KVKK Law
Information Form on Processing of Personal Data
NOTICE OF INFORMATION AND DISCLOSURE UNDER THE PERSONAL DATA PROTECTION LAW NUMBER 6698 ("NOTICE")
Üsküdar University Dental Hospital attaches importance to personal data privacy and confidentiality of private life. Article 20 of the Constitution states that "Everyone has the right to request the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning oneself, to access such data, to request their correction or deletion, and to learn whether they are used for their intended purposes. Personal data may only be processed in cases stipulated by law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data shall be regulated by law." Within the framework of the mandatory provision, the Personal Data Protection Law No. 6698 ("KVKK") entered into force after being published in the Official Gazette dated 07.04.2016, and regulations and board decisions, which are derivative legislation in terms of the implementation of the law, have been published. The aforementioned law regulates the obligations of real and legal persons who process personal data and the procedures and principles they must follow, in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data. In this context, we fulfill our responsibility to inform you of your rights and obligations.
Üsküdar University Hospital ("Hospital") may process your personal data as "data controller" within the scope described in this Notice. In terms of business requirements, employees also carry out their services in line with the KVKK and derivative legislation with patients receiving services, patients' relatives and other third parties and organizations (generally referred to as "Recipients"), including suppliers, with whom they deal within the framework of the health service relationship, and employees also comply with their obligations and responsibilities as personnel within the scope of the protection of personal data in their relationship with "Recipients".
In the event of a conflict between this Notice and the provisions of the legislation in force, the Hospital accepts that the provisions of the legislation will be applied in line with the title of "Data Controller".
A) DEFINITIONS UNDER KVKK
a) Explicit consent: Consent regarding a specific subject, based on information and expressed with free will.
b) Anonymization: It refers to making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
c) Relevant person: Refers to the natural person whose personal data is processed.
ç) Personal data: Any information relating to an identified or identifiable natural person.
d) Processing of personal data: It refers to all kinds of operations performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system.
e) Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
f) Data processor: Refers to the natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.
g) Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
B) BASIC PRINCIPLES OF PROCESSING PERSONAL DATA
The Hospital hereby accepts that it will process personal data in accordance with the following principles in both its internal and external procedures in accordance with Article 4 of the KVKK:
- Compliance with the law and good faith
- Accuracy and timeliness
- Processing for specific, explicit and legitimate purposes
- Processing data in connection with the purpose for which they are processed, in a limited and measured manner
- Processing limited to the period stipulated by the provisions of the legislation or required by the purpose of processing
C) TERMS OF PROCESSING PERSONAL DATA
In accordance with Article 5 of the KVKK, the processing processes of "personal data" by the Hospital are carried out in accordance with the following conditions specified in the KVKK and the relevant legislation:
- Explicit Consent of the Relevant Person
- Processing of Data Due to Legal Requirements
- It is Mandatory to Process the Data of the Person Who is Unable to Explain the Consent of the Data Subject or Whose Consent cannot be Recognized as Legally Valid Due to Physical Impossibility, in order to Protect the Life or Physical Integrity of Himself or Someone Else
- It is Mandatory to Process Personal Data of the Parties to the Contract, Provided that it is Directly Related to the Establishment and Execution of a Contract
- It is Mandatory for the Data Controller to Fulfill its Legal Obligation
- Processing of Personal Data Made Public by the Data Subject
- Processing of Data Required for the Establishment, Exercise or Protection of a Right
- Processing of Personal Data for the Legitimate Interests of the Data Controller
D) TERMS FOR PROCESSING SPECIAL NATURE PERSONAL DATA
Pursuant to Article 6 of the Law on Protection of Personal Data, data relating to ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data. It is prohibited to process sensitive personal data without the explicit consent of the data subject. It is the basic principle that hospital employees "do not process sensitive personal data" in terms of personal data, and the processing of sensitive personal data is strictly prohibited as a rule, without prejudice to the following legal exceptions and obligations. The Hospital has also adopted the basic rule and principle not to process the "sensitive personal data" of the Recipients, without prejudice to the following legal exceptions and obligations. The exceptions to the main principle are as follows:
a-Processing of Sensitive Personal Data in the Presence of Explicit Consent of the Data Subject: The provisions stipulated by the KVKK regarding the processing of sensitive personal data without explicit consent are reserved.
b-Processing of Sensitive Personal Data Despite the Lack of Explicit Consent of the Data Subject Due to the Provisions of the Legislation: In cases where it is stipulated that sensitive personal data may be processed with the provisions of the legislation, sensitive personal data other than the health and sexual life of the data subject may be processed in accordance with the provisions of the KVKK. In terms of the hospital, this requirement, including the work and transactions required by the financing and management of the health service; In legal processes such as investigations, lawsuits, execution proceedings arising from legal relations, especially contracts, the submission of special quality personal data to legal processes, provided that it is related to and limited to the merits of the relevant legal process, the inclusion of special quality personal data collected by law enforcement authorities, investigation authorities, courts ex officio or by parties or third parties in legal processes and the storage and processing of personal data for the period required for legal processes.
c-Processing of Personal Data of Special Nature Related to Health and Sexual Life for the Purposes of Preventive Medicine, Execution of Medical Diagnosis, Treatment and Care Services, Planning and Management of Health Services and Financing, Provided that they are under the Obligation of Confidentiality:
d-Precautions to be taken in the Processing of Special Categories of Personal Data: In order to process special categories of personal data, necessary technical and administrative measures are taken, especially preventing unauthorized access and cyber-attacks with encrypted access in accordance with KVKK. This issue is monitored and coordinated by the Personal Data Protection Committee. Employees are also obliged to comply with these administrative and technical measures.
E) PURPOSES FOR WHICH PERSONAL DATA WILL BE PROCESSED
The collected personal data may be processed for the purposes listed below, provided that the personal data is within the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698: Basic Law No. 3359 on Health Services, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Organizations, Regulation on Private Hospitals, Regulation on the Processing of Personal Health Data and Ensuring Privacy and other health-related regulations. In addition, the execution of public health medical diagnosis, treatment and care services, early diagnosis and preventive medicine, planning and management of health services and financing; informing you about the appointment in case you make an appointment; counter and cashier transactions; planning and managing the internal functioning of our Hospital, conducting analysis for the purpose of improving health services; engaging our employees in training activities to serve you better, monitoring and preventing abuse and unauthorized transactions; fulfilling risk management and quality improvement activities; to conduct diagnostic and therapeutic research and device supply within the limits of the legislation; to fulfill legal and regulatory requirements; to be paid for our services through invoices and legal processes; to confirm your identity; newborn baby notification; to confirm your relationship with institutions contracted with our Hospital; to share the information requested with the Ministry of Health and other public institutions and organizations and private organizations in accordance with the relevant legislation; to share the information requested with private insurance companies within the scope of financing health services; responding to all kinds of questions and complaints regarding our health services; analyzing your use of health services and storing your health data in order to develop and improve the health services we provide to you; to make calls with 
call centers more effective and efficient health services, to better fulfill the service of hospital security officers, to keep information about your health data that must be kept in accordance with the relevant legislation; financial reconciliation with the institutions we have contracted with regarding the health services provided to you; including but not limited to measuring patient satisfaction, conducting and developing medical diagnosis, treatment and care services, planning and management of health services and financing, increasing patient satisfaction, announcing our medical diagnosis, treatment and care services to you, online and live support, secondary opinion, information and dissemination activities through websites, improvement and development of human resources policies, improvement of the effectiveness of health care services. It may be processed for the purposes of obtaining support from group companies and academic institutions, especially Üsküdar University, to increase the efficiency of healthcare services, to provide auxiliary services of the hospital building, including parking and valet service, and for similar purposes, provided that they remain within legal limits.
F) TO WHOM AND FOR WHAT PURPOSE THE PROCESSED PERSONAL DATA MAY BE TRANSFERRED
Personal data collected to the extent permitted and required by the KVKK and derivative legislation and according to the circumstances of the case, but not limited to those here; In line with contractual purposes, in order to perform health services, to maintain and improve effective employee management, to fulfill the obligations arising from the contracts concluded by our hospital, except in cases where data transfer is legally prohibited, to provide referral and information supply between departments in order to carry out legally and legally necessary administrative procedures, to evaluate the performance of employees, to ensure and improve occupational safety, and also to ensure the legal and commercial security of our Hospital and persons in business relations with our Hospital; For the purposes of determining and implementing the business strategies of our Hospital; Basic Law No. 3359 on Health Services, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Organizations, Private Hospitals Regulation, Labor Law, Occupational Health and Safety Law, Social Insurance and General Health Insurance Law, Law on Regulation of Publications on the Internet and Combating Crimes Committed through These Publications, Turkish Code of Obligations, Turkish Commercial Code, Tax Procedure Law, Personal Data Protection Law No. 
6698 and institutions or organizations permitted by other legislation provisions; Public legal entities such as the Personal Data Protection Authority, the Ministry of Health and its organization, the Council of Higher Education, the Ministry of Finance, the Ministry of Customs and Trade, the Ministry of Labor and Social Security, the Information Technologies and Communication Authority; our subsidiaries and/or our direct/indirect domestic/foreign affiliates; our online service units in order for secondary opinion and live support units to provide effective health services over the internet, domestic/foreign organizations and other third parties who are jointly and severally responsible with us in taking workplace security measures such as the protection of all kinds of your personal data, preventing unauthorized access and preventing unlawful processing, program partner domestic/foreign organizations and other 3rd parties. Persons limited to the personal data processing conditions and purposes specified in Articles 8 and 9 of Law No. 6698. 
Üsküdar University Dental Hospital Social Security Institution, Ministry of Health and its organization, Family Medicine Centers, private insurance companies (health, pension and life insurance and similar), law enforcement agencies, especially the General Directorate of Security, General Directorate of Population, Turkish Pharmacists Association, courts, laboratories, centers and similar third parties with whom we cooperate for medical diagnosis, your authorized representatives, the health institution to which the patient is referred or to which the patient himself/herself applies, third parties from whom we receive consultancy, including lawyers, tax consultants and auditors, regulatory and supervisory institutions, official authorities, our suppliers, support service providers and business partners and other third parties whose services we benefit from or cooperate with are also included in this scope, and personal data may be transferred to such organizations within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the KVKK.
G) METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA
Your personal data is collected by the Hospital through different channels and based on different legal grounds; for the purposes of performing the Hospital's health services effectively and efficiently within the framework of legal requirements, fulfilling the duty of care, implementing and executing human resources policies, fulfilling the obligations arising from contracts, evaluating the performance of employees, ensuring and improving occupational safety, and carrying out our activities and operational processes. Your personal data collected for this legal reason may also be processed and transferred for the purposes specified in Articles (E) and (F) of this Notice within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of Law No. 6698.
H) TRANSFER OF PERSONAL DATA
Article 8 of the Law regulates the transfer of personal data to third parties within the country. As a main rule, personal data cannot be transferred to third parties without the explicit consent of the data subject. Our employees have also been informed with this Notice that the personal data of the Recipients cannot be transferred to third parties as a rule. Compliance with the following criteria is ensured in the processes regarding the transfer of personal data. It is the responsibility of the Hospital to act in accordance with all legislative provisions regarding the transfer of personal data and to adapt the transfer processes according to the provisions of the legislation in force or to enter into force, and these processes will be followed and coordinated by the Personal Data Protection Committee.
Explicit consent of the data subject for the transfer of personal data: Pursuant to Article 8 of the KVKK, the main rule for the transfer of personal data to third parties is the explicit consent of the data subject. In cases where the data subject has not given explicit consent for the transfer of personal data within the country, it is possible to transfer personal data to third parties under the conditions regulated by paragraph 2 of Article 5 of the KVKK regarding the data processing conditions for the processing of personal data and paragraph 3 of Article 6, provided that adequate measures are taken. Even if the person concerned has not given explicit consent, it is possible to transfer personal data, provided that the relevant conditions are met in terms of the transfer of special categories of personal data and other legislation provisions are required.
I) TRANSFER OF PERSONAL DATA ABROAD
In accordance with Article 9 of the KVKK, personal data cannot be transferred abroad without the explicit consent of the person concerned as a main rule. In case of consent, personal data may be shared with our affiliated organizations abroad in proportion to the legitimate requirements arising from educational activities, and personal data may be transferred taking into account the list of safe countries to be published by the Data Protection Board.
In cases where the data subject has not given explicit consent for the transfer of personal data abroad, the processing and transfers permitted under the KVKK and the relevant legislation may be carried out.
İ) DELETION, DESTRUCTION, ANONYMIZATION OF PERSONAL DATA
Personal data must be deleted, destroyed or anonymized by the request of the person concerned or by the Hospital itself upon the disappearance of the reasons requiring the processing of the data, even if it has been processed in accordance with the provisions of the KVKK and other legislation and this Notice. The Hospital provides the administrative and technical infrastructure suitable for fulfilling all new legislation provisions that are in force or will enter into force regarding the deletion, destruction or anonymization of data. Employees are obliged to implement all new legislative provisions that are in force or will enter into force regarding the deletion, destruction or anonymization of data.
J) RIGHTS OF PERSONAL DATA SUBJECT
As personal data owners, you may submit your requests regarding your rights by filling out the "Personal Data Information and Request Form" below and hand-delivering it to the hospital address where you have received service, sending it via notary public, sending an e-mail signed with a secure electronic signature belonging to you, or sending a "Word or PDF" extension file signed with a secure electronic signature by e-mail to kisiselveri@uskudardishastanesi.com.tr. Üsküdar University Dental Hospital will finalize the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost beyond the free-of-charge legal requirements, the fee in the tariff determined by the Personal Data Protection Board may be charged by Üsküdar University Dental Hospital. In this context, personal data owners have the right:
- To learn whether personal data is being processed,
- To request information if personal data has been processed,
- To learn the purpose of processing personal data and whether it is used in accordance with that purpose,
- To know the third parties to whom personal data is transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, despite the fact that it has been processed in accordance with the provisions of Law No. 6698 and other relevant laws, and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- To object to the occurrence of a result to the detriment of the person himself/herself through analysis of the processed data exclusively by automated systems,
- To demand compensation for the damage in case of damage due to unlawful processing of personal data.
Attachment: Personal Data Information and Request Form
Sincerely submitted for your information.
Üsküdar University Dental Hospital
Saray Mah. Site Yolu Caddesi No:13-15A -9001 Ümraniye / Istanbul / Turkey
T: +90 216 633 25 25 F: +90 0216 474 12 59