PERSONAL DATA PROTECTION POLICY
İzmir Kaşkaloğlu Göz Hastanesi
As the data controller, it is of great importance for “Laser Miyopi Özel Tedavi Merkezi” Limited Company (hereinafter referred to as “Kaskaloglu” or “Company”) to protect the personal data of its patients, employees and other real persons with whom it is in contact. The purpose of this policy and other written policies for the processing and protection of personal data is the legal processing and protection of the personal data of our patients, potential patients, suppliers, employees, employee candidates, visitors, employees of the institutions we cooperate with and third parties who contact Kaskaloglu.
In this context, necessary administrative and technical measures are taken by Kaskaloglu for the processing and protection of personal data in accordance with the General Data Protection Regulation (GDPR) and Turkey's Law on the Protection of Personal Data numbered 6698 (“Data Protection Law” or “KVK Law”), as well as the local legislation.
In this Policy, the following basic principles adopted by Kaskaloglu for the processing of personal data will be explained:
Processing personal data within the scope of consent,
Processing personal data in accordance with the law and honesty rules,
Keeping personal data accurate and up-to-date when necessary,
Processing personal data for specific, explicit and legitimate purposes,
Related, limited and measured processing of personal data for the purpose for which they are processed,
Keeping personal data for as long as required by the relevant legislation or for the purpose for which they are processed,
Clarifying and informing the persons whose personal data are processed,
Creating the necessary infrastructure for the persons whose personal data are processed to exercise their rights,
Taking the necessary measures for the protection of personal data,
Acting in accordance with the relevant legislation and the regulations of the Personal Data Protection Board in determining and implementing the purposes of processing personal data and in transferring them to third parties,
Special regulation of the processing and protection of sensitive personal data.
2. PURPOSE OF THE POLICY
The main purpose of this Policy is to make statements about the personal data processing activity carried out by Kaskaloglu in accordance with the law and the systems adopted for the protection of personal data, and in this context, to provide transparency towards the persons with whom our company is associated.
3. SCOPE OF THE POLICY
This Policy relates to all personal data of our patients, suppliers, employees, employee candidates, visitors, employees of the institutions we cooperate with and third parties that are processed automatically or non-automatically, provided that they are part of any data recording system.
4. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
Kaskaloglu takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, illegal access to the data, and to ensure the preservation of the data in accordance with Article 32 and Article 78 of the GDPR and Article 12 of the Data Protection Law, and in this context, it carries out the necessary audits or has the audits conducted.
5. Measures Taken to Ensure Legal Processing of Personal Data and to Prevent Unlawful Access to Personal Data
Kaskaloglu takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data are processed in accordance with the law and to prevent unlawful access.
6. Technical Measures
The main technical measures taken by Kaskaloglu to ensure the legal processing of personal data and to prevent unlawful access are listed in the Personal Data Protection Authority's Data Controllers Registry Information System. Through the Data Controllers Registry Information System, you can review the technical measures taken by Kaskaloglu.
7. Administrative Measures
Administrative measures taken by Kaskaloglu to process personal data in accordance with the law and to prevent unlawful access:
There are disciplinary regulations that include data security provisions for employees.
Training and awareness activities are carried out periodically for employees on data security.
Institutional policies on access, information security, use, storage and destruction have been prepared and are being implemented.
Confidentiality commitments are made.
The signed contracts contain data security provisions.
Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly.
Personal data security is monitored.
Physical environments containing personal data are secured against external risks (fire, flood, etc.).
The security of environments containing personal data is ensured.
Personal data is reduced as much as possible.
In-house periodic and/or random audits are conducted.
Existing risks and threats have been identified.
Protocols and procedures for the security of sensitive personal data have been determined and implemented.
Data processing service providers are periodically audited on data security.
Awareness of data processing service providers on data security is ensured.
8. Supervision of the Measures Taken for the Protection of Personal Data
Kaskaloglu has a team concerned with the protection of personal data. On behalf of Kaskaloglu, which is the data controller, this team personally carries out the necessary audits in order to ensure the implementation of the provisions of the Law in its own institution or organization, in accordance with its obligation arising from Article 32 of the Law, and gets support from competent institutions when needed. According to the results of this audit, the detected violations, negativities and non-compliances are reported to the legal unit within the team and necessary measures are taken regarding these issues. In the event that an external service is outsourced by Kaskaloglu due to technical requirements regarding the storage of personal data, additional agreements are signed with the relevant companies to whom personal data is transferred in accordance with the law, stipulating that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and that these measures will be complied with within their own organizations. In addition, Kaskaloglu makes agreements with its personnel to comply with personal data protection measures in recruitment processes and in-house disciplinary policies.
9. RIGHTS AND REQUESTS OF THE PERSONAL DATA OWNER
Kaskaloglu, as the data controller, has established the Personal Data Application and Response Procedure, which is an annex to the personal data inventory, and a written template for applications that do not meet the application conditions specified in the law. Technical preparations have been made in order to carry out the necessary actions in accordance with these procedures.
Provided that the persons whose personal data are processed submit their requests regarding the rights listed below via a personal application showing the hard copy of their ID, in writing, by using a previously registered electronic mail address (KEP), by using a secure electronic signature or a mobile signature, by using the electronic mail address which has been previously registered in the Kaskaloglu communication system and about which Kaskaloglu has been informed, or by communicating their identities to Kaskaloglu in a verifiable form through a software or application developed for this purpose, the Company will respond to the request free of charge within thirty days at the latest, depending on the nature of the request. A detailed explanation on this matter is given below in Article 20 of this policy.
The persons whose personal data are processed will be able to claim all the rights in the relevant article of the law, including all data processing phases, its purposes and the information about the transfer of their personal data upon their application to be made in accordance with this procedure.
10. PROTECTION OF PRIVATE PERSONAL DATA
With the GDPR, special importance is attached to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully. These data are: race, ethnicity, political thought, philosophical belief, religious affiliation, union membership, health, sexual life and sexual orientation, biometric and genetic data.
Kaskaloglu acts with care in the protection of personal data that is designated as “sensitive” by the GDPR and is processed in accordance with the law. In this context, technical and administrative measures taken by Kaskaloglu for the protection of personal data are carefully implemented in terms of sensitive personal data and necessary audits are carried out within Kaskaloglu.
11. TRAINING OF KASKALOGLU EMPLOYEES ON PROTECTION AND PROCESSING OF PERSONAL DATA
Kaskaloglu provides its employees with the necessary training in order to prevent the illegal processing of personal data as well as illegal access to the data, and to raise awareness about data protection.
12. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA
In accordance with Article 20 of the Constitution and Article 5 of the GDPR, Kaskaloglu engages in personal data processing activities in a fair and transparent manner in accordance with the law, keeping personal data accurate and, when necessary, up to date, for specific, clear and legitimate purposes, and in a limited and prudent manner in connection with the purpose of processing personal data. Kaskaloglu preserves the integrity and confidentiality of personal data for as long as required by law or for the purpose of processing personal data.
Kaskaloglu collects the following personal information of its patients, employees, visitors, supplier company employees and third parties: identity information (name, surname, TR identity number, gender, age, date of birth), contact information (e-mail address, telephone number, address information), personal data, financial data, occupational data, audio-visual data, education data, family members data, health information, information on criminal convictions and security measures, military service information, transaction security information and physical space security information.
Kaskaloglu processes these data, taking data minimization into account, so that the data subjects whose personal data are processed can benefit effectively from Kaskaloglu’s products and services and be informed about marketing and innovations as a result of these services, and within the framework of the performance of contracts and the fulfilment of work and financial / legal / commercial obligations.
Kaskaloglu informs the persons whose personal data is processed in accordance with Article 13 of the GDPR and requests the consent of the persons concerned in cases where consent is required, and processes this personal data based on the criteria set out below.
13. Legality, Fairness and Transparency
Kaskaloglu processes personal data in accordance with the principles introduced by legal regulations and the legal processing conditions in the Law. In accordance with the principle of compliance with the law, Kaskaloglu carries out a transparent data processing process, taking into account the interests and reasonable expectations of the persons concerned, while trying to achieve its goals in data processing.
Keeping personal data accurate and up to date is essential for Kaskaloglu to protect the fundamental rights and freedoms of the person concerned. Kaskaloglu has an active duty of care to ensure that personal data is accurate and up to date when necessary. For this reason, all communication channels are open in order to keep the information of the persons whose personal data are processed by Kaskaloglu accurate and up to date.
15. Data Minimization
Kaskaloglu clearly and precisely determines the legitimate and lawful purpose of processing personal data and continues to process personal data limited only to the personal data necessary for the realization of this purpose.
16. Limitation of Purpose
Kaskaloglu processes personal data for purposes related to its field of activity and necessary for the conduct of its business. For this reason, Kaskaloglu processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or that is not needed.
17. Limitation of Storage
Kaskaloglu retains personal data only for as long as specified in the relevant legislation or required for the purpose for which they are processed. In this context, Kaskaloglu first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If a period has not been determined, personal data is stored for the processing purpose and as long as the period specified in the Retention and Disposal Policy published by Kaskaloglu. Kaskaloglu acts on the basis of the retention periods in the personal data inventory, and at the end of the periods specified here, personal data is deleted, destroyed or anonymized according to the nature of the data and the purpose of use, within the framework of the obligations under the Law.
18. Integrity and Confidentiality
In the personal data processing activities carried out by Kaskaloglu, security measures are taken to the extent required by the activity. The technical and administrative measures in the local legislation and GDPR are taken as the basis in determining these data security measures, which are taken to prevent data loss, unauthorized access and illegal data processing.
Kaskaloglu has a legal obligation to comply with the above-mentioned principles. In order to fulfill these obligations, the rights recognized by the Law are established for all persons whose personal data are processed and transparency is ensured in data processing activities.
20. ILLUMINATING AND INFORMING THE PERSONAL DATA OWNER
21. TRANSFERRING PERSONAL DATA
Kaskaloglu can transfer the personal data and sensitive personal data of the data subject to third parties by taking the necessary security measures in line with the purposes of processing personal data in accordance with the law. Personal data can be transferred by Kaskaloglu to foreign countries declared to have adequate protection by the KVK Board or, in the absence