INTRODUCTION
Dr. Çiğdem Ünal Gülmeden’s clinic attaches the utmost importance to protecting fundamental rights and freedoms by prioritising the confidentiality of private life and the right to data security. Accordingly, in connection with our activities and service purposes, we act with the understanding that all kinds of personal data belonging to you, our valued patients, patient relatives, employees, and all third parties related to us, are processed and stored in compliance with the Law on the Protection of Personal Data No. 6698 (“KVKK”).
Necessary security measures, in line with the current legislation, are implemented as a clinic policy by Dr. Çiğdem Ünal Gülmeden to ensure the secure processing of Personal Data and to prevent any unauthorised access or leakage of such data in an unlawful manner.
PURPOSE
The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to inform personal data subjects about the obligations of Dr. Çiğdem Ünal Gülmeden and the procedures and principles she will adhere to in the destruction processes (erasure, destruction, anonymisation) of personal data—processed fully or partially by automated means or non-automated means provided that they form part of any data recording system—in compliance with the KVKK, the Regulation on the Erasure, Destruction or Anonymisation of Personal Data (“Regulation”), and the provisions of the relevant legislation.
SCOPE
This Policy applies to all personal data of our patients, website users, employees, employee candidates, visitors, customers, suppliers, and third parties processed by automated means or by non-automated means provided that they form part of any data recording system. Within this scope, either the entire Policy may apply to the groups of personal data subjects mentioned above, or only certain provisions of it may apply.
The Policy has been prepared on the basis of the KVKK, the Regulation, the Regulation on the Data Controllers’ Registry (published in Official Gazette No. 30286), and other relevant regulations.
DEFINITIONS
DEFINITIONS USED IN THE IMPLEMENTATION OF THIS POLICY
Explicit Consent
Consent based on information and expressed with free will for a specific subject.
Employees
Those engaged in an employment relationship with Dr. Çiğdem Ünal Gülmeden under the Labour Law, as well as students or graduates undergoing internship training.
Data Subject
The natural person whose personal data is processed.
Destruction (imha)
The collective term for erasing, destroying, or anonymising personal data so that it can no longer be retrieved.
Periodic Destruction
The act of erasing, destroying, or anonymising personal data, once the processing conditions specified in the Law no longer exist, at recurring intervals specified in the personal data storage and destruction policy.
Erasure
The act of making personal data inaccessible and unusable under any circumstances for relevant users.
Destruction (yok etme)
The act of making personal data inaccessible, irretrievable, and unusable by anyone under any circumstances.
Anonymisation
The act of rendering personal data incapable of being associated in any way, even by matching it with other data, with an identified or identifiable natural person.
Recording Medium
Any medium where personal data is processed fully or partially by automated means, or by non-automated means provided that it forms part of any data recording system.
Personal Data
Any information relating to an identified or identifiable natural person.
Special Category Personal Data
Data concerning an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Processing of Personal Data
Any operation performed on personal data such as obtaining, recording, storing, maintaining, altering, rearranging, disclosing, transferring, taking over, making data available, classifying, or preventing its use, by fully or partially automated means or by non-automated means provided that it is part of any data recording system.
Personal Data Processing Inventory
An inventory created by data controllers by associating the personal data processing activities they carry out in connection with their business processes with the purpose of processing personal data, data category, group of recipients to whom data is transferred, and group of data subjects, explaining in detail the maximum retention period necessary for the purpose of processing personal data, the personal data foreseen to be transferred abroad, and the measures taken regarding data security.
Board
The Personal Data Protection Board.
Authority
The Personal Data Protection Authority.
Policy
This Personal Data Protection, Processing, and Destruction Policy adopted by Dr. Çiğdem Ünal Gülmeden concerning the processing, storage, and destruction of personal data.
Data Processor
The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller
The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Recording System
A recording system in which personal data is structured according to specific criteria.
Data Controllers’ Registry Information System (Verbis)
The information system accessible via the internet, created and managed by the Presidency of the Authority, which data controllers use to apply to the Registry and to carry out other Registry-related transactions.
Regulation
Refers to the Regulation on the Erasure, Destruction or Anonymisation of Personal Data, published in the Official Gazette on 28 October 2017.
CLASSIFICATION OF PERSONAL DATA BY DATA SUBJECT GROUP
Below, each personal data category is matched with the data subject groups whose data fall into it (Personal Data Category: Data Subject Groups):
Identity Data: Service Recipients, Guardians/Representatives, Website and Social Media Users, Employees, Employee Candidates, and Suppliers.
Contact Information: Service Recipients, Guardians/Representatives, Website and Social Media Users, Employees, Employee Candidates, and Suppliers.
Employment Records: Employees and Employee Candidates.
Physical Space Data: Service Recipients, Employees, and Employee Candidates.
Transaction Security Data: Service Recipients, Website and Social Media Users, and Employees.
Financial Data: Service Recipients, Employees, and Suppliers.
Visual and Audio Data: Service Recipients.
Race and Ethnic Origin Data: Service Recipients.
Health Data: Service Recipients, Potential Service Recipients, and Employees.
Sex Life Data: Service Recipients.
Criminal Conviction and Security Measures: Employees and Employee Candidates.
Genetic Data: Service Recipients.
Recipient Groups to Which Your Personal Data May Be Transferred
Within the scope of this Policy, personal data may be transferred by Dr. Çiğdem Ünal Gülmeden to the following recipient groups for the purposes indicated below:
Recipient Group: Purpose of Personal Data Transfer
Suppliers: Limited to enabling our clinic to carry out its activities and providing the necessary services.
Legally Authorised Public Institutions and Organisations: Limited to the purposes for which these public institutions and organisations have legal authority to request data.
Legally Authorised Real Persons or Private Law Legal Entities
RECORDING MEDIA
Personal data are lawfully recorded and securely stored in the following environments:
Electronic Environments:
- Servers: Central server, data centre servers, backup, email, web, file sharing, etc.
- Software: Office software, etc.
- Information Security Devices: Firewall, intrusion detection and prevention, antivirus, etc.
- Electronic Devices: Network devices, computers, portable devices (USB, hard disk, memory cards, etc.), printers, scanners, photocopiers, and mobile devices (phone, tablet, etc.).
Physical Environments:
- Unit cabinets, archive
- Manual data recording systems (forms, notebooks, etc.)
- Written, printed, and visual media.
MATTERS RELATING TO THE PROTECTION OF PERSONAL DATA
Dr. Çiğdem Ünal Gülmeden takes the necessary administrative and technical measures, in accordance with Article 12 of the KVKK, to ensure an appropriate level of security in preventing the unlawful processing of personal data and preventing unlawful access to the data, taking into account the nature of the data to be protected, and carries out the necessary audits within this scope.
Administrative Measures
Below is a list of the main administrative measures taken to prevent the unlawful processing of personal data, prevent unlawful access to data, and ensure the preservation of data:
- Personal data processing activities conducted by Dr. Çiğdem Ünal Gülmeden have been identified, and a personal data inventory that is regularly updated has been prepared.
- Before starting to process personal data, the obligation to inform the relevant individuals is fulfilled.
- The responsibilities of employees regarding personal data security have been defined in their job descriptions, ensuring they are aware of these responsibilities.
- Training is provided for employees to improve their skills in protecting personal data, processing data lawfully, preventing the unlawful processing of personal data and unlawful access to such data, communication techniques, technical knowledge and skills, and information security, as well as about Law No. 657 and other relevant legislation.
- Employees sign confidentiality undertakings within the scope of personal data protection legislation and data security, covering the activities carried out.
- In the event that personal data is obtained by others through unlawful means, the relevant parties and the Board will be notified as soon as possible.
TECHNICAL MEASURES
Measures are taken, and updated as technology permits, to prevent the unlawful processing of personal data, prevent unlawful access to such data, and ensure their security. The main technical measures are listed below:
- Risks related to preventing the unlawful processing of personal data are identified, and appropriate technical measures are taken to address these risks. Controls are carried out regarding the measures taken.
- Access procedures are established, and reporting and analysis are conducted concerning access to personal data.
- Access to personal data stored in electronic or non-electronic environments is restricted so that only authorised persons can access the data, limited to the purpose for which the data is stored. Improper accesses or access attempts are kept under control.
- Access and authorisation of users to information systems are carried out via an access and authorisation matrix and security policies.
- Up-to-date anti-virus systems are used.
- Firewalls are in use.
- Log records are kept in a tamper-resistant manner so that users cannot alter or delete them.
- Data masking measures are applied when necessary.
- Necessary precautions are taken for the physical security of IT system equipment, software, and data.
- Security tests and research are conducted to detect security vulnerabilities in information systems, and any identified issues that pose an existing or potential risk are resolved.
- The clinic’s website is served over HTTPS (TLS), using a certificate with an RSA key and a SHA-256 signature.
- Strong passwords are used in the electronic environments where personal data is processed.
- Measures are taken to ensure that deleted personal data cannot be accessed or reused by relevant users.
- Security vulnerabilities are tracked, appropriate security patches are applied, and information systems are kept up to date.
- In order to ensure IT system security against environmental threats, both hardware-based (access control system allowing only authorised personnel to enter the system room, fire extinguishing system, climate control system, etc.) and software-based (network access control, systems to block malicious software, etc.) measures are taken.
Some personal data require special attention under legislation because their unlawful processing risks causing grievances and discrimination. Pursuant to the Board’s decision numbered 2018/10 dated 31.01.2018 on “Adequate Measures to be Taken by Data Controllers for the Processing of Special Category Personal Data,” Dr. Çiğdem Ünal Gülmeden has established a separate policy setting out clearly defined, manageable, and sustainable rules for the security of special category personal data within the clinic, applied with the utmost care:
- In processes involving the processing of special category personal data, employees have received training on the security of special category personal data, confidentiality agreements have been executed, and the scope and duration of authorisations for users who have access to this data have been clearly defined.
- Security updates regarding the environments where the data is stored are monitored, necessary security tests are conducted, and test results are recorded.
- Adequate security measures (against electrical leaks, fire, flooding, theft, etc.) are taken for the physical environments where special category personal data is processed, stored, or accessed, and physical security is ensured to prevent unauthorised entry and exit.
- If special category personal data needs to be transferred via email, it is transferred in encrypted form using the corporate email address or a KEP (Registered Electronic Mail) account. If transfer is required between servers located in different physical environments, it is carried out online over an encrypted file transfer channel (SFTP or FTPS rather than plain FTP, which sends credentials and data in cleartext) or via the Plesk control panel. If it needs to be transferred in paper form, necessary measures are taken against risks such as theft, loss, or viewing by unauthorised persons.
MEASURES TO BE TAKEN IN THE EVENT OF UNAUTHORISED DISCLOSURE OF PERSONAL DATA
In the event that personal data, processed in compliance with Article 12 of the KVKK, are obtained by others through unlawful means, it will be ensured that this situation is reported to the relevant personal data subject and the Personal Data Protection Board (KVK Board) as soon as possible. Within this scope, from the date this situation is learned by Dr. Çiğdem Ünal Gülmeden, a notification will be made to the Board without delay and within 72 hours at the latest; following the identification of the individuals affected by the data breach, the relevant individuals will also be notified in the shortest reasonable time possible, either directly through the communication address if reachable, or, if not reachable, through appropriate methods such as publication on the data controller’s own website.
MATTERS CONCERNING THE STORAGE AND DESTRUCTION OF PERSONAL DATA
Storage and Destruction of Personal Data
Personal data obtained by Dr. Çiğdem Ünal Gülmeden are securely recorded, stored, and destroyed in compliance with the relevant legislation, primarily the provisions of the KVKK, depending on factors such as the nature of the data, the purposes of processing, and frequency of use.
Periods for Storing and Destroying Personal Data
Dr. Çiğdem Ünal Gülmeden retains the personal data she processes within the scope of her activities for the period specified in the relevant legislation, or if not specified, for as long as is necessary for the purposes for which they are processed in connection with the services provided. In this context, if the period for storing personal data is specified in the relevant legislation, it is complied with; if not specified, the duration required by the purpose of processing the data, depending on the services provided, is taken into account. When the period ends, upon the data subject’s request, or when the purpose for processing no longer exists, personal data are erased, destroyed, or anonymised by Dr. Çiğdem Ünal Gülmeden. Detailed information on the retention periods of the personal data processed is provided in Annex 2 of this Policy.