1. PURPOSE AND SCOPE OF THE POLICY
Data controller: Maslak Physical Therapy
Address: Maslak Meydan Sk. Beybi Giz Plaza No:1 D:2 Sarıyer - Istanbul
Phone: 0533 414 4020
E-mail: info@maslakfiziktedavi.com
Website: maslakfiziktedavi.com
The processing and protection of personal data in accordance with the law is of great importance for the data controller. This Policy on the Processing and Protection of Personal Data ("Policy") has been prepared to ensure that personal data processing activities comply with the Personal Data Protection Law No. 6698 and the regulations, circulars and directives issued under it, and to bring the company as a whole into compliance with the KVKK legislation. This Policy also sets out the principles and procedures governing the processing, storage and security of personal data.
2. DEFINITIONS
The legal and technical terms used in this Policy have the following meanings:
| Term | Definition |
|---|---|
| Explicit Consent | Consent on a specific subject, based on information and freely given |
| Relevant User | Persons who process personal data within the organization of the data controller, or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data |
| Destruction | Deletion, destruction or anonymization of personal data |
| Law | Law No. 6698 of 24.3.2016 on the Protection of Personal Data |
| Recording Medium | Any medium containing personal data processed by fully or partially automated means, or by non-automated means provided that it is part of a data recording system |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Personal Data Processing | Any operation performed on personal data, such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automated means or by non-automated means provided that it is part of a data recording system |
| Personal Data Deletion | Making personal data inaccessible and non-reusable in any way for the Relevant Users |
| Personal Data Destruction | Making personal data inaccessible, irretrievable and non-reusable by anyone in any way |
| Board | Personal Data Protection Board |
| Special Categories of Personal Data (Sensitive Personal Data) | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data |
| Periodic Destruction | Where all of the conditions for processing personal data specified in the Law cease to exist, the deletion, destruction or anonymization carried out ex officio at the recurring intervals specified in the personal data retention and destruction policy |
| Relevant Person / Data Subject | The natural person whose personal data is processed |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system |
3. PROCESSING OF PERSONAL DATA
3.1 Basic Principles for Processing Personal Data
Personal data will be processed in accordance with the basic principles specified in the Law. In this context, personal data:
- will be processed in accordance with the law and the principle of good faith;
- will be kept accurate and, where necessary, up to date;
- will be processed for specific, explicit and legitimate purposes;
- will be used and disclosed in a limited and proportionate manner, in connection with the purpose for which it is processed;
- will be retained for the period stipulated in the relevant legislation or required for the purpose for which it is processed.
3.2 Terms of Processing of Personal Data
Personal data that do not fall within the special categories may be processed where at least one of the following legal grounds applies, or with the explicit consent of the data subject:
- Explicitly stipulated in the law
- Processing of the parties' data is necessary for the performance of the contract
- It is mandatory for the data controller to fulfill its legal obligation
- Data processing is mandatory for the establishment, exercise or protection of a right
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject
3.3 Processing of Special Categories of Personal Data
The procedures and principles to be followed while processing special categories of personal data are explained in detail in the Policy on Processing of Special Categories of Personal Data prepared and published by our company.
The Policy on the Processing of Sensitive Personal Data is available on our website: https://maslakfiziktedavi.com/
3.4 Informing the Personal Data Subject
Data subjects are informed in accordance with the Law. In this context, data subjects are informed about the identity of the data controller, the purposes for which their personal data will be processed, to whom it will be transferred, the method by which it is collected and the legal basis for collection, and the rights of the data subject listed below.
Rights of data subjects:
- Learn whether personal data is being processed,
- Request information if personal data has been processed,
- To learn the purpose of processing personal data and whether they are used for their intended purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing,
- To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
- Request notification of updates or deletions of personal data to third parties to whom personal data are transferred,
- To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
- In case of damage due to unlawful processing of personal data, to demand compensation for the damage.
To exercise the rights listed above, you are required to obtain the Data Subject Application Form
- from our clinic at the address given above, or
- from our website mentioned above,
fill it out completely, and send it to the clinic address by hand, by mail or through a notary public, or to our e-mail address given above from an e-mail address that you have previously notified to us and that is registered in our system.
Applications made as described above will be responded to free of charge as soon as possible and within 30 (thirty) days at the latest. However, if the transaction subject to your request incurs an additional cost, the fee set out in the tariff determined by the Personal Data Protection Board will be charged by the Clinic.
4. PURPOSES OF PROCESSING PERSONAL DATA
In accordance with the basic principles set out in Article 4 of the Law, and based on at least one of the processing conditions for personal data and special categories of personal data specified in Articles 5 and 6 of the Law, personal data is processed for, and limited to, the purposes listed below:
- Carrying out the application processes of employee candidates
- Fulfillment of employment contractual and legislative obligations for employees
- Execution of fringe benefits and benefits processes for employees
- Execution of activities in accordance with the legislation
- Conducting finance and accounting affairs
- Ensuring physical space security
- Follow-up and execution of legal affairs
- Conducting communication activities
- Conducting occupational health and safety activities
- Execution of contract processes
- Follow-up of requests and complaints
- Ensuring the security of movable property and resources
- Informing authorized persons, institutions and organizations
- Carrying out promotional activities
5. STORAGE PERIOD AND DESTRUCTION OF PERSONAL DATA
In accordance with the provisions of the Law and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, personal data is stored for the period required for the purpose for which it is processed and in accordance with the periods stipulated in the legislation to which the relevant activity is subject.
It is first determined whether the relevant legislation stipulates a period for the storage of the personal data. If such a period is stipulated, the data is stored for that period; if there is no legal period, it is stored for the period required for the purpose for which it is processed.
The retention periods determined for each category of personal data according to these criteria are shown in the table below. Personal data is destroyed, using the specified destruction methods, within the six-month periodic destruction cycle following the end of these periods, or within thirty days at the latest upon application of the data subject.
Retention periods of personal data:
| PROCESSED DATA | RELEVANT PERSON CATEGORY | STORAGE TIME |
|---|---|---|
| Identity Information | Employee | 15 years after the active employment relationship ends |
| Identity Information | Employee Candidate | Not kept if the job application result is negative |
| Identity Information | Patient | 20 years from the end of treatment |
| Identity Information | Companion | During the service period |
| Identity Information | Natural Persons Providing External Services | 10 years from the end of service |
| Contact Information | Employee | 15 years after the active employment relationship ends |
| Contact Information | Employee Candidate | Not kept if the job application result is negative |
| Contact Information | Patient | 20 years from the end of treatment |
| Contact Information | Companion | During the service period |
| Contact Information | Natural Persons Providing External Services | 10 years from the end of service |
| Personal Health Data | Employee | 15 years after the active employment relationship ends |
| Personal Health Data | Employee Candidate | Not kept if the job application result is negative |
| Personal Health Data | Patient | 20 years from the end of treatment |
| Criminal Conviction and Security Measures Information | Employee | 15 years after the active employment relationship ends |
| Criminal Conviction and Security Measures Information | Employee Candidate | Not kept if the job application result is negative |
| Personnel | Employee | 10 years after the active employment relationship ends |
| Personnel | Employee Candidate | Not kept if the job application result is negative |
| Legal Action | Employee and Patient | 10 years from the end of the legal process |
| Process Security | Employee and Patient | 2 years |
| Customer Transaction | Patient | 20 years |
| Customer Transaction | Natural Persons Providing External Services | 10 years from the end of service |
| Finance | Patient | 20 years |
| Finance | Employee | 10 years |
| Camera Recordings | All Groups of People | 2 months |
| Professional Experience | Employee | 10 years after the active employment relationship ends |
| Professional Experience | Employee Candidate | Not kept if the job application result is negative |
| Audio and Visual Recordings | Employee | 15 years after the active employment relationship ends |
| Audio and Visual Recordings | Patient | 20 years from the end of treatment |
| Audio and Visual Recordings | Employee Candidate | Not kept if the job application result is negative |
6. TRANSFER OF PERSONAL DATA
6.1 Transfer of Personal Data Domestically
Processed personal data may be transferred to the following third parties.
Personal data of the personnel working in our organization:
- To judicial authorities and party attorneys in case of legal dispute, limited to the personal data requested upon request
- Identity and contact information to the authorized financial advisor for the purpose of following up legal obligations
- Identity and financial information is submitted to the contracted bank for salary payment
- Identity, contact, health, photograph, diploma and criminal conviction data to the district/provincial health directorate for the purpose of applying for a personnel work certificate
- Identity and title information is entered into the Health Personnel Tracking System of the Ministry of Health
- Identity information is submitted to the Social Security Institution for the purpose of employment declaration
- Identity and financial information to the tax office for tax declaration
- Identity and family information to the tax office for the minimum living allowance
- To the software company that is the developer of workplace computer programs for archiving purposes
Personal data of patients receiving services:
- To judicial authorities and party attorneys in case of legal dispute, limited to the personal data requested upon request
- Identity, health and insurance information of those who receive services within the scope of private insurance to private insurance companies
- Identity, contact, health and companion information to the health institution to be referred in case of patient referral
- To the software company that is the developer of the patient registration program in order to archive patient files in accordance with the Regulation on Private Hospitals
Personal data obtained from natural persons providing services:
- To judicial authorities and party attorneys in case of legal dispute, limited to the personal data requested upon request
- To the authorized financial advisor for the purpose of fulfilling legal obligations
- To the contracted bank for payments
- To the software company that is the developer of workplace computer programs for archiving purposes
Personal data obtained from other groups of people:
- To judicial authorities and party attorneys in case of legal dispute, limited to the personal data requested upon request
7. PROTECTION OF PERSONAL DATA
Our business, as set out in Article 12 of the Law:
- To prevent unlawful processing of personal data,
- To prevent unlawful access to personal data,
- It takes the necessary technical and administrative measures to ensure the appropriate level of security in order to ensure the protection of personal data and conducts or has the necessary audits carried out for the implementation of the measures taken.
7.1 Measures Taken to Protect Personal Data
7.1.1 Administrative Measures
- There are disciplinary regulations for employees that include data security provisions.
- Training and awareness raising activities on data security are carried out for employees at regular intervals.
- Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
- Confidentiality commitments are made.
- The signed contracts contain data security provisions.
- Extra security measures are taken for personal data transferred via paper and the relevant document is sent in the format of a confidential document.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- Security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- Internal periodic and/or random audits are conducted and commissioned.
- Protocols and procedures for the security of sensitive personal data have been determined and implemented.
- If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using a KEP (registered electronic mail) or corporate mail account.
- The scope and duration of authorization of users authorized to access sensitive personal data are clearly defined.
- Inventory allocated to employees who change their positions or leave their jobs is returned.
- A personal data inventory has been prepared.
- Periodic deletion, destruction or anonymization operations are performed.
7.1.2 Technical Measures
- Network security and application security are ensured.
- Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
- Authorization matrix has been created for employees.
- Access logs are kept regularly.
- The access authorizations of employees who change roles or leave their jobs are revoked.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- User account management and authorization control system are implemented and monitored.
- Log records are kept without user intervention.
- Secure encryption/cryptographic keys are used for sensitive personal data and managed by different units.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Sensitive personal data transferred on portable memory sticks, CDs and DVDs are encrypted.
- Employees with access to sensitive personal data are periodically subject to authorization checks.
- Security updates for the environments where the data are stored are constantly monitored, necessary security tests are regularly performed or commissioned and test results are recorded.
- Security tests of software that accesses sensitive personal data are regularly conducted and test results are recorded.
- A two-stage authentication system is used for remote access to sensitive personal data.
- If personal health data is to be transferred between servers in different physical environments, it is transferred over a VPN established between the servers or by using SFTP.
- For personal data stored in digital media, deletion, destruction or anonymization operations are performed periodically.
7.2 Measures to be Taken in Case of Data Breach
In the event that personal data processed by our clinic/office is obtained by others unlawfully, our business will notify the data subject and the Board as soon as possible after learning of the breach.
Once our clinic/office has identified the persons affected by the breach, those persons will be notified directly at their contact address as soon as reasonably possible.
The breach notification to the data subject will include:
- When the breach occurred,
- Which personal data is affected by the breach,
- Possible consequences of a breach,
- Measures taken or proposed to be taken to mitigate the effects of the breach,
- The name and contact details of the contact person from whom the data subject can obtain information about the data breach.
8. RIGHTS OF PERSONAL DATA SUBJECTS AND EXERCISE OF THESE RIGHTS
8.1 Rights of the Personal Data Subject
Personal data subjects have the following rights:
- To learn whether their personal data is being processed,
- To request information if their personal data has been processed,
- To learn the purpose of processing personal data and whether they are used for their intended purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- Although it has been processed in accordance with the provisions of the Law and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
- In case of damage due to unlawful processing of personal data, to demand compensation for the damage.
8.2 Exercising the Rights of the Personal Data Subject
Personal data subjects can exercise the rights listed above and in Article 11 of the Law by obtaining the Data Subject Application Form
- from our clinic at the address given above, or
- from our website maslakfiziktedavi.com,
filling it out and delivering it to the address of the data controller specified above by hand, by mail or through a notary public.
8.3 Responding to Applications
In the event that a personal data subject duly submits a request regarding the rights mentioned above and in Article 11 of the Law to our Clinic, the Clinic will finalize the request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the procedure requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
9. COORDINATION OF PERSONAL DATA PROTECTION AND PROCESSING PROCESSES
The coordination of the protection and processing of personal data is carried out by the data controller or the personnel authorized by the data controller.
10. UPDATES TO THE POLICY
Our clinic has the right to make changes in this Personal Data Processing and Protection Policy due to changes in legislation, in accordance with Board decisions or in line with developments in the sector or in the field of informatics. Changes made within this scope are immediately incorporated into the text and explanations regarding the changes are added to the updates table below.
Updates Table
| Personal Data Processing and Protection Policy has entered into force. | |
11. FINAL PROVISIONS
This Personal Data Storage and Destruction Policy has been prepared by the data controller and is announced to the relevant persons:
- at appropriate locations within the enterprise
- on our website maslakfiziktedavi.com