Personal Data Protection policy

The Medgol

(The MEDGOL TURİZM TİCARET LİMİTED ŞİRKETİ)

 

PERSONAL DATA PROCESSING INVENTORY AND POLICY OF PROTECTION OF PERSONAL DATA

 

  1. PURPOSE AND SCOPE OF THE POLICY

  2. DEFINITIONS AND ABBREVIATIONS

  3. GENERAL PRINCIPLES IN THE PROCESSING OF PERSONAL DATA

3.1. Compliance with the law and good faith

3.2. Accuracy and timeliness

3.3. Processing for specific, explicit and legitimate purposes

3.4. Processing data in connection with the purpose for which they are processed, limited and measured

3.5. Processing limited to the period stipulated by the legislation provisions or required by the purpose of processing

  4. CONDITIONS OF PROCESSING PERSONAL DATA

4.1. Conditions for Processing Personal Data

4.2. Conditions of Processing Special Quality Personal Data

  5. METHODS OF COLLECTION AND PROCESSING OF PERSONAL DATA

5.1. Personal Data Subject Groups

5.2. Data Categorization

5.3. Purposes of Collection and Processing of Personal Data of Personal Data Owners in Personal Data Subject Groups

5.4. Associating Data Subject Groups with Data Categories Belonging to These Persons

  6. PRINCIPLES OF TRANSFERRING PERSONAL DATA:

  7. TRANSFER OF PERSONAL DATA ABROAD

7.1. Transfer of Personal Data Abroad

7.2. Transferring Special Quality Personal Data Abroad

  8. STORAGE OF PERSONAL DATA

  9. MEASURES ON THE PROTECTION OF PERSONAL DATA

9.1. Technical Measures

9.2. Administrative Measures

9.3. Supervision of the Measures Taken for the Protection of Personal Data

  10. DATA CONTROLLER’S OBLIGATION

  11. RIGHTS OF THE DATA OWNER AND USE OF THESE RIGHTS

11.1.1. Situations where the Personal Data Owner Cannot Claim his Rights

11.1.2. The Personal Data Owner Using his Rights

11.1.3. Right of Personal Data Owner to Complain to the KVK Board

11.2. The Medgol’s Response to Applications

11.2.2. Information that The Medgol may request from the Applicant Personal Data Owner

11.2.3. The Medgol’s Right to Reject the Application of Personal Data Owner

  12. REVISION AND TERMINATION

  13. ENFORCEMENT

  14. EXECUTION

  15. ANNEXES

 

THE MEDGOL TURİZM TİCARET LİMİTED ŞİRKETİ. (Hereinafter referred to as “Medgol”) Çağlayan, 2043. Sk. No: 1/2, Muratpaşa/Antalya, Turkey

The Medgol is the legal person who is the data controller within the scope of the Law on the Protection of Personal Data No.6698 (hereinafter referred to as the “KVK Law”).

 

Personal data owners are real persons whose personal data are collected, processed and transferred in accordance with the provisions of the Law on KVK numbered 6698 and other legislation governing The Medgol for the purposes stated below.

 

The Medgol pays utmost attention to the security of personal data. With this awareness, personal data of personal data owners is processed and stored in accordance with the Law on KVK No.6698 and other legislation constituting the secondary regulations of the Law.

 

  1. PURPOSE AND SCOPE OF THE POLICY

 

This Policy aims to ensure that shareholders, officials, employees and business partners within The Medgol effectively implement the regulations to be introduced by The Medgol, within the framework of the basic principles explained below, in order to comply with the KVK Law.

In line with the basic regulations stipulated by this Policy, all kinds of administrative and technical measures will be taken in terms of the processing and protection of personal data within the operation of The Medgol, necessary internal procedures will be established, and all necessary trainings will be provided to raise awareness. Appropriate and effective control mechanisms will be established by taking all necessary measures for the compliance of shareholders, officials, employees and business partners with KVKK processes.

 

This Policy regulates the basic principles to be observed in all these processes and the obligations of The Medgol in order to guide the internal operation in accordance with the regulations introduced by the KVK Law. With the internal procedures to be established within the framework of the KVK Law and the relevant legislation, compliance activities to be carried out by The Medgol regarding the protection of personal data will be organized. All employees of The Medgol are obliged to act in accordance with the regulations introduced by this Policy, the KVK Law and all other relevant legislation provisions while performing their duties.

 

In the event that this Policy and the provisions of the relevant legislation are not complied with, besides the criminal and legal liability stipulated by the provisions of the legislation, the Medgol will be subject to sanctions that can lead to the termination of the contract for a just cause within the framework of the legislation regulating business life, depending on the nature of the event.

 

  2. DEFINITIONS AND ABBREVIATIONS

 

EXPRESS CONSENT: Consent that is based on information and expressed with free will regarding a specific subject.
RELATED USER: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
DESTRUCTION: Deletion, destruction or anonymization of personal data.
LAW / KVKK: Personal Data Protection Law No. 6698.
RECORD MEDIA: Any medium containing personal data that is processed by fully or partially automated means, or by non-automatic means provided that it is a part of any data recording system.
PERSONAL DATA: Any information pertaining to an identified or identifiable natural person.
PROCESSING OF PERSONAL DATA: Any action taken on the data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, using or blocking personal data, through fully or partially automatic means, or through non-automatic means provided that they are part of any data recording system.
ANONYMIZING PERSONAL DATA: Making personal data unrelated to a certain or identifiable natural person under any circumstances, even by matching other data.
DELETING PERSONAL DATA: Making personal data inaccessible and unavailable in any way for relevant users.
DESTRUCTION OF PERSONAL DATA: The process of making personal data inaccessible, unrecoverable and not reusable in any way.
BOARD: Personal Data Protection Board.
SPECIAL QUALITY PERSONAL DATA: Data on individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
PERIODIC DESTRUCTION: The deletion, destruction or anonymization process to be carried out ex officio at repetitive intervals specified in the personal data storage and disposal policy in case all of the conditions for processing personal data in the Law are eliminated.
DATA OWNER / RELATED PERSON: The natural person whose personal data is processed.
DATA CONTROLLER: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
REGULATION: Regulation on Data Controllers Registry.

 

Within the scope of the KVK Law, The Medgol will have the title of data controller and will be registered with the VERBİS system. Paragraph 1 of Article 11 of the Regulation states that “the obligations under the Law of legal persons residing in Turkey who are data controllers are fulfilled through the body authorized to represent and bind the legal entity in accordance with the relevant legislation, or through the person or persons specified in the relevant legislation. The body authorized to represent the legal entity may assign one or more persons in relation to the obligations to be fulfilled in terms of the implementation of the Law”.

Persons who are given management and representation of the company by the Board of Directors in accordance with the relevant articles of the TCC are responsible for the transactions and actions that take place within the limits of their authority within the scope of TCC, TBK and TCK. In particular, they have been authorized to represent the company and to testify before law enforcement, prosecution offices, public institutions and courts.

The Director of each department will be obliged to audit and report to the Board of Directors and the Executive Board whether the Related Users in the departments comply with this Policy and Destruction Policy prepared within the framework of the Law and Regulation.

  3. GENERAL PRINCIPLES IN THE PROCESSING OF PERSONAL DATA

The Medgol accepts that it will process personal data within the scope of this Policy in line with Article 4 of the KVK Law and the following principles:

3.1. Compliance with the law and good faith

The Medgol, as a data controller and as a prudent merchant, accepts that it will carry out its personal data processing activities in accordance with all legislative provisions that are in force, especially the Constitution and the KVK Law, and in accordance with the honesty rule stipulated by Article 2 of the Civil Code.

3.2. Accuracy and timeliness

The Medgol takes all necessary measures, as far as the technique allows, to ensure that personal data are accurate and up to date when they are processed.

The administrative and technical mechanisms established by The Medgol will be operated in order to correct and control the accuracy of erroneous or out-of-date personal data in line with the requests to be notified by the relevant person to The Medgol as a data controller and the situations that The Medgol deems necessary.

3.3. Processing for specific, explicit and legitimate purposes

Personal data is processed in accordance with the law by The Medgol, limited to the services offered or to be provided in accordance with the requirements of the relevant legislation provisions, and the purpose of processing personal data is clearly and precisely determined before the data is processed.

3.4. Processing data in connection with the purpose for which they are processed, limited and measured

Personal data is processed by The Medgol in connection with and limited to the purposes of processing and to the extent necessary for the realization of this purpose. In this context, it is essential to avoid the processing of personal data that is not related to the purpose of processing the data and is not needed.

3.5. Processing limited to the period stipulated by the legislation provisions or required by the purpose of processing

Personal data is kept in line with the provisions of the relevant legislation or for the period required by the purpose of processing the data.

At the end of the period stipulated by the provisions of the legislation or the period required by the purpose of the data processing, personal data is deleted, destroyed or anonymized by The Medgol. Necessary administrative and technical measures will be taken to prevent data from being stored at the end of the required period.

  4. CONDITIONS OF PROCESSING PERSONAL DATA

The conditions for the processing of personal data are regulated by the KVK Law, and the personal data is processed by The Medgol in accordance with the aforementioned conditions stated below.

4.1. Conditions for Processing Personal Data

Apart from the exceptions listed in the KVK Law, The Medgol processes personal data only by obtaining the explicit consent of the data owners.

Personal data can be processed even without the explicit consent of the data owner, in the presence of the following situations listed in the Law:

  • It is clearly stipulated in the laws,
  • It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to the actual impossibility or whose consent is not legally valid,
  • It is necessary to process personal data belonging to the parties of the contract, provided that it is directly related to the establishment or performance of a contract.
  • It is mandatory for the data controller to fulfill his legal obligation,
  • It has been made public by the data owner himself,
  • Data processing is mandatory for the establishment, use or protection of a right,
  • Provided that it does not harm the fundamental rights and freedoms of the data owner, it is necessary to process data for the legitimate interests of the data controller.

4.2. Conditions of Processing Special Quality Personal Data

Special sensitivity is shown by The Medgol in the processing of special quality personal data, which is believed to be of more critical importance for data owners in various aspects. In this context, such data is not processed without the explicit consent of the data subjects, provided that adequate measures determined by the Board are taken.

However, personal data of a special nature, other than data related to health and sexual life, can also be processed without the explicit consent of the data owner in cases stipulated by the law. However, data on health and sexual life can be processed without obtaining express consent, provided that adequate precautions are taken and in the presence of the following reasons:

  • Protection of public health,
  • Preventive medicine,
  • Medical diagnosis,
  • Carrying out treatment and care services,
  • Planning and management of healthcare and financing.

  5. METHODS OF COLLECTION AND PROCESSING OF PERSONAL DATA

The Medgol processes personal data of natural persons based on the Personal Data Processing Inventory, which must be regulated in accordance with the Law on KVK and within the scope of the 5th, 7th, 9th and 10th articles of the Regulation and include the following information.

Although the title “Personal Data Processing Inventory” is not included in this Policy, where the following information is included under this heading and the following headings, the relevant articles will be counted as the “Personal Data Processing Inventory”.

  1. Personal data processing purposes,
  2. Data category
  3. Recipient group or recipient groups to which data is transferred
  4. Data subject contact groups
  5. Associating data category with data subject groups
  6. Personal data envisaged to be transferred to foreign countries
  7. Measures taken regarding data security
  8. The maximum period required for the purposes for which personal data are processed

5.1. Personal Data Subject Groups

 

PERSONAL DATA SUBJECT GROUP: DESCRIPTION
THE MEDGOL SHAREHOLDERS: Real persons who own the shares of The Medgol.
THE MEDGOL OFFICIALS: Members of the Board of Directors of The Medgol and other authorized real persons.
THE MEDGOL TENANT, SUPPLIER AND SUBCONTRACTORS: The authorized real persons of tenants who operate in the independent sections of The Medgol within the framework of the lease agreement; authorized natural persons of the suppliers and subcontractors used by The Medgol while performing its activities and employees assigned by these persons.
EMPLOYEE / INTERNSHIP: Real persons working or doing an internship at The Medgol.

 

 

5.2 Data Categorization

DATA CATEGORIZATION: DATA CATEGORIZATION DESCRIPTION
IDENTITY INFORMATION: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; data containing information about the identity of the person; documents and information such as name-surname, TR identity number, nationality information, mother’s name and father’s name, place of registration and other identity information, place of birth, date of birth, gender, marital status, tax number, SGK number, signature information, etc.
COMMUNICATION INFORMATION: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; information such as phone number, address, e-mail address, fax number, IP address.
FAMILY INDIVIDUALS AND KNOWLEDGE: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; within the scope of the activities carried out by The Medgol, information about family members (e.g., spouse, mother, father, child), relatives and other persons who can be reached in case of emergency.
SAFETY INFORMATION: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; personal data regarding the records and documents received during the entrance to the physical space and during the stay in the physical space; camera recordings, vehicle license plate information, records taken at the security point, voice records taken from phone calls, etc.
FINANCIAL INFORMATION: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; financial personal data regarding the information, documents and records that vary according to the type of legal relationship established by The Medgol with the personal data owner, such as bank account number, bank account information (IBAN number, account holder, etc.), credit card information, etc., and employee financial and salary details, payrolls, premium progress payments, premium amounts, file and debt information regarding execution follow-up files, bank passbook, minimum living allowance information, private health insurance amount, etc.
PERSONAL INFORMATION (PERFORMANCE EVALUATION DATA, CAREER DEVELOPMENT DATA, RECORDS OF WORKING AND LEAVE DAYS): Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; information that will be the basis for the formation of personal rights of real persons who are in a working relationship with The Medgol and required by law to be included in the personal file (education status, certificate and diploma information, foreign language information, education and skills, CV, courses taken, permission based on seniority date, leave seniority additional days, leave group, departure / return date, day, reason for leaving, address / phone for leave, position name, department and unit, title, last employment date, job entry and exit dates, insurance entry / retirement, social security number, flexible hours working status, travel status, number of working days, projects worked, monthly total overtime information, severance pay base date, severance pay additional days, days on strike, employee internet access logs, all kinds of personal data processed for obtaining entry-exit logs and the performance, training and skills required for the employee to progress in his / her position, information on which training date, e-mail, signed participation form, customer interview quality evaluation form, monthly performance evaluation and goal realization status, activity information).
SPECIAL QUALITY PERSONAL DATA: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; data specified in Article 6 of the Law on KVK (e.g., health data including blood type, biometric data, religion and membership association information).
REQUEST AND COMPLAINT MANAGEMENT INFORMATION: Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; personal data regarding the receipt and evaluation of any request or complaint directed to The Medgol.

 

5.3 Purposes of Collection and Processing of Personal Data of Personal Data Owners in Personal Data Subject Groups

 The Medgol processes the personal data of its shareholders and officials in order to carry out the activities written in the Introduction section within the framework of the legal obligations arising from the Turkish Commercial Code, Tax Procedure Law, Labor Law and other relevant legislation. These personal data are obtained from the records kept in official institutions regarding The Medgol, the minutes of the company’s general assembly and board of directors, and the documents kept regarding the corporate and management processes of the company.

The Medgol records the data, in the data category of authorized real persons, of tenants operating in the independent sections of the hospital within the framework of the lease agreement, in order to ensure the execution of the lease agreement between the parties, to ensure that all tenants act in accordance with the rules, given the obligation of the data controller to ensure the general security and order of the hospital, and, in case of breach of contractual obligations, so that notices can be issued, enforcement and lawsuits can be pursued and other measures can be taken.

The personal data of the tenants in the hospital are obtained through the lease agreement, addendums, additional contracts, protocols, mail correspondence, and the business cards given by the tenants themselves.

The Medgol records the personal data of the authorized real persons of the suppliers and subcontractors who assist in the performance of the hospital’s activities, and of the real person employees assigned by these suppliers and subcontractors, in order to check whether they fulfill their duties and to ensure the order of the activities of the company. Personal data of suppliers and subcontractors are obtained through e-mails sent and received as a result of communication with them, telephone calls and transfer of business card and website information.

The Medgol requests and processes the personal data of the personnel and interns working within its body in order to be able to register them with the Social Security Institution and to complete the documents required to be included in the personnel file within the scope of the current Labor Law and Occupational Health and Safety Law. These personal data are obtained through the resume, job application forms, the resume viewing methods offered by human resources software programs (such as Kariyer.net, LinkedIn) that provide candidate pool services, and the answers they give, with their consent, to the questions asked during the interview.

The Medgol requests and processes personal data from real persons applying for a job in order to communicate with the person for interview purposes during the recruitment process and to determine whether the person’s qualifications and experiences are compatible with the vacant position to be recruited. This personal data is obtained when applicants send their CVs to the human resources department with their express consent, when they answer questions of their own consent during the interview, or through the advertisement publishing and resume viewing methods provided by human resources software programs (such as Kariyer.net, LinkedIn) that provide candidate pool services.

The Medgol records the data of the employees and authorized real persons of the business partners with which it cooperates, within the framework of the purposes of establishing the business partnership. It records the personal data of the suppliers of goods and services in order to ensure that the services required to fulfill the commercial activities of the shopping center are provided in The Medgol and to control this. These personal data are obtained through business cards, signed contracts, invoices sent, device delivery reports, mail correspondence, telephone and other communication.

The license plate information, information in the complaint and request form, and identity information of all visitors coming to the office where The Medgol operates are obtained in order to ensure the security of the office where the company operates. In case people call the Call Center or the relevant departments of the company to convey their requests and complaints, the voice records of the individuals are processed in order to ensure the service quality. The data provided by individuals at the counter, at the information desk or on the Wi-Fi login screen are processed for the purpose of ensuring service quality, performing activities and for security reasons. Images of people visiting The Medgol office for whatever reason are obtained by 24/7 security camera image methods.

5.4. Associating Data Subject Groups with Data Categories Belonging to These Persons

 

PERSONAL DATA CATEGORIZATION: CATEGORY OF THE DATA OWNER WITH RELATED PERSONAL DATA
IDENTITY INFORMATION: Company shareholders, members of the board of directors, members of the executive board, employees, interns, officials, subcontractors and suppliers, tenants, service providers, service offerors, applicants for work or internship, visitors and patients, persons benefiting from or wishing to benefit from any service offered by the hospital, all persons who apply with their request, employees of the institutions and organizations with which the company cooperates, and their families and relatives.
COMMUNICATION INFORMATION: Company shareholders, members of the board of directors, members of the executive board, employees, interns, officials, subcontractors and suppliers, tenants, service providers, service offerors, applicants for work or internship, visitors and patients, persons benefiting from or wishing to benefit from any service offered by the hospital, all persons who apply with their request, employees of the institutions and organizations with which the company cooperates, and their families and relatives.
FAMILY INDIVIDUALS AND KNOWLEDGE: Company shareholders, members of the board of directors, members of the executive board, employees, interns, officials, subcontractors and suppliers, tenants, service providers, service offerors, applicants for work or internship, visitors and patients, persons benefiting from or wishing to benefit from any service offered by the hospital, all persons who apply with their request, employees of the institutions and organizations with which the company cooperates, and their families and relatives.
SAFETY INFORMATION: Company shareholders, members of the board of directors, members of the executive board, employees, interns, officials, subcontractors and suppliers, tenants, service providers, service offerors, applicants for work or internship, visitors and patients, persons benefiting from or wishing to benefit from any service offered by the hospital, all persons who apply with their request, employees of the institutions and organizations with which the company cooperates, and their families and relatives.
FINANCIAL INFORMATION: Company shareholders, members of the board of directors, members of the executive board, employees, interns, officials, subcontractors and suppliers, tenants, service providers, service offerors, applicants for work or internship, visitors and patients, persons benefiting from or wishing to benefit from any service offered by the hospital, all persons who apply with their request, employees of the institutions and organizations with which the company cooperates, and their families and relatives.
PERSONAL INFORMATION (PERFORMANCE EVALUATION DATA, CAREER DEVELOPMENT DATA, RECORDS OF WORKING AND LEAVE DAYS): Company shareholders, members of the board of directors, members of the executive board, employees, interns, officials, subcontractors and suppliers, tenants, service providers, employees in institutions and organizations with which the company cooperates.
SPECIAL QUALITY PERSONAL DATA: Company shareholders, members of the board of directors, members of the executive board, employees, interns, officials, subcontractors and suppliers, tenants, service providers, service offerors, applicants for work or internship, visitors and patients, persons benefiting from or wishing to benefit from any service offered by the hospital, all persons who apply with their request, employees of the institutions and organizations with which the company cooperates, and their families and relatives.
REQUEST AND COMPLAINT MANAGEMENT INFORMATION: Persons who make a request or complaint about the services and activities offered by the hospital, those who benefit from or want to benefit from the services provided by the hospital.

 

  6. PRINCIPLES OF TRANSFERRING PERSONAL DATA:

 

Personal data of The Medgol data owners are collected within the scope of the personal data processing conditions specified in Articles 5 and 6 of KVK Law No.6698 and, limited to the purposes specified in this Policy, may be transferred to third persons and institutions in accordance with Articles 8 and 9 of the KVK Law.

The scope of the persons to whom the transfer is made and the purposes of data transfer are stated below. These persons and institutions are:

a- The Medgol affiliated institutions and organizations and business partners,

b- The Medgol suppliers / tenants / subcontractors,

c- The Medgol shareholders,

d- The Medgol officials,

e- Public institutions and organizations authorized to obtain information legally,

f- Private law legal entities legally authorized to obtain information.

RECIPIENT GROUPS TO WHICH DATA CAN BE TRANSFERRED / DEFINITION OF RECIPIENT GROUPS / TRANSFER PURPOSE

AFFILIATED INSTITUTIONS AND ORGANIZATIONS AND BUSINESS PARTNERS
Definition: The institutions and organizations that carry out projects, receive services or establish partnerships while The Medgol carries out its activities, and the associated companies of The Medgol (e.g., private health insurances, intermediary and assistant companies, etc.)
Transfer purpose: In relation to and limited to the activity purposes of the business partnership, related companies or affiliated institutions and organizations.

SUPPLIER / TENANT / SUBCONTRACTORS
Definition: The parties and suppliers who, while The Medgol carries out its commercial and medical activities, provide services to the company individually, on a contract basis or without a contract, in accordance with the orders and instructions of the company; parties and tenants who carry out commercial activities in independent departments on a contract basis in The Medgol; the third persons, companies or organizations used by The Medgol while performing its activities.
Transfer purpose: In relation to and limited to the fulfillment of the services provided to The Medgol by suppliers, tenants and subcontractors.

SHAREHOLDERS
Definition: Real persons who are shareholders of The Medgol.
Transfer purpose: In accordance with the provisions of the relevant legislation, limited to designing strategies regarding the commercial and medical activities of The Medgol, ensuring the highest level of management and supervision purposes.

AUTHORIZED
Definition: The Medgol board members and other authorized real persons.
Transfer purpose: In accordance with the provisions of the relevant legislation, limited to designing strategies regarding the commercial and medical activities of The Medgol, ensuring the highest level of management and supervision purposes.

PUBLIC INSTITUTION / ORGANIZATIONS LEGALLY AUTHORIZED TO RECEIVE INFORMATION
Definition: According to the provisions of the relevant legislation, public legal institutions and organizations authorized to receive information and documents from The Medgol (e.g., Social Security Institution etc.)
Transfer purpose: Limited to the purposes requested by the relevant public institutions and organizations within the legal authority.

PRIVATE LEGAL PERSONS LEGALLY AUTHORIZED TO RECEIVE INFORMATION
Definition: Private law persons authorized to obtain information and documents from The Medgol in accordance with the relevant legislation provisions.
Transfer purpose: Limited to the purpose requested by the relevant private law persons within the legal authority.

 

  7. TRANSFER OF PERSONAL DATA ABROAD

The Medgol can transfer personal data to foreign countries that have been declared by the KVK Board to have adequate protection (“Foreign Country with Adequate Protection”) or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and in the relevant foreign country have undertaken adequate protection in writing and the KVK Board has given its permission (“Foreign Country where Data Controller Committing Adequate Protection”).

In this direction, The Medgol acts in accordance with the regulations stipulated in Article 9 of the KVK Law.

7.1 Transferring Personal Data Abroad

The Medgol can transfer personal data to Foreign Countries with Sufficient Protection or Undertaking Sufficient Protection for legitimate and lawful personal data processing purposes if the personal data owner has given explicit consent, or, where the personal data owner has not given explicit consent, in the following cases:

  • If there is a clear regulation in the laws that personal data will be transferred,
  • If it is mandatory for the protection of the life or bodily integrity of the personal data owner or someone else, and the personal data owner is unable to give his consent due to actual impossibility or his consent is not legally valid,
  • If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is mandatory for The Medgol to fulfill its legal obligation,
  • If the personal data has been made public by the personal data owner,
  • If the transfer of personal data is mandatory for the establishment, exercise or protection of a right,
  • If personal data transfer is mandatory for the legitimate interests of The Medgol, provided that the fundamental rights and freedoms of the personal data owner are not damaged.

7.2. Transferring Special Quality Personal Data Abroad

Exercising due care and taking the necessary security measures and the adequate precautions stipulated by the KVK Board, The Medgol can, in line with legitimate and lawful personal data processing purposes, transfer the special quality data of the personal data owner to Foreign Countries with Sufficient Protection or Undertaking Adequate Protection in the following cases:

  • If the personal data owner has given explicit consent, or
  • If the personal data owner has not given explicit consent:
    • Personal data of special nature other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, association, foundation or union membership, criminal conviction and security measures and biometric and genetic data), in cases stipulated by laws,
    • Personal data of special quality regarding the health and sexual life of the personal data owner, only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing, where processed by persons or authorized institutions and organizations under an obligation of confidentiality.

As a rule, personal data obtained by The Medgol is not shared abroad. Personal data of foreign nationals, Turkish nationals living abroad or coming to The Medgol through companies established in foreign countries can be shared with the relevant public institution, insurance company or intermediary institutions and organizations.

  8. STORAGE OF PERSONAL DATA

The personal data we obtain is securely stored in physical or electronic environment for an appropriate period of time in order to enable The Medgol to perform its medical and commercial activities.

Within the scope of these activities, The Medgol acts in accordance with the obligations stipulated in all relevant legislation, especially the KVK Law, regarding the protection of personal data.

In accordance with the relevant legislation, with the exception of cases where the storage of personal data is permitted or required for a longer period, in the event of the termination of the purposes of processing personal data, personal data will be deleted, destroyed or anonymized by The Medgol or at the request of the relevant persons.

In case of deletion of personal data through the aforementioned methods, these data will be destroyed in a way that they cannot be used and retrieved in any way.

However, in cases where the data controller has a legitimate interest, personal data can be stored, even if the purpose of processing has ended and the periods specified in the relevant laws have expired, until the limitation period specified in the Law of Obligations or other legislation concerning The Medgol expires, provided that the fundamental rights and freedoms of the data subjects are not harmed. Personal data will be deleted, destroyed or anonymized after the aforementioned limitation period expires.

  9. MEASURES ON THE PROTECTION OF PERSONAL DATA

The Medgol takes the necessary technical and administrative measures to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the appropriate level of security in accordance with the conditions set forth in the KVK Law, and carries out the necessary inspections or has them carried out.

Although all technical and administrative measures have been taken, The Medgol informs the relevant units as soon as possible in the event that the processed personal data are illegally seized by third parties.

9.1. Technical Measures:

  • Technical measures are taken in accordance with the developments in technology, the measures taken are periodically updated and
  • Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a business unit basis.
  • Access rights are limited and authorities are regularly reviewed.
  • The technical measures taken are periodically controlled, and the necessary technological solutions are produced by re-evaluating the issues that pose a risk.
  • Software and hardware including virus protection systems and firewalls are installed.
  • Knowledgeable personnel on technical issues are employed and system vulnerabilities are controlled.
  • Applications in which personal data are collected are regularly subjected to security scans to detect security vulnerabilities, and the gaps found are closed.
  • It is ensured that personal data is destroyed in such a way that it cannot be recycled and leaves no audit trail. With penetration tests, the risks, threats, vulnerabilities and gaps, if any, of our Company’s information systems are revealed and necessary measures are taken.
  • Necessary measures are taken for the physical security of our company’s information systems equipment, software and data.
  • Procedures are established and implemented for the distribution of access authorizations and roles, authorization matrix is applied, access is recorded and inappropriate access is kept under control, disposal processes in accordance with the storage and disposal policy are defined and implemented. Backup programs are used that ensure the safe storage of personal data.
  • Information systems are kept up to date and strong passwords are used in electronic environments where personal data are processed.
  • As a result of real-time analysis with information security event management, risks and threats that will affect the continuity of information systems are constantly monitored.
  • Sessions are recorded. Hardware and software measures (firewalls, network access control, systems that prevent malicious software, etc.) are taken to ensure the security of information systems against environmental threats.
  • Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks and technical controls are carried out for the measures taken.
  • By creating access procedures within the company, reporting and analysis studies regarding access to personal data are carried out.
  • Accesses to storage areas where personal data are stored are recorded, and inappropriate access or access attempts are kept under control.
  • The company takes the necessary measures to ensure that the deleted personal data cannot be accessed and reused for the relevant users.
  • In case personal data is illegally obtained by others, a suitable system and infrastructure has been established by the Company to inform the relevant person and the Board.
  • Passwords are used in electronic environments where personal data are processed. Data backup programs are used that ensure the safe storage of personal data.
  • Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
  • Users are enabled to use unique usernames and passwords while logging into the systems.
  • A separate policy has been determined for the security of sensitive personal data. Special quality personal data security trainings have been provided for employees involved in special quality personal data processing processes, confidentiality agreements have been made, and the authorities of users with access to data have been defined.
  • Adequate security measures are taken in the physical environments where personal data of special nature are processed, stored and / or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
  • If personal data of special nature needs to be transferred via e-mail, it is transferred encrypted using a corporate e-mail address or a REP account. If it must be transferred via removable memory, CD, DVD, etc., it is encrypted. If it must be transferred on paper, necessary measures are taken against risks such as theft, loss or being seen by unauthorized persons, and the document is sent in “confidential” format.

9.2. Administrative Measures:

  • Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
  • Employees are trained by the Legal Advisor on the KVK Law.
  • Personal data processing on a business unit basis is designed and implemented in The Medgol in accordance with the legal compliance requirements for access and authorization of personal data.
  • In all kinds of documents that regulate the relationship between The Medgol and its personnel and that involve personal data, it is stated that the obligations stipulated by the KVK Law must be complied with in order to process personal data in accordance with the law, that personal data should not be disclosed and that personal data should not be used illegally. The non-compliance of the personnel with these obligations requires the implementation of sanctions that may terminate the employment contract and is specifically regulated in The Medgol’s Group Code of Conduct.
  • Employees are informed that they cannot disclose the personal data they have learned to anyone in violation of the provisions of the KVK Law and cannot use them for purposes other than processing, and this obligation will continue after they leave their job and, in this direction, necessary commitments are taken from them.
  • Contracts concluded by The Medgol with persons to whom personal data are legally transferred include provisions stating that the persons to whom the personal data are transferred will take the necessary security measures in order to protect the personal data and ensure that these measures are followed in their own organizations.
  • The Medgol notifies the relevant person and the Board as soon as possible in the event that the processed personal data are obtained by others illegally.
  • The Medgol employs knowledgeable and experienced personnel about the processing of personal data and provides necessary training to its personnel within the scope of personal data protection legislation and data security.
  • The Medgol carries out the necessary inspections, or has them carried out, in order to ensure the implementation of the provisions of the Law within its own legal entity. Confidentiality and security vulnerabilities arising as a result of the audits
  • The Medgol is responsible for fulfilling the obligations of third parties to whom personal data is transferred, to process and preserve the data in accordance with the provisions of this Policy and KVK Law, and to access data in accordance with the law, pursuant to the article of the KVK Law. For this reason, The Medgol should take commitments that include the provision of these conditions and the authorization to perform inspections in the contracts to be made and all kinds of arrangements while transferring data to third parties. Again, The Medgol should specifically inform all of its staff in terms of responsibilities arising from the processes of transferring personal data to third parties.
  • In order to improve the quality of employees, training is provided on the prevention of unlawful processing of personal data, prevention of unlawful access to personal data, protection of personal data, communication techniques, technical knowledge skills and other relevant legislation.
  • Confidentiality agreements are made with the employees regarding the activities carried out by the company. A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
  • Before starting to process personal data, the obligation to inform the relevant persons is fulfilled by the Authority.
  • Personal data processing inventory has been prepared. Our employees are trained and informed about the legal processing of personal data.
  • It is ensured that unneeded personal data are deleted, destroyed or anonymized.
  • It is ensured that all reasonable precautions are taken in order to prevent the theft, loss or corruption of information.
  • Disciplinary procedures to be applied to employees who do not comply with security policies and procedures are applied, and the obligation to inform the relevant persons is fulfilled.
  • Periodic and random audits are conducted within the company and information security trainings are provided for employees.

9.3. Supervision of the Measures Taken for the Protection of Personal Data:

Within the scope of KVK Law, The Medgol will have the title of data controller and will be registered with VERBİS system.

The 1st paragraph of the 11th article of the Regulation states: “The obligations, as data controller under the Law, of legal persons residing in Turkey are fulfilled through the body authorized to represent and bind the legal entity in accordance with the relevant legislation, or through the person or persons specified in the relevant legislation. The body authorized to represent the legal entity may assign one or more persons in relation to the obligations to be fulfilled in terms of the implementation of the Law”.

Persons who are given management and representation of the company by the Board of Directors in accordance with the relevant articles of the TCC are responsible for transactions and actions that take place within the limits of their authority within the scope of TCC, BK and TCK.

In particular, they have been authorized to represent the company and to testify before law enforcement, prosecutors’ offices, public institutions and courts.

The Director of each department will be obliged to audit and report to the Board of Directors and the Executive Board whether the Related Users in the departments comply with this Policy and Destruction Policy prepared within the framework of the Law and Regulation. In cases requiring a decision, the decision taken will be put into effect following the Board of Directors’ decision after obtaining the opinion of the Legal Consultancy.

  10. DATA CONTROLLER’S OBLIGATION

The Medgol informs the personal data owner of his rights in accordance with Article 10 of the KVK Law and guides the personal data owner on how to exercise these rights.

The Medgol establishes the necessary channels, internal operations, and administrative and technical arrangements in accordance with Article 13 of the KVK Law in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.

Within the scope of Article 10 of the Law on KVK, data owners should be informed before or at the latest during the acquisition of personal data. The information to be conveyed to data owners within the framework of the mentioned disclosure obligation is as follows:

  1. Identity of the data controller and, if any, its representative,
  2. For what purpose personal data will be processed,
  3. To whom and for what purpose the processed personal data can be transferred,
  4. Method and legal reason for collecting personal data,
  5. Other rights enumerated in Article 11 of the KVK Law.

In order to fulfill its obligation to inform, The Medgol has prepared disclosure statements, on the basis of the process and the persons whose data are processed, to be submitted to the data owners within the scope of the above-mentioned KVK Law.

In addition to the disclosure statements submitted to the data owners, explicit consent statements were also prepared for data processing activities and data categories requiring the explicit consent of the data owner in order for The Medgol to carry out its activities.

On the other hand, The Medgol is not obliged to inform data owners in the cases listed within the framework of Article 28 (1) of the KVK Law.

11.2. THE MEDGOL’S RESPONSE TO APPLICATIONS

 The Procedure and Duration of The Medgol to Answer Applications

If the personal data subject submits a request to The Medgol in accordance with the procedure in section 11.1.2, The Medgol will finalize the request free of charge within thirty days at the latest, depending on the nature of the request.

However, if a fee is stipulated by the KVK Board, the fee in the tariff determined by the KVK Board will be collected from the applicant by The Medgol.

11.2.2. Information that The Medgol may request from the Applicant Personal Data Owner

The Medgol may request information from the relevant person in order to determine whether the applicant is the owner of personal data. In order to clarify the matters included in the application of the personal data owner, it may ask a question to the personal data owner about his application.

11.2.3. The Medgol Right to Reject the Application of Personal Data Owner

The Medgol may reject the application of the applicant, explaining the reason, in the following cases:

  • Processing personal data for purposes such as research, planning and statistics by anonymizing them through official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
  • Processing of personal data is necessary for the prevention of crime or for criminal investigation.
  • Processing personal data made public by the personal data owner himself.
  • The processing of personal data is necessary for the execution of supervision or regulation duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations that have the status of public institutions, based on the authority granted by the law
  • Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues.
  • The personal data subject’s request is likely to hinder the rights and freedoms of other persons
  • Requests requiring disproportionate effort have been made
  • The information requested is public information.
  1. REVISION AND TERMINATION

If this Policy is revised or abolished, the revised version of the Policy or the new policy sample will be announced in the relevant places.

  1. ENFORCEMENT

This Policy comes into force on 28.01.2018.

  1. EXECUTION

All department Directors are responsible, on behalf of the board of directors of The Medgol, which is responsible for fulfilling the obligations of the data controller, for the follow-up and coordination of all business and transactions within the scope of the KVK Law and the Data Protection Board regulations.

 
