OP. DR. SEDAT CÖMERT CLINIC – POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

1. INTRODUCTION

OP. DR. SEDAT CÖMERT Clinic (“OP. DR. SEDAT CÖMERT”) attaches great importance to safeguarding fundamental rights and freedoms—primarily the right to privacy guaranteed by Article 20 of the Constitution—in the protection and processing of personal data. In this context, the Clinic acts in full compliance with the Turkish Personal Data Protection Law No. 6698 (“KVKK”) and the EU General Data Protection Regulation (“GDPR”) in all planning and activities concerning the lawful protection and processing of personal data.

Ensuring the security of personal data is a priority for OP. DR. SEDAT CÖMERT. Therefore, the Clinic implements administrative and technical security measures in line with applicable legislation to ensure secure processing and to prevent unauthorised access or data leakage.

1.1 PURPOSE OF THE POLICY

The purpose of this Policy on the Protection and Processing of Personal Data (“Policy”) is to inform data subjects about the obligations of OP. DR. SEDAT CÖMERT and the procedures and principles to be followed in protecting and processing personal data processed fully or partially by automatic means, or non-automatically provided that they form part of a data filing system, in line with the aims of the KVKK and GDPR. The goal is to ensure full compliance with legislation and to protect the privacy and data security rights of data subjects.

1.2 SCOPE OF THE POLICY

This Policy applies to natural persons only—namely clients/patients, employees, employee candidates and visitors. Publishing this Policy on the Clinic’s website aims to inform data subjects about data protection and processing practices and data security. The Policy does not apply to legal entities, regardless of capacity.

The Policy applies where the Clinic processes the personal data of the above data subjects by fully/partially automated means or non-automated means forming part of a filing system. If data do not qualify as “personal data” within this scope, or if processing does not occur in the aforementioned ways, the Policy will not apply.

1.3 DEFINITIONS

The following terms shall have the meanings given below:

  • Explicit Consent: Consent based on information and declared freely for a specific matter.
  • Information (Transparency) Obligation: The obligation of the data controller to inform data subjects about who processes their data, for what purposes and legal bases, and to whom and for what purposes data may be transferred.
  • Relevant User: Persons who process personal data within the controller’s organisation or under its authority/instructions, excluding those responsible solely for technical storage, protection and backup.
  • Destruction: Deletion, destruction or anonymisation of personal data.
  • Processing of Personal Data: Any operation performed on personal data (automatic or part of a filing system), such as collection, recording, storage, retention, alteration, reorganisation, disclosure, transfer, acquisition, making available, classification, or prevention of use.
  • PDP Board: The Personal Data Protection Board.
  • Data Subject: Patients, clients, employees, employee candidates and visitors whose personal data (including special categories) are processed.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Authority/Supervisory Body: The Personal Data Protection Authority composed of the Board and the Presidency.
  • Automatic Data Processing: Processing carried out by processor-equipped devices through software/hardware, automatically according to predefined algorithms without human intervention.
  • Special Categories of Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, association/foundation/union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
  • Registry: Data Controllers’ Registry.
  • OP. DR. SEDAT CÖMERT: OP. DR. SEDAT CÖMERT Clinic.
  • Data Processor: A natural or legal person who processes personal data on behalf of the controller based on its authorisation.
  • Data Filing System: A recording system in which personal data are processed by being structured according to specific criteria.
  • Data Category: A class of personal data belonging to the group(s) of data subjects, grouped by common features.
  • Group of Data Subjects: The relevant group whose personal data are processed by the controller.
  • Data Controller: The natural or legal person who determines the purposes and means of processing and is responsible for establishing and managing the filing system.

1.4 ENTRY INTO FORCE

The principles of this Policy, issued by OP. DR. SEDAT CÖMERT and effective as of 01.04.2021, are published on the Clinic’s corporate websites for access by data subjects.

2. PROTECTION OF PERSONAL DATA

2.1 SECURITY OF PERSONAL DATA

In accordance with the KVKK and GDPR, OP. DR. SEDAT CÖMERT takes all necessary administrative and technical measures to ensure an appropriate level of security to securely store personal data and prevent unlawful processing and access. Administrative and technical measures regarding data security are detailed in the Clinic’s Personal Data Retention and Destruction Policy.

2.2 AUDIT

To ensure and maintain data security and the continuity of adopted measures, OP. DR. SEDAT CÖMERT conducts or commissions necessary audits. Technical measures are audited by authorised persons at six-month intervals; administrative measures are audited by authorised personnel.

2.3 CONFIDENTIALITY

Administrative and technical measures are taken to prevent data processors from disclosing personal data to others contrary to the KVKK, GDPR and this Policy, or using them for purposes other than processing. Staff receive information and training on the KVKK, GDPR and the Policy; confidentiality agreements are executed during hiring. Policies are notified to external service providers and processors, and confidentiality undertakings are obtained.

2.4 UNAUTHORISED DISCLOSURE / DATA BREACH

If personal data processed by OP. DR. SEDAT CÖMERT are obtained by others unlawfully, the Clinic carries out the necessary actions to notify the data subjects and the PDP Board within the time limits set by the Board (72 hours from becoming aware of the breach under the Board’s decision, and likewise under GDPR Article 33 for notification to the supervisory authority). Where deemed necessary, the Board may make a public announcement on its website or by another method.

2.5 OBSERVANCE OF DATA SUBJECTS’ LEGAL RIGHTS

The Clinic respects all legal rights of data subjects concerning the implementation of this Policy and the Law and takes necessary measures to protect these rights.

2.6 PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Recognising that disclosure of such data could cause victimisation or discrimination, the Clinic applies the measures determined by the Board with due care and operates a separate, systematic and sustainable policy titled “Security Policy for Special Categories of Personal Data.”

3. PROCESSING AND TRANSFER OF PERSONAL DATA

3.1 GENERAL PRINCIPLES IN PROCESSING AND TRANSFER

Personal data are processed by OP. DR. SEDAT CÖMERT in accordance with the KVKK, GDPR and the procedures and principles envisaged in this Policy. The following principles apply:

a) Lawfulness, fairness and transparency: Processing is carried out in accordance with legislation and good faith, considering the interests and reasonable expectations of data subjects, and fulfilling information/warning obligations.

b) Accuracy and up-to-dateness: Data are kept accurate and up to date; sources are identifiable; updates are assessed; channels for updates remain open.

c) Specific, explicit and legitimate purposes: Processing purposes are clearly defined and limited to lawful purposes connected with the healthcare services.

d) Relevance, limitation and proportionality: Only data necessary to achieve the purpose are processed; unnecessary processing is avoided.

e) Retention limited to legal or necessary periods: Data are retained for statutory periods or only as long as necessary for the purpose; afterwards, they are deleted, destroyed or anonymised under the Retention and Destruction Policy.

f) Integrity and confidentiality: Appropriate security measures protect against loss, damage or unauthorised access.

g) Accountability: Measures and processes are documented and can be demonstrated to supervisory authorities when required.

3.2 CONDITIONS FOR PROCESSING PERSONAL DATA

The main rule is explicit consent. However, personal data may be processed without consent in the following cases:

a) Clearly provided for by law.

b) Necessary to protect the life or physical integrity of the person or another where the person is unable to consent due to actual impossibility or where consent is not legally valid.

c) Necessary for the conclusion or performance of a contract directly related to the parties.

d) Necessary for the controller to fulfil a legal obligation.

e) Data made public by the data subject.

f) Necessary for the establishment, exercise or protection of a right.

g) Necessary for the legitimate interests of the Clinic provided that fundamental rights and freedoms are not harmed.

3.3 CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

As a rule, special categories of personal data are processed with explicit consent. Without consent, processing is permitted in the following cases:

  • For special data other than health and sexual life: where expressly provided by law.
  • For health and sexual life data: for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning/management of healthcare services and their financing, by persons or authorised institutions and organisations under a confidentiality obligation.

3.4 CONDITIONS FOR TRANSFERRING PERSONAL DATA

In accordance with KVKK Articles 8–9 and GDPR Articles 45–49, and with necessary security measures, OP. DR. SEDAT CÖMERT may transfer personal data to third parties based on one or more of the following legal grounds and limited to the purpose:

  • Presence of explicit consent,
  • Explicit legal provision allowing transfer,
  • Necessity to protect the life/physical integrity of the data subject or others where consent cannot be obtained due to actual impossibility or is legally invalid,
  • Necessity for the conclusion/performance of a contract directly related to the parties,
  • Necessity to fulfil the Clinic’s legal obligations,
  • Data made public by the data subject,
  • Necessity for the establishment, exercise or protection of a right,
  • Legitimate interests of the Clinic provided fundamental rights and freedoms are not harmed.

Transfer of special categories of personal data may occur—subject to adequate safeguards—(i) with explicit consent; (ii) where an explicit legal provision exists for non-health/sexual-life data; (iii) for health/sexual-life data, by confidentiality-bound persons/institutions for public health, diagnosis, treatment, care, and planning/management and financing of healthcare services.

4. PERSONAL DATA CATEGORIES AND GROUPS OF DATA SUBJECTS

4.1 Personal Data Categories

The Clinic processes personal data by categorising them as follows:

  • Identity: Name–surname, TR ID/Passport/Temporary TR ID number, place/date of birth, marital status, gender, profession, signature and other identifying data.
  • Contact: Address (residential/work), phone numbers, e-mail, social media accounts, IP and other contact data.
  • Personnel: CV, title; onboarding/offboarding records; social security/retirement data, payroll and other HR data.
  • Physical Security: CCTV footage and other physical site security data.
  • Finance: Information/documents/records evidencing financial relations; bank account, credit card and other financial data.
  • Visual/Audio Records: Photos, videos and audio recordings obtained outside the scope of physical site security.
  • Communications Records: Corporate phone call logs, postal/e-mail records and contents, etc.
  • Customer Transaction: Patient satisfaction information, invoice/receipt data, etc.
  • Health Data: Blood group, allergies, chronic diseases, past procedures/operations, regular medication, test/imaging results, prescriptions, body analysis/measurements, medical history, skin analysis, hormonal tests, sexually transmitted disease information, anaesthesia information, COVID-19 information, medical treatments and other health data.
  • Biometric Data: Image, voice, video data.

4.2 Groups of Data Subjects

  • Employee Candidate: Natural persons who apply for a job by any means or make their CV available for the Clinic’s review.
  • Client/Patient: Individuals who apply to the Clinic for healthcare services.
  • Employee: Individuals employed by OP. DR. SEDAT CÖMERT.
  • Visitor: Natural persons who enter the Clinic’s premises for various purposes or visit our websites.

5. COLLECTION OF PERSONAL DATA

5.1 Methods of Collection

Your personal data are processed by natural/legal persons authorised by OP. DR. SEDAT CÖMERT acting as “data processors” verbally, in writing, by taking camera/photo records, and in physical/electronic environments; where required by the KVKK and GDPR, your explicit consent is obtained. Principal sources include:

  • Job application forms,
  • Employee information forms,
  • Various documents submitted to the Clinic,
  • Mail and e-mails; corporate telephones,
  • Photo/video recordings,
  • Websites (www.sedatcomert.net) and contact forms,
  • CCTV systems,
  • Log recording devices (firewall),
  • Patient information/consent forms,
  • Laboratory results; medical information forms,
  • Service providers hosted abroad (WhatsApp/Instagram/Facebook/Messenger/LinkedIn/YouTube/Zoom/Google, etc.).

The Clinic collects personal data based on one or more of the legal grounds set out in KVKK Articles 5–6 and GDPR Articles 6–9:

  • Explicit consent of the data subject,
  • Explicitly provided for by law,
  • Data made public by the data subject,
  • Necessary for conclusion/performance of a contract directly related to the parties,
  • For special categories relating to health/sexual life: for public health, preventive medicine, medical diagnosis, treatment and care, and planning/management of healthcare services and their financing,
  • Necessary to fulfil the Clinic’s legal obligation,
  • Necessary for the establishment, exercise or protection of a right,
  • Legitimate interests of the Clinic provided fundamental rights and freedoms are not harmed.

6. PURPOSES OF PROCESSING PERSONAL DATA

6.1 Mapping of Data Subject Groups to Data Categories and Purposes

  • Employee Candidate — Categories: Identity, Contact, Personnel, Professional Experience, Physical Security. Purposes: Emergency management, information security, recruitment and placement, application processes, physical security, communications.
  • Patient/Client — Categories: Identity, Contact, Financial, Customer Transaction, Physical Security, Health Data, Biometric Data. Purposes: Creating patient files; examination, preventive care, diagnosis, treatment and care; follow-ups; one-to-one communication and appointments; satisfaction and request management; legal/contractual obligations; statutory retention; clinic security; consultations when necessary; compliance with health tourism legislation and planning of transfer/accommodation/interpretation; communicating medical updates; informing third parties medically about provided healthcare; planning and managing healthcare services and financing; fulfilling responsibilities arising from the doctor–patient relationship; financial/administrative obligations; ensuring technical/commercial security and public obligations.
  • Employee — Categories: Identity, Contact, Personnel, Finance, Visual/Audio, Physical Security. Purposes: Emergency management, information security, fulfilment of employment/legal obligations, benefits and allowances, lawful conduct of activities, physical security, business operations/supervision, organisation and event management.
  • Visitor — Categories: Physical Security, IT Systems Security. Purposes: Emergency management, information security, ensuring physical security.

6.2 Processing in Physical Premises

For clinic security, entries and exits are recorded and common areas are monitored by cameras. Data subjects are informed about the camera monitoring activity.

6.3 Processing on the Website

Traffic data of online visitors to our website are automatically processed to conduct information security processes. Additionally, under Law No. 5651 and related legislation, hosting providers have obligations to record and retain website traffic data.

6.4 Processing via Communication Channels

Communications via telephone, e-mail, etc., may be monitored and recorded by the Clinic for conducting/supervising business operations and tracking requests/complaints. These channels must be used solely for business purposes.

7. PURPOSES OF TRANSFER AND RECIPIENTS

7.1 Purposes of Transfer

Within the conditions set out in KVKK Articles 8–9 and GDPR Articles 45–49, the Clinic may transfer personal data limited to the following purposes:

  • Provision of examination, preventive medicine, diagnosis, treatment and care services,
  • Management of complication processes,
  • Obtaining consultations,
  • Fulfilling obligations under Ministry of Health regulations,
  • Fulfilling obligations under international health tourism legislation,
  • Planning transport, accommodation and interpretation needs of health-tourist patients,
  • Fulfilling administrative obligations before provincial/district health directorates,
  • Medically informing third parties about provided healthcare services,
  • Conducting promotion and marketing within international health tourism incentive legislation,
  • Recruitment and placement processes,
  • Application processes for candidates,
  • Employment and legal obligations for employees; benefits and allowances,
  • Conduct of activities in compliance with legislation,
  • Finance and accounting operations,
  • Business operations/supervision and business continuity,
  • Risk management,
  • Ensuring and auditing data security,
  • Contract management,
  • Providing information to authorised persons, institutions and organisations.

7.2 Recipients

Limited to the purpose and to relevant data subject groups/data, and by applying all administrative and technical security measures required by legislation, transfers may be made to:

  • Relevant specialist physicians for consultations,
  • Insured employees,
  • Suppliers,
  • Chartered accountants, tax/finance advisors and auditors,
  • Legal counsel,
  • Database (server) providers,
  • Clinical management software providers,
  • Interpreters,
  • Overseas promotion consultants,
  • Support Management System (DYS) officers,
  • Data protection officer/consultant,
  • IT consultants,
  • Tourism agencies,
  • Authorised public institutions and organisations,
  • Judicial authorities.

8. DESTRUCTION OF PERSONAL DATA AND RETENTION PERIODS

8.1 Destruction of Personal Data

  • Without prejudice to other statutory provisions, when the reasons requiring processing cease to exist, personal data are deleted, destroyed or anonymised by the Clinic ex officio or upon the data subject’s request in accordance with the Personal Data Retention and Destruction Policy.
  • Deletion: Rendering personal data inaccessible and unusable for relevant users.
  • Destruction: Rendering personal data inaccessible, irrecoverable and unusable for anyone.
  • Anonymisation: Making personal data impossible to associate with an identified/identifiable person under any circumstances—even when matched with other data—through techniques such as masking, variable removal and generalisation.
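The three anonymisation techniques named above (masking, variable removal and generalisation) are easier to reason about on concrete records, so the following is an added example, not the Clinic’s own code or procedure. It applies the three techniques to constructed patient records (invented names, ID numbers and values), then runs a k-anonymity check on the remaining quasi-identifiers to confirm that no record is left unique. The fixed reference date, the ten-year age band, the three-digit postcode prefix and the threshold of k = 2 are all assumptions chosen for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample records (invented names, IDs and values), not real patients.
RECORDS = [
    {"name": "Ayşe Yılmaz", "tr_id": "10000000001", "phone": "+905000000001",
     "birth_date": "1984-03-12", "postcode": "06680", "diagnosis": "allergic rhinitis"},
    {"name": "Mehmet Kaya", "tr_id": "10000000002", "phone": "+905000000002",
     "birth_date": "1981-11-02", "postcode": "06690", "diagnosis": "hypertension"},
    {"name": "Elif Demir", "tr_id": "10000000003", "phone": "+905000000003",
     "birth_date": "1993-05-20", "postcode": "06800", "diagnosis": "asthma"},
    {"name": "Can Arslan", "tr_id": "10000000004", "phone": "+905000000004",
     "birth_date": "1996-12-01", "postcode": "06830", "diagnosis": "migraine"},
]

DIRECT_IDENTIFIERS = ("name", "tr_id", "phone")   # dropped by variable removal
QUASI_IDENTIFIERS = ("age_band", "postcode")      # columns the k-anonymity check groups on
REFERENCE_DATE = date(2021, 4, 1)                  # assumed fixed date so ages are deterministic


def mask_postcode(postcode: str, keep: int = 3) -> str:
    """Masking: keep the leading digits (district level) and blank the rest."""
    return postcode[:keep] + "*" * (len(postcode) - keep)


def generalise_birth_date(birth_date: str, today: date, band: int = 10) -> str:
    """Generalisation: replace an exact date of birth with a ten-year age band."""
    born = date.fromisoformat(birth_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = age // band * band
    return f"{low}-{low + band - 1}"


def anonymise(record: dict, today: date = REFERENCE_DATE) -> dict:
    """Apply all three techniques to one record; the input record is not modified."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}  # variable removal
    out["age_band"] = generalise_birth_date(out.pop("birth_date"), today)   # generalisation
    out["postcode"] = mask_postcode(out["postcode"])                        # masking
    return out


def k_anonymity(records: list, quasi: tuple) -> int:
    """Smallest number of records sharing one combination of quasi-identifier values.
    k == 1 means at least one record is unique and therefore potentially re-identifiable."""
    groups = Counter(tuple(r.get(q) for q in quasi) for r in records)
    return min(groups.values())


def anonymise_all(records: list = RECORDS, today: date = REFERENCE_DATE, k_min: int = 2) -> list:
    """Anonymise every record and refuse to release the set if any group is smaller than k_min."""
    out = [anonymise(r, today) for r in records]
    k = k_anonymity(out, QUASI_IDENTIFIERS)
    if k < k_min:
        raise ValueError(f"k-anonymity {k} is below the required {k_min}; do not release")
    return out


if __name__ == "__main__":
    print("raw k:", k_anonymity(RECORDS, ("birth_date", "postcode")))  # 1: every record unique
    released = anonymise_all()
    for rec in released:
        print(rec)
    print("anonymised k:", k_anonymity(released, QUASI_IDENTIFIERS))  # 2
```

The release gate matters more than the transformations: stripping names and masking fields is easy, but the Regulation’s definition requires that the data cannot be linked back to a person even when matched with other data, and a record that is still unique on age band plus district is exactly the kind of record an outside dataset can re-identify. A k-anonymity check is a minimum sanity test, not proof of irreversibility; sensitive attributes such as diagnosis can still leak when every record in a group shares the same value.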

8.2 Retention Periods

Personal data are retained in accordance with periods stipulated by laws and related legislation. Where no period is stipulated, personal data are retained only for the duration necessary for the processing purpose and then deleted, destroyed or anonymised within periodic destruction cycles, in line with the Retention and Destruction Policy.

9. RIGHTS OF THE DATA SUBJECT UNDER THE KVKK AND GDPR

9.1 Rights under the GDPR

  • Right of Access (Art. 15)
  • Right to Rectification (Art. 16)
  • Right to Erasure (Art. 17)
  • Right to Restriction of Processing (Art. 18)
  • Right to Data Portability (Art. 20)
  • Right to Object (Art. 21)

9.2 Rights under the KVKK

  • To learn whether personal data are processed,
  • If processed, to request information thereof,
  • To learn the purpose of processing and whether they are used in line with that purpose,
  • To know third parties to whom personal data are transferred domestically or abroad,
  • To request correction of incomplete or inaccurate data and notification to third parties,
  • To request deletion or destruction under the conditions of the Law and notification to third parties,
  • To object to results to the detriment of the person arising from analysis exclusively by automated systems,
  • To claim compensation for damages due to unlawful processing.

You may submit your requests regarding these rights in accordance with the “Communiqué on the Procedures and Principles of Application to the Data Controller” including name–surname, signature, TR ID/passport/temporary TR ID number, residential/work address, e-mail, telephone and the subject of your request; in writing with wet signature and identity documents to Nenehatun Caddesi No:114, Floor:1, GOP Çankaya, Ankara, Türkiye 06680, via notary, or through the contact channels on our website. Depending on the nature of the request, applications are concluded as soon as possible and within 30 (thirty) days at the latest. If the process incurs a cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board. Contact: +90 532 463 71 20 / +90 312 468 84 95 — Web: www.sedatcomert.net

EFFECTIVE DATE: 01.04.2021 — LAST UPDATE: 01.04.2021