Mhacare Health Tourism Construction Trade Co. Inc.
PERSONAL DATA PROTECTION POLICY
25/03/2020 1.INTRODUCTION 1. 1. Definitions 1. 2. Purpose and Scope of KVK Policy 2. PROCESSING OF PERSONAL DATA 2. 1. General Principles Regarding the Processing of Personal Data 2. 2. Terms of Processing Personal Data 2. 3. Purposes of Processing Personal Data 2. 4. Method of Collection of Personal Data 3. TRANSFER OF PERSONAL DATA 4. STORAGE AND DESTRUCTION OF PERSONAL DATA 5. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA 6. RIGHTS OF THE PERSONS CONCERNED OVER THEIR PERSONAL DATA 7. CHANGES TO BE MADE IN THE KVK POLICY 1. INTRODUCTION Protection of personal data, Mhacare Sağlık Turizm İnşaat Ticaret A.Ş. (hereinafter referred to as the "Company") is an important issue for . The Company has kept the personal data obtained from real persons confidential within the scope of the activities it has carried out since the day it was established and has taken all kinds of technical and administrative measures to protect personal data and ensure data security. The Company adopted and implemented the confidentiality of personal data as a working principle before April 7, 2016, when the Law on the Protection of Personal Data No. 6698 entered into force. The Company carries out all its activities in the T.C. In order to carry out in accordance with the Constitution and the KVK Law and the secondary legislation on the subject, it adopts all the principles stipulated by the KVK Law and fulfills its obligations regarding the processing, deletion, destruction, anonymization, transfer, clarification of the relevant person and ensuring data security of personal data. This KVK Policy, which is regulated within this scope, is offered to the access of real persons whose personal data are processed. 1.1. DEFINITIONS
||Consent to a specific subject, based on being informed and explained with free will
||Real person who has an employee-employer-like relationship with the Company depending on the employment contract or service contract
||Law No. 6698 on the Protection of Personal Data
||Any information relating to personally identifiable or identifiable natural persons
|"Anonymization of Personal Data"
||The process of making personal data not in any way associated with an identified or identifiable real person, even by matching it with other data,
|"Processing of Personal Data"
||Any operation performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosure, transferring, taking over, making available, preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system
|"Deletion of Personal Data"
||The process of making personal data inaccessible and unreusable for the relevant users in any way
|"Destruction of Personal Data"
||The process of making personal data inaccessible, irretrievable and unreusable by anyone, in any way.
||Personal Data Protection Board
||Personal Data Protection Authority
|"Special Quality Personal Data"
||Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and data on security measures, and biometric and genetic data
||Company Personal Data Protection Policy
||Mhacare Health Tourism Construction Trade Co. Inc.
||Natural or legal person who processes personal data on behalf of the data controller on the basis of the authorization given by him
||The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system
1.2. PURPOSE AND SCOPE OF THE KV POLICY This KVK Policy explains the issues related to the acquisition, use, transfer, destruction and other processing of personal data by the Company, the technical and administrative measures taken by the Company for the protection of personal data and the rights of the relevant persons. This KVK Policy;
- Employee candidates,
- Shareholders of the company,
- Company officials,
- Employees of the institutions with which they cooperate,
- Those who access all types of applications and services offered by the Company, and
- Third parties
It is applied for personal data processed within the scope of KVK Law. The personal data obtained by obtaining the explicit consent of the relevant persons or within the scope of other cases of compliance with the law listed in the KVK Law are processed for the purposes of fulfilling the legal obligations of the Company, providing its services as required, increasing the quality of the services provided and improving the quality policy and other purposes specified in this KVK Policy. 2. PROCESSING OF PERSONAL DATA 2.1. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA The Company complies with the principles listed in Article 4 of the KVK Law while carrying out personal data processing activities. Being in compliance with the law and good faith: The Company questions the source of the personal data obtained from the relevant person or third parties and attaches importance to the fact that they are obtained and processed in accordance with the law and within the framework of honesty rules. In this context, the Company makes the necessary warnings and notifications to the third parties to whom it transfers personal data for the protection of personal data. Being accurate and up-to-date when necessary: The Company attaches importance to the fact that all data within its legal entity are correct information, do not contain false information and finally update the personal data in case of changes in these when they are communicated to it. The Company pays reasonable care and attention to the accuracy and timeliness of the personal data declared by its customers or third parties who come into contact with it. Processing for specific, explicit and legitimate purposes: The Company sets out the legitimate and lawful data processing purposes in a specific and clear manner before starting the personal data processing activity. Personal data are not processed except for the purposes determined in this way. Being relevant, limited and proportionate to the purpose for which they are processed: The Company carries out personal data processing activities limited to the purpose for which they are processed. Personal data that are not related to the specified purpose are not processed by the Company. Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed: The Company retains the personal data for the period stipulated by the legislation or required by the purpose of processing. On the other hand, when the period stipulated by the legislation expires or when all the purposes of processing are eliminated, it deletes, destroys or anonymizes personal data. The principles in question are; It applies regardless of whether the Company has processed personal data on the basis of explicit consent or in accordance with other data processing requirements. At this point, the Company processes personal data in accordance with the data processing conditions and general principles and fulfills its obligation to clarify. 2.2. CONDITIONS OF PROCESSING OF PERSONAL DATA The Company processes personal data with explicit consent or in cases where it is considered in accordance with other data processing conditions:
- To be explicitly stipulated in the laws.
- It is mandatory for the protection of the life or bodily integrity of the person who is unable to express his consent due to actual impossibility or whose consent is not recognized as legally valid.
- It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the conclusion or performance of a contract.
- It is mandatory for the data controller to fulfill its legal obligation.
- It has been made public by the person concerned.
- Data processing is mandatory for the establishment, exercise or protection of a right.
- Provided that it does not harm the fundamental rights and freedoms of the data subject, the data processing is mandatory for the legitimate interests of the data controller.
According to the KVK Law, race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and clothing, association, foundation or union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data are personal data of special nature. In the processing of personal data of special nature, the Company takes additional measures stipulated by the KVK Law and the Personal Data Protection Board. In the processing of personal data of special nature, the data processing conditions listed in Article 6 of the KVK Law and the additional measures announced by the Personal Data Protection Board are complied with. In this context, personal data of special nature are processed in the following cases:
- Explicit consent of the person concerned
- The processing of personal data of special nature other than health and sexual life is stipulated in the laws.
- Processing of data related to health and sexual life by persons under the obligation of secrecy for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
The procedures and principles regarding the processing, destruction and protection of personal data of special nature are regulated by the Company's Policy on the Protection and Processing of Personal Data of Special Nature. 2.3. PURPOSES OF PROCESSING PERSONAL DATA The Company processes personal data for the following purposes within the framework of the legal reasons set forth in Article 5 and 6 of the KVK Law: Within the scope of planning and execution of human resources activities; The personal data of the employee candidates are processed for the purpose of evaluating the suitability for the job and carrying out the personnel procurement processes, the personal data of the employees are processed for the purposes of performance of the employment contract, establishment of benefits, execution of promotion/premium/increase processes, fulfillment of obligations arising from the legislation to which the Company is subject, especially the Labor Law, realization of social insurance processes, evaluation of employee performance, etc. In addition, the Company shall disclose personal data within the scope of ordinary company activities and services provided to its customers; planning and execution of corporate sustainability activities, event management, management of relations with business partners or suppliers, execution/follow-up of financial reporting and risk management transactions, execution / follow-up of legal affairs, planning and execution of corporate communication activities, execution of corporate governance activities, realization of corporate and partnership law transactions, demand and complaint management, management of investor relations, Company buildings and facilities security, creation and follow-up of visitor records, determination and implementation of the Company's commercial and business strategies, resolution of the problems and complaints of the relevant persons, ensuring satisfaction and providing an effective service, responding to information requests from administrative and judicial authorities, ensuring compliance with legal processes and legislation, ensuring information and transaction security and preventing malicious use, etc. In the event that the processing activity carried out for the aforementioned purposes does not meet any of the other data processing requirements stipulated under the KVK Law, explicit consent is obtained from the relevant person by the Company regarding the relevant data processing process. 2.4. METHOD OF COLLECTING PERSONAL DATA The Company collects personal data through contracts, digital media, notifications from administrative and judicial authorities, audio, electronic or written media, physical and electronic media in accordance with the personal data processing conditions specified in the KVK Law and in accordance with the legal reasons specified in this KVK Policy. The personal data in question are mainly processed within the scope of this KVK Policy for the purpose of establishing a contract and providing better service to the relevant persons. In this context, personal data can be obtained when the services offered by the Company are utilized, when a legal relationship is established with the Company (purchase, intermediary, work, etc.) or when the Company is contacted by means of (mail, e-mail, etc.) regarding the services. The Company adopts the principle of acting in accordance with the law when obtaining personal data from both its business partners and solution partners. Data is collected from business partners and solution partners with the commitment of data confidentiality and only as much as the service requires, and measures are taken to ensure data security at this point. The Company processes the personal data of its employees as much as it is necessary for business relations and in other cases permitted by the relevant legislation without obtaining consent and ensures the confidentiality and protection of the personal data of its employees. 3. TRANSFER OF PERSONAL DATA The Company transfers personal data to third parties only in line with the purposes specified in this KVK Policy and in accordance with Articles 8 and 9 of the KVK Law. In this context, the Company will be able to transfer the personal data it collects to the following persons and institutions for certain purposes:
- To the business partners of the Company limited to ensure the fulfillment of the purposes for which the business partnership was established,
- To the Company's suppliers, limited to the Company's suppliers, in order to ensure that the services provided to the Company by the Company outsourced from the supplier and necessary to carry out the Company's commercial activities,
- To the Company's customers,
- Upon request, to the authorized public institutions and organizations,
- To the Company's solution partners,
The purpose of the Company's sharing of personal data is to provide access to the services, to fulfill its legal obligations, to ensure the implementation of the contract concluded with the relevant person, to carry out purchase and sale transactions or to prevent and detect fraudulent or illegal activities related to the services and to carry out other commercial activities in accordance with the law. The Company adopts the principle of acting in accordance with the law in its data sharing activities. Data is shared with third parties to whom personal data are transferred only to the extent required by the service. Maximum care is taken to ensure that these parties take measures regarding data security. The personal data subject to the above-mentioned domestic and international transfer, in addition to the technical measures to ensure data security; it is also legally protected through data transfer contracts. The Company processes the personal data; may share this information with public institutions and organizations that are legally authorized to request this information in order to fulfill its obligation to the law (in cases where the Company has a legal or administrative obligation to notify or provide information, including but not limited to the fight against crime, threat to state and public security and so on). 4. STORAGE AND DESTRUCTION OF PERSONAL DATA In accordance with the KVK Law, personal data are kept accurate and up-to-date and kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed. This period is determined separately for each personal data category, and after the expiration of this period, the relevant personal data are deleted, destroyed or anonymized at the end of the periodic destruction periods determined in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data. Deletion of personal data, making personal data inaccessible and unreusable for the relevant users in any way; destruction of personal data, making personal data inaccessible, irretrievable and unreusable by anyone in any way; anonymization of personal data means that personal data cannot be associated with an identified or identifiable real person under any circumstances, even if it is matched with other data. In this context, the Company has determined the necessary periodic destruction periods and established a Personal Data Storage and Destruction Policy. The Company records all transactions related to the deletion, destruction and anonymization of personal data and keeps such records for at least three years, excluding other legal obligations. When the relevant persons apply to the Company and request the deletion or destruction of their personal data, the Company;
- If all the conditions for processing personal data have been eliminated, it deletes, destroys or anonymizes the personal data subject to the request. It concludes the request of the relevant person within thirty days at the latest and informs the relevant person.
- If all the conditions for processing personal data have been eliminated and the personal data subject to the request has been transferred to third parties, it shall notify the third party; ensures that the necessary actions are taken before the third party.
- If all the conditions for processing personal data have not been eliminated, it may reject this request by explaining the reason in accordance with the third paragraph of Article 13 of the KVK Law and notify the relevant person of the rejection response in writing or electronically within thirty days at the latest.
5. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA The Company takes technical and administrative measures according to technological facilities and application cost to ensure that personal data is processed in accordance with the law. The technical and administrative measures taken for the protection of personal data are implemented with care and additional measures in terms of special quality personal data and the necessary audits are periodically provided at the highest level within the Company. The Company has taken all appropriate security measures to ensure that personal data is processed only within the scope of the purposes specified in this KVK Policy and to reduce risks such as malicious use, unauthorized access, sharing, destruction or modification of personal data. These security measures include other measures taken in matters such as the transfer of personal data to countries that may not provide an adequate level of data protection. Personal data is confidential and the Company respects this confidentiality. Personal data can only be accessed by authorized persons within the Company. In this context, it is ensured that the software complies with the standards, that third parties are carefully selected and that the data protection policy is complied with within the Company. Within the scope of the technical and administrative measures taken by the Company to ensure data security;
- It organizes regular trainings and awareness activities on the protection of personal data for its employees.
- The Company creates policies based on the personal data processing inventory and establishes the necessary processes for the implementation of the policies.
- The Company identifies the risks within the scope of personal data protection law and carefully carries out studies to eliminate the risks. In this context, it creates active lighting and open consent channels.
- It carries out periodic audits within the Company in order to fulfill the obligations related to the protection of personal data law.
- It provides legal consultancy services on a continuous basis on compliance with the updated legislation.
- It establishes a separate policy for the protection of personal data of special nature and implements additional measures determined by the Board.
- It implements the necessary measures such as data sharing agreement etc. in managing the relations with the data processors.
- It uses generally accepted security technology standards such as firewalls and Secure Socket Layer (SSL) encryption.
- It uses virus protection systems, secure databases, servers, firewalls.
- In order to protect personal data in the light of current technological developments, including the encryption of electronic mail information, it analyzes the risk situation and takes the widest and most appropriate preventive security measures.
- It creates a secure technical infrastructure to ensure the security of the databases where personal data will be stored.
- It determines the procedures for reporting the technical measures taken and audit processes.
- It takes other administrative measures regarding the protection of personal data.
- Safety-related measures are periodically renewed and improved.
In the event that personal data is damaged or falls into the hands of unauthorized third parties as a result of attacks on the platforms or the Company's system operated by the Company, despite the Company's taking the necessary information security measures, the Company shall immediately take action to remedy the violation and minimize the damage of the data subject. The Company immediately notifies the relevant persons and the Board of this situation and takes the necessary measures. 6. RIGHTS OF PERSONS CONCERNED OVER PERSONAL DATA According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data concerning him/her. In this context, the rights of the data subject over their personal data are listed as follows in Article 11 of the KVK Law:
- To learn whether your personal data is processed or not,
- Request information about this if personal data is processed,
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom their personal data are transferred domestically or abroad,
- If their personal data is processed incompletely or incorrectly, to request their correction,
- Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVK Law,
- Requesting that these deletion, destruction or correction procedures be notified to third parties to whom personal data are transferred,
- To object to the occurrence of a result against the data owner by analyzing the processed data exclusively by means of automated systems,
- Requesting the compensation of the damage in case the personal data is damaged due to the processing of the KVK Law.
In the event that the relevant persons submit their requests regarding the above-mentioned rights to the Data Controller in accordance with the application procedures stipulated in the Communiqué on the Principles and Procedures of Application, the Company shall conclude this request free of charge as soon as possible and within 30 (thirty) days at the latest according to its nature. However, if the transaction requires an additional cost, the Company may receive the fee in the tariff determined by the Board. Within the scope of the above-mentioned rights, the relevant person may submit his / her requests in writing or by using the registered electronic mail (KEP) address, secure electronic signature, mobile signature or the electronic mail address previously notified to the Company by the relevant person and registered in the Company's system. In the application made;
- Name, surname and signature if the application is in writing,
- T.R. identity number for citizens of the Republic of Turkey, nationality for foreigners, passport number or identity number, if any,
- The address of the place of residence or place of business for the notification,
- The electronic mail address, telephone and fax number, if any, for the notification,
- Subject of the request
and information and documents related to the subject must be attached to the application. Applications will only be evaluated if they are in Turkish. In order for third parties to request an application on behalf of the relevant persons, there must be a special power of attorney issued by the relevant person on behalf of the person to be applied through a notary. BC CHANGES TO BE MADE TO THE KVK POLICY The Company may make changes to this KVK Policy at any time. These changes take effect on the day the new amended KVK Policy is published. In order to be informed of the changes in this KVK Policy, necessary information will be provided to the relevant persons.