Special Personal Data Processing Policy
1. PURPOSE AND SCOPE OF THE POLICY
Data controller title: Assoc. Dr. Ata Can
Data controller address: İnönü, Nizamiye Cd. No:9 D:No:1, 34373 Şişli/Istanbul
Data controller phone : 0536 576 66 66
Data controller e-mail: atababay@yahoo.com
Data controller website: https://dratacan.com/
The data controller acts extremely sensitively in terms of protecting the sensitive personal data it processes.
This policy applies to the special categories of personal data obtained, as stated in paragraph (4) of Article 6 of the Law: "In the processing of special categories of personal data, it is also essential to take adequate measures determined by the Board." It has been prepared to explain the security measures taken pursuant to the provision and to determine the procedures and principles in this context.
2. DEFINITIONS
Among the legal and technical terms included in this Policy;
Explicit Consent | Consent regarding a specific subject, based on information and expressed with free will, |
Law | Personal Data Protection Law No. 6698 dated 24.3.2016, |
recording media | Any environment containing personal data processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system, |
Special Personal Data | Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data, |
Personal Data
Processing |
Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any action performed on data such as blocking, |
Board | Personal Data Protection Board, |
Related person | The real person whose personal data is processed, |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system, |
expresses
3. PROCESSING OF SPECIAL PERSONAL DATA
3.1 Basic Principles Followed in the Processing of Special Personal Data
Special personal data are processed by taking all necessary administrative and technical measures in accordance with the Law and the principles specified in this Policy. In this context, special personal data;
- It will be processed in accordance with the law and the rule of honesty,
- It will be ensured that personal data is accurate and up-to-date when necessary,
- It will be processed for specific, clear and legitimate purposes,
- They will be used and disclosed in a limited and measured manner in connection with the legal purpose for which they are processed,
- They will be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
3.2 Processing of Special Personal Data
- Personal health data of patients are processed by our physicians who are under the obligation of confidentiality for the purpose of carrying out medical diagnosis, treatment and care services, health services and management in accordance with Article 6/3 of KVKK. These special personal health data are processed electronically and physically by personnel who are regularly given awareness training on KVKK and employed with a confidentiality agreement.
- Health reports obtained from personnel pursuant to the Occupational Health and Safety Law are processed in accordance with KVKK legislation.
- The criminal record records of our healthcare professionals are processed based on the legal reason that it is clearly stipulated in the law for personnel employment certificate transactions.
- The criminal record records of those who have not been issued a personnel employment certificate are informed and processed physically and electronically with their express consent based on their free will.
- The clothing data of healthcare professionals working within our organization are processed based on the legal reason that it is clearly stipulated in the Laws specified in Article 6 of the Law.
- Health, criminal conviction and security precaution data are obtained from personnel candidates with explicit consent, and the data of those whose job applications are rejected are immediately deleted.
4. PURPOSES OF PROCESSING SPECIAL PERSONAL DATA
The Center processes personal data for the purposes listed below, in accordance with the basic principles set out in Article 4 of the Law, and based on at least one of the conditions for processing special personal data specified in Article 6 of the Law.
- Conducting Emergency Management Processes
- Carrying out the application processes of employee candidates
- Fulfillment of Employment Contract and Legislation Obligations for Employees
- Execution of Fringe Benefits and Benefits Processes for Employees
- Conducting Activities in Compliance with Legislation
- Follow-up and Execution of Legal Affairs
- Planning Human Resources Processes
- Carrying out Occupational Health / Safety Activities
- Carrying out the Operational Processes of the Service
- Carrying out storage and archive activities
- Execution of Contract Processes
- Ensuring the Security of Movable Goods and Resources
- Ensuring the Security of Data Controller Operations
- Providing Information to Authorized Persons, Institutions and Organizations
- Protection of public health, provision of medical diagnosis, treatment and care services
5. TRANSFER OF SPECIAL PERSONAL DATASI
5.1 Domestic Transfer
- Personal health data of patients may be transferred to the third parties listed below.
- In case of a legal dispute, upon request, to judicial authorities and party lawyers, limited to the requested personal data.
- Identity and health information is transferred to the E-Nabız system in accordance with the Health Services Basic Law.
- Identity, health and insurance information of those who receive service within the scope of private insurance are provided to private insurance companies.
- Personal health data of the personnel are transferred to the third parties listed below.
- In case of a legal dispute, upon request, to judicial authorities and party lawyers, limited to the requested personal data.
- Identity, contact, health, photograph, diploma and criminal conviction data are submitted to the district/provincial health directorate for the purpose of applying for a personnel work certificate.
- To the software company that is the developer of workplace computer programs for archiving purposes.
- Personal health, criminal conviction and security measures data obtained from job applicants with explicit consent are immediately deleted and destroyed if the job application is rejected.
5.2 Transfer Abroad
Processed sensitive personal data is not transferred abroad.
6. MEASURES TAKEN FOR THE PROTECTION OF SPECIAL PERSONAL DATA
7.1 Security Measures Taken
1– Our center has determined a systematic, clearly defined, manageable and sustainable separate policy and procedure for the security of special personal data,
2-For employees involved in the processing of special personal data,
- a) Regular training is provided on the law and related regulations and special personal data security,
- b) Confidentiality agreements have been made,
- c) The authorization scope and duration of users who have access to data are clearly defined,
- d) Authorization checks are carried out periodically,
- e) The authorizations of employees who change their duties or leave their jobs in this area are immediately removed. In this context, the inventory allocated to the employee who left the job is returned,
3– If the environments where sensitive personal data are processed, stored and/or accessed are electronic media;
Security updates for the environments where data is stored are constantly monitored, necessary security tests are performed regularly and test results are recorded.
4– The physical environment where sensitive personal data is processed, stored and accessed;
- a) Adequate security measures have been taken (against situations such as electricity leakage, fire, flood, theft, etc.) depending on the nature of the environment where sensitive personal data is stored,
- b) Physical security of these environments is ensured and unauthorized entries and exits are prevented,
5– If special personal data will be transferred;
- a) If the data must be transferred via e-mail, it is transferred encrypted using the corporate e-mail address or Registered Electronic Mail (KEP) account.
- b) If data must be transferred via paper, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in the format of "confidential documents".
Also Administrative and Technical Measures Taken
Administrative Measures
- Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
- The signed contracts contain data security provisions.
- Personal data is reduced as much as possible.
- Internal Periodic and/or Random Audits are carried out or are carried out.
- Risk Analyzes are made and reported.
- KVKK provisions are added to texts such as employment contracts and disciplinary regulations.
- Personal data security is monitored.
- Confidentiality agreements are made with the recipient groups to whom data is transferred.
- Personal Data Processing Inventory has been prepared.
- Deletion, destruction or anonymization operations are carried out periodically.
Technical Measures
- Network security and application security are ensured.
- Security measures are taken within the scope of information technology systems supply, development and maintenance.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- User account management and authorization control system is implemented and these are also monitored.
7 RIGHTS OF RELATED PERSONS AND THE USE OF THESE RIGHTS
7.2 Rights of Relevant Persons
- Learning whether personal data is processed or not,
- Requesting information if personal data has been processed,
- Learning the purpose of processing personal data and whether they are used for their intended purpose,
- Requesting correction of personal data in case personal data has been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
- Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the law and other relevant legal provisions, and requesting that the action taken in this context be notified to third parties to whom the personal data has been transferred,
- Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
- Request compensation for damage in case of damage due to unlawful processing of personal data.
7.3 Exercising the Rights of the Relevant Person
Personal data owners,
- From our clinic whose address is written above.
- From our website mentioned above
what they will acquire Data Owner Application FormYou must fill in the form and send it with a wet signature, by hand, by mail or through a notary, to the address of the data controller specified above, or to our e-mail address above, via your e-mail address that you have previously notified us and registered in our system.
7.4 Responding to Applications
If the relevant person submits his request regarding the rights listed above and mentioned in Article 11 of the Law to us in accordance with the procedure, the relevant request will be finalized free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
8 COORDINATION OF PERSONAL DATA PROTECTION AND PROCESSING PROCESSES
The coordination of the processing and protection of special personal data is carried out by the company manager or the personnel assigned by him.
9 UPDATES TO THE POLICY
Changes may be made to this Policy on the Processing of Special Personal Data due to changes in legislation, in accordance with the Board decisions or in line with developments in the sector or the field of informatics. Changes made in this context are immediately recorded in the text and explanations regarding the changes are added to the updates table below.
Updates Table
…………………………………. | The Processing and Protection of Special Personal Data Policy has entered into force. |