+90 232 423 43 52

+90 532 730 80 08

+90 532 730 80 08

info@elaroyal.com

Opera Avenue Number 33/E Mavişehir Karşıyaka/IZMIR

EN

Personal Data Processing and Protection Policy

  1. PURPOSE AND SCOPE

As Ela Royal Klinik Sağlık Turizm ve Danışmanlık Anonim Şirketi (hereinafter briefly referred to as the Clinic/Employer) located at Mavişehir Mah. Opera Cad. No:33 E Karşıyaka-İZMİR, we attach importance to the protection of personal data belonging to all natural persons we come into contact with in any way while carrying out our activities, in accordance with the Constitutionally regulated Law No. 6698 on the Protection of Personal Data (KVKK) and the provisions of the European Union General Data Protection Regulation (GDPR), and in this context, the fulfillment of the requirements set forth in the KVKK.

This Personal Data Protection Policy has been prepared to inform you about the processes related to the collection, use, sharing, and storage of personal data by **Ela Royal Klinik Sağlık Turizm ve Danışmanlık Anonim Şirketi (hereinafter briefly referred to as the Clinic/Employer)** located at Mavişehir Mah. Opera Cad. No:33 E Karşıyaka-İZMİR. In the process of processing and protecting personal data, the provisions of the relevant legislation currently in force shall be applied primarily.

Within this framework, the main purpose of this Personal Data Protection and Processing Policy (**"Policy"**) is to present the rules, measures, duties, and responsibilities adopted by the Clinic within the scope of personal data protection legislation using a methodological approach, and to ensure transparency in the measures we apply for the protection of personal data in this context.

  1. DEFINITIONS AND ABBREVIATIONS

The terms used in the application of this Policy shall bear the meanings set forth below.

**Employees:** Refers to the employees of the Clinic.

**Contact Person:** The person responsible for monitoring personal data processing activities within the Clinic and the implementation of the KVK Policies and Procedures on an individual basis.

**Personal Data:** Refers to any information relating to an identified or identifiable natural person.

For example; name, surname, address, phone number, date of birth, place of birth, eye color, Turkish ID number.

**Personal Data Subject:** The natural person whose personal data is processed. For example; employee, visitor, customer, interested person, patient.

**Processing of Personal Data:** Any operation performed upon personal data, wholly or partly by automatic means or non-automatically provided that it is a part of a data recording system. For example; obtaining, recording, storing, changing, transferring.

**KVKK:** Refers to the Law No. 6698 on the Protection of Personal Data.

**GDPR:** European Union General Data Protection Regulation

 

**3. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA**

The Clinic processes Personal Data in accordance with the procedures and principles stipulated in the KVKK and other laws.

 The following principles are complied with in the processing of personal data:

**a) Processing in compliance with the law and good faith:**

The Clinic processes personal data in compliance with legal regulations, the law, and good faith. It provides information to personal data subjects.

**b) Being accurate and, where necessary, up to date:**

The Clinic takes necessary measures to ensure that the personal data it processes is accurate and up to date.

**c) Processing for specified, explicit, and legitimate purposes:**

The Clinic clearly and precisely defines the legitimate and lawful purpose for processing personal data. The Clinic processes personal data only as much as is necessary and relevant to the service it provides.

**ç) Being relevant, limited, and proportionate to the purposes for which they are processed:**

The Clinic processes personal data for the realization of the purposes determined within the scope of the service it provides, and avoids obtaining, processing, and storing personal data that is not necessary for the realization of the purpose.

**d) Storing for the period stipulated in the relevant legislation or required for the purpose for which they are processed:**

The Clinic stores personal data in accordance with legal regulations. At the end of the period, personal data is deleted, anonymized, or destroyed.

 

**CONDITIONS FOR PROCESSING PERSONAL DATA:**

When processing personal data, the Clinic complies with the following conditions in line with the provisions of the KVKK No. 6698:

       (1) Personal data cannot be processed without the explicit consent of the data subject.

Personal data is processed only with the explicit consent of the data owner/relevant person. Accordingly, patients are informed about the issue, and their explicit consent based on free will is obtained.

        (2) In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject:

a) Explicitly stipulated in the laws.

b) It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose their consent due to actual impossibility or whose consent is not legally valid, or that of another person.

c) Processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.

ç) It is mandatory for the data controller to fulfill its legal obligation.

d) The data subject has made the data public.

e) Data processing is mandatory for the establishment, exercise, or protection of a right.

f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

 

**CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA**

The Clinic complies with the regulations specified in the processing of special categories of personal data specified by KVKK No. 6698.

KVKK “ARTICLE 6- (1) Personal data concerning the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are defined as special categories of personal data.”

The Clinic processes special categories of personal data with the explicit consent of the data subject.

Personal data other than those related to health and sexual life shall be processed without seeking the explicit consent of the data subject in cases stipulated by law.

Personal data related to health and sexual life shall be processed without seeking the explicit consent of the data subject by persons under the obligation of secrecy or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, and planning and managing health services and their financing.

METHODS OF COLLECTING AND PROCESSING PERSONAL DATA

The Clinic processes personal data belonging to natural persons based on the Personal Data Processing Inventory, which is mandatory to be regulated in accordance with Articles 4, 5 and 6 of the Law on the Protection of Personal Data and within the scope of Articles 5, 7, 9, and 10 of the Regulation, and which must contain the information listed below:

  • Data category
  • Personal data processing purposes and legal basis
  • Recipient/recipient groups to whom the data is transferred
  • Data subject groups
  • Maximum retention period of personal data required for the purposes for which they are processed
  • Transfer to foreign countries
  • Administrative and technical measures taken regarding data security

 

THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY THE CLINIC AND THE PURPOSES OF TRANSFER

The Clinic meticulously complies with the conditions regulated in the KVKK regarding the sharing of personal data with third parties, subject to the provisions contained in other laws. In this context, personal data is not transferred to third parties by the Clinic without the explicit consent of the data subject. However, in the presence of one of the following conditions regulated by the KVKK, personal data may be transferred by the Clinic without obtaining the explicit consent of the data subject:

  • Explicitly stipulated in the laws,
  • It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose their consent due to actual impossibility or whose consent is not legally valid, or that of another person,
  • Processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract,
  • It is mandatory for the data controller to fulfill its legal obligation,
  • The data subject has made the data public,
  • Data processing is mandatory for the establishment, exercise, or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. Provided that adequate measures are taken; in case of special categories of personal data other than health and sexual life, it is stipulated in the laws, and in case of special categories of personal data related to health and sexual life,
  • Protection of public health,
  • Preventive medicine,
  • Medical diagnosis,
  • Conducting treatment and care services,
  • Planning and managing health services and their financing, your personal data may be transferred without obtaining explicit consent. In the transfer of special categories of personal data, the conditions specified in the processing conditions of these data are also complied with.                                           

    Furthermore, the situations in which your data may be processed without an explicit consent statement, pursuant to GDPR Article 9/2/h, Article 6/1/b, and Article 6/1/f, are listed below.

-Your Health Data, which is considered Special Categories of Personal Data, will be processed without your explicit consent by the Clinic, which is under the obligation of secrecy due to the Law, for the purpose of conducting examination, medical diagnosis, treatment, and care services.

  • Your Personal Data will be processed by the Clinic without your explicit consent, for the purpose of performing your check-ups after medical diagnosis and treatment processes, communicating with you one-on-one,
  • and managing appointment processes.

-Your Personal Data will be processed by the Clinic without your explicit consent, for the purpose of realizing patient satisfaction and demand management.

Pursuant to GDPR Article 6/1/c, your Personal Data will be processed without your explicit consent in the following situations, based on legal obligations;

  • Creation of a patient file.
  • Preservation of information regarding your health data that must be stored according to the relevant legislation.
  • Issuance of invoices by checking your fee payments.
  • Fulfillment of tax payments.
  • Fulfillment of obligations as required by the Ministry of Health Legislation.
  • Fulfillment of obligations as required by the Health Tourism Legislation.
  • Ensuring your data security.
  • Fulfillment of legal obligations before judicial authorities.

Fulfillment of administrative obligations before administrative institutions and organizations. **     **

 

RETENTION OF PERSONAL DATA WITHIN THE SCOPE OF RELEVANT LEGISLATION

The Clinic stores personal data securely in a physical or electronic environment for an appropriate period of time in order to carry out the activities of our company, in accordance with the provisions of the KVKK and other relevant laws. First, it examines whether there is a retention period for personal data and acts in accordance with this period. If there is no legal period, the necessary period is determined and personal data is stored in accordance with this period. At the end of the period, personal data is deleted, destroyed, or anonymized.

However, in cases where the data controller has a legitimate interest, personal data may be stored until the end of the general statute of limitations (ten years) regulated in the Code of Obligations, provided that the fundamental rights and freedoms of the data subjects are not harmed, even if the processing purpose and the periods specified in the relevant laws have expired.

In this context, the Clinic provides the necessary training to the relevant units within the Clinic and ensures awareness. **     **

MEASURES TAKEN FOR DATA SECURITY

The Clinic takes all necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data.

The measures stipulated in Article 12(1) of the KVKK are as follows:

  • To prevent unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • To ensure the protection of personal data.

The measures taken by the Clinic in this context are listed below:

Administrative Measures

  • The Clinic conducts necessary audits to ensure the implementation of the Law's provisions.
  • If personal data is obtained by others through unlawful means, the Clinic notifies the data subject and the Board as soon as possible.
  • Regarding the sharing of personal data, data security is ensured through framework agreements, consent forms, and data subject explicit consent forms or provisions to be added to contracts with the persons with whom personal data is shared.
  • Employs knowledgeable and experienced personnel regarding the processing of personal data and provides necessary KVK training to its personnel.

Technical Measures

  • The Clinic employs knowledgeable and experienced people to ensure data security and provides necessary KVK training to its personnel.
  • Conducts necessary internal controls within the established systems.
  • Ensures the provision of the technical infrastructure that will prevent and/or monitor the leakage of personal data outside the institution and the creation of related matrices.
  •  

RIGHTS OF PERSONAL DATA SUBJECTS PURSUANT TO KVKK ARTICLE 11:

Within the framework of Article 11 of the Law No. 6698 on the Protection of Personal Data (KVKK), personal data subjects, by applying to the Clinic's address, have the right to:

a- Learn whether personal data is processed,

b- Request information if personal data has been processed,

c- Learn the purpose of processing personal data and whether they are used appropriately for their purpose,

ç- Know the third parties to whom personal data is transferred domestically or abroad,

d- Request the correction of personal data if it is incomplete or incorrectly processed,

e- Request the deletion or destruction of personal data in accordance with the provisions of the KVKK and other relevant legislation,

f- Request that the third parties to whom personal data is transferred be notified of the transactions made in case of correction, deletion or destruction of personal data,

g- Object to a result against the person arising from the analysis of the processed personal data exclusively through automated systems,

ğ- Request the compensation of the damage in case of damage due to the unlawful processing of personal data.

RIGHTS OF DATA SUBJECTS PURSUANT TO GDPR

As a Data Subject, your Personal Data is also protected under the GDPR. In cases where the GDPR jurisdiction applies (citizens of the European Union or those residing in European Union countries), the rights of the Data Subjects are as follows:

  • Right of Access (GDPR Article 15): The data subject has the right to confirm whether personal data concerning them is being processed by applying to the Clinic, and in case of processing, to learn the details specified in GDPR Article 15.
  • Right to Rectification (GDPR Article 16): The Data Subject has the right to request the rectification of their changing personal data held by the Clinic at any time by applying.
  • Right to Erasure ('Right to be Forgotten') (GDPR Article 17): The Data Subject has the right to request the erasure of their personal data held by the Clinic. If the circumstances specified in GDPR Article 17 occur, your personal data will be erased by the Clinic without delay.
  • Right to Restriction of Processing (GDPR Article 18):
  • If Data Subjects object to the accuracy of their Personal Data, they have the right to request the restriction of the use of the data as Data Subject until the accuracy of the Personal Data is verified by the Clinic.
  • In cases where the Data Subject requests the erasure of their Personal Data because the Personal Data processing activity is unlawful, they have the right to request the restriction of the use of the data until their request is realized.
  • The Data Subject has the right to request the restriction of the use of their data in cases where the Clinic no longer needs their personal data for the purpose of processing.

In cases where Data Subjects object to the processing activity pursuant to GDPR Article 21/1, they have the right to request the restriction of the use of their data until it is verified whether the Clinic's legitimate grounds for data processing override the legitimate grounds of the Data Subject.

  • Right to Data Portability (GDPR Article 20): The Data Subject has the right to request the transfer of their Personal Data held by the Clinic to another controller at any time by applying, provided that it is technically possible. However, this right can be exercised when data processing is based on consent or is required by contract.

.Right to Object (GDPR Article 21)

+90 532 730 80 08