1. INTRODUCTION
Protection of personal data is among the most important priorities of THE WELL PORT HEALTH TOURISM TRADE CORPORATION. The necessary sensitivity is shown regarding the security of personal data, and great importance is attached to patient privacy and the best possible and careful processing and storage of all kinds of personal data belonging to our patients. In addition to our patients, our companions, visitors, all our employees and the employees of the institutions and organisations we cooperate with; It has been adopted as corporate policy to protect personal data within the framework of the following basic principles according to the Law No. 6698 on the Protection of Personal Data and the Regulation on the Processing of Personal Health Data and Ensuring Privacy and related legislation.
- Processing personal data in accordance with the law and good faith,
- Keeping personal data accurate and up to date when necessary,
- Processing personal data for specific, explicit and legitimate purposes,
- Processing personal data in connection with the purpose for which they are processed, limited and measured,
- Retaining personal data for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed,
- Informing and enlightening personal data subjects,
- Establishing the necessary system for personal data subjects to exercise their rights,
- Taking necessary measures for the protection of personal data,
- To act in accordance with the relevant legislation and KVK Board regulations in transferring personal data to third parties in line with the requirements of the purpose of processing,
- To show the necessary sensitivity to the processing and protection of special categories of personal data,
- Deleting and destroying personal data in accordance with the law in a defined manner and time
2. PURPOSE
The main purpose of this Policy is to make explanations about the personal data processing activities carried out by THE WELL PORT SAĞLIK TURİZMİ TİCARET ANONİM ŞİRKETİ in accordance with the law and the actions taken for the protection of personal data, and in this context, to ensure transparency by informing the persons whose personal data are processed by our institution, especially our patients, visitors, employees, business partners, suppliers. Personal data processed by THE WELL PORT SAĞLIK TURİZMİ TİCARET ANONİM ŞİRKETİ may vary depending on the health services provided, but are collected by automatic or non-automatic methods. Our physicians, employees, business partners and employees and companies engaged in all kinds of commercial activities; special categories of personal data and general categories of personal data, especially health data collected verbally, in writing or electronically, can be processed for the purposes listed below.
Carrying out medical diagnosis, treatment and care services,
Protection of public health,
Planning and management of preventive medicine health services and financing;
To be able to inform our patients about the appointment;
Planning and management of internal clinical procedures,
Analysing for the purpose of improving health services;
Training and developing our employees,
Protecting the personal processes and legal rights of our employees,
Monitoring and prevention of abuse and unauthorised transactions;
Fulfilment of risk management and quality improvement activities;
Fulfilment of legal and regulatory requirements;
Billing for our services;
Confirming your identity;
Confirm your relationship with the organisations contracted by the clinic;
Sharing any information requested by private insurance companies within the scope of financing health services;
To be able to respond to all your questions and complaints regarding our health services;
Taking all necessary technical and administrative measures within the scope of data security of the systems and applications of our clinic;
Analyse your use of healthcare services and store your health data in order to develop and improve the healthcare services we provide to you;
Maintaining information about your health data that must be kept in accordance with the relevant legislation;
Financial reconciliation with our contracted institutions, banks and all institutions (public and private) from which health expenditures are collected, regarding the health services provided to you;
Sharing the information requested with the Ministry of Health and other public institutions and organisations in accordance with the relevant legislation;
Measuring patient satisfaction, increasing patient satisfaction.
Carrying out communication activities
Execution of goods/service procurement processes
Execution of finance and accounting transactions
Personal data are collected and processed in all kinds of verbal, written or electronic media for the above-mentioned purposes and in order to provide health services within the legal framework determined and to fulfil THE WELL PORT SAĞLIK TURİZMİ TİCARET ANONİM ŞİRKETİ contracts and legal obligations as required.
3. SCOPE
This Policy covers the following personal data of our patients, visitors, institution officials, employees, employees, officials and third parties of persons, organisations and institutions with whom we are in cooperation and all kinds of legal relations, which are processed by automated or non-automated means.
Name, surname, Turkish ID number, passport number or temporary Turkish ID number, place and date of birth, gender, marital status, other identification data identifying patients; contact data such as address, telephone number, e-mail address, etc., financial data such as payment and billing information; audio and digital information that can be obtained by electronic or non-electronic methods; general and special quality personal data, especially personal health data obtained during the execution of all medical diagnosis, examination, treatment and care services; data related to private health insurance for the purpose of financing and planning of health services
According to the groups of personal data owners, the scope of application of this policy may be the entire Policy (such as our patients); only some of its provisions (such as only our employees, suppliers, etc.)
4. DEFINITIONS
Explicit Consent: Consent on a specific subject, based on information and expressed with free will
Anonymisation: It is the modification of personal data in such a way that it loses its personal data characteristic and this situation cannot be reversed. For example, masking, aggregation, data corruption, etc. techniques to make personal data unrelated to a natural person
Employees and Authorities of the Institutions We Cooperate with: Real persons, including the officials of these institutions, working in the institutions (such as, but not limited to, business partners, suppliers) with which our institution has all kinds of business relations
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system
Personal Data Owner: The natural person whose personal data is processed. For example: patients and employees
Personal Data: Any information relating to an identified or identifiable natural person. Therefore, the processing of information on legal persons is not covered by the Law. For example, name, surname, Turkish ID number, e-mail, address, date of birth, credit card number, bank account number, etc.
Patient A person who applies to our institution for examination and treatment and receives outpatient or inpatient treatment
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data
Third Party: Third party real persons (For example, employees or officials of the company from which the service is received, Companions, etc.) who are related to these persons in order to ensure the security of commercial transactions between our institution and the above-mentioned parties or to protect the rights of the aforementioned persons and to provide benefits.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller. For example, the IT company that keeps the data of our institution, all employees who enter patient data into the system
Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system)
Visitor Natural persons who have entered the physical areas owned by our organisation for various purposes or who visit our websites.
5. IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
The processing and protection of personal data is carried out within the framework of the relevant legal regulations in force THE WELL PORT SAĞLIK TURİZMİ TİCARET ANONİM ŞİRKETİ Personal Data Protection Policy has been prepared in accordance with current regulations.
The policy has been created by integrating with THE WELL PORT SAĞLIK TURİZMİ TİCARET ANONİM ŞİRKETİ applications within the framework of the rules set forth by the relevant legislation. It carries out the necessary preparations by adhering to the effective periods stipulated in the KVK Law. When necessary, the above-mentioned personal data may be processed within the framework of the provisions of the Basic Law No. 3359 on Health Services, Regulation on Private Health Institutions for Outpatient Diagnosis and Treatment, Regulation on Private Hospitals, Regulation on Personal Health Data and Ministry of Health regulations, etc., and will be transferred to the physical archives and information systems of our clinics and / or suppliers / business partners. As a result, personal data will be protected both in digital and physical environment in accordance with the legal periods defined in the procedures of the institution.
6. ENSURING THE SECURITY OF PERSONAL DATA
Our Institution takes the necessary technical and administrative measures to ensure the optimum level of security in order to prevent unlawful processing of the personal data it processes and to ensure the preservation of the data, and conducts or has the necessary audits carried out within this scope.
The actions and measures taken by our organisation to ensure "data security" in accordance with Article 12 of the KVK Law are stated below.
- In order to ensure that personal data is processed in accordance with the law, our organisation takes technical and administrative measures according to technological possibilities and implementation cost. Employees are informed that they cannot disclose the personal data they have learnt to others in violation of the provisions of the KVKK and cannot use them for purposes other than processing, and that this obligation will continue after they leave their duties and necessary commitments are taken from them in this direction.
- Our Institution takes technical and administrative measures to prevent all unlawful disclosure, access, transfer or other forms of unauthorised disclosure, access, transfer or other unlawful access to personal data.
- Our institution raises awareness as data processing institutions such as business partners and suppliers to whom personal data are transferred to prevent unlawful processing of personal data, prevent unlawful access to data and ensure that data are kept in accordance with the law.
- The obligations that our institution has to comply with when processing personal data as a data controller and the obligation to comply with the legal, administrative and technical measures it has developed in this regard Contracts are made to the data processing institutions that our institution is in relation with in various capacities such as suppliers and business partners in accordance with the nature of their activities in data processing
- Our institution carries out or has the necessary audits carried out within its own organisation. The results of these audits are reported to the relevant department within the scope of the internal functioning of the Agency and necessary activities are carried out to improve the measures taken.
In case the personal data processed in accordance with Article 12 of the KVK Law are obtained by others illegally, our institution operates the system that ensures that the relevant personal data owner and the KVK Board are notified as soon as possible.
7. RIGHTS OF THE DATA SUBJECT
In the event that personal data owners submit their requests regarding their rights listed below to our Authority in writing by personal application and with a specially authorised power of attorney, our Authority concludes the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. Personal data owners;
- To learn whether personal data is being processed,
- Request information if personal data has been processed,
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing,
- Request deletion or destruction of personal data,
- In case of correction, deletion or destruction of personal data, to request notification of these transactions to third parties to whom personal data are transferred,
- To object to the emergence of a result to the detriment of the person himself/herself by analysing the processed data exclusively through automated systems,
- In case of damage due to unlawful processing of personal data, it has the right to demand compensation for the damage.
In accordance with paragraph 1 of Article 13 of the KVK Law, the request regarding the exercise of the above-mentioned rights must be submitted to our Institution (data controller) in writing.
In order to exercise the rights specified within the framework of the KVK, the necessary information identifying the identity and explanations regarding the rights to be exercised, together with the request, indicating which right specified in Article 11 of the Law is related to the use of the right; It will ensure that the application regarding the request is answered more quickly and effectively.
8. ENSURING THE SECURITY OF SPECIAL CATEGORIES OF PERSONAL DATA
THE WELL PORT SAĞLIK TURİZMİ TİCARET ANONİM ŞİRKETİ meticulously protects personal data with its technical and administrative facilities. The security measures taken by our clinic are provided at an optimum level, taking into account technological possibilities and possible risks.
A group of personal data is defined as "sensitive personal data" in the PDP Law due to the risk of causing victimisation or discrimination when processed unlawfully.
These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
We act sensitively in the protection of the data defined above, which are determined as "special quality" by the KVK Law and processed in accordance with the law.
The details of the technical and administrative measures applied during the storage of special categories of personal data are specified in the "Personal Data Storage and Destruction Policy" published by our Institution. These administrative and technical measures have been established in accordance with the Board decision published by the Personal Data Protection Board.
9. ENLIGHTENING AND INFORMING THE PERSONAL DATA SUBJECT
In accordance with Article 10 of the KVK Law, it enlightens personal data owners during the collection of personal data. In this context, our Institution informs the personal data owners about the identity of our Institution during the acquisition of their personal data, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the rights of the personal data owner within the scope of Article 11 of the KVK Law.
Article 20 of the Constitution stipulates that everyone has the right to be informed about personal data concerning him/her. In this direction, "requesting information" is also listed among the rights of the personal data owner in Article 11 of the KVK Law. In this context, in accordance with Article 20 of the Constitution and Article 11 of the KVK Law, our institution provides the necessary information in case the personal data owner requests information.
By announcing the corporate policy on the protection of personal data to personal data owners and data subjects through various public documents, our Institution ensures informing the data subjects in personal data processing activities and ensures accountability and transparency within this framework. In addition, our Organisation also informs the data subjects about its activities and the articles in the law by different methods, especially when the data subjects apply for "explicit consent".
10. PROCESSING OF PERSONAL DATA
In accordance with Article 20 of the Constitution and Article 4 of the KVK Law, in the processing of personal data; accurate and up-to-date, in accordance with the law and honesty rules; pursuing specific, clear and legitimate purposes; It carries out personal data processing activities in a purpose-related, limited and measured manner.
Our institution retains personal data for the period stipulated by law or required by the purpose of personal data processing.
Pursuant to Article 20 of the Constitution and Article 5 of the PDP Law, our Organisation processes personal data based on one or more of the conditions in Article 5 of the PDP Law regarding the processing of personal data.
In accordance with Article 6 of the KVK Law, our Institution acts in accordance with the regulations stipulated for the processing of special categories of personal data.
In accordance with Articles 8 and 9 of the KVK Law, our institution acts in accordance with the regulations stipulated in the law and set forth by the KVK Board regarding the transfer of personal data.
Processing of Personal Data in Compliance with the Principles Stipulated in the Legislation
Processing in accordance with the Law and Good Faith
Our Organisation acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. Our Institution takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than the purpose.
Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Our organisation takes the necessary measures to ensure that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legal interests.
Processing for Specific, Explicit and Legitimate Purposes
Our organisation clearly and precisely determines the purpose of processing personal data that is legitimate and lawful. Our Organisation processes personal data in connection with and to the extent necessary for the services it provides. The purpose for which personal data will be processed by our Institution is notified before the personal data processing activity begins.
Being relevant, limited and proportionate to the purpose for which they are processed
Our institution processes personal data in a manner that is conducive to the realisation of the specified purposes and avoids the processing of personal data that is not related to the realisation of the purpose or is not needed. For example, personal data processing activities are not carried out to meet the needs that may arise later.
Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
Our Organisation retains personal data only for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, our Authority first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period of time is determined, it acts in accordance with this period, and if no period of time is determined, it keeps personal data for the period required for the purpose for which they are processed. In the event that the period expires or the reasons requiring the processing of personal data disappear, personal data are deleted, destroyed or anonymised by our Institution.
Conditions for Processing Personal Data
Protection of personal data is a constitutional right. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the person. In this direction and in accordance with the Constitution, our Organisation processes personal data only in cases stipulated by law or with the explicit consent of the person.
Although the legal basis for the processing of personal data by our Institution varies, all kinds of personal data processing activities are carried out in accordance with the general principles specified in Article 4 of Law No. 6698.
The explicit consent of the personal data owner is only one of the legal grounds that allow personal data to be processed in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity. In case the processed data is personal data of special nature; the following conditions are applied.
- Explicit Consent of the Personal Data Owner
- Explicitly stipulated in the Laws
- Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility
- Direct Relevance to the Establishment or Performance of the Contract
- Fulfilment of Legal Obligation by the Institution
- Publicisation of Personal Data by the Personal Data Owner
- Data Processing is Mandatory for the Establishment or Protection of a Right
Data Processing is Mandatory for the Legitimate Interest of our Institution
Building, Facility Entrances and Personal Data Processing Activities within the Building Facility
Our organisation acts in accordance with the regulations in the KVK Law in carrying out camera surveillance activities for security purposes.
Personal data processing activities are carried out for monitoring the entrances and exits of patients, personnel, visitors and employees of supplier companies with security camera surveillance activities in the buildings and facilities of our institution.
Personal data processing activity is carried out by our Institution through the use of security cameras and recording of guest entrances and exits.
In this context, our Organisation acts in accordance with the Constitution, KVK Law and other relevant legislation.
Video recordings and, where necessary, audio recordings of our visitors are taken by means of a camera surveillance system at the building, facility entrances and inside the facility.
Within the scope of security camera monitoring activity, our institution aims to increase the quality of the service provided, to ensure its reliability, to ensure the safety of the institution, patients and other employees, and to protect the interests of patients regarding the healthcare and other services they receive.
Only authorised employees of the institution and/or employees of the supplier company have access to the records recorded and stored in digital environment.
In accordance with Article 12 of the KVK Law, necessary technical and administrative measures are taken by our institution to ensure the security of personal data obtained as a result of camera surveillance activities.
11. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
In the processing of personal data determined as "special quality" by the KVK Law, our institution acts in strict compliance with the regulations stipulated in the KVK Law.
In Article 6 of the PDP Law, some personal data that have the risk of causing victimisation or discrimination when processed unlawfully are determined as "special categories". These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
In accordance with the PDP Law, special categories of personal data are processed by our Institution in the following cases, provided that adequate measures to be determined by the PDP Board are taken:
- If there is explicit consent of the personal data owner or
- If the personal data subject does not have explicit consent;
- Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,
- Sensitive personal data relating to the health and sexual life of the personal data subject are processed only for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorised institutions and organisations under the obligation of confidentiality.
12. TRANSFER OF PERSONAL DATA
Our institution can transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. In this direction, our institution acts in accordance with the regulations stipulated in Article 8 of the KVK Law.
Your personal data, within the scope of the Law and other legislation and for the above-mentioned purposes, the Ministry of Health, its sub-units and family medicine centres, private insurance companies (health, pension and life insurance and similar), Social Security Institution, General Directorate of Security and other law enforcement agencies, General Directorate of Population, Turkish Pharmacists Association, courts and all public institutions and organisations, laboratories, medical centres and third parties providing health services in Turkey or abroad (in case of explicit consent) with which we cooperate for medical diagnosis, The health institution to which the patient is referred or to which the patient is applied, your authorised representatives, the institution to which you are affiliated and/or employed, third parties, including lawyers, tax consultants and auditors, regulatory and supervisory bodies and official authorities, our support service providers whose services we benefit from or cooperate with, clinical management software (cloud system) accredited by the Ministry of Health used for clinical and patient management, and our business partners.
Transfer of Personal Data Abroad
Your personal data is not transferred abroad by us under any circumstances.
13. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMISATION OF PERSONAL DATA
Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, personal data shall be deleted, destroyed or anonymised in accordance with the relevant procedures of our Institution or upon the request of the personal data owner, if the reasons requiring its processing disappear.
In this context, our Institution trains, assigns and raises awareness of the relevant business units in order to fulfil the relevant obligation.
While the names and surnames of the persons coming to the buildings of our Institution are obtained or through the texts posted in the Institution or otherwise made available to the guests, the personal data owners in question are enlightened within this scope.
Detailed information on the deletion, destruction and anonymisation of personal data is provided in the "Personal Data Retention and Destruction Policy" published by our Institution.
14. ENTRY INTO FORCE OF THE POLICY
THE WELL PORT SAĞLIK TURİZMİ TİCARET ANONİM ŞİRKETİ Personal Data Protection and Processing Policy enters into force upon signature on ../.../.... In the event that all or certain articles of the Policy are renewed, the effective date of the Policy is the date on which that article is revised for the renewed article.