CLARIFICATION TEXT ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

The addressee of this clarification text is the Patient (Person Receiving Goods or Services), the Patient’s Parent or Guardian and the Relatives of these Persons. As the data controller OP. DR. MEHMET TİBET ALTUĞ, all kinds of personal data processed by us are protected within the scope of the provisions of the relevant national and international legislation, especially the Law No. 6698 on the Protection of Personal Data. In order to ensure the necessary protection, we take technical and administrative measures in a timely manner and make the necessary notifications to the relevant persons, institutions and organizations as soon as possible within the framework of legal provisions in case of any suspected violation.

A. PROCESSING OF PERSONAL DATA AND BASIC PRINCIPLES GOVERNING DATA PROCESSING

All kinds of processes such as obtaining, partially or completely changing, categorizing, transferring, recording, storing, storing and destroying personal data belonging to real persons by using fully or partially automatic recording methods or non-automatic methods are called processing of personal data. As can be understood from this explanation, all of the processes of obtaining, storing, transferring and destroying the data obtained means the processing of data. Your personal data are processed in connection with the requirements of the commercial activity, workplace order and general operation within our Clinic within the scope of the provisions of the Labor Law No. 4857, Personal Data Protection Law No. 6698, Turkish Code of Obligations No. 6098, Social Insurance and General Health Insurance Law No. 5510, Occupational Health and Safety Law No. 6331 and other laws. The data in question are obtained from the information within the scope of employment contracts, commercial contracts, other contractual relations and the personal file of the party, the information and documents submitted by you, and the information and documents legally obtained from the relevant institutions or notified to us by the institutions. Again, the data in question are processed within legal frameworks limited to their exclusive purposes by the personnel or personnel of Human Resources, Data Protection Unit (DPO), Call Center, Accounting, IT, Support Services and other service units/units under the supervision and responsibility of our data controller clinic. Data may also be processed by the doctor and lawyer/lawyers of the organization limited to the purpose in line with the requirements of the job and legal requirements. There are basic principles regarding the processing of personal data accepted in international documents, especially the GDPR, i.e. the European Data Regulation, and included in the authorized board decisions of the countries. Article 4 of the Law on the Protection of Personal Data regulates the procedures and principles regarding the processing of personal data in parallel with Convention No. 108 and European Union Directive 95/46/EC. Accordingly, the general (basic) principles listed in the Law for the processing of personal data are as follows:
– Compliance with the law and good faith,
– Being accurate and up to date when necessary,
– Processing for specific, explicit and legitimate purposes,
– Being relevant, limited and proportionate to the purpose for which they are processed,
– Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
These principles are applied to disputes by the boards and judicial authorities authorized to take regulatory action.In order to be able to mention that personal data is obtained and processed in accordance with the law, the data in question must be processed by taking into account the principles and the basic motives at the core of the principles above.

B. DEFINITIONS

Explicit consent, according to the scope of Directive 95/46 EC, explicit consent should be understood as the declaration of consent given by the person concerned to the processing of data concerning him/her, freely, with sufficient information on the subject, in a clear manner that leaves no room for hesitation and limited only to that transaction. Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. Data recording system refers to the recording system in which personal data is structured and processed according to certain criteria. Such systems may be physical or digital. Data can be processed according to more than one criterion within the system in question. For example, data can be registered and processed based on a registration system based on name, surname, Turkish Republic or place of birth. The data controller is the person who is responsible for the processing, transfer, deletion and deletion of direct data within the scope of Law No. 6698 and for the obligations under other laws. are those who determine the purposes and means of processing personal data and are responsible for the establishment and management of the data recording system. These persons may be real persons or legal entities such as public institutions, companies, associations or foundations. Within the scope of this disclosure text, OP. DR. MEHMET TİBET ALTUĞ. Data processors are natural and legal persons who process data on behalf of the data controller. These persons may be employees who process personal data within the framework of the instructions given to them, or a separate natural or legal person determined by the data controller by purchasing services. Any natural or legal person can be both a data controller and a data processor at the same time. For example, an accounting company will be considered a data controller with respect to the data it keeps on its own personnel, while it will be considered a data processor with respect to the data it keeps on its client companies. Relevant Person refers to the real person whose personal data is processed, i.e. PATIENT, PATIENT RELATIVE AND PATIENT’S PARENT OR GUARDIAN within the scope of this contract. Destruction refers to the deletion, destruction or anonymization of personal data.

C. CONDITIONS FOR PROCESSING PERSONAL DATA

The processing of personal data is defined in Article 3/e of Law No. 6698 as follows: ” Processing of personal data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,” Article 5 of the same law states how the information in the nature of personal data will be processed as follows: ” Conditions for processing personal data ARTICLE 5-
(1) Personal data cannot be processed without the explicit consent of the data subject.
(2) In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject:
a) It is clearly stipulated in the laws.
b) It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
c) It is necessary to process personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) It has been made public by the data subject himself/herself.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject”

D. PERSONAL DATA OF SPECIAL NATURE AND PROCESSING CONDITIONS

Some data are more indispensable than other personal rights in terms of their nature, nature and area of intervention. For this reason, the protection and processing of these rights are regulated separately and with strict formal requirements under the law in question. Personal rights of special nature are defined and listed in paragraph 6/1 of the law as follows:
”Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data are personal data of special nature.”
How these rights can be processed is stated in the other paragraphs of the same article as follows:
”(2) It is prohibited to process special categories of personal data without the explicit consent of the data subject.
3) Personal data other than health and sexual life listed in the first paragraph can be processed without the explicit consent of the person concerned in cases stipulated by law. Personal data relating to health and sexual life may be processed without the explicit consent of the data subject only for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.
(4) In the processing of special categories of personal data, adequate measures determined by the Board must also be taken.”
Non-profit organizations or entities such as political parties, foundations, associations or trade unions may process special categories of personal data as required by their activities. These organizations and entities will be able to process special categories of personal data of their members and members in accordance with the purposes of their establishment, that is, limited to the purpose, in accordance with the law. The storage of membership information by a political party means the processing of personal data of a special nature. As stated above, such organizations and formations will only be able to process such data in accordance with their fields of activity and purposes. For example, a trade union will only keep the union membership records of its workers and will not be able to process special categories of personal data regarding their political views or health status.
If the personal data of a private nature has been made public by the data subject, that is, it has become publicly available, it is possible to process such data. In such a case, the data controller will not be held liable. According to the prevailing opinion, in such cases, the legally protected interest of the data subject has disappeared. The issue to be considered here is the scope of publicization.
As in the case of personal data, in the case of private data, if the processing is mandatory for the establishment, use or protection of a right, the processing is considered lawful without the requirement of consent. Explicit consent is not required if a workplace that is obliged to employ disabled employees receives and processes the data of the employee in question, that is, if it shares it with the relevant institutions and organizations. Similarly, if the disabled person or his/her guardian who wants to buy a vehicle by benefiting from the SCT exemption shares the data in question with the Tax Office and the office processes the data, explicit consent will not be required.
You can access the administrative and technical measures taken during the processing of both your special and other personal data under the heading KVKK Destruction Policies on the website with the extension https://www.drtibetaltug.com.

E. METHODS OF COLLECTING PERSONAL DATA

Your personal data are collected from the information received within the scope of dialogues and communication with our practice, reference letters sent to us and the scope of the preliminary contract and contract concluded, mobile communication, mobile applications, suggestion / complaint form, various contracts, information, documents and application forms sent by e-mail and other communication channels, website cookie applications, forms filled out and transmitted to us within the scope of the website, security cameras. These data are obtained and processed in accordance with our data policy and Board decisions, taking into account the principles of Article 5 of the KVKK. In all these processes, it is aimed to prevent unnecessary data collection by considering the principles of proportionality and proportionality.

F. PROCESSED PERSONAL DATA, PURPOSES OF PROCESSING, LEGAL BASIS AND STORAGE METHODS

Personal data obtained within the scope of the above-mentioned collection methods can be categorized under the following general headings;
Identity Information: It is the information belonging to one or more real persons, which is processed by automatic, partially automatic or non-automatic methods, making the person or persons specific or identifiable. Among the information in question, not only the Turkish ID information of the persons, but also the information contained in the documents that replace the ID is included in this scope. In this context, your Name, Surname, TR Identity Number, Passport Number, Temporary TR Identity Number, Place of Birth, Date of Birth, Marital Status, Gender information is received as identity information.
Contact Information: These are the data belonging to one or more real persons, which are processed automatically, partially automatically or non-automatically, and which enable the person or persons to contact and communicate with each other. This includes information such as phone number, letter, address, e-mail address, fax number, IP address and ID numbers defined according to the communication applications used (such as ZOOM and Teamwiever).
Data of Family Members and Relatives: Family and next of kin information obtained from identified or identifiable natural persons or persons who can be identified within the scope of an automated or partially automated system or a non-automated method. What is to be understood from the information of relatives mentioned here is the persons whose data is processed and who consent to contact with the relevant person in the processes related to him/her. A kinship relationship is not required. These data are processed to ensure patient-doctor process management, to manage the crisis process in emergencies and as required by law.
Financial Data: All kinds of information and documents related to financial status obtained from real persons by automatic or non-automatic methods are called financial data. The data received in question varies within the scope of the dialogs established with the Practice. Bank Account Number, IBAN Number, Credit Card Information, Invoice Information are processed within this scope.
Health Information: Examination Data received from the relevant persons, narratives and reports on medical history, data on medical family history, analysis and test results, laboratory results, medical imaging results, appointment information, prescription information, photographs before and after surgery, three-dimensional visual data, practice follow-up data, endoscopy data, videos taken for diagnosis and treatment, information and documents recorded remotely through digital devices are the main health data received and processed. Interview and correspondence data regarding the diagnosis and treatment of the disease obtained from the dialogs established before and after the examination with the practice, data on social environment, family life and sexual life are also included in this scope. Consultation notes, surgery notes, examination and evaluation results, which are considered medically important in treatment and diagnosis by us and reported and recorded by other health institutions or doctors, may be considered as processed health data.

Data Received within the Scope of SSI Legislation: Insurance and Patient Protocol numbers are included in this scope.
Audio/Visual Data: Data obtained from visual and auditory recording media belonging to real person or persons and the media where these data are stored. Only visual recordings are made by the cameras in our clinic. There is no sound recording. Call center records are also included in this scope.
Data on Request/Complaint Management: Data obtained by automatic, semi-automatic or non-automatic methods within the practice request and complaint process. This includes data on malpractice treatment during the complaint of practice staff. Other data included in the complaint form also determines this scope.
Legal Action Data: Data obtained as evidence for legal disputes to which the employees of the practice and us are parties and used before judicial authorities are included in this group of data.
The purposes of processing the above personal data are as follows;
a. To ensure that an effective, safe and quality health service is provided to the person concerned.
b. To fulfill the requirements of legal regulations.
c. To ensure doctor-patient communication.
d. To manage identity and disease confirmation processes.
e. To ensure the protection of public health, preventive medicine, medical diagnosis, treatment and care services.
f. Confirming and scheduling appointment processes.
g. Ensure the effective management of the internal functioning of the practice.
h. To ensure the coordination of confirmation and financial processes regarding contracted institutions.
i. Invoicing.
j. To meet legal requests from relevant institutions and organizations, especially the Ministry of Health.
k. Managing the request and complaint processes regarding the services provided.
l. Managing promotion and marketing processes.
m. To ensure the management of risk and quality processes.
n. Ensuring the supply of medicines and materials suitable for the patient.
o. To meet the demands of regulatory and supervisory institutions and organizations and official authorities.
p. To ensure that the requested information and documents are shared with judicial authorities in line with the requests of judicial authorities.
In addition to all these, in case of Explicit Consent, health data obtained from the relevant patient and personal data belonging to the patient may be processed to inform and educate other patients, assistants, staff receiving training and the public. The data obtained within this scope may be used in educational platforms such as articles, presentations, seminars, seminars, books and open sessions, limited to the purpose.
The legal provisions of the legislation on the basis of the processing of personal data are as follows;
a. Basic Law No. 3359 on Health Services
b. Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Affiliated Organizations
c. Regulation on Private Hospitals
d. Law No. 6698 on the Protection of Personal Data
e. Regulation on Processing and Ensuring the Privacy of Personal Health Data,
f. Code of Obligations No. 6098
g. Regulation on Private Health Institutions Providing Oral and Dental Health Services
h. Regulation on Private Health Institutions for Outpatient Diagnosis and Treatment
i. Patient Rights Regulation
j. Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through Such Publications,
k. Law No. 6563 on the Regulation of Electronic Commerce
Personal data obtained within the scope of the above-mentioned legal regulations and storage purposes will be protected by our clinic and the forms of protection and retention are as follows:

DIGITAL MEDIA; Cloud Environments, Servers, Digital Storage Areas, Software Digital Environments (Office software, VERBIS), Devices used for Cyber and Network Security (Firewall etc.), Mobile Devices such as phones, tablets, Portable Disks, Printers, Scanners and Photocopiers Optical Disks.
PHYSICAL MEDIA; Paper and derivatives, Forms and notebooks filled in the operation and processes of the clinic, All kinds of media where written data is kept, Other documents related to physical data (photographs, photocopies, etc.).

G. STORAGE PERIODS AND DESTRUCTION OF PERSONAL DATA

Article 3 of the Law defines the concept of processing personal data, Article 4 states that the personal data processed must be linked, limited and measured for the purpose for which they are processed and must be kept for the period stipulated in the relevant legislation or for the purpose for which they are processed, and Articles 5 and 6 list the processing conditions of personal data.
Accordingly, personal data obtained within the framework of the activities of our practice are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes. In this context, the data of a person who receives services or goods from us will be destroyed in the first destruction period after 10 years, considering the nature of the work between us as a contract of attorney / work contract in case of a possible dispute. Data related to legal proceedings will be kept for 5 years after the end of the litigation process and will be destroyed in the first destruction period. Camera recordings will be kept for 90 days. Data on online visitors will be kept for 2 years in accordance with Law No. 5651. However, the data related to the forms filled out on the internet will be destroyed in the first destruction period after 10 years. Personal Data Regarding Tax Records and Personal Data Processed with Documents Required to be Kept Pursuant to the Tax Procedure Law such as Invoice / Expense Compass / Receipt will be kept for 5 years in accordance with the Tax Procedure Law No. 213 and then destroyed in the first destruction period. Call center voice recordings will be kept for 3 years in accordance with Law No. 6563 and Related Legislation and will be destroyed in the first subsequent destruction period. If the data in question is the subject of a criminal case, the data will be kept for 30 years.
In our practice, January and July have been designated as destruction periods. The data in question will be destroyed with a report and this report will be kept for 3 years.
When requested by the person concerned, the personal data in question will be deleted by our clinic and third parties to whom we transfer it, if legal conditions are met. The person concerned, in accordance with Article 13 of the Law, OP. DR. When MEHMET TİBET ALTUĞ applies to our clinic and requests the deletion or destruction of his personal data;
1. If all the conditions for processing personal data have disappeared; As the data controller, it deletes, destroys or anonymizes the personal data subject to the request within 30 (thirty) days from the day it receives the request, explaining its justification, with the appropriate destruction method. In order for our clinic to be deemed to have received the request as the data controller, the person concerned must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, the Data Controller informs the person concerned about the transaction made by the Data Controller.
1’Detay :In the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/9 on the Calculation of the Application to the Data Controller and Complaint Periods to the Board, the following principles are included:
If the data controller responds to the application made by the data subject within 30 days, the data subject may file a complaint within 30 days following the response of the data controller, in this respect, in such cases, the data subject does not have a 60-day period from the date of application to the data controller,
In the event that the data controller does not respond to the application made by the data subject, the data subject may file a complaint to the Board within 60 days from the date of application to the data controller,
In the event that a response is given by the data controller to the application made by the data subject after the 30-day period granted in the Law, the data subject is not obliged to wait for the response to be given after the 30-day period granted to the data controller in the Law and can file a complaint to the Board upon the expiration of the period granted to the data controller, taking into account that the data subject can file a complaint to the Board within 60 days from the date of application to the data controller, not 30 days from the date of the data controller’s response,
It has been deemed appropriate to announce the issues to the public with the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/9.
2. If all the conditions for processing personal data have not disappeared, this request may be rejected by the Data Controller by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the rejection response shall be notified to the person concerned in writing or electronically within thirty days at the latest. The relevant person reserves the right to complain to the institution. In this context, the relevant persons may apply to the Board within 60 (sixty days) after they learn that their requests have been rejected.

3. Applications to be made to our clinic as the Data Controller in “written” within this framework,
– By personal application of the Applicant,
– Through a notary,
– Signed by the Applicant with the “secure electronic signature” defined in the Electronic Signature Law No. 5070
– By sending to the registered e-mail address of the practice,
will be able to be forwarded to us. Our contact information to exercise this right is as follows:

Title : OP. DR. MEHMET TIBET ALTUG
Address: Mustafa Kemal Mah. 2118 Cad. B Blok 4/B No:102 Çankaya/Ankara
Mersis no : 0660045316
E-mail address : info@drtibetaltug.com
Postal Address: Mustafa Kemal Mah. 2118 Cad. B Blok 4/B No:102 Çankaya/Ankara
Tel: 0312 503 5330 – 0532 251 8816
KEP:

H. TRANSFER OF PERSONAL DATA

The manner and conditions under which personal data may be transferred to third parties within the borders of the country are regulated under Article 8 of the Law on the Protection of Personal Data. According to this article, it is possible to transfer personal data only with the explicit consent of individuals. However, it is also written in the same article of the law that personal data can be transferred without explicit consent in case of the conditions under Articles 5 and 6. It follows from the interpretation of these articles of law together;
– Obtaining the explicit consent of the person concerned,
– Explicitly stipulated in the law,
– It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
– Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract,
– It is mandatory for the data controller to fulfill its legal obligation,
– It has been made public by the person concerned,
– Data processing is mandatory for the establishment, exercise or protection of a right,
– Provided that it does not harm the fundamental rights and freedoms of the data subject, it is possible to transfer personal data if data processing is mandatory for the legitimate interests of the data controller.

In order to transfer personal data of special nature;
– If the explicit consent of the person concerned is obtained,
– In case it is explicitly stipulated in the laws in terms of special categories of personal data other than health and sexual life,
– In terms of personal data relating to health and sexual life, personal data of a special nature may be transferred to third parties by persons under the obligation of confidentiality or authorized institutions and organizations for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
Contrary to the fact that personal data can only belong to natural persons, “data controller” and “data processor” can be both natural and legal persons. Any natural or legal person who performs operations on personal data is either a data controller or a data processor, depending on the purposes and methods of data processing. In this context, the regulations set out in Article 8 of the Law must be complied with for any data transfer between the persons in these two categories.
It is possible to transfer personal data to public and private legal entities abroad within the scope of the scope of the scope of the activities and commercial interests of our Company. According to Article 9 of the Law, data transfer abroad
– Explicit consent of the person concerned,
– In the presence of the conditions specified in the Law (the conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the Law), there is adequate protection in the country where the data will be transferred (countries deemed safe by the Board),
– In the presence of the conditions specified in the Law (the conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the Law), in the absence of adequate protection in the country to which the data will be transferred (countries that are not considered safe by the Board), it can be realized in cases where adequate protection is undertaken in writing and the Board has permission.
As the data controller, in the event that the data transfer conditions detailed above exist, the data in question may be transferred to the relevant personnel of our clinic, our affiliated companies, our direct / indirect domestic subsidiaries, the organizations we receive services from, the domestic server (servers) we use, the domestic institutions from which we receive cloud services, data processors on behalf of the data controller, measurement, targeting, persons and organizations providing profiling support, audit companies, e-doctor and similar online intermediary systems (whichever ones are used here should be clearly written), consultants, private insurance companies, business and solution partners to which transfer is made for domestic indirect / direct scientific studies, transportation companies, suppliers, public legal entities.
……………………………………… of the processed data may be shared with our foreign affiliated companies, direct / indirect foreign subsidiaries, organizations from which we receive foreign services, foreign servers (servers) we use, foreign institutions and organizations from which we receive cloud services, foreign companies, foreign business and solution partners to which transfers are made for indirect / direct scientific studies, foreign servers and data centers used by communication, storage and communication programs that transfer online data.
Although the country where the data is transferred varies in terms of foreign servers and data centers used by communication, storage and communication programs that transfer online data, the management center of Google and Microsoft-based Online applications is the United States of America, and the management center of Yandex is Russia. Again, in terms of Whats App application, the center in question is the United States of America, while in terms of Telegram, it is Russia.

I. YOUR RIGHTS AS A DATA SUBJECT

Your rights as a data subject are as follows;
– To learn whether their personal data are processed or not, and if so, how and for how long they are processed or will be processed,
– Request information about processed personal data, if any,
– To learn the purpose of processing personal data and whether this data is used in accordance with the purpose,
– To know the third parties to whom their personal data have been transferred, to request the correction of errors in their personal data and to request this correction from the relevant third party if the transfer has been made,
– To request that complaints related to personal data be resolved through an appeal before the institution, if the appeal is inconclusive or the request is rejected, to file a complaint with the Personal Data Protection institution,
– To request the deletion, destruction or anonymization of personal data in the event that the reasons requiring the processing of personal data disappear, and if the transfer has been made, to request that this request be communicated to the transferred third party,
– Request to be notified of the periods for the destruction of personal data and how long the data will be kept,
– To object to any negative result related to the person as a result of the processed data,
– In the event of damage due to unlawful data processing, they have the right to claim their damages within the framework of the law.
Data controllers must finalize the requests regarding the implementation of the Law submitted to them in writing by the data subjects or by other methods to be determined by the Board free of charge as soon as possible and within thirty days at the latest, depending on their nature. However, if the transaction requires an additional cost, the data controller may request the fees in the tariff determined by the Board from the applicant.
If the data controller accepts the request or rejects it by explaining the reason, it shall notify the data subject in writing or electronically. If the request in the application is accepted, the data controller shall fulfill the requirements of this request. If the application is caused by the error of the data controller, the fee charged shall be returned to the person concerned.
In cases where the application is rejected, the response is found insufficient or the application is not responded in due time; the data subject may file a complaint to the Board within thirty days from the date of learning the response of the data controller and in any case within sixty days from the date of application.
For all your questions, complaints and opinions regarding your personal data, our data controller information is as follows;

Title : OP. DR. MEHMET TIBET ALTUG
Address: Mustafa Kemal Mah. 2118 Cad. B Blok 4/B No:102 Çankaya/Ankara
Mersis no : 0660045316
E-mail address : info@drtibetaltug.com
Postal Address: Mustafa Kemal Mah. 2118 Cad. B Blok 4/B No:102 Çankaya/Ankara
Tel: 0312 503 5330 – 0532 251 8816
KEP:

J. OTHER DISCLOSURES

When there is a change within the scope of these policies, they will be notified to those concerned on the website and approved copies of the old policies will be kept for 3 (three) years.
Muayenehane reserves the right to make changes to the Personal Data Processing and Protection Policy or this Personal Data Storage and Destruction Policy due to amendments to the Law, in accordance with the decisions of the Authority or in line with the developments in the sector or in the field of informatics.
Changes made to this Personal Data Storage and Destruction Policy are immediately incorporated into the text and explanations regarding the changes are explained at the end of the policy.
If the data in question is obtained in violation of the procedures and laws, it will be reported to the board as soon as possible in accordance with Article 12 of the KVKK. The shortest period of time (2′) is 72 hours.
2’Detay With the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10;
Paragraph (5) of Article 12 of the Law “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible…. “ shall be interpreted as 72 hours and in this context, the data controller shall notify the Board without delay and within 72 hours at the latest from the date of learning of this situation, and following the determination of the persons affected by the data breach in question by the data controller, the relevant persons shall be notified as soon as reasonably possible, directly if the contact address of the relevant person can be reached, and if not, by appropriate methods such as publishing on the data controller’s own website,