Personal Data Protection, Processing and Privacy Policy
Version: 1.1
First publication date: 01.07.2024
Last update date: –
Marinadiş Oral and Dental Clinic makes every effort to comply with all applicable legislation regarding the processing and protection of personal data.
Marinadiş Oral and Dental Clinic’s Personal Data Protection and Processing Policy (“Policy”) outlines the principles adopted by the Company in carrying out its personal data processing activities.
The policy aims to ensure the sustainability of the principle that company activities are conducted in accordance with the law and principles of honesty, and with transparency. In this context, the fundamental principles adopted regarding the company’s compliance with the regulations in the Law No. 6698 on the Protection of Personal Data (“KVKK”) are determined, and the practices implemented by the company are explained.
This policy applies to individuals whose personal data is processed by the Company, whether automatically or non-automatically as part of any data recording system.
2.1. General Principles
In line with changes and innovations in legislation, amendments to the Policy will be made accessible to data subjects in an easily understandable manner.
In the event of any conflict between the legislation in force regarding the protection and processing of personal data and this Policy, the Company acknowledges that the legislation in force shall prevail.
2.2. Groups of People Covered by the Policy
The Data Subject groups covered by this policy and whose personal data is processed by the Company are as follows:
– Individuals who have not yet established an employment contract with the company but have applied to the company with the intention of establishing one.
– Authorized persons, shareholders, and employees of organizations with which the company has a commercial relationship.
– Natural persons who visit the premises where the Company operates or the websites operated by the Company.
– Natural persons who have established an employment contract with the company.
3.1. Compliance with Data Processing Conditions
The company acts in accordance with (i) the basic principles set forth in Article 4, (ii) the conditions for processing personal data set forth in Article 5, and (iii) the conditions for processing special categories of personal data set forth in Article 6 of the KVKK (Law on Protection of Personal Data) when carrying out its personal data processing activities.
3.1.1. Compliance with Fundamental Principles
(1) Processing personal data in accordance with the law and rules of fairness
The company conducts its personal data processing activities in accordance with the law and the principle of fairness, primarily in line with the Constitution of the Republic of Turkey, the Personal Data Protection Law (KVKK), and related secondary legislation.
(2) Ensuring the accuracy and timeliness of the processed personal data.
While processing personal data, the company takes all necessary administrative and technical measures to ensure the accuracy and timeliness of personal data within the limits of its technical capabilities. In this context, the company has established mechanisms to correct and verify the accuracy of personal data in case it is outdated or inaccurate.
(3) Processing personal data in a manner that is relevant to the purpose, limited and proportionate.
Personal data is processed by the company only to the extent necessary for the fulfillment of the processing purpose related to the data processing conditions. In this context, the purpose of personal data processing is determined before the personal data processing activity begins, and data processing is not carried out on the assumption that it may be used in the future.
(4) To retain personal data for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they are processed.
The company retains personal data for a period limited to that stipulated in the relevant legislation or as required by the purpose of data processing. Accordingly, upon the expiration of the period stipulated in the legislation or when the reasons requiring the processing of personal data cease to exist, the personal data is deleted, destroyed, or anonymized by the company. Personal data is not stored by the company based on the possibility of future use.
3.1.2. Compliance with Personal Data Processing Conditions
The company conducts its personal data processing activities in accordance with the data processing conditions set forth in Article 5 of the KVKK (Law on Protection of Personal Data). Accordingly, personal data processing activities are carried out only if the following personal data processing conditions are met:
– Personal data processing by the Company shall be carried out only if the Data Subject freely and unequivocally consents to the processing of their data, having sufficient knowledge of the specific matter.
– Where there are explicit regulations in the laws regarding personal data processing activities, the Company may carry out personal data processing activities only within the limits of the relevant legal regulation.
– In cases where the Data Subject is unable to express their consent or their consent is not deemed valid, the Company shall carry out data processing activities within this scope if the processing of personal data is necessary for the protection of the life or physical integrity of the individual.
– In cases where the processing of personal data belonging to the parties to a contract is necessary for the establishment or performance of that contract, the Company shall carry out data processing activities.
– The Company, which has adopted a policy of demonstrating the necessary sensitivity to legal compliance, will only process personal data to fulfill its legal obligations in cases where such obligations arise.
– Personal data that has been made public by the data subject (disclosed in any way) is processed by the company in accordance with the purpose for which it was made public.
– Where the processing of personal data is necessary for the establishment, exercise, or protection of a right, the Company shall carry out its personal data processing activities in line with this necessity.
– If the processing of personal data is necessary for the legitimate interests of the Company, and if this does not harm the fundamental rights and freedoms of the Data Subject, then data processing activities may be carried out. In this context, the existence of a balance between the legitimate interests of the Company, in its capacity as “data controller,” and the fundamental rights and freedoms of the Data Subject will be sought.
3.1.3. Compliance with Special Conditions for Processing Personal Data
The company places particular emphasis on the processing of sensitive personal data. In this context, when processing sensitive personal data, the company first meticulously determines whether the conditions for data processing exist, and only proceeds with data processing activities after ensuring compliance with the law.
Special categories of personal data may be processed by the Company, provided that adequate measures determined by the Board are taken, in the following cases:
Personal health data may be processed by the company provided that (i) adequate measures are taken as foreseen by the Ministry of Health, (ii) general principles are complied with and (iii) confidentiality obligations are met, under one of the following conditions:
– The existence of the relevant person’s explicit written consent,
– Protecting public health,
– Preventive medicine,
– Providing medical diagnosis, treatment, and care services.
– Planning and management of health services and their financing.
The company may process special categories of personal data, excluding health and sexual life data, with the explicit consent of the Data Subject or in cases stipulated by law.
3.1.4. Compliance with Personal Data Transfer Conditions
Personal data transfers carried out by the company comply with the personal data transfer conditions stipulated in Articles 8 and 9 of the KVKK (Law on Protection of Personal Data).
In accordance with Article 8 of the KVKK (Turkish Personal Data Protection Law), the company complies with the data processing conditions (see Policy 3.1.) in its domestic data transfer activities.
(2) Transfer of Personal Data Abroad
In accordance with Article 9 of the KVKK, personal data may be transferred abroad by the Company (i) in accordance with the personal data processing conditions (See Policy 3.1.) and (ii) if the country to which the transfer will be made is one of the countries with adequate protection declared by the Board; if there is no adequate protection in the relevant foreign country, the data controllers in Turkey and the relevant foreign country must provide a written commitment of adequate protection and the Board’s permission must be obtained.
(3) Groups of Persons to Whom Personal Data is Transferred by the Company
In accordance with Articles 8 and 9 of the Turkish Personal Data Protection Law (KVKK), the company may transfer the personal data of data subjects covered by this Policy (See Policy 2.2.) to the following groups of individuals for the purposes stated below:
In accordance with Article 10 of the Turkish Personal Data Protection Law (KVKK), the company implements the necessary processes to ensure that data subjects are informed during the collection of personal data. The information provided to data subjects by the company primarily includes the following:
(1) The name of the Company,
(2) The purposes for which the personal data of data owners will be processed by the company,
(3) To whom and for what purpose the processed personal data may be transferred,
(4) Method and legal basis for collecting personal data,
(5) The Data Subject has the following rights:
– To find out whether your personal data is being processed,
– Requesting information regarding the processing of personal data,
– To learn the purpose of processing personal data and whether it is being used appropriately for that purpose,
– Knowing the third parties to whom personal data is transferred, whether domestically or internationally,
– The right to request the correction of personal data if it has been processed incompletely or incorrectly, and to request that the correction be notified to third parties to whom the personal data has been transferred.
– The right to request the deletion or destruction of personal data, even if processed in accordance with the KVKK (Personal Data Protection Law) and other relevant laws, when the reasons requiring its processing cease to exist, and to request that this action be notified to third parties to whom the personal data has been transferred.
– The right to object to a result that is detrimental to oneself, arising solely from the analysis of processed data by automated systems.
– The right to claim compensation for damages incurred as a result of the unlawful processing of personal data.
In order to ensure data security, the company may request information to determine whether the applicant is the owner of the personal data in question. The company may also ask the Data Subject questions regarding their application to ensure that the application is processed appropriately.
The Company may reject a request from the Data Subject, with a stated reason, if the request is likely to infringe upon the rights and freedoms of others, requires disproportionate effort, or involves publicly available information.
5.1. Rights of Personal Data Owners
In accordance with Article 11 of the KVKK (Turkish Personal Data Protection Law), you may apply to the Company and make requests regarding the following matters:
(1) To find out whether your personal data is being processed,
(2) Request information regarding the processing of your personal data,
(3) To learn the purpose of processing your personal data and whether it is used in accordance with its purpose,
(4) To learn which third parties your personal data is transferred to, domestically or abroad,
(5) The right to request the correction of your personal data if it is incomplete or inaccurate, and to request that the correction be notified to the third parties to whom your personal data has been transferred.
(6) You have the right to request the deletion and destruction of your personal data if the reasons requiring its processing cease to exist, even though it has been processed in accordance with the KVKK and other relevant laws, and to request that the process carried out within this scope be notified to the third parties to whom your personal data has been transferred.
(7) You have the right to object to a result against you that arises solely from the analysis of your processed data by automated systems.
(8) You have the right to claim compensation for any damages you suffer as a result of the unlawful processing of your personal data.
5.2. Cases Excluded from the Rights of Personal Data Owners According to Legislation
In accordance with Article 28 of the KVKK (Law on Protection of Personal Data), since the following situations are not within the scope of the KVKK, personal data owners will not be able to assert their rights in the matters listed below:
(1) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime.
(2) Processing of personal data for purposes such as research, planning and statistics by anonymizing it through official statistics.
(3) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that have been given duties and powers by law to ensure national defense, national security, public security, public order or economic security.
(4) Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial or execution proceedings.
According to Article 28/2 of the KVKK (Law on Protection of Personal Data), personal data owners will not be able to assert their rights, except for the right to claim compensation for damages, in the following cases:
(1) The processing of personal data is necessary for the prevention of crime or for criminal investigation.
(2) Processing of personal data made public by the Data Subject.
(3) The processing of personal data is necessary for the performance of auditing or regulatory duties, or for disciplinary investigations or prosecutions, by the competent and authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
(4) The processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.
The company takes all necessary measures, within its capabilities and according to the nature of the data to be protected, to prevent the unlawful disclosure or transfer of personal data, unlawful access to it, and other security breaches that may occur.
In this context, the Company takes all necessary (i) administrative and (ii) technical measures, (iii) establishes an audit system within the company, and (iv) acts in accordance with the measures stipulated in the Personal Data Protection Law in case of unlawful disclosure of personal data.
– The company trains and raises awareness among its employees regarding personal data protection law.
– In cases where personal data is transferred, the Company ensures that the contracts concluded with the parties to whom the personal data is transferred include clauses stating that the party to whom the personal data is transferred will fulfill its obligations to ensure data security.
– Personal data processing activities carried out by the company are examined in detail and periodically reviewed and updated as necessary. In this context, the steps that need to be taken to ensure compliance with the personal data processing conditions stipulated in the KVKK (Personal Data Protection Law) are identified.
– The company identifies the practices that need to be implemented to ensure compliance with the Personal Data Protection Law (KVKK), regulates these practices through internal policies, and periodically reviews and updates them when necessary.
– The company takes reasonable technical measures to protect personal data to the extent that technology allows, and these measures are updated and improved in line with developments.
– In technical matters, expert personnel are employed or support is sought from expert consultants when necessary.
– Regular inspections are carried out to ensure the implementation of the measures taken.
– Software and systems to ensure security are installed.
– Access to personal data processed within the company is limited to relevant employees in accordance with the defined processing purpose.
(3) Conducting Audit Activities Regarding the Protection of Personal Data by the Company
The company monitors the functioning of the technical and administrative measures taken to ensure the protection and security of personal data, and implements practices to ensure their continued operation. The results of these audits are reported to the Company’s Data Protection Committee and the relevant department. Based on the audit results, activities are carried out to improve and enhance the measures taken regarding data protection.
(4) Measures to be Taken in Case of Unlawful Disclosure of Personal Data
In cases where it is determined that personal data has been obtained unlawfully by unauthorized persons within the scope of the personal data processing activity carried out by the company, the situation will be reported to the Board and the relevant data owners without delay, within a maximum of 72 hours.
7.1. Categories of Personal Data
The company processes personal data in the groups listed below, either partially or fully automatically, or non-automatically as part of a data recording system.
PERSONAL DATA CATEGORIES | EXPLANATION |
Identity Information | Personal data containing information about a person’s identity, such as name, surname, Turkish Republic identity number, nationality, mother’s and father’s name, place of birth, date of birth, and gender; information found in documents like driver’s licenses, national identity cards, and passports; and tax identification number, social security number, signature information, vehicle license plate number, etc. |
Contact Information | Contact information includes personal data such as phone number, address, email address, and fax number. |
Physical Space Security Information | Personal data relating to records and documents collected upon entry to and during stay within a physical space; camera recordings, fingerprint records, and records taken at security checkpoints, etc. |
Transaction Security Information | Personal data processed to ensure the technical, administrative, legal, and commercial security of both the Data Subject and the Company in the course of the Company’s business activities. |
Risk Management Information | Personal data processed for the management of commercial, technical and administrative risks through methods used in accordance with generally accepted legal, commercial practices and principles of good faith in these areas. |
Financial Information | Personal data processed in relation to information, documents, and records showing all financial outcomes created within the scope of the legal relationship between the Company and the Data Subject, as well as personal data such as bank account number, IBAN number, credit card information, financial profile, asset data, and income information. |
Legal Procedures and Compliance Information | Personal data processed for the purpose of determining and monitoring the company’s legal receivables and rights, fulfilling its debts, complying with legal obligations, and adhering to company policies. |
Audit and Inspection Information | Personal data processed within the scope of the Company’s legal obligations and compliance with Company policies. |
Special Category Personal Data | Data specified in Article 6 of the KVKK (for example, health data including blood type, biometric data, religion, and information on association memberships) |
Request/Complaint Management Information | Personal data relating to the receipt and evaluation of all requests or complaints directed to the Company. |
Reputation Management Information | Personal data associated with an individual and collected for the purpose of protecting the Company’s business reputation (e.g., posts related to the Company) |
7.2. Purposes of Processing Personal Data
Personal data is processed by the Company in accordance with the data processing conditions and principles for the purposes listed below. The existence of these purposes may vary for each Data Subject.
The personal data obtained is processed by the Company within the scope of the personal data processing conditions specified in Articles 5 and 6 of the KVKK (Law on Protection of Personal Data) and for the purposes listed below:
– Planning and/or execution of in-house training activities.
– Planning and Execution of Emergency Management Processes,
– Planning and Execution of Corporate Sustainability Activities,
– Planning Human Resources Processes,
– Legal Affairs Follow-up,
– Planning and Execution of Business Activities,
– Establishment and Management of Information Technology Infrastructure,
– Planning Information Security Processes,
– Planning and execution of corporate relations and communication activities.
– Planning and execution of in-house orientation activities.
– Planning and/or execution of activities for conducting effectiveness/efficiency and/or appropriateness analyses of business activities.
– Ensuring that the data is accurate and up-to-date,
– Recruitment / Employment,
– Creating and Tracking Visitor Records,
– Monitoring Contract Processes and/or Legal Claims,
– Planning and/or execution of business continuity activities,
– Planning and Execution of Company Audit Activities,
– Planning and executing the necessary operational activities to ensure that company operations are conducted in accordance with company procedures and/or relevant legislation.
– Handling of Company and Partnership Law Transactions,
– Ensuring the Security of Company Operations,
– Management and/or supervision of relationships with affiliates,
– Managing Personnel Recruitment Processes,
– Planning and Execution of Corporate Governance Activities,
– Execution of Strategic Planning Activities,
– Planning and execution of external training activities.
7.3. Shared Party Categories
In accordance with the principles set forth in the KVKK (Turkish Personal Data Protection Law), and in particular Articles 8 and 9 of the KVKK, the company may transfer the personal data of data subjects within the scope of this Policy (See Section 2.2.) to the following groups of individuals for the purposes stated below:
– To the company’s suppliers,
– To the company’s business partners,
– To third parties who process personal data on behalf of the company,
– To authorized public institutions and organizations, and authorized private legal entities,
– To other third parties in accordance with data transfer terms.
The scope of the individuals to whom data is transferred, as mentioned above, and the possible purposes of data transfer are outlined below.
PERSONS TO WHOM DATA CAN BE TRANSFERRED | DEFINITION | PURPOSE OF DATA TRANSFER |
Business Partner | Parties with whom the Company establishes business partnerships for purposes such as conducting its commercial activities. | Limited to ensuring the fulfillment of the purposes for which the business partnership was established. |
Supplier | Parties providing services to the Company in accordance with the Company’s orders and instructions and on a contractual basis, within the scope of conducting the Company’s commercial activities. | Limited to the services that the Company procures from suppliers through outsourcing and that are necessary for the Company to carry out its commercial activities. |
Affiliates | Companies in which the company is a shareholder | Limited to ensuring the conduct of the company’s commercial activities which require the participation of its subsidiaries. |
Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to obtain information and documents from the Company in accordance with the relevant legislation. | Limited to the purpose requested by the relevant public institutions and organizations within their legal authority. |
Legally Authorized Private Persons | Private legal entities authorized to obtain information and documents from the Company in accordance with the relevant legislation. | Limited to the purpose requested within the legal authority of the relevant private legal entities. |
In the building where the company’s headquarters are located, your visual and audio data may be collected via a closed-circuit camera system for purposes such as preventing criminal behavior, ensuring the safety of the building interior, surroundings, equipment, visitors, and employees, and may only be stored for the period necessary for these purposes. The company will take all necessary technical and administrative measures to ensure the security of personal data obtained through the closed-circuit camera system. In accordance with the Labor Law and other relevant legislation, our closed-circuit camera system only monitors common areas, office entrances, and corridors.
The company records visitors’ internet activity on its owned and managed websites in order to ensure that visitors conduct their visits in a manner consistent with their purpose, to provide them with personalized content, to offer social media features, and to facilitate visits by remembering them should they revisit the website.
The company may cease using cookies on the websites it owns and manages, change their types or functions, or add new cookies.
The company will process personal data obtained through these cookies in accordance with the Personal Data Protection Law (KVKK) and the terms and conditions of this Policy.
Detailed explanations regarding the protection and processing of personal data for the websites in question can be found in the “Privacy Policy” texts of those websites.
This Policy will be reviewed by the Company’s Data Protection Committee at least once a year and updated as necessary. The Company representative is authorized and responsible for the entry into force, amendment, execution, and termination of this Policy.
Below are definitions of terms used in the Policy:
| Informed and freely given consent regarding a specific matter. | ||
| Making personal data impossible to link to an identified or identifiable natural person, even when combined with other data. | ||
| Regulation on the Processing of Personal Health Data and Ensuring Privacy, published in the Official Gazette dated October 20, 2016, and numbered 29863. | ||
| Any health information relating to an identified or identifiable natural person. | ||
| Any information relating to an identified or identifiable natural person. | ||
| The natural person whose personal data is being processed. For example; customers and employees. | ||
| Personal data processing includes any operation performed on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data, whether wholly or partly automated or non-automated, provided that it is part of a data recording system. | ||
| The Law on the Protection of Personal Data, numbered 6698 and dated March 24, 2016, was published in the Official Gazette numbered 29677 and dated April 7, 2016. | ||
| Personal Data Protection Board | ||
| Personal Data Protection Authority | ||
| Data relating to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. | ||
Company Business Partners: | Parties with whom the company forms business partnerships for various purposes while conducting its commercial activities. | ||
| Parties that provide services to the Company on a contractual basis. | ||
| The Constitution of the Republic of Türkiye, dated November 7, 1982, and numbered 2709, published in the Official Gazette dated November 9, 1982, and numbered 17863. | ||
| Turkish Penal Code No. 5237, dated September 26, 2004, published in the Official Gazette No. 25611, dated October 12, 2004. | ||
| This person determines the purposes and means of processing personal data and manages the location where the data is systematically stored. |