HWT CLINIC HEALTH TOURISM AND TRADING LTD. PERSONAL DATA PROTECTION AND PROCESSING POLICY
Purpose and Scope
HWT CLINIC HEALTH TOURISM AND TRADING LTD. (“HWT Clinic”) makes every effort to comply with all laws applicable to the processing and protection of personal data.
In this Policy, the principles adopted by HWT Clinic in the conduct of personal data processing activities are explained.
The aim of the Policy is to sustain the transparency of HWT Clinic’s clinic activities. In this context, the basic principles adopted by HWT Clinic for compliance with the regulations set forth in the Personal Data Protection Law No. 6698 (the “PDP Law”) are determined and the practices implemented by HWT Clinic are explained.
The Policy covers real persons whose personal data are processed automatically or not by automated means as part of any data recording system, although the protection of the personal data of HWT Clinic employees is also regulated in the “Personal Data Protection and Processing Policy for HWT Clinic Employees”.
2.1. General Principles
The policy is published on the HWT Clinic website at http://www.hwtclinic.com/ in a form accessible to data owners. Any changes to the policy will also be made available in a form easily accessible to data owners in line with changes and innovations in the legislation.
In the event of a conflict between the laws in force regarding the protection and processing of personal data and this Policy, HWT Clinic accepts that the application area of the laws in force will apply.
2.2. Groups of Persons Covered by the Policy
The data owner groups covered by the policy and whose personal data are processed by HWT Clinic are as follows:
Candidates for Employment
Persons who are being considered for employment by HWT Clinic but have not yet entered into a service agreement.
Officials and Employees of Business Partners
Real persons in charge, shareholders, and employees of organizations with whom HWT Clinic has a commercial relationship.
Real persons visiting HWT Clinic’s building or the internet sites operated by HWT Clinic.
Other Real Persons
All real persons not covered by the Personal Data Protection and Processing Policy for HWT Clinic Employees.
Information Provided to Data Owners
HWT Clinic carries out the necessary processes to inform data owners during the collection of personal data, in accordance with Article 10 of the PDP Law. In this context, the following information is contained in the disclosure texts provided to data owners:
• (1) The title of our clinic,
• (2) The purpose for which data owners’ personal data will be processed by HWT Clinic,
• (3) To whom and for what purpose the processed personal data may be transferred,
• (4) The method of collecting personal data and the legal reason for it,
• (5) The rights of the data owner, including:
o Learning whether personal data has been processed or not,
o Requesting information if personal data has been processed,
o Learning the purpose of processing personal data and whether they are being used in accordance with this purpose,
o Requesting the rectification of personal data if they are incomplete or incorrect, o Requesting the deletion or destruction of personal data under certain conditions, o Requesting that the processing of personal data be restricted,
o Objecting to the processing of personal data,
o Requesting the transmission of personal data to another data controller in a structured, commonly used, and machine-readable format.
4. Finalization of Personal Data Owners’ Requests
In the event that they submit the personal protections carrying the data to our relevant approach Clinic in writing, HWT Clinic, as the data controller, carries out the necessary processes to ensure that the restrictions are concluded as soon as possible and within thirty (30) days at the latest, in accordance with the article 13 of the KVK Law.
Within the scope of ensuring data security, HWT Clinic may request information in order to determine whether the applicant is the owner of the personal data subject to his application. Our clinic may also ask questions about our possession of the personal data owner, in order to ensure that the story of our personal data owner is concluded appropriately.
The owner of the data; According to HWT Clinic, features such as the possibility of impeding the rights and freedoms of the other person, requiring disproportionate effort, and having publicly available information can be requested by disclosure, according to HWT Clinic.
4.1. Rights of Personal Data Owners
Pursuant to Article 11 of the KVK Law, you can apply to our Clinic via the form available at http://www.hwtclinic.com/ and request the following:
• (1) Learning whether your personal data is processed,
• (2) If your personal data has been processed, requesting information about it,
• (3) To learn the purpose of processing your personal data and whether they are used in accordance with the purpose,
• (4) Learning the third parties to whom your personal data is transferred in the country or abroad,
• (5) Requesting correction of your personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
• (6) Requesting the deletion, destruction or anonymization of your personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting that the process carried out within this scope be notified to the third parties to whom your personal data has been transferred,
• (7) Objecting to the emergence of a result against you by analyzing your processed data exclusively through automated systems,
• (8) To request the compensation of the damage in case you suffer damage due to unlawful processing of your personal data.
4.2. Circumstances Excluded from the Rights of Personal Data Owners as per the Legislation
Pursuant to Article 28 of the KVK Law, personal data owners will not be able to assert their rights in the following matters, since the following situations are not within the scope of the KVK Law:
• (1) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime. .
• (2) Processing of personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
• (3) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
• (4) Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
Pursuant to article 28/2 of the KVK Law; Personal data owners will not be able to assert their rights, with the exception of demanding compensation in the following cases:
• (1) The processing of personal data is necessary for the prevention of crime or for criminal investigation.
• (2) Processing of personal data made public by the personal data owner.
• (3) The processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
• (4) The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
5. Ensuring the Security and Confidentiality of Personal Data
All necessary precautions are taken by HWT Clinic, depending on the nature of the data to be protected, in order to prevent the unlawful disclosure, access, transfer or security deficiencies that may occur in other ways.
In this context, all necessary (i) administrative and (ii) technical measures are taken by HWT Clinic, (iii) an audit system is established within the clinic, and (iv) in case of unlawful disclosure of personal data, it acts in accordance with the measures stipulated in the KVK Law.
(1) Administrative Measures Taken by HWT Clinic to Ensure Legal Processing of Personal Data and to Prevent Unlawful Access to Personal Data
• HWT Clinic trains and raises awareness of its employees on the law of personal data protection.
• In cases where personal data is subject to transfer, HWT Clinic ensures that records are added to the contracts concluded with the persons to whom the personal data is transferred, stating that the party to which the personal data is transferred will fulfill its obligations to ensure data security.
• Personal data processing activities carried out by HWT Clinic are examined in detail, and in this context, steps to be taken to ensure compliance with the personal data processing conditions stipulated in the KVK Law are determined.
• HWT Clinic determines the practices that must be followed in order to ensure compliance with the KVK Law and regulates these practices with internal policies.
(2) Technical Measures Taken by HWT Clinic to Ensure Legal Processing of Personal Data and to Prevent Unlawful Access to Personal Data
• As far as technology allows, technical measures are taken by HWT Clinic regarding the protection of personal data, and the measures taken are updated and improved in parallel with the developments.
• Expert personnel are employed in technical matters.
• Audits are made at regular intervals for the implementation of the measures taken.
• Software and systems are installed to ensure security.
• Access to personal data processed within HWT Clinic is limited to the relevant employees in line with the specified processing purpose.
(3) Carrying out Audit Activities for the Protection of Personal Data by HWT Clinic
The operation of the technical and administrative measures taken by HWT Clinic within the scope of protection and security of personal data is supervised and practices are carried out to ensure the continuation of the operation. The results of the audit activities carried out in this context are reported to the relevant department within the HWT Clinic. In line with the audit results, activities are carried out to ensure the development and improvement of the measures taken for the protection of data.
(4) Measures to be Taken in Case of Unlawful Disclosure of Personal Data
Within the scope of the personal data processing activity carried out by HWT Clinic, if the personal data is obtained by unauthorized persons unlawfully, the situation will be reported to the KVK Board and the relevant data owners without delay.
6. Identification of the Unit Responsible for the Protection and Processing of Personal Data
The “Personal Data Protection Unit” has been established by HWT Clinic, which will provide the necessary coordination within the clinic within the scope of ensuring, maintaining and maintaining compliance with the personal data protection legislation. The Personal Data Protection Unit is responsible for the execution and improvement of the systems established to ensure unity among HWT Clinic units and to ensure that the activities carried out comply with the personal data protection legislation.
In this context, the main duties of the Personal Data Protection Unit are as follows:
• To prepare and enforce the basic policies regarding the protection and processing of employee personal data,
• To decide how to implement and control the policies regarding the protection and processing of employee personal data, and to assign and coordinate in-clinic within this framework,
• To determine the issues that need to be done in order to ensure compliance with the KVK Law and the relevant legislation; to monitor and coordinate its implementation,
• To raise awareness within the Clinic and in cooperation with institutions on the protection and processing of personal data,
• To determine the risks that may occur in the personal data processing activities of the Clinic and to ensure that the necessary measures are taken; presenting improvement suggestions
• To design and implement trainings on the protection of personal data and the implementation of policies,
• To decide on the applications of personal data owners at the highest level,
• Personal data owners; Coordinating the execution of information and training activities to ensure that the Clinic is informed about personal data processing activities and their legal rights,
• To prepare and implement changes in the basic policies regarding the protection and processing of personal data,
• To follow the developments and regulations on the protection of personal data; To advise senior management on what should be done in clinical operations in accordance with these developments and regulations,
• Managing the relations with the KVK Board and the KVK Institution,
• To perform other duties assigned by the clinical management regarding the protection of personal data.
7. Purposes of Processing Personal Data and Personal Data Groups Subject to Data Processing
7.1. Personal Data Categories
Personal data in the following groups are processed by HWT Clinic partially or completely automatically or non-automatically as part of the data recording system.
PERSONAL DATA CATEGORIES DISCLOSURE
Identity Information/Family and Relatives Data Personal data containing information about the identity of the person; name and surname, T.C. Documents such as driver’s license, identity card and passport containing information such as identity number, nationality information, mother’s name and father’s name, place of birth, date of birth, gender, tax number, SGK number, signature information, Marriage Certificate, etc. informations.
Contact Information Contact information; personal data such as phone number, address, e-mail address, fax number.
Physical Space Security Information Personal data regarding the records and documents taken at the entrance to the physical space, during the stay in the physical space; camera recordings, and recordings taken at the security point, etc.
Transaction Security Information Personal data processed to ensure the technical, administrative, legal and commercial security of both the data owner and the Clinic while carrying out the commercial activities of HWT Clinic.
Risk Management Information Personal data processed through the methods used in accordance with the generally accepted legal, commercial practices and good faith in these fields in order to manage commercial, technical and administrative risks.
Financial Information Personal data such as bank account number, IBAN number, credit card information, and personal data processed for information, documents and records showing all kinds of financial results created within the scope of the legal relationship between HWT Clinic and the data owner.
Legal Action and Compliance Information Personal data processed within the scope of determination, follow-up and performance of HWT Clinic’s legal claims and rights, and compliance with legal obligations and HWT Clinic policies.
Audit and Inspection Information Personal data processed within the scope of HWT Clinic’s compliance with its legal obligations and Clinical policies.
Special Quality Personal Data Data specified in Article 6 of the KVK Law (for example, health data including blood type, religious information, etc.)
Request/Complaint Management Information Personal data regarding the receipt and evaluation of any request or complaint directed to HWT Clinic.
Reputation Management Information Personal data associated with the person and collected for the purpose of protecting the commercial reputation of HWT Clinic (for example, sharing about HWT Clinic)
7.2. Purposes of Processing Personal Data
Personal data is processed by HWT Clinic for the purposes listed below in accordance with data processing conditions and principles. The existence of the following purposes may vary for each personal data owner.
The personal data obtained are processed by HWT Clinic in accordance with the processing conditions of personal data specified in Articles 5 and 6 of the KVK Law.
• Follow-up of Finance and/or Accounting Affairs • Planning and Execution of Business Activities
• Follow-up of Legal Affairs
• Recruitment / Employment
• Planning of Human Resources Processes
• Execution of Personnel Procurement Processes
• Planning and Execution of Sales Processes of Products and/or Services
• Planning and Execution of Customer Relationship Management Processes
• Planning and Execution of Marketing Processes of Products and/or Services
• Planning and/or Execution of Efficiency/Efficiency and/or Appropriateness Analysis of Business Activities
• Planning of Information Security Processes
• Planning and/or Execution of Business Continuity Activities
• Planning and/or Execution of the Processes of Establishing and/or Increasing Loyalty to the Products and/or Services Offered by the Clinic
• Business Application
• Planning and/or Execution of After Sales Support Services Activities
• Planning and Execution of Production and/or Operation Processes
• Management of Relationships with Business Partners and/or Suppliers • Follow-up of Contract Processes and/or Legal Requests
• Planning and Execution of Operational Activities Required for the Ensuring that Clinical Activities are carried out in accordance with Clinical Procedures and/or Relevant Legislation
• Planning and/or Execution of Customer Satisfaction Activities
• Planning and Execution of Corporate Communication Activities
• Ensuring Data is Accurate and Up-to-Date
• Planning and Execution of Market Research Activities for Sales and Marketing of Products and Services
• Planning and Execution of Information Systems Access Authorizations of Business Partners and/or Suppliers
• Creating and Tracking Visitor Records
• Providing Information Based on Legislation to Authorized Institutions
• Planning and Execution of Clinical Audit Activities
• Planning and/or Execution of In-Clinical Training Activities.
• Work and/or event, organization, training activities deemed appropriate/assigned by the Clinic 7.3. Shared Party Categories
HWT Clinic may transfer the personal data of data owners within the scope of the Policy (See Section 5.2.) to the following groups of persons for the purposes stated below, in accordance with the principles set forth in the KVK Law and in particular, Articles 8 and 9 of the KVK Law:
• HWT Clinic suppliers,
• Authorized public institutions and organizations and authorized private legal persons,
• In accordance with the data transfer terms, to other third parties
The scope of the above-mentioned persons to whom the transfer is made and the possible data transfer purposes are stated below.
DEFINITION OF PERSONS WHO MAY BE TRANSFERRED TO DATA TRANSFER PURPOSE
The parties that provide services to HWT Clinic on a contractual basis, in accordance with the orders and instructions of HWT Clinic, within the scope of carrying out the commercial activities of the Supplier HWT Clinic on a limited basis in order to ensure that it is made available to
Legally Authorized Public Institutions and Organizations Public institutions and organizations authorized to receive information and documents of the Clinic in accordance with the provisions of the relevant legislation Limited to the purpose requested by the relevant public institutions and organizations within their legal authority
Legally Authorized Private Law Persons Private law persons authorized to receive information and documents from the Clinic in accordance with the provisions of the relevant legislation Limited to the purpose requested by the relevant private legal persons within their legal authority
Definitions of terms used in the Policy are given below:
Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching it with other data.
Regulation on the Processing of Personal Health Data: Regulation on the Processing of Personal Health Data and Ensuring Privacy, published in the Official Gazette dated October 20, 2016 and numbered 29863
Personal Health Data: Any health information relating to an identified or identifiable natural person. Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Owner: The natural person whose personal data is processed. For example; Customers and employees.
Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use.
KVK Law: The Law on Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677.
KVK Board: Personal Data Protection Board
KVK Authority: Personal Data Protection Authority
Special Qualified Personal Data: Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data .
Policy: HWT Clinic Personal Data Protection and Processing Policy HWT Clinic : Hwt Clinic Health Tourism Ve Tic. Ltd. Sti.
HWT Clinic Suppliers: Parties that provide services to HWT Clinic on a contractual basis.
Constitution of the Republic of Turkey: Published in the Official Gazette dated 9 November 1982 and numbered 17863; The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709.
Turkish Penal Code: Published in the Official Gazette dated 12 October 2004 and numbered 25611; Turkish Penal Code No. 5237 dated 26 September 2004.
Data Processor: It is the natural and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Controller: It is the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically.