Law on the Processing and Protection of Special Categories of Personal Data
1.1 INTRODUCTION
Maximum importance is given to the lawful protection and processing of personal data by Dr. Lida ÇETELİ in accordance with the Law on the Protection of Personal Data No. 6698 (“Law”), and all planning and activities are carried out with this care. DR. Lida Çeteli carefully takes all necessary administrative and technical measures regarding the protection of personal data. Since special categories of personal data are data that, if learned, could cause discrimination or victimization of the relevant person, special technical and administrative measures are taken regarding the processing, protection, and security of these data in addition to the administrative and technical measures taken for general personal data, in accordance with the nature and sensitivity of special categories of personal data.
1.2. PURPOSE
This Policy for the Processing and Protection of Special Categories of Personal Data (“Policy”) aims to inform Data Subjects by taking necessary technical and administrative measures within the framework of the Constitution, Law No. 6698 on the Protection of Personal Data, relevant legislation, the Decision of the Personal Data Protection Board dated 31.01.2018 and numbered 2018/10, and other relevant decisions regarding the processing, protection, and security of special categories of personal data, and by ensuring that DR. Lida Çeteli fulfills its obligations regarding the special categories of personal data it holds as a data controller.
1.3. SCOPE
This Policy relates to all personal data of our patients, customers, website users, employees, employee candidates, practice officials, visitors, business contacts (officials, shareholders, and employees of institutions with which we have business relationships such as suppliers, contractors, etc.), and third parties, processed through automatic means or non-automatic means provided that they are part of any data recording system.
In this context, while the entirety of this Policy may be applied to the groups of personal data owners mentioned above, only certain provisions may also be applied.
1.4. DEFINITIONS
The definitions used in the implementation of this Policy are listed below:
| Term | Definition |
|---|---|
| Explicit Consent | Consent that is based on information and expressed with free will regarding a specific subject. |
| Recipient Group | The category of natural or legal persons to whom personal data is transferred by the data controller. |
| Anonymization | Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching it with other data. |
| Employee(s) | Workers who are in an employment relationship with DR. LİDA ÇİTELİ pursuant to the Labor Law, and students/graduates receiving internship (compulsory/optional) training. |
| Relevant User | Persons who process personal data within the organization of DR. LİDA ÇİTELİ or in line with the authorization and instructions received from DR. LİDA ÇİTELİ, excluding the person or unit responsible for technical storage, protection, and backup of the data. |
| Destruction | The deletion, destruction, or anonymization of personal data in a way that cannot be recovered. |
| Recording Medium | Any medium containing personal data processed through fully or partially automatic means or non-automatic means provided that they are part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Data Subject / Relevant Person | The natural person whose personal data is processed. |
| Processing of Personal Data | Any operation performed on data such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data through fully or partially automatic means or non-automatic means provided that they are part of any data recording system. |
| Personal Data Inventory | The inventory where data controllers detail their personal data processing activities carried out depending on their business processes; by associating them with personal data processing purposes, data category, transferred recipient group, and data subject group, and by explaining the maximum period required for the purposes for which personal data are processed, personal data envisaged to be transferred to foreign countries, and the measures taken regarding data security. |
| Personal Data Protection Committee | A committee formed with the participation of officials from different units, which has the authority to make decisions and present them to senior management for the purpose of ensuring, preserving, maintaining, managing, and developing compliance with the personal data protection legislation by DR. LİDA ÇİTELİ, and which ensures the necessary coordination within DR. LİDA ÇİTELİ for this purpose. |
| Board | Personal Data Protection Board (KiKK) |
| Authority | Personal Data Protection Authority (KVKK) |
| KVKK / Law | Law No. 6698 on the Protection of Personal Data |
| Special Categories of Personal Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership in associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. |
| Periodic Destruction | The process of deletion, destruction, or anonymization to be carried out ex officio at repeating intervals specified in the personal data processing, storage, and destruction policy in the event that all the personal data processing conditions specified in the Law disappear. |
| Policy | This "Policy for the Protection, Processing, and Destruction of Personal Data," in which the principles adopted by DR. LİDA ÇİTELİ in the processing, storage, and destruction of personal data are regulated. |
| Deletion | The process of making personal data inaccessible and unusable in any way for the relevant users. |
| Data Processor | The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Data Recording System | The recording system where personal data are processed by being structured according to specific criteria. |
| Registry of Data Controllers | The registry of data controllers kept by the Presidency of the Personal Data Protection Authority and open to the public (VERBIS). |
| Destruction (Absolute) | The process of making personal data inaccessible, irrecoverable, and unusable by anyone in any way. |

For definitions not included in this Policy, the KVKK definitions apply.
PART 2
PROTECTION, PROCESSING, PURPOSES OF PROCESSING, AND BASIC PRINCIPLES REGARDING THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
2.1. Special Categories of Personal Data
Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership in associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special categories of personal data.
2.2. Protection of Special Categories of Personal Data
Since special categories of personal data are data that, if learned, could cause discrimination or victimization of the Data Subject, administrative and technical measures taken by DR. Lida Çeteli regarding the protection of such personal data processed in accordance with the law are applied with care, and necessary audits are conducted within DR. Lida Çeteli. In addition, necessary procedures are carried out by taking sufficient precautions determined by the Board in the processing of special categories of personal data.
2.3 Processing of Special Categories of Personal Data
Special sensitivity is shown by DR. Lida Çeteli in the processing of special categories of personal data, which are believed to be of more critical importance to the Data Subject in various aspects. Special categories of personal data are processed by DR. Lida Çeteli in accordance with the principles specified in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:
(i) Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data owner if clearly provided for in the laws, in other words, if there is a clear provision regarding the processing of personal data in the law to which the relevant activity is subject. Otherwise, the explicit consent of the data owner will be obtained for the processing of such special categories of personal data.
(ii) Special categories of personal data relating to health and sexual life may be processed without explicit consent by persons under the obligation of secrecy or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. Otherwise, the explicit consent of the data owner will be obtained for the processing of such special categories of personal data.
2.4. Purposes of Processing Special Categories of Personal Data
Special categories of personal data may be processed in accordance with the principles specified in Article 4 of the Law and the procedures and principles set forth in the relevant legislation, and in line with the personal data processing conditions specified in Articles 5 and 6 of the Law. Special categories of personal data collected by DR. Lida Çeteli through proper methods may be processed and stored within the scope of business relationship, product, service, or commercial activities, or within other relationships with Data Subjects, within the framework of the following purposes that require their processing, and in a manner that is connected, limited, and proportionate to these purposes.
Purposes of processing special categories of personal data include:
- Execution of legal compliance processes,
- Management of operations,
- Fulfillment of financial and fiscal affairs,
- Determination and implementation of commercial and business strategies,
- Fulfillment of service obligations depending on the service contract,
- Execution of emergency management processes,
- Fulfillment of obligations arising from employment contracts and legislation for employees,
- Execution of fringe benefits and interest processes for employees,
- Execution of business activities for employees,
- Evaluation of application processes of employees,
- Execution of activities in accordance with the legislation,
- Planning of human resources activities,
- Execution of occupational health/safety activities,
- Notifying authorized persons, institutions, and organizations.
2.5. General Principles Regarding the Processing of Special Categories of Personal Data
One of the matters of primary importance for DR. Lida Çeteli is to act in accordance with the general principles provided for in the legislation in the processing of special categories of personal data. In this context, DR. Lida Çeteli must act in accordance with the principles listed below in the processing of special categories of personal data in accordance with the Constitution and the KVKK Law.
- Engaging in Personal Data Processing Activities in Accordance with the Law and Honesty Rules
DR. Lida Çeteli carries out special category personal data processing activities in accordance with Article 4 of the KVKK Law, in compliance with the law and honesty rules; accurately and, when necessary, up-to-date; by pursuing specific, clear, and legitimate purposes; and in a manner that is connected, limited, and proportionate to the purpose. In this context, DR. Lida Çeteli takes proportionality requirements into account in the processing of special categories of personal data and does not use special categories of personal data for cases other than those required by the purpose.
- Ensuring Personal Data is Accurate and Up-to-Date When Necessary
DR. Lida Çeteli ensures that the special categories of personal data it processes are accurate and up-to-date, taking into account the fundamental rights of the Data Subject and its own legitimate interests; to this end, it takes the necessary measures and establishes the systems needed to ensure this.
- Processing for Specific, Clear, and Legitimate Purposes
DR. Lida Çeteli processes special categories of personal data for legitimate and lawful reasons and in connection with the activities it carries out and to the extent necessary. The purpose for which special categories of personal data will be processed by DR. Lida Çeteli is determined before the personal data processing activity begins.
- Being Connected, Limited, and Proportionate to the Purpose for Which They Are Processed
DR. Lida Çeteli processes special categories of personal data in a way that is suitable for the realization of the determined purposes and avoids processing personal data that are not related to or needed for the realization of the purpose. No special category personal data processing activity is carried out by DR. Lida Çeteli to meet needs that are likely to arise later.
- Retention for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for Which They Are Processed
DR. Lida Çeteli, in accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the KVKK Law, retains the special categories of personal data it processes only for the period envisaged in the relevant legislation and laws or required by the personal data processing purpose.
In this context, DR. Lida Çeteli first determines whether a period is envisaged in the relevant legislation for the storage of special categories of personal data, and if a period is determined, it acts in accordance with this period. If a legal period is not available, it stores special categories of personal data for the period necessary for the purpose for which they are processed. Special categories of personal data are destroyed at the end of the determined storage periods, in accordance with periodic destruction periods or the Data Subject's application, and with the determined destruction methods (deletion and/or destruction and/or anonymization). Details are specified in the Personal Data Storage and Destruction Policy.
PART 3
TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA AND CONDITIONS:
3.1. Transfer of Special Categories of Personal Data
DR. Lida Çeteli takes the necessary precautions with sensitivity in the transfer of the special categories of personal data it processes in accordance with the law, as such data are of a nature that could cause the relevant person to be victimized or exposed to discrimination if learned by others. In this context, DR. Lida Çeteli may transfer special categories of personal data to third parties by taking the necessary administrative and technical measures in accordance with the legislation, in line with the purposes of processing personal data.
3.2. Conditions for the Transfer of Special Categories of Personal Data
a. Conditions for the Domestic Transfer of Special Categories of Personal Data:
DR. Lida Çeteli may transfer special categories of personal data to third parties within the country, provided that the relevant person has given explicit consent, in line with the data processing purposes and by taking the necessary technical and administrative measures in accordance with the legislation. As a rule, special categories of personal data cannot be transferred to third parties within the country without the explicit consent of the Data Subject.
However, personal data other than health and sexual life may be transferred without the explicit consent of the Data Subject if clearly provided for in the laws, in other words, if there is a clear provision regarding the processing/transfer of special categories of personal data in the law to which the relevant activity is subject. In this direction, special categories of personal data other than personal data relating to health and sexual life may be transferred if:
- The Data Owner has given explicit consent,
- There is a clear regulation in the laws regarding the transfer of Special Categories of Personal Data,
- It is compulsory for the protection of the life or physical integrity of the Data Owner or another person, and the Data Owner is unable to express his/her consent due to actual impossibility or his/her consent is not legally valid,
- It is necessary to transfer personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of a contract,
- Personal data transfer is compulsory for DR. Lida Çeteli to fulfill its legal obligation,
- Special Categories of Personal Data have been made public by the Data Owner,
- Special Category Personal Data transfer is compulsory for the establishment, exercise, or protection of a right,
- Personal data transfer is compulsory for the legitimate interests of DR. Lida Çeteli, provided that it does not harm the fundamental rights and freedoms of the Data Owner.
Personal data relating to health and sexual life may be transferred without the explicit consent of the Data Subject only by taking adequate and necessary precautions and in the presence of any of the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
b. Conditions for the Transfer of Special Categories of Personal Data Abroad:
DR. Lida Çeteli may transfer special categories of personal data abroad in line with legitimate and lawful personal data processing purposes by showing necessary care and taking the administrative and technical measures envisaged by the legislation and the measures deemed necessary by the Board. As a rule, special categories of personal data cannot be transferred abroad without the explicit consent of the Data Subject.
However, special categories of personal data other than health and sexual life may be transferred to countries with adequate protection determined and announced by the Board, without the explicit consent of the Data Subject, if clearly provided for in the laws, in other words, if there is a clear provision regarding the processing/transfer of personal data in the law to which the relevant activity is subject. In the absence of adequate protection, data transfer abroad can only be made if the data controllers undertake adequate protection and the Board's permission is obtained.
Personal data relating to health and sexual life may be transferred to countries with adequate protection determined and announced by the Board, without the explicit consent of the Data Subject, only in the presence of any of the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. In the absence of adequate protection, data transfer abroad can only be made if the data controllers undertake adequate protection and the Board's permission is obtained.
PART 4
DELETION, DESTRUCTION, OR ANONYMIZATION OF SPECIAL CATEGORIES OF PERSONAL DATA
Although they have been processed in accordance with the Law and other relevant legal provisions, personal data are deleted, destroyed, or anonymized by DR. Lida Çeteli ex officio or upon the request of the relevant person in the event that the reasons requiring their processing disappear.
In the deletion, destruction, or anonymization of personal data, action is taken in accordance with the general principles in Article 4 of the Law and the technical and administrative measures to be taken within the scope of Article 12, the relevant legislation provisions, Board decisions, and the Personal Data Storage and Destruction Policy.
PART 5
SECURITY OF SPECIAL CATEGORIES OF PERSONAL DATA
Necessary technical and administrative measures are taken by DR. Lida Çeteli for the secure storage of special categories of personal data, the prevention of unlawful processing and access, and the lawful destruction of personal data, in accordance with the obligations specified in Article 12 of the Law and within the framework of adequate precautions determined and announced by the Board for special categories of personal data pursuant to the fourth paragraph of Article 6. In this context, the technical and administrative measures taken by DR. Lida Çeteli are specified in the Policy for the Processing and Protection of Personal Data and the Personal Data Storage and Destruction Policy. In addition to the technical and administrative measures specified in these policies, DR. Lida Çeteli also takes the following measures in special category personal data processing, security, and protection activities.
5.1. Measures for Employees Involved in Special Category Personal Data Processing Processes:
- Trainings are provided to employees on data security issues such as the processing, security, protection, and storage of special categories of personal data in accordance with the relevant legislation.
- Confidentiality agreements are made with employees and disciplinary procedures are applied.
- The scope and duration of authorization for employees who have access to special categories of personal data are defined.
- Authorization controls are performed periodically.
- The authorizations of employees who have a change of duty or leave their jobs in this area are immediately removed. In this context, the inventory allocated to them, if any, is taken back.
5.2. Measures Regarding Electronic Media Where Special Categories of Personal Data are Processed, Stored, and/or Accessed:
- Data are stored using cryptographic methods.
- Cryptographic keys are kept in secure and different environments.
- Transaction records of movements performed on the data are securely logged.
- Security updates of the environments where the data are located are constantly monitored, security tests are regularly performed or commissioned, and test results are recorded.
- If data are accessed through software, user authorizations for this software are defined, security tests of the software are regularly performed or commissioned, and test results are recorded.
- If remote access to data is required, at least a two-stage authentication system is applied.
5.3. Measures Regarding Physical Environments Where Special Categories of Personal Data are Processed, Stored, and/or Accessed:
- Physical environments (cabinets, archives, etc.) where special categories of personal data are located are locked.
- Adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where special categories of personal data are located.
- The physical security of these environments is ensured, and unauthorized entry and exit are prevented.
5.4. Measures Regarding the Transfer of Special Categories of Personal Data:
- If special categories of personal data need to be transferred via e-mail, these data are transferred encrypted with a corporate e-mail address or by using a Registered Electronic Mail (KEP) account. Password information of the file in question is not included in the e-mail content.
- If special categories of personal data need to be transferred via media such as portable memory, CD, DVD, these data are encrypted with cryptographic methods and the cryptographic key is kept in a different environment.
- If the transfer of special categories of personal data is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between the servers or by the SFTP method.
- If special categories of personal data need to be transferred on paper, necessary measures are taken against risks such as theft, loss, or the document being seen by unauthorized persons, and the document is sent in the "confidential documents" format.
PART 6
6.1 APPLICATION OF THE POLICY AND RELEVANT LEGISLATION
The relevant legal regulations in force regarding the processing and protection of special categories of personal data apply first. In case of incompatibility between the legislation in force and the Policy, DR. Lida Çeteli accepts that the legislation in force applies. The Policy concretizes and regulates the rules set forth by the relevant legislation within the scope of DR. Lida Çeteli's practices. In case of a change in the Policy, the effective date and relevant articles of the Policy will be updated accordingly.
6.2. EFFECTIVENESS OF THE POLICY
The effective date of this Policy is 07/11/2022. This Policy is published on DR. Lida Çeteli's website at https://www.drlidaciteli.com/ and is made available to the relevant persons upon the request of the personal data owners.
6.3. DISTRIBUTION
The Policy is announced to third parties and DR. Lida Çeteli's employees by being published on DR. Lida Çeteli's website.