KVKK

As the data controller, Medlook Dr. Handan Yavuz Polyclinic attaches great importance, within the framework of its principles of superior service quality, respect for the rights of individuals, transparency and honesty, to protecting the personal data of its customers, employees and other real persons with whom it has a relationship, in line with the regulations determined by the Personal Data Protection Law. We attach great importance to patient privacy and to processing and preserving all kinds of personal data belonging to our patients in the best possible way and with the utmost care. This policy has been prepared in order to protect and process the personal data of our patients, as well as companions, visitors and employees of the institutions and organizations we cooperate with, within the framework of the basic principles in the legislation.

The purpose of this Policy is to ensure transparency by informing the persons whose personal data are processed, especially our patients, companions, visitors, employees and institution officials, employees and officials of the institutions we cooperate with, and third parties, within the scope of personal data processing activities carried out by our polyclinic in accordance with the legislation. In this context, administrative and technical measures are taken to process and protect personal data in accordance with Law No. 6698 and relevant legislation. Natural persons whose personal data are processed within the scope of this policy are referred to as Data Subject or Personal Data Owner.

Explicit Consent:

Consent on a specific issue, based on information and freely given.

Anonymization:

Changing personal data in such a way that it loses its personal data characteristic and this situation cannot be reversed; that is, making personal data unassociated with a real person by means of techniques such as masking, aggregation and data corruption. It is possible to anonymize personal data for various purposes, but in accordance with the request and/or consent of the person concerned, so as not to violate the scope of KVKK and explicit consent. Necessary measures will be taken within our outpatient clinic to prevent the anonymized personal data from being made identifiable by various methods.

Employees, Shareholders and Authorities of the Institutions we cooperate with:

It refers to real persons, including shareholders and officials of these organizations, who work in organizations (such as business partners, suppliers, but not limited to these) with which we have all kinds of business relations.

Processing of Personal Data:

It refers to all kinds of operations performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Personal Data:

It refers to any information relating to an identified or identifiable natural person. All information that makes the person identifiable is regulated as personal data, and information such as TR Identity Number, Name and Surname, e-mail address, telephone number, residence address, date of birth, bank account number can be given as examples of personal data.

Sensitive Personal Data:

Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are personal data of special nature.

Third Person:

Refers to third party real persons who are associated with the above-mentioned parties in order to ensure the security of commercial transactions between them and the parties mentioned above or to protect the rights of the aforementioned persons and to obtain benefits (For example, employees or officials of the company from which the service is received, Companion, etc.).

Data Processor:

A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. For example, the IT company that holds our data.

Data Controller:

It refers to the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).

Within the scope of KVKK, our polyclinic has the title of data controller and has registered to the VERBIS system. A team (Personal Data Officer Team) has been established within our company. In cases requiring a decision to be taken, the Personal Data Officer Team receives the opinion of a lawyer specialized in personal data, and the decision taken following the approval of the management is put into practice.

Although the personal data processed may vary depending on the health services provided, they are collected by physical and/or digital methods. Personal data of special nature and personal data of general nature, especially health data collected verbally, in writing or digitally by our patients, physicians, healthcare personnel, etc., our employees, subcontractor companies and their employees and companies with which we engage in all kinds of commercial activities, our call center, our polyclinic's website, online services and similar means, are processed for the following and other purposes that may arise in the future:

  • Conducting medical diagnosis, treatment and care services,
  • Protection of public health,
  • Planning and management of preventive medicine health services and financing,
  • Informing our patients about appointments,
  • Planning and managing internal procedures,
  • Analyzing the fulfillment of health services in accordance with the legislation for the purpose of development,
  • Fulfillment of risk management and quality improvement activities,
  • Conducting research,
  • Fulfillment of legal and regulatory requirements,
  • Billing for our services,
  • Confirmation of your identity,
  • Confirmation of your relationship with contracted institutions,
  • Sharing any information requested by private insurance companies within the scope of financing health services,
  • Responding to all your questions and complaints regarding our health services,
  • Taking all necessary technical and administrative measures within the scope of data security,
  • Ensuring financial reconciliation with our contracted institutions, banks and all organizations (public and private) from which health expenditures are collected, regarding the health services provided to you,
  • Sharing the information requested with the Ministry of Health and other public institutions and organizations in accordance with the relevant legislation,
  • Measuring patient satisfaction, increasing patient satisfaction,
  • Fulfillment of contracts and of our legal obligations.

CATEGORIZATION OF PROCESSED PERSONAL DATA

Credentials:

All information about the identity of the person in documents such as driver's license, identity card, passport, lawyer ID, marriage certificate

Contact Information:

Information for contacting the data subject such as phone number, address, residence, e-mail

Location Data:

Data which clearly belongs to an identified or identifiable natural person and which are included in the data recording system and which are used to determine the location of the data subject

Family Members and Relatives Information:

Information about the family members and relatives of the personal data owner, which clearly belongs to an identified or identifiable natural person and is included in the data recording system and processed in order to protect the legal interests of the relevant Institution and the data owner

Physical Space:

Personal data related to records and documents such as camera recordings, fingerprint records, visual and audio recordings

Process Security Information:

Personal data processed to ensure our technical, administrative, legal and commercial security while conducting our activities

Financial Information:

Personal data processed regarding information, documents and records showing all kinds of financial results

Employee Candidate Information:

Personal data processed about individuals who have applied to be an employee (CV or resume information)

Personal Information:

Personal data related to Payroll Information, Disciplinary Investigation, SSI information, employment entry-exit document records, property declaration information, resume information, information about performance evaluation reports, interview results, content of the employment contract, employment start information, termination information

Legal Action:

Personal data processed within the scope of determination and follow-up of our legal receivables and rights and performance of our debts and our legal obligations

The above personal data may be processed within the framework of the provisions of the Basic Law on Health Services No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Affiliated Organizations, Private Hospitals Regulation, Personal Health Data Regulation and Ministry of Health regulations, etc., and may be transferred to the physical archives and information systems of our polyclinic and / or suppliers.

Our Company accepts that personal data will be processed in accordance with the following principles:

  • Compliance with the law and good faith,
  • Ensuring that personal data is accurate and, where necessary, up to date,
  • Processing for specific, explicit and legitimate purposes,
  • Being relevant, limited and proportionate to the purpose for which they are processed,
  • Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed

The explicit consent of the personal data owner is only one of the legal grounds that allow personal data to be processed in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity. In case the processed data is personal data of special nature, the following conditions shall apply:

  • Explicit Consent of the Personal Data Owner,
  • Explicit Provision in the Laws,
  • Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility,
  • Direct Relevance to the Establishment or Performance of the Contract,
  • Fulfillment of the Company's Legal Obligation,
  • Publicization of Personal Data by the Personal Data Owner,
  • Data Processing is Mandatory for the Establishment or Protection of a Right,
  • Data Processing is Mandatory for the Legitimate Interest of our Company (the legitimate interests of the company can in no way be contrary to the principles determined by the KVKK or to the purpose of processing personal data, and cannot interfere with the essence of the right guaranteed by the Constitution).

Special categories of personal data are processed by our Company in the following cases, provided that adequate measures to be determined by the Personal Data Protection Board are taken:

  • If the personal data owner has given explicit consent, or
  • If the personal data owner has not given explicit consent: personal data of special nature other than the health and sexual life of the personal data owner, in cases stipulated by law,
  • Sensitive personal data relating to the health and sexual life of the personal data owner are processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.

TECHNICAL AND ADMINISTRATIVE MEASURES

Our Company takes the necessary technical and administrative measures in accordance with the provisions of Article 12 of the KVKK and the Regulation, the general principles stated above, this Policy and the decisions of the Personal Data Protection Board, according to the technological possibilities and the cost of implementation regarding the following issues:

  • Necessary software and hardware have been identified. Strong passwords are used on computers and e-mail accounts.
  • What needs to be protected in terms of protecting customer information has been conveyed to our personnel through trainings, and their responsibilities have been put in writing in their employment contracts. (Confidentiality Agreements) This obligation continues even after the relevant persons leave their positions.
  • Necessary infrastructure has been established for the backup of all data.
  • Employees who can access data on computers have been identified.
  • Customer files and information are provided only to the relevant persons themselves, to their relatives to whom they have given written consent, to the relevant public institutions and organizations within the framework of the legislation and to the competent judicial authorities in judicial cases.
  • Before starting to process personal data, the Authority fulfills the obligation to inform the data subjects.
  • A personal data processing inventory has been prepared.
  • The personal data owners in question are enlightened on these issues through the texts posted in our polyclinic or otherwise made available to the guests.

Your personal data will be processed in accordance with the basic principles stipulated by the Law and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law. Within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law, your personal data may be shared with our polyclinic, the Ministry of Health, its sub-units and family medicine centers, private insurance companies (health, pension and life insurance and similar), the Social Security Institution, the General Directorate of Security and other law enforcement agencies, the General Directorate of Population, the Pharmacists Association of Turkey, prosecutor's offices and courts, laboratories located in Turkey or abroad with which we cooperate for medical diagnosis, medical centers and third parties providing health services, the health institution to which the patient is referred or to which the patient himself/herself applies, your duly authorized representatives, third parties from whom we receive consultancy, regulatory and supervisory institutions and official authorities, and our suppliers and support service providers whose services we benefit from or with whom we cooperate. Your personal data is not shared with foreign countries.

Regarding the processed personal data, the person concerned has the right to learn whether personal data has been processed, to request information if it has been processed, to access and request personal health data, to learn whether it is used for its intended purpose, to learn the third parties to whom it has been transferred, to request correction in case of incorrect processing, to request the deletion or destruction of personal data, to request notification of the correction to the third parties to whom the personal data has been transferred in case of incorrect processing, to object to an adverse result arising from analysis through automated systems, and to request compensation for the damage incurred due to the unlawful processing of personal data.

Personal data processing activities are carried out by our Company through the use of security cameras and taking video recordings at guest entrances and exits. In this context, our polyclinic acts in accordance with the Personal Data Protection Law and security legislation.

Only authorized employees and/or employees of the supplier company have access to the records recorded and stored in digital media. Camera recordings are kept for 2 months.

This Policy shall be deemed to have entered into force upon its publication on the website.

Medlook Dr. Handan Yavuz Polyclinic, the data controller, stores and destroys your personal data in accordance with the general principles and regulations specified in this Personal Data Storage and Destruction Policy prepared in accordance with the Constitution, the Law No. 6698 on the Protection of Personal Data and the Regulation on the Deletion, Destruction or Anonymization of Personal Data and other relevant legislation. With this Policy, the Company aims to set out the general principles and principles regarding the storage and destruction of natural person data subject to personal data processing activities within the scope of the KVKK and to fulfill the obligations determined by the legislation.

Explicit Consent:

Consent on a specific issue, based on information and freely given.

Recipient Group:

The category of natural or legal person to whom personal data is transferred by the data controller.

Anonymization:

Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Related User:

Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction:

Deletion, destruction or anonymization of personal data.

Personal Data:

Any information relating to an identified or identifiable natural person (e.g. name-surname, TR ID, e-mail, address, date of birth, credit card number, bank account number).

Data Subject:

The natural person whose personal data is processed.

Processing of Personal Data:

Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Sensitive Personal Data:

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Disposal:

The deletion, destruction or anonymization process specified in this Policy, carried out ex officio at recurring intervals in the event that all of the conditions for processing personal data specified in the KVKK disappear.

POLICY-REGULATED RECORDING ENVIRONMENTS

This Policy covers all personal data subject to data processing activities within the scope of KVKK. Furthermore, the documents referred to in the Policy include both physical and digital copies. All personal data subject to data processing activities within the scope of KVKK, processed by fully or partially automated means or by non-automated means provided that they are part of any data recording system, are stored in the following environments: company computers, e-mail accounts, desktop computers, employees' tools (e.g. cell phone), backup areas, paper files, folders, guestbook, CD, DVD, USB, hard disks, printer, copier, etc.

REASONS REQUIRING THE STORAGE AND DISPOSAL OF PERSONAL DATA

Personal data processing activities are based on the following principles:
  • Compliance with the law and good faith,
  • Ensuring that personal data is accurate and, where necessary, up to date,
  • Processing for specific, explicit and legitimate purposes,
  • Being relevant, limited and proportionate to the purpose for which they are processed,
  • Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Our Company stores and uses personal data for the purposes of personal data processing and in accordance with the conditions for processing personal data specified in Articles 5 and 6 of the KVKK, and destroys personal data ex officio or upon the request of the personal data owner in the event that all of these conditions disappear:

Explicit Consent of the Personal Data Owner:

The first condition for processing personal data is the explicit consent of the owner.

Explicit Provision in the Laws:

The personal data of the data subject may be processed in accordance with the law without obtaining his/her explicit consent, if expressly provided for in the Laws.

Failure to Obtain Explicit Consent of the Personal Data Owner Due to Actual Impossibility:

The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid in order to protect his/her or another person's life or physical integrity.

Direct Relevance to the Establishment or Performance of the Contract:

Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract.

Legal Obligation:

If data processing is mandatory for our Company to fulfill its legal obligations, the data of the personal data owner may be processed.

Publicization of Personal Data by the Personal Data Owner:

If the data subject has made his/her personal data public by himself/herself, the relevant personal data may be processed limited to the publicization.

Data Processing is Mandatory for the Establishment or Protection of a Right:

If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data subject may be processed.

Data Processing is Mandatory for the Legitimate Interest of our Company:

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our company.

DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA

Personal data shall be deleted, destroyed or anonymized by the company, ex officio or upon the request of the data subject, in the event that the provisions of the relevant legislation that constitute the basis for the processing of personal data are changed or abolished, the purpose requiring the processing or storage of personal data disappears, the data subject withdraws his/her explicit consent in cases where the processing of personal data is carried out only on the basis of explicit consent, or the maximum period requiring the storage of personal data has expired and there is no condition that justifies the storage of personal data for a longer period of time. Unless otherwise decided by the Personal Data Protection Board, our Company chooses the appropriate method of ex officio deletion, destruction or anonymization of personal data according to technological possibilities and implementation cost. Upon the request of the personal data owner, the justification of the appropriate method is explained. Necessary technical and administrative measures are taken in each of these processes.

TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN

Our Company takes the necessary technical and administrative measures in accordance with the provisions of Article 12 of the KVKK and the Regulation, the general principles stated above, this Policy and the decisions of the Personal Data Protection Board, according to the technological possibilities and the cost of implementation regarding the following issues:
  • Necessary software and hardware have been identified. Strong passwords are used on computers and e-mail accounts.
  • What needs to be protected in terms of protecting customer information has been conveyed to our personnel through trainings, and their responsibilities have been put in writing in their employment contracts. (Confidentiality Agreements) This obligation continues even after the relevant persons leave their positions.
  • Necessary infrastructure has been established for the backup of all data.
  • Employees who can access data on computers have been identified.
  • Customer files and information are provided only to the relevant persons themselves, to their relatives to whom they have given written consent, to the relevant public institutions and organizations within the framework of the legislation and to the competent judicial authorities in judicial cases.
  • Before starting to process personal data, the Authority fulfills the obligation to inform the data subjects.
  • A personal data processing inventory has been prepared.

STORAGE AND DESTRUCTION PERIODS

Our Company retains personal data only for the period specified in the legislation it is obliged to comply with or for the period required for the purpose for which they are processed, and then destroys them. In case the personal data owner requests the destruction of his/her personal data by applying to our company:

  • If all the conditions for processing personal data have disappeared: our Company finalizes the request of the personal data owner within thirty days at the latest and informs the personal data owner; if the personal data subject to the request has been transferred to third parties, it notifies the third party and ensures that the necessary actions are taken before the third party.
  • If all the conditions for processing personal data have not disappeared: our Company may reject the request of the personal data owner by explaining the reason in accordance with the third paragraph of Article 13 of the KVKK and notifies the personal data owner of the rejection in writing or digitally within thirty days at the latest.

PERIODIC DESTRUCTION PERIODS

Personal data are destroyed in the first periodic destruction process following the date on which the obligation to destroy personal data arises. In this context, if the obligation to destroy personal data arises, it is subject to destruction in 6-month periods.

| PROCESS | STORAGE TIME | DISPOSAL PERIOD |
| --- | --- | --- |
| Preparation of Contracts | 10 years from the end of the contract | At the first periodic destruction following the end of the storage period |
| Execution of Human Resources Processes | 10 years from the end of the activity | At the first periodic destruction following the end of the storage period |
| Execution of Hardware and Software Access Processes | 5 years | At the first periodic destruction following the end of the storage period |
| Registration of Visitors and Meeting Participants | 5 years | At the first periodic destruction following the end of the storage period |
| Personal Health Data Registry | For the period specified in the legislation | At the first periodic destruction following the end of the storage period |
| Identity data | For the period specified in the legislation | At the first periodic destruction following the end of the storage period |
| Camera Images | It is kept for at least 2 months in accordance with the Regulation on Private Hospitals. | At the first periodic destruction following the end of the storage period |

This Policy shall be deemed to have entered into force upon its publication on the website.