Within the framework of the principles of superior service quality, respect for the rights of individuals, transparency and honesty determined by the data controller Özel Maya Cerrahi Tıp Merkezi (Arkansiyel Sağlık Hizmetleri ve Tic. A.Ş.), it is of great importance to protect the personal data of its customers, employees and other real persons with whom it has a relationship in line with the regulations determined by the Personal Data Protection Law. We attach great importance to patient privacy and to ensure that all kinds of personal data belonging to our patients are processed and stored in the best possible way and with the utmost care. This policy has been prepared in order to protect and process the personal data of our patients, as well as companions, visitors and employees of the institutions and organisations we cooperate with, within the framework of the basic principles in the legislation.

The purpose of this Policy is to ensure transparency by informing the persons whose personal data are processed, especially our patients, companions, visitors, employees and institution officials, employees and officials of the institutions we cooperate with, and third parties, within the scope of personal data processing activities carried out by our healthcare institution in accordance with the legislation. In this context, administrative and technical measures are taken to process and protect personal data in accordance with Law No. 6698 and related legislation. Real persons whose personal data are processed within the scope of this policy are referred to as Data Subject, Relevant Person or Personal Data Owner.

Open Consent: Consent on a specific subject, based on information and expressed with free will.

Anonymisation: Changing personal data in such a way that it loses its personal data characteristic and this situation cannot be reversed. For example, masking, aggregation, data corruption, etc. Making personal data unassociated with a real person by means of techniques. It is possible to anonymise personal data for various purposes, but in accordance with the request and / or consent of the person concerned, so as not to violate the scope of KVKK and explicit consent. Necessary measures will be taken within our health institution in order to prevent the anonymised personal data from being made identifiable by various methods.

Co-operation IEmployees, Shareholders and Authorities of the Institutions we are in: It refers to real persons working in organisations (such as business partners, suppliers, but not limited to these) with which we have all kinds of business relations, including the shareholders and officials of these organisations.

Processing of Personal Data: It refers to all kinds of operations performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Personal Data: It refers to any information relating to an identified or identifiable natural person. All information that makes the person identifiable is regulated as personal data, and information such as TR Identity Number, Name and Surname, e-mail address, telephone number, residence address, date of birth, bank account number can be given as examples of personal data.

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data refer to special categories of data.

Third Person It refers to third party real persons who are associated with these persons in order to ensure the security of commercial transactions between the above-mentioned parties or to protect the rights of the aforementioned persons and to provide benefits (For example, employees or officials of the company from which the service is received, Companion, etc.).

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller. For example, the IT company that holds our data.

Data Controller: It refers to the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).

Within the scope of KVKK, our health institution has the title of data controller and has registered to VERBIS system. A team (Personal Data Officer Team) has been established from our company. In cases requiring a decision to be taken, the Personal Data Officer team takes the opinion of a Lawyer / lawyer specialised in personal data, and the decision taken following the approval of the management is put into practice.

Although the personal data processed may vary depending on the health services provided, they are collected by physical and/or digital methods. Our patients, physicians, health personnel, etc., our employees, subcontractor companies and their employees and companies with which we engage in all kinds of commercial activities, our call centre, the website of our health institution, online services and similar ways, verbally, in writing or digitally collected health data, especially personal data of special nature and personal data of general nature, are processed for the following and other purposes that may arise in the future:

  1. Carrying out medical diagnosis, treatment and care services,
  2. Protection of public health,
  3. Planning and management of preventive medicine health services and financing,
  4. To be able to inform our patients about the appointment
  5. Planning and management of internal procedures,
  6. Analysing the fulfilment of health services in accordance with the legislation for the purpose of development,
  7. Fulfilment of risk management and quality improvement activities,
  8. Conducting research,
  9. Fulfilment of legal and regulatory requirements,
  10. Invoicing for our services,
  11. Confirmation of your identity,
  12. Confirmation of your relationship with the contracted institutions,
  13. Sharing all kinds of information requested by private insurance companies within the scope of financing health services,
  14. Responding to all your questions and complaints regarding our health services,
  15. Taking all necessary technical and administrative measures within the scope of data security,
  16. Ensuring financial reconciliation with our contracted institutions, banks and all organisations (public and private) from which health expenditures are collected, regarding the health services provided to you,
  17. Sharing the information requested with the Ministry of Health and other public institutions and organisations in accordance with the relevant legislation,
  18. Measuring patient satisfaction, increasing patient satisfaction,
  19. It may be collected and processed for the fulfilment of purposes such as contracts and fulfilment of our legal obligations.

CATEGORISATION OF PROCESSED PERSONAL DATA

Credentials: All information about the identity of the person in documents such as driving licence, identity card, passport, lawyer ID, marriage certificate

Contact Details: Information for contacting the data subject such as telephone number, address, residence, e-mail

Location Data: Data which clearly belong to an identified or identifiable natural person and which are included in the data recording system and which are used to determine the location of the data subject

Family Members and Close Knowledge: Information about the family members and relatives of the personal data owner, which clearly belongs to an identified or identifiable natural person and is included in the data recording system and processed in order to protect the legal interests of the relevant Institution and the data owner

Physical Space: Personal data related to records and documents such as camera recordings, fingerprint records, visual and audio recordings

Process Gü Safety Knowledge: Personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our activities

Financial Information: Personal data processed regarding information, documents and records showing all kinds of financial results

Employee Candidate Information: Personal data processed about individuals who have applied to be an employee (CV or resume information)

Personal Information: Payroll Information, Disciplinary Investigation, Social Security Institution (SSI) information, employment entry-exit document records, property declaration information, CV information, information about performance evaluation reports, interview results, the content of the employment contract, employment information, personal data related to termination information

Legal Action: Personal data processed within the scope of determination and follow-up of our legal receivables and rights and performance of our debts and our legal obligations

The above personal data may be processed within the framework of the provisions of the Basic Law on Health Services No. 3359, Decree Law No. 663 on the Organisation and Duties of the Ministry of Health and Affiliated Institutions, Private Hospitals Regulation, Personal Health Data Regulation and Ministry of Health regulations, etc., and may be transferred to the physical archives and information systems of our health institution and / or suppliers.

Our company accepts that personal data will be processed in accordance with the following principles:

  1. Compliance with the law and the rule of honesty,
  2. Ensuring that personal data is accurate and up-to-date when necessary,
  3. Processing for specific, explicit and legitimate purposes,
  4. Being relevant, limited and proportionate to the purpose for which they are processed,
  5. Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

The explicit consent of the personal data owner is only one of the legal grounds that allow personal data to be processed in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity. In case the processed data is personal data of special nature, the following conditions shall apply:

  1. Explicit Consent of the Personal Data Owner,
  2. Explicitly stipulated in the Laws,
  3. Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility,
  4. Direct Relevance to the Establishment or Performance of the Contract
  5. Fulfilment of the Company's Legal Obligation,
  6. Publicisation of Personal Data by the Personal Data Owner,
  7. Data Processing is Mandatory for the Establishment or Protection of a Right,
  8. Data Processing is Mandatory for the Legitimate Interest of our Company, (The expression of the legitimate interests of the company can in no way be contrary to the principles determined by the KVKK, the purpose of processing personal data and cannot interfere with the essence of the right guaranteed by the Constitution).

Special categories of personal data are processed by our Company in the following cases, provided that adequate measures to be determined by the Personal Data Protection Board are taken:

  1. If there is explicit consent of the personal data owner,
  2. If there is no explicit consent of the personal data owner; personal data of special nature other than the health and sexual life of the personal data owner, in cases stipulated by law,
  3. Sensitive personal data relating to the health and sexual life of the personal data subject are processed only for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorised institutions and organisations under the obligation of confidentiality.

TECHNICAL AND ADMINISTRATIVE MEASURES

Our Company takes the necessary technical and administrative measures in accordance with the provisions of Article 12 of the KVKK and the Regulation, the general principles stated above, this Policy and the decisions of the Personal Data Protection Board, according to the technological possibilities and the cost of implementation regarding the following issues:

  1. Necessary software and hardware have been identified. Strong passwords are used on computers and e-mail accounts.
  2. In terms of protecting customer information, our personnel have been trained on what needs to be protected and their responsibilities have been documented in their employment contracts (Confidentiality Agreements). This obligation continues even after the relevant persons leave their positions.
  3. The necessary infrastructure has been established for the backup of all data.
  4. Employees who can access data on computers have been identified.
  5. Customer files and information are provided only to the relevant persons themselves, to their relatives to whom they have given written consent, to the relevant public institutions and organisations within the framework of the legislation and to the competent judicial authorities in judicial cases.
  6. Before starting to process personal data, the Authority fulfils the obligation to inform the data subjects.
  7. Personal data processing inventory has been prepared.
  8. The personal data owners in question are enlightened on these issues through the texts posted in our health institution or otherwise made available to the guests.

Your personal data will be processed in accordance with the basic principles stipulated by the Law and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law. In accordance with the basic principles stipulated by the Law and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law and for the above-mentioned purposes, our health institution, the Ministry of Health, its sub-units and family medicine centres, private insurance companies (health, pension and life insurance and similar), the Social Security Institution, the General Directorate of Security and other law enforcement agencies, the General Directorate of Population, the Pharmacists Association of Turkey, prosecution offices and courts, laboratories located in Turkey or abroad with which we cooperate for medical diagnosis, medical centres and third parties providing health services, the health institution to which the patient is referred or to which the patient himself/herself applies, your duly authorised representatives, third parties from whom we receive consultancy, regulatory and supervisory bodies and official authorities, our suppliers and support service providers whose services we benefit from or cooperate with, and our support service providers. and 9. of the Law within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law.

Regarding the processed personal data, the person concerned has the right to learn whether personal data has been processed, to request information if it has been processed, to access and request personal health data, to learn whether it is used in accordance with the purpose, to learn the third parties to whom it has been transferred, to request correction in case of incorrect processing, to request the deletion or destruction of personal data, to request notification of the correction to the third parties to whom the personal data has been transferred in case of incorrect processing, to object to the adverse result by analysing through automated systems, to request the compensation of the damage incurred due to the unlawful processing of personal data. In case of incorrect processing, it has the right to request notification of the correction to the third parties to whom the personal data is transferred, to object to the unfavourable result by analysing it through automated systems, to demand the compensation of the damage incurred due to the unlawful processing of personal data.

Personal data processing activity is carried out by our Company through the use of security cameras and taking video recordings at guest entrances and exits. In this context, our health institution acts in accordance with the Personal Data Protection Law and security legislation.

Only authorised employees and/or employees of the supplier company have access to the records recorded and stored in digital environment. Camera recordings are kept for 2 months.

This Policy shall be deemed to have entered into force upon its publication on the website.

KVKK