleted, eliminated or anonymized upon the request of a Relevant Person or upon the decision of our Center provided that the reasons that require processing are also eliminated even though processed according to the provisions of relevant laws. The deletion, elimination and anonymization terms given in the Policy are used according to the definitions provided in the Regulation on the Deletion, Elimination and Anonymization of Personal Data. In this sense, a Personal Data Preservation and Elimination Policy is prepared.
In case our Center has a right and/or is liable to preserve personal data as per KVKK article 5/2, the Center preserves its right to deny the elimination request of a Relevant Person.
b) The deletion, elimination and anonymization techniques for personal data
• The Deletion and Elimination Techniques for Personal Data
The principles and procedures of the deletion and elimination techniques for personal data by Bahceci are as follows:
– Physical Elimination: Personal data can also be processed manually on condition that such data is a part of any data recording system. Physical elimination is applied during deleting/eliminating such data. This process does not allow data to be used at a further time.
– Secure Deletion from Software: This method avails of techniques which deletes data irrevocably from a relevant software while deleting/eliminating automatically (partly or in whole) processed and preserved data from digital media.
– Secure Deletion by an Expert: In some cases, a Relevant Person may agree with an expert to have personal data deleted. In this case, personal data is securely deleted/eliminated irrevocably by an expert.
– Blanking: This is a method that renders personal data physically unreadable.
During the foregoing processes, Bahceci ensures full compliance with KVKK, secondary regulations and other relevant regulations and takes all necessary administrational and technical measures in order to provide data security.
• Anonymization Techniques for Personal Data
Personal data anonymization means that personal data is rendered non-relatable with an identified or identifiable real person under no circumstances even though associated with other data. Our Center may anonymize personal data when the reasons which require the legal processing of personal data are no longer applicable.
As per KVKK article 28, anonymized personal data can be used for research, planning and statistical purposes. This type of processing is out of the scope of KVKK and the consent of a Relevant Person is not required for such personal data.
The mostly practiced anonymization techniques applied by our Center are as follows:
Masking defines rendering a person unidentifiable by deleting or using asterisks instead of certain information.
For example If asterisks are used instead of a Relevant Person’s credit card number, it means masking is used.
Aggregation means cumulating data and reflecting total values.
For example If the total numbers of female and male employees at the Center defined as 40% and 60%, it means aggregation.
– Data Derivation
Data derivation means the conversion of detailed data to general corresponding information.
For example Anonymization by data derivation is of question when the age of a person is given instead of day/month/year details of date of birth.
– Data Blending
Data blending is the elimination of identifiability of persons by blending values in a data cluster without interrupting total utility.
For example Data blending is of question when the values that refer to the ages of employees are interchanged in a workplace of which age average is required.
17. THE RIGHTS OF RELEVANT PERSONS
As per KVKK article 10, our Center informs Relevant Persons about their rights and guides them about the use thereto. The Center conducts necessary channels, in-house processes and administrational and technical regulations in compliance with KVKK article 13 in order for Relevant Persons to execute their rights and to inform Relevant Persons about necessary information.
a) The Rights of Relevant Persons
Relevant Persons have the following rights:
- Learning whether their personal data is processed,
- Requesting information about the matter if their personal data is processed,
- Learning the purpose of processing personal data and whether such is used in parallelism with the purposes,
- Learning the third persons to whom personal data is transferred whether at home or abroad,
- Requesting correction if personal data is processed as incomplete or inaccurately and requesting transferee third parties to be informed about the procedure carried out such,
- Requesting the deletion or elimination of personal data even though processed in compliance with the provisions of KVKK and other relevant laws provided that the reasons that require processing are also eliminated, and requesting transferee third parties to be informed about the procedure carried out such,
- Objecting in case a condition arises to the detriment of a relevant person due to the analysis of processed data only by automatic systems,
- Requesting indemnification in case a relevant person incurs damage due to illegal processing of personal data.
Relevant Persons can submit their requests concerning their rights under KVKK article 11 to our Center free-of-charge using the following method:
1) Personal delivery by filling the form on bahceci.com, signing manually and delivering it to Bahceci Saglik Hizmetleri A.S. Mahir Iz Cad. No:31 Kat:2-3 Altunizade/Istanbul.
2) Delivery via notary office by filling the form on bahceci.com , signing manually and delivering it to Bahceci Saglik Hizmetleri A.S. Mahir Iz Cad. No:31 Kat:2-3 Altunizade/Istanbul.
3) Delivery by e-mail to firstname.lastname@example.org after filling the form on bahceci.com and signing it with your “secure electronic signature” as per Law no. 5070 on Electronic Signatures.
Third parties cannot execute information acquiring rights under KVKK article 11 on behalf of Relevant Persons. In order for a Relevant Person to request information about personal data on behalf of a person other than himself/herself, such person should submit a manually signed and notarized special power of attorney issued by Relevant Person for the applicant.
In case the procedure requested by Relevant Persons necessitates an expense, our Center will collect the price according to the tariff agreed by KVK Board. The payment method of such price will be indicated in the Application Form. Application will not be taken into consideration if the price is not deposited as specified.
b) The Right of Relevant Persons to Complain to KVK Board
Relevant Persons can address their complaints to KVK Board under KVKK article 14 within thirty days as of learning the response of our Center in case their applications are rejected, responses are found insufficient or the application are not answered in a timely manner. However, they can address their complaints to KVK Board within sixty days in any case.
18. RESPONSE BY BAHCECI TO APPLICATIONS
In case Relevant Persons submit their requests to our Center, the Center will respond to the requests as soon as possible or within thirty days at latest according to the content of application.
The Center may request information/documents from a Relevant Person in order to determine whether applicant is Relevant Person. Our Center may address a question about application to Relevant Person in order to clarify the matters specified in Relevant Person’s application.
An applicant’s application may be rejected based on the following conditions:
- Processing of personal data for research, planning and statistics by anonymizing them with official statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or for freedom of expression on condition that such do not constitute a crime or breach national defense, national security, public security, public order, economic security, right of privacy or personal rights.
- Processing of personal data for preventive, protective or informative activities by public institutions and organizations authorized or assigned by laws in order to ensure national defense, national security, public security, public order or economic security.
- Processing of personal data by jurisdiction or execution authorities for investigation, judging, or execution practices.
- Necessity of personal data processing for preventing or investigating a crime.
- Processing of personal data that are made public by a Relevant Person.
- Necessity of personal data processing by assigned and authorized public institutions and organizations and public organizations of professions for supervision, regulation and disciplinary proceeding and prosecution purposes based on the authority granted by laws.
- Necessity of personal data processing in order to protect the economic and financial interests of the State in relation to budgetary, taxational and financial matters.
- Possibility of prevention of other persons’ rights and freedom by a Relevant Person’s request.
- Relevant Person’s requests which require disproportionate attempt.
- Requesting publicly known information.
19. THE RELATION OF THE POLICY WITH OTHER CORPORATE DOCUMENTS
The Policy is the fundamental regulation referring to the processing of personal data at our Center. The Policy was prepared to be implemented in compliance with other policies, procedures and processes issued with similar purposes. The provisions of the Policy shall prevail for personal data processing in case no controversy arises between the Policy and other policies and procedures issued for personal data processing.
Bahçeci Sağlık Hizmetleri A.Ş.
Mahir İz Cad. No:31 Kat:2-3 Altunizade/Istanbul
Trade Registration No: 370646-0
|Communique on Disclosure||Communique on the Principles and Procedures to be Complied in Performing Disclosure Liability as published in Official Gazette no. 30356 dated March 10, 2018.|
|The Constitution||The Constitution of the Republic of Turkey no. 2709 dated November 7, 1982 as published in the Official Gazette no. 17863 dated November 9, 1982.|
|Relevant Person(s)||Relevant Person(s) are the real person(s) whose personal data is processed. These person(s) may include but not limited to the patients of Bahceci or of the Centers/participations of Bahceci, commercially related employees, patients, business partners, shareholders, authorized officers, candidate employees, internees, visitors, suppliers and third parties and the employees of other institutions which collaborate with Bahceci.|
|The Regulation on the Deletion, Elimination and Anonymization of Personal Data||The Regulation on the Deletion, Elimination and Anonymization of Personal Data as published in Official Gazette no. 30224 dated October 28, 2017 and entered into force on January 1, 2018.|
|KVKK||Law on Protection of Personal Data as entered into force having been published in Official Gazette no. 29677 dated April 7, 2016|
|KVK Board||Board of Protection of Personal Data|
|KVK Institution||Institution of Protection of Personal Data|
|Policy||Bahceci Saglik Hizmetleri A.S. Policy for the Privacy and Protection of Personal Data|
|Head Office/Bahceci||Bahceci Saglik Hizmetleri A.S.|
|Turkish Criminal Law||Turkish Criminal Law no. 5237 dated September 26, 2004 as published in the Official Gazette no. 25611 dated October 12, 2004|
ANNEX – 2 UPDATE TABLE
The policy is available with the first updated version. No revision has been made.