Policy on Processing Sensitive Personal Data


1.     PURPOSE AND SCOPE OF THE POLICY

Title of data controller: Maslak Physical Therapy
Data controller address: Maslak Meydan Sk. Beybi Giz Plaza No:1 D:2 Sarıyer - Istanbul
Data controller phone: 0533 414 4020
Data controller e-mail: info@maslakfiziktedavi.com
Data controller website: maslakphysicaltreatment.com

The data controller is extremely sensitive to the protection of the special categories of personal data it processes.

This policy has been prepared for the purpose of explaining the security measures taken in accordance with the provision “In the processing of sensitive personal data, it is also necessary to take adequate measures determined by the Board.” specified in paragraph (4) of Article 6 of the Law and to determine the procedures and principles in this context.

2.     DEFINITIONS

The legal and technical terms used in this Policy have the following meanings:

Open Consent: Consent to a specific subject matter, based on information and freely given,
Law: Law No. 6698 dated 24.3.2016 on the Protection of Personal Data,
Recording media: Any medium containing personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system,
Sensitive Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,
Personal Data
Processing: All kinds of operations performed on personal data, such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system,
Board: Personal Data Protection Board,
Contact Person: The natural person whose personal data is processed,
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

3.     PROCESSING OF PERSONAL DATA OF SPECIAL NATURE

3.1   Basic Principles for Processing Sensitive Personal Data

Sensitive personal data are processed by taking all necessary administrative and technical measures in accordance with the Law and the principles set forth in this Policy. In this context, special categories of personal data:

  • will be processed in accordance with the law and good faith,
  • will be kept accurate and, where necessary, up to date,
  • will be processed for specific, explicit and legitimate purposes,
  • will be used and disclosed in connection with the legal purpose for which they are processed, in a limited and measured manner,
  • will be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

3.2   Processing of Special Categories of Personal Data

  • Personal health data of patients are processed by our physicians, who are bound by a duty of confidentiality, for the purpose of medical diagnosis, treatment and care services, and health services and management, pursuant to Article 6/3 of the KVKK. These special categories of personal health data are processed electronically and physically by personnel who regularly receive awareness training on the KVKK and who are employed under a confidentiality undertaking.
  • Health reports obtained from personnel in accordance with the Occupational Health and Safety Law are processed in accordance with the KVKK legislation.
  • The criminal record of the healthcare professionals within our organization is processed based on the legal reason that it is clearly stipulated in the laws for personnel work certificate procedures.
  • The criminal records of those whose personnel work certificates are not issued are processed physically and electronically with their explicit consent based on their free will.
  • The dress code data of healthcare professionals working in our organization is processed based on the legal reason that it is clearly stipulated in the Laws specified in Article 6 of the Law.
  • Health, criminal conviction and security measure data are obtained from personnel candidates with explicit consent, and the data of those whose job application is negative are deleted immediately.

4.     PURPOSES OF PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

In accordance with the basic principles set out in Article 4 of the Law, the Center processes personal data for the purposes listed below, based on at least one of the conditions for processing special categories of personal data specified in Article 6 of the Law.

  • Execution of Emergency Management Processes
  • Execution of Employee Candidate Application Processes
  • Fulfillment of Employment Contract and Regulatory Obligations for Employees
  • Execution of Employee Benefits and Benefits Processes
  • Execution of Activities in Compliance with the Legislation
  • Monitoring and Execution of Legal Affairs
  • Planning Human Resources Processes
  • Execution of Occupational Health / Safety Activities
  • Execution of Operation Processes of the Service
  • Carrying out storage and archive activities
  • Execution of Contract Processes
  • Ensuring the Security of Movable Property and Resources
  • Ensuring the Security of Data Controller Operations
  • Providing Information to Authorized Persons, Institutions and Organizations
  • Protection of public health, medical diagnosis, treatment and care services

5.     TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA

5.1   Domestic Transfer

  1. Patients' personal health data may be transferred to the following 3rd parties.
  • To judicial authorities and party attorneys in case of legal dispute, limited to the personal data requested upon request
  • Identity and health information to the E-Nabız system in accordance with the Basic Law on Health Services
  • Identity, health and insurance information of those who receive services within the scope of private insurance to private insurance companies

  2. Personal health data of the personnel are transferred to the following 3rd parties.
  • To judicial authorities and party attorneys in case of legal dispute, limited to the personal data requested upon request
  • Identity, contact, health, photograph, diploma and criminal conviction data to the district/provincial health directorate for the purpose of applying for a personnel work certificate
  • To the software company that is the developer of workplace computer programs for archiving purposes

  3. Personal health, criminal conviction and security measures data obtained with explicit consent from job applicants are immediately deleted and destroyed if the job application is negative.

5.2   Transferring Abroad

Special categories of personal data processed are not transferred abroad.

6.     MEASURES TAKEN FOR THE PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

7.1 Security Measures Taken

1- Our Center has determined a systematic, clearly defined, manageable and sustainable separate policy and procedure for the security of sensitive personal data,

2- For employees involved in the processing of sensitive personal data,

  a) Regular trainings are provided on the Law and related regulations and special categories of personal data security,
  b) Confidentiality agreements have been made,
  c) The scope and duration of authorization of users authorized to access data are clearly defined,
  d) Periodic authorization checks are carried out,
  e) The authorizations of employees who change their duties or leave their jobs are immediately revoked. In this context, the inventory allocated to the departing employee is returned,

3- If the media where special categories of personal data are processed, stored and/or accessed are electronic media;

Security updates for the environments where the data are located are constantly monitored, necessary security tests are regularly performed and the test results are recorded.

4- The physical environment where special categories of personal data are processed, stored and accessed;

  a) Adequate security measures (against electric leakage, fire, flood, theft, etc.) have been taken according to the nature of the environment where sensitive personal data is located,
  b) Physical security of these environments was ensured and unauthorized entry and exit were prevented,

5- If sensitive personal data will be transferred;

  a) If the data needs to be transferred via e-mail, it is transferred encrypted with a corporate e-mail address or using a Registered Electronic Mail (REM) account.
  b) If it is necessary to transfer data via paper media, necessary precautions are taken against risks such as theft, loss or unauthorized viewing of the document and the document is sent in the format of “confidential documents”.

Administrative and Technical Measures Taken

Administrative Measures

  • Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
  • The signed contracts contain data security provisions.
  • Personal data is minimized as much as possible.
  • Internal Periodic and/or Random Audits are conducted or commissioned.
  • Risk Analyses are conducted and reported.
  • KVKK provisions are added to texts such as employment contracts and disciplinary regulations.
  • Personal data security is monitored.
  • Confidentiality agreements are made with the recipient groups to which data is transferred.
  • Personal Data Processing Inventory has been prepared.
  • Deletion, destruction or anonymization operations are performed periodically.

Technical Measures

  • Network security and application security are ensured.
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems
  • Up-to-date anti-virus systems are used.
  • Firewalls are used.
  • User account management and authorization control system are implemented and monitored.

 

7       RIGHTS OF THE PERSONS CONCERNED AND THE EXERCISE OF THESE RIGHTS

7.2 Rights of Relevant Persons

  • To learn whether their personal data is being processed,
  • To request information if their personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used for their intended purpose,
  • To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, even though it has been processed in accordance with the provisions of the Law and other relevant laws, and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
  • To demand compensation for the damage in case of damage due to unlawful processing of personal data.

7.3 Exercise of the Relevant Person's Rights

Personal data subjects can obtain the Data Subject Application Form:

  • From our clinic at the above address
  • From our website mentioned above

They are required to fill in the "Data Controller's Application Form" and send it to the above-mentioned address of the data controller by hand, by mail or via notary public, or to our e-mail address above from the e-mail address that they have previously notified to us and that is registered in our system.

7.4 Responding to Applications

In the event that the relevant person duly submits his/her request regarding the above-mentioned rights under Article 11 of the Law to us, the relevant request will be finalized free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

8       COORDINATION OF PERSONAL DATA PROTECTION AND PROCESSING PROCESSES

The company manager or the personnel to be assigned by him/her shall coordinate the processes of Processing and Protection of Sensitive Personal Data.

9       UPDATES TO THE POLICY

Due to changes in the legislation, in accordance with the decisions of the Board or in line with the developments in the sector or in the field of informatics, amendments may be made to this Policy on the Processing of Special Categories of Personal Data. Changes made within this scope are immediately incorporated into the text and explanations regarding the changes are added to the updates table below.

Updates Table

........................................The Policy on Processing and Protection of Sensitive Personal Data has entered into force.
