Personal Data Protection and Processing Policy

Personal Data Protection and Processing Policy

Ados Sağlık Hizmetleri Limited Şirketi (Private Ados Clinic), as the data controller, places utmost importance on the protection of personal data belonging to customers, employees, and other natural persons with whom it interacts, in accordance with the regulations set by the Personal Data Protection Law, adhering to principles of superior service quality, respect for individual rights, transparency, and honesty. The clinic highly prioritizes maintaining patient confidentiality and meticulously processing and preserving all personal data related to our patients in the best possible manner. This policy has been formulated to protect and process the personal data of our patients, companions, visitors, employees, company officials, employees of collaborating institutions, authorities, and third parties within the framework of the basic principles specified in the legislation.

The aim of this Policy is to ensure transparency by informing individuals whose personal data are processed within the scope of the personal data processing activities conducted by our clinic in a lawful manner. In this context, administrative and technical measures necessary for the processing and protection of personal data are taken in accordance with Law No. 6698 and related legislation. Within the scope of this policy, real persons whose personal data are processed are referred to as Data Subject, Relevant Person, or Personal Data Owner.

Definitions

Explicit Consent: Consent that is informed, based on specific matters, and declared freely.

Anonymization: The process of altering personal data in such a way that it no longer retains its personal data attribute in an irreversible manner, such as through masking, aggregation, data distortion, etc., making it impossible to link the data to a real person. Personal data can be anonymized for various purposes without violating the scope of the PDPL and explicit consent. Necessary precautions will be taken within our Clinic to ensure that anonymized personal data cannot be associated with a person in any way.

Employees, Shareholders, and Officials of Collaborating Institutions: Refers to real persons, including employees, shareholders, and officials of institutions we are in business relations with (such as partners, suppliers, but not limited to them).

Processing of Personal Data: Refers to any operation performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Personal Data: Refers to any information relating to an identified or identifiable natural person. Information that makes the person identifiable is regulated as personal data, including but not limited to national identification number, name, surname, email address, phone number, residential address, date of birth, bank account number.

Special Categories of Personal Data: Data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning health, sex life, criminal convictions and security measures, and biometric and genetic data.

Third Party: Refers to real persons associated with the parties mentioned above to ensure commercial transaction security or to protect and provide benefits for their rights.

Data Processor: Refers to the real or legal person who processes personal data on behalf of the data controller based on the authority given by the controller, such as the IT company holding our data.

Data Controller: Refers to the person who determines the purposes and means of processing personal data, managing the place where the data is systematically stored (data recording system).

Our clinic, being the data controller within the scope of PDPL, has registered in the VERBIS system. A team (Personal Data Responsible Team) has been established by our company. In cases requiring decision-making, the Personal Data Responsible Team consults a Lawyer/Attorney specialized in personal data before implementing the decision approved by the management.

The personal data processed may vary depending on the health services provided and are collected through physical and/or digital means. Our patients, doctors, health personnel, subcontractors and their employees, and companies we engage in commercial activities with, our call center, the clinic’s website, online services, and similar means, including health data primarily, as well as other special and general categories of personal data, are processed for the purposes listed below and others that may arise in the future:

• Execution of medical diagnosis, treatment, and care services,
• Protection of public health,
• Planning and management of preventive healthcare services and their financing,
• Informing our patients about appointments,
• Planning and management of internal procedures,
• Conducting analysis for the improvement of health services in compliance with regulations,
• Fulfillment of risk management and quality improvement activities,
• Conducting research,
• Compliance with legal and regulatory requirements,
• Billing for our services,
• Verification of identity,
• Verification of relationship with contracted institutions,
• Sharing of all requested information with private insurance companies within the scope of health services financing,
• Responding to any questions and complaints related to our health services,
• Taking all necessary technical and administrative measures within the scope of data security,
• Financial reconciliation with contracted institutions, banks, and all organizations collecting health expenses (both public and private),
• Sharing requested information with the Ministry of Health and other public institutions and organizations as required by the relevant legislation,
• Measuring and enhancing patient satisfaction,
• Fulfilling our contracts and legal obligations.

Categorization of Processed Personal Data

Identity Information: All information related to the individual’s identity contained in documents such as driver’s license, identity card, passport, attorney ID, marriage certificate.

Communication Information: Information for contacting the data owner, such as phone number, address, residence, email.

Location Data: Data that is clearly related to an identified or identifiable natural person within a data recording system, used to determine the location of the data owner.

Family Members and Close Relatives Information: Information about the family members and close relatives of the personal data owner, processed to protect the legal interests of the relevant Institution and the data owner, clearly related to an identified or identifiable natural person within a data recording system.

Physical Space: Personal data related to records and documents such as camera recordings, fingerprint records, visual and auditory recordings.

Transaction Security Information: Personal data processed to ensure our technical, administrative, legal, and commercial security while conducting our activities.

Financial Information: Personal data related to all kinds of financial results shown in information, documents, and records.

Candidate Employee Information: Personal data processed about individuals who have applied to become an employee (CV or resume information).

Personnel Information: Information related to payroll, disciplinary investigation, Social Security Institution (SGK) information, employment entry-exit document records, asset declaration information, resume information, performance evaluation reports, interview results, contents of the Employment Contract, employment start information, and termination of employment information.

Legal Transaction: Personal data processed in the context of determining, tracking our legal claims and debts, and fulfilling our legal obligations.

The personal data mentioned above can be processed in accordance with the provisions of the Law No. 3359 on Health Services, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Its Affiliated Institutions, Regulation on Private Hospitals, Regulation on Personal Health Data, and other regulations issued by the Ministry of Health.

Our company commits to processing personal data in accordance with the following principles:

• Compliance with the law and principles of honesty,
• Ensuring personal data are accurate and up to date when necessary,
• Processing for specified, explicit, and legitimate purposes,
• Being relevant, limited, and proportionate to the purposes for which they are processed,
• Retaining for the period stipulated by relevant legislation or necessary for the purpose for which the data are processed.

The explicit consent of the personal data owner is just one of the legal grounds allowing the lawful processing of personal data. Personal data can also be processed under the conditions other than explicit consent, listed below. The basis for processing personal data activity may be only one of the conditions below or multiple conditions may simultaneously serve as the basis for the same personal data processing activity. In cases where the processed data is of special category, the following conditions apply:

• Existence of Explicit Consent of the Personal Data Owner,
• Clearly Stipulated by Laws,
• Impossibility of Obtaining Explicit Consent Due to Actual Impossibility,
• Directly Related to the Execution or Performance of a Contract,
• Obligation for the Company to Fulfill its Legal Duty,
• Personal Data Owner Has Made His/Her Personal Data Public,
• Data Processing Being Necessary for the Establishment or Protection of a Right,
• Data Processing Being Necessary for the Legitimate Interests of Our Company, provided that it does not violate the principles set by the PDPL, the purpose of processing personal data, and does not interfere with the essence of the right guaranteed by the Constitution.

Our company processes special categories of personal data, subject to taking adequate measures determined by the Personal Data Protection Board, under the following conditions:

• If the personal data owner has given explicit consent, or
• If the personal data owner has not given explicit consent; special categories of personal data except for those related to health and sexual life can be processed in cases stipulated by laws,
• Special categories of personal data related to health and sexual life can only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing, by persons or authorized institutions and organizations under confidentiality obligation.

Technical and Administrative Measures

In accordance with Article 12 of the PDPL, Regulation provisions, the general principles mentioned above, this Policy, and the decisions of the Personal Data Protection Board, our company takes the necessary technical and administrative measures according to technological possibilities and implementation costs regarding the following matters:

• Necessary software and hardware have been determined. Strong passwords are used on computers and email accounts.
• Personnel have been trained on the protection of customer information, and their responsibilities have been documented in employment contracts (Confidentiality Agreements). This obligation continues even after the relevant persons leave their positions.
• Necessary infrastructure has been established for data backup purposes.
• Employees who can access data on computers have been identified.
• Customer files and information are provided only to the individuals themselves, their relatives who have given written consent, relevant public institutions and organizations within the framework of the legislation, and competent judicial authorities in legal cases.
• The obligation to inform relevant individuals before starting personal data processing is fulfilled by the Institution.
• A personal data processing inventory has been prepared.
• Personal data owners are informed about these matters through texts posted or made available to guests in our Clinic in other ways.

Your personal data, in compliance with the basic principles prescribed by the Law and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law, can be shared with our clinic, Ministry of Health, its subordinate units and family medicine centers, private insurance companies (health, pension, and life insurance, etc.), Social Security Institution, General Directorate of Security and other law enforcement agencies, General Directorate of Population, Turkish Pharmacists‘ Association, prosecutors and courts, laboratories, medical centers, and third-party health service providers we cooperate with for medical diagnosis either domestically or internationally, health institutions the patient is referred to or applies to, your authorized representatives, third parties we consult, regulatory and supervisory authorities and official bodies, our suppliers, and support service providers we benefit from or collaborate with, within the framework of the conditions and purposes for personal data processing specified in Articles 8 and 9 of the Law. Your personal data are not shared with foreign countries.

Related persons have the right to learn whether their personal data are processed, request information if their personal data have been processed, access and request their personal health data, learn whether they are used appropriately for their purpose, learn the third parties to whom they are transferred, request correction in case of incorrect processing, request deletion or destruction of personal data, demand notification of the corrections to the third parties to whom the data have been transferred, object to the outcome resulting from the analysis by automated systems, and demand compensation for the damage arising from the unlawful processing of personal data. These rights can be exercised by submitting a petition to our company.

Our company conducts personal data processing activities by using security cameras and recording images of guest entries and exits. In this context, our clinic acts in accordance with the Personal Data Protection Law and security legislation.

Access to records stored and preserved in digital media is granted only to authorized employees and/or employees of the supplier company. Camera recordings are stored for a period of 2 months.

This Policy takes effect upon its publication on the website.