POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORIES OF PERSONAL DATA

 

CHAPTER 1

 

PURPOSE AND SCOPE OF THE POLICY

 

Law No. 6698 on the Protection of Personal Data, which entered into force in 2016 after the protection of personal data became a constitutional right in 2010, is a legal protection device indicating the procedures and principles on this subject, developed in order to preserve the principle of privacy during the processing of personal data and to prevent damage to fundamental rights and freedoms.

 

Pursuant to Article 16 of Law No. 6698 (“KVKK” or “Law”), data controllers who are obliged to register with the Data Controllers Registry are obliged to prepare a personal data protection and processing policy in accordance with the personal data processing inventory.

This Personal Data Protection and Processing Policy has been prepared in order to determine the procedures and principles to be applied by HC CLINIC regarding the protection and processing of personal data and personal health data processed and held by us as Hc Sağlık Hizmetleri A.Ş. (“Center”) (“HC Clinic”) in accordance with the Law No. 6698 and the Regulation on Personal Health Data.

DEFINITIONS

 

Registry is the register of data controllers kept by the Personal Data Protection Authority.

 

Explicit Consent is a declaration of consent on a specific subject, based on information and expressed with free will.

 

Data recording system is the recording system in which personal data is structured and processed according to certain criteria.

 

Subjects Defined by the Personal Data Protection Law and Regulation

 

Data Controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

 

Relevant User is the person who processes personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

 

Recipient Group is the category of natural or legal person to whom personal data is transferred by the data controller.

 

Data subject is the natural person whose personal data is processed.

 

Inventory is the inventory that data controllers create by associating the personal data processing activities they carry out depending on their business processes with the personal data processing purposes and legal reason, data category, transferred recipient group and data subject group, and detailing the maximum retention period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

 

Open data is anonymized data that is made freely available to everyone over the internet free of charge or at a cost not exceeding the cost of its preparation, that does not have any intellectual property rights and can be freely used for any purpose, that can be read by machines and thus interoperable with other data and systems.

 

Open health data is health data that has been made open data.

 

Personal health data is any information relating to the physical and mental health of an identified or identifiable natural person and information about the health service provided to the person.

 

Health service providers are natural persons and public law and private law legal entities that provide or produce health services.

 

A center is a private health institution providing outpatient diagnosis and treatment services.

 

Genetic data are data related to the genetic characteristics of a real person obtained from the analysis of biological samples of a real person that provide information about the physiological health of a real person.

 

CHAPTER 2

 

CONDITIONS OF PROCESSING PERSONAL DATA

 

Processing of personal data is defined in Article 3 of the Law. Accordingly, as Data Controller HC CLİNİC, we accept as the processing of personal data all kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic or non-automatic means provided that it is part of any data recording system.

 

The conditions for processing personal data are listed in Article 5 of the Law. We act accordingly and process personal data legally in the presence of at least one of the following conditions.

 

    • Explicit consent of the person concerned,
    • Explicitly stipulated in the law,
    • It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
    • It is necessary to process personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of the contract,
    • It is mandatory for the data controller to fulfill its legal obligation,
    • It has been made public by the person concerned,
    • Data processing is mandatory for the establishment, exercise or protection of a right,
    • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

 

The conditions for the processing of personal data, i.e. the cases of compliance with the law, are determined by enumeration in the Law and these conditions cannot be expanded.

 

As Data Controller HC CLINIC, we process data by meeting the conditions listed above.

 

I. EXPLICIT CONSENT

 

As Data Controller, HC CLINIC first evaluates whether one of the other data processing conditions can be relied upon in carrying out the data processing activity and, if none of these is available, resorts to obtaining the explicit consent of the person concerned.

 

II. EXPLICITLY STIPULATED IN THE LAWS

 

One of the conditions for data processing is that it is explicitly stipulated in the laws. A provision in the laws stipulating that personal data may be processed shall constitute a data processing condition. For example, the processing and transfer of patients’ personal health data to the Ministry pursuant to Article 27 of the Regulation on Private Health Institutions for Outpatient Diagnosis and Treatment is within this scope.

 

III. ACTUAL IMPOSSIBILITY

 

The personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid may be processed if it is mandatory for the protection of his/her or someone else’s life or physical integrity.

 

IV. NECESSITY FOR THE CONCLUSION AND PERFORMANCE OF THE CONTRACT

 

Provided that it is directly related to the establishment or performance of a contract, the personal data of the parties to the contract may be processed, limited to this purpose, if such processing is mandatory. For example, the processing by the healthcare service provider HC CLINIC of personal data and personal health data within the scope of the healthcare service to be provided to its patients is within this scope.

 

V. IT IS MANDATORY FOR THE DATA CONTROLLER TO FULFILL ITS LEGAL OBLIGATION

 

In cases where data processing is mandatory for the data controller to fulfill its legal obligation, the personal data of the data subject may be processed.

 

An example is HC CLINIC obtaining and processing data such as the employee’s bank account number, dependents, whether his/her spouse is working or not, and social insurance number in order to pay salaries to employees.

 

As an employer, submitting the information of our employees to the examination of the relevant public officials during tax audits can also be evaluated within this scope.

 

VI. PERSONAL DATA HAVING BEEN MADE PUBLIC BY THE DATA SUBJECT

 

Personal data that are made public by the data subject himself/herself, in other words, disclosed to the public in any way, may be processed. An example of this situation is when a person publicly announces his/her contact information in order to be contacted in certain circumstances. Publicization can also be mentioned in the event that the workplace phone numbers and corporate e-mail addresses of employees are shared on corporate websites in a way that is accessible to third parties. However, in order for personal data to be considered public, the person to whom it belongs must want it to be public. In other words, in order for publicization to take place, there must be a will to make it public.

 

In principle, the mere fact that a person’s personal data is in a place where everyone can see it is not regarded as making it public; only data that the person has shared for that purpose is accepted as having been made public.

 

VII. PROCESSING OF PERSONAL DATA IS MANDATORY FOR THE ESTABLISHMENT OR EXERCISE OF A RIGHT

 

It is possible to process the personal data of the person concerned if it is mandatory for the establishment, exercise or protection of a right.

 

In addition, after the contracts we have established as Data Controller HC CLINIC are terminated, the storage of documents such as invoices, contracts, surety bonds for these purposes until the end of the statute of limitations against possible legal proceedings will be evaluated within this scope.

VIII. DATA PROCESSING IS MANDATORY FOR THE LEGITIMATE INTERESTS OF THE DATA CONTROLLER, PROVIDED THAT IT DOES NOT HARM THE FUNDAMENTAL RIGHTS AND FREEDOMS OF THE DATA SUBJECT

Provided that it does not harm the fundamental rights and freedoms of the data subject, it is possible to process personal data if data processing is mandatory for the legitimate interests of the data controller.

In some cases, data processing may be in the legitimate interest of the data controller. For example, provided that it does not harm the fundamental rights and freedoms of our employees, we consider the processing of personal data of our employees to be taken as a basis for their promotions, salary increases or social rights or for the distribution of duties and roles in the process of restructuring the enterprise within the scope of the legitimate interest of the data controller.

CHAPTER 3

 

BASIC PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

 

Data Controller HC CLINIC adopts the following basic principles within the scope of ensuring and maintaining compliance with the personal data protection legislation:

 

There are basic principles regarding the processing of personal data, which are recognized in international documents and reflected in the practices of many countries. Article 4 of the Law regulates the procedures and principles regarding the processing of personal data in parallel with Convention No. 108 and European Union Directive 95/46/EC.

 

 

 

Accordingly, the general (basic) principles listed in the Law for the processing of personal data are as follows:

  • Compliance with the law and good faith,
  • Being accurate and up to date when necessary,
  • Processing for specific, explicit and legitimate purposes,
  • Being relevant, limited and proportionate to the purpose for which they are processed,
  • Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

The principles regarding the processing of personal data should be at the core of all personal data processing activities and all personal data processing activities should be carried out in accordance with these principles.

A. The Principle of Compliance with the Law and Good Faith

 

Compliance with the law and the rule of good faith refers to the obligation to act in accordance with the principles introduced by laws and other legal regulations in the processing of personal data.

 

Pursuant to the principle of compliance with the rule of good faith, we, HC CLİNİC, the Data Controller, always take into account the interests and reasonable expectations of the data subjects while trying to achieve our goals in data processing. In addition, in principle, we act in a way that prevents the emergence of consequences that the data subject does not expect and should not expect. In accordance with this principle, as Data Controller HC CLİNİC we always ensure that the data processing activity in question is transparent to the data subject and act in accordance with our obligations to inform and warn.

 

B. The Principle of Being Accurate and Up-to-Date When Necessary

 

As Data Controller HC CLINIC, we are aware that we have an active duty of care to ensure that personal data is accurate and up-to-date when necessary. Accordingly, we always keep the channels open to ensure that the relevant person’s information is accurate and up-to-date.

 

C. Principle of Processing for Specific, Explicit and Legitimate Purposes

 

The principle that the purposes of processing personal data be specific, legitimate and clear ensures that:

  • The personal data processing activities are clearly understandable by the person concerned,
  • The legal processing conditions on the basis of which personal data processing activities are carried out are determined,
  • The personal data processing activity and the purpose of this activity are set out in detail to ensure certainty.

 

In this respect, as Data Controller HC CLİNİC, we show a high sensitivity in compliance with the principle of certainty and clarity in legal transactions and texts (explicit consent, clarification, answering the applications of the data subject, application to the data controller registry) in which the purposes of personal data processing are explained, and we keep the use of technical-legal terminology at a minimum level in order to be easily understood by everyone when presenting these legal texts to the other party.

Compliance with this principle is also important in terms of compliance with the principle of good faith.

 

D. The Principle of Being Relevant, Limited and Proportionate to the Purpose of Processing

 

As Data Controller HC CLINIC, we avoid unnecessary processing of personal data that is not related to the realization of the purpose or that is not needed in order to ensure that the processed data is suitable for the realization of the specified purposes. At this point, we process a minimum level of personal data in order to serve the specified purpose.

 

Likewise, data processing is not carried out in order to meet needs that may arise later. In addition, the processed data will be limited only to the personal data required for the realization of the purpose. In principle, once sufficient data has been obtained to fulfill the purpose, Data Controller HC CLINIC avoids any further data processing that is not necessary for that purpose.

 

E. Retention Principle for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

 

As a requirement of the “purpose limitation principle” of personal data, Data Controller HC CLİNIC retains personal data in accordance with the period required for the purpose for which they are processed. As stated in Article 12 of the Law, the data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the preservation of personal data. In this regard, as Data Controller HC CLINIC, we are aware that we are obliged to take administrative and technical measures.

In addition to the retention periods that we determine as Data Controller HC CLINIC in accordance with the principle of purpose limitation for the storage of personal data, there are also retention periods determined within the scope of the relevant legislation to which we are subject. Accordingly, if there is a period stipulated in the legislation for the relevant personal data, we will comply with this period; if such a period is not stipulated, we store the data only for the period required for the purpose for which they are processed.

 

If there is no valid reason for further storage of data, that data will be deleted or destroyed. As mentioned above, personal data cannot be kept on the assumption that it can be used again in the future or for any other reason.

 

In addition, as Data Controller HC CLINIC, we determine the maximum period required for the purpose of processing personal data while applying for registration to the registry in accordance with Article 16 of the Law, taking into account Article 9 of the Regulation on the Registry of Data Controllers and publish the necessary periods in our legal texts.

 

CHAPTER 4

 

PROCESSING CONDITIONS OF SPECIAL CATEGORIES OF PERSONAL DATA

 

Sensitive personal data are data that, if learned, may cause discrimination or victimization of the person concerned. For this reason, as Data Controller HC CLİNİC, we are aware that such data should be protected and processed much more strictly than other personal data. As a matter of fact, the Law attributes a special importance to these data and introduces a different regulation regarding them. The Law recognizes them as special categories of personal data or sensitive data. Sensitive personal data may be processed with the explicit consent of the data subject or in limited circumstances listed in the Law.

HC CLINIC is a health service provider and medical center whose main activity is to process personal health data. In this context, it processes special categories of personal data in accordance with the processing conditions in the Law and the Regulation.

If the applicant makes the first application to the Center in order to receive health services, the patient is informed and the personal data and personal health data of the patient are processed.

Our center may receive test services from external laboratories for tests that cannot be performed within its main field of activity.

HC CLINIC works with doctors, hospitals and other health service providers by selling services. In this context, it also obtains patient data through transfers from the centers to which it sells services. In cases where such applications are not received directly by HC CLINIC, the procedure for the processing of special categories of personal data for the patients whose data will be processed is applied by the center to which the service is sold and to which the patient first applied.

PERSONAL DATA CATEGORIES

1-Identity (name, surname, mother’s and father’s name, mother’s maiden name, date of birth, place of birth, marital status, identity card serial number, TR ID number, etc.)

 

2-Contact (such as address no, e-mail address, contact address, registered electronic mail address (REM), telephone no)

 

3-Personnel (such as payroll information, disciplinary investigation, employment-exit document records, property declaration information, resume information, performance evaluation reports)

 

4-Legal Action (such as information in correspondence with judicial authorities, information in the case file)

 

5-Customer Transaction (such as invoice, promissory note, check information, information on receipts, complaint information, request information)

 

6-Physical Space Security (such as employee and visitor entry and exit records, camera records)

 

7-Finance (credit card information, IBAN information, financial performance information, credit and risk information, asset information, etc.)

 

8-Vocational Experience (such as diploma information, courses attended, professional knowledge, vocational training information, certificates, transcript information)

 

9-Visual and Auditory Recordings (such as visual and auditory recordings)

 

10- Personal Health Data-Genetic Data (allergy status, previous tests, information on disability status, information on pregnancy, past surgeries, disease findings, blood group information, personal health information, chronic disease status, device and prosthesis information, medications used, smoking addiction, result analysis report, diagnosis, type of treatment, diagnostic information, treatment to be applied, treatment applied, nature of the health service provided, radiological examinations, diagnosis and treatment information, surgical intervention performed, department visited, blood or tissue sample, blood sample, health service to be provided, genetic data, prescription, type of test requested, accident information, health report, birth certificate, pathological results, health service to be provided)

14-Criminal Conviction and Security Measures (such as information on criminal conviction, information on security measures)

 

CHAPTER 5

INFORMING OF PERSONAL DATA SUBJECTS BY HC CLİNİC

 

Data Controller HC CLİNİC carries out the necessary processes to ensure that data subjects are informed during the acquisition of personal data in accordance with Article 10 of the Law and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform. In this context, the disclosure texts provided by HC CLINIC to data subjects set out the following:

  1. Data Controller Center,
  2. For what purpose the personal data of data subjects will be processed by HC CLINIC,
  3. To whom and for what purpose the processed personal data may be transferred,
  4. The method and legal grounds for collecting personal data,
  5. The rights of the data owner:

– To learn whether personal data is being processed or not,

– To request information if personal data has been processed,

– To learn the purpose of processing personal data and whether they are used for their intended purpose,

– To know the third parties to whom personal data is transferred domestically or abroad,

– To request correction of personal data if it has been processed incorrectly or incompletely, and to request that the transaction be notified to third parties to whom personal data has been transferred,

– To request the deletion or destruction of personal data within the framework of the stipulated conditions and to request that the transaction be notified to third parties to whom personal data has been transferred,

– To object to a result arising against the person himself/herself through the analysis of the processed data exclusively by means of automated systems,

– To demand compensation for the damage if they suffer damage due to unlawful processing of personal data.

It is one of our basic principles to fully and accurately fulfill our obligation to inform the data subject, taking into account the necessary procedures and principles.

CONCLUSION OF PERSONAL DATA OWNERS’ REQUESTS BY HC CLINIC

In case data owners submit their requests regarding their personal data to the Data Controller Center in writing or by other methods determined by the KVK Board, HC CLİNİC, as the data controller, concludes the request made by the relevant person to exercise any of his/her rights written in Article 11 of the Law within 30 (thirty) days, in accordance with Article 13 of the Law, and informs the relevant person.

Data owners must make their requests regarding their personal data in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller.

Within the scope of ensuring data security, HC CLİNİC may request information to determine whether the applicant is the owner of the personal data subject to the application. In addition, in order to ensure that the personal data owner’s application is finalized in accordance with the request, the personal data owner may ask questions about his application.

CHAPTER 6

ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA BY HC CLINIC, THE DATA CONTROLLER

HC CLINIC takes all necessary precautions, depending on the nature of the data to be protected, within the means possible, in order to prevent unlawful disclosure, access, transfer of personal data or security deficiencies that may occur in other ways.

 

  1. Administrative Measures Taken by Data Controller HC CLİNİC to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data:

– HC CLINIC limits access to stored personal data to the personnel required to have access according to their job description. In restricting access, whether the data is of special nature and its degree of importance are also taken into account.

– If the processed personal data is obtained by others through illegal means, this situation is reported to the relevant person and the Board as soon as possible.

– Regarding the sharing of personal data, a framework agreement regarding the protection of personal data and data security is signed with the persons with whom the personal data is shared, or data security is ensured by provisions added to the existing agreement.

– It employs knowledgeable and experienced personnel regarding the processing of personal data, and its personnel are given the necessary training within the scope of personal data protection legislation and data security.

– It carries out the necessary inspections and has them carried out in order to ensure the implementation of the provisions of the Law within its own legal entity. Confidentiality and security vulnerabilities revealed as a result of audits are eliminated.

 

  2. Technical Measures Taken by Data Controller HC CLİNİC to Ensure Lawful Processing of Personal Data and Prevent Illegal Access to Personal Data:

– Necessary internal controls are carried out within the scope of the established systems.

– It is ensured that the technical infrastructure that will prevent or monitor data leakage outside the institution is provided and the relevant matrices are created.

CHAPTER 7

IDENTITY OF THE DATA CONTROLLER

TITLE: HC Health Services Inc.

ADDRESS: Aziziye Mah. Hoşdere Cad. No:147 Çankaya Ankara

E-MAIL ADDRESS: info@hcintclinic.com

It is the “Data Controller” within the scope of the Law.

Visitor Information Text

Camera Records Clarification Text

Contact Person Application Form

Employee Information Text

Information Text for Employee Candidates

Patient Information Text

Explicit Consent Text for the Processing of Special Personal Data