INTRODUCTION

This policy sets forth the rules to be followed when processing Prof. Dr. Selçuk İnanlı’s non-employee personal data, in accordance with KVKK No. 6698. Protecting personal data is one of our clinic’s top priorities. Our clinic carries out its processing activities with the utmost care in adhering to the principles of legality and integrity when processing personal data.


The term “non-employee” in this Policy shall include, to the extent appropriate, individuals who receive services from our clinic and those who are affiliated with our clinic within its scope of business.


Updatability

This policy may be amended and updated in accordance with regulatory changes. Any updates will be posted online and in the document archive without delay.


1. PROCESSING OF NON-EMPLOYEE PERSONAL DATA


1.1 General Approach to Processing Non-Employee Personal Data

Our clinic provides information texts to non-employees, informing them about the personal data processed about them, the purposes and reasons for which personal data will be processed, the sources from which personal data is collected, with whom this personal data will be shared and how it will be used.


Our clinic evaluates the personal data it processes and processes these data based on at least one of the conditions set out in the KVKK.

These conditions are:

  • The person has given explicit consent,
  • Data processing is clearly prescribed in the relevant laws,
  • Inability to obtain the person’s explicit consent due to actual impossibility,
  • Data processing is directly related to the establishment or performance of a contract,
  • Data processing is mandatory for our company to fulfill its legal obligations,
  • Personal data has been made public by the personal data owner himself,
  • Data processing is necessary for the establishment or protection of a right,
  • Processing of data based on legitimate interest.


Personal data processing can be carried out if at least one of the conditions listed above is met. Data processing can be carried out based on one or more of the conditions.


In cases where explicit consent is required, the process for obtaining such consent is completed before any personal data is processed. Our clinic never obtains blanket explicit consent.


1.2 Collection of Personal Data as Necessary and for the Necessary Period


Our clinic collects personal data from employees and non-employees based on a clear and foreseeable need. Our clinic ensures that the data collected is suitable for meeting these needs. Furthermore, our clinic is meticulous in ensuring that collected data is processed only for the period required by law or specified in the express consent text. Data that has expired is eliminated through destruction, anonymization, or deletion.

To ensure compliance with the aforementioned principle, all forms and input methods through which employees enter personal data are audited. This audit is completed as soon as possible for existing forms and input methods and before any new forms and input methods are created.

Following the audit, any sections that allow unnecessary data collection will be removed from the relevant form and input method. Furthermore, personal data obtained through these sections will be immediately deleted, destroyed, or anonymized.


1.3 Ensuring the Up-to-Dateness of Personal Data


Our clinic takes the necessary precautions to ensure that the personal data of non-employees is up to date.

In this context, the following points are particularly taken into consideration:


  • Personal data of non-employees that may change (address, telephone, family/relatives information, etc.) are identified.
  • Measures are taken to ensure that personal data that is likely to change can be easily viewed electronically.
  • Personal data that is subject to change is not visible to everyone in the electronic environment, but only to the person concerned and other access authorities.
  • If it is not possible for non-employees to view personal data that may change electronically, necessary measures are taken to ensure that these personal data can be displayed in physical form.


It is ensured that non-employees keep their personal data, which is subject to change, up to date. In this context, the responsible party actively monitors awareness campaigns. In addition to the methods described above, our company takes the necessary measures to keep individuals’ personal data, which is being processed, up to date, based on its specific circumstances.


1.4 Processing of Special Personal Data of Non-Employees


Some of the personal data is regulated separately as “special personal data” within the scope of KVKK and is subject to special protection.


As explained in the law, special personal data includes data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions, and biometric and genetic data.


Our clinic may process health data in the following cases, provided that adequate measures are taken, as determined by the Personal Data Protection Board, in cases where there is no explicit consent from a non-employee:

  • Special personal data, other than the health and sexual life of non-employees, only in cases stipulated by law,
  • Sensitive personal data regarding the health and sexual life of non-employees may be processed by persons under a confidentiality obligation or authorized institutions and organizations for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.


2. DATA ON THE HEALTH OF NON-EMPLOYEE PERSONS


2.1 General Approach to Processing Health Data of Non-Employees

Health data is considered sensitive personal data. Health data of non-employees is stored separately from other personal data.


2.2 Determination of Persons Who Will Process Health Data


Company employees who will process or authorize non-employee health data are informed about relevant legislation and the established privacy policy. Non-employee health data is analyzed by authorized personnel. Our clinic is diligent in clearly informing employees about the purposes for which health data is used and who accesses it and for what purpose.

During periodic training, the importance of this data to our clinic and the principles to be followed during processing activities are repeatedly explained to relevant personnel. In this regard, measurement and evaluation tests are administered to personnel at intervals determined by our clinic. Employees who fail these tests are immediately terminated from data processing. The relevant personnel are excluded from any sensitive data processing activities until they receive a passing grade on the next test.

3. PROCESSING OF NON-EMPLOYEE DATA BY PROF. DR. SELÇUK İNANLI

Prof. Dr. Selçuk İnanlı obtains and processes personal data in the following cases:

  • Providing the necessary service to those who will receive service from our clinic
  • Determining the identity of people who will receive service from our clinic
  • Reporting the services received by those who will receive services from our clinic to the necessary public institutions and receiving payments
  • Fulfilling all other legal obligations


4. LEGAL RIGHTS OF NON-EMPLOYEE INDIVIDUALS REGARDING PERSONAL DATA COLLECTED ABOUT THEM

Individuals whose personal data is processed by our company have all the legal rights set forth in Article 11 of the Personal Data Protection Law and in our clinic’s disclosure statement. Our company determines the necessary methods to ensure access to these rights and includes these methods in the disclosure statement.

4.1 Principles Regarding the Exercise of Legal Rights by Non-Employees


Our clinic takes all administrative, legal, and technical measures to ensure that non-employees can exercise their legal rights under the Personal Data Protection Law and submit the necessary applications, and that their requests are responded to within 30 days at the latest. We design relevant processes and inform our employees about these measures. Our clinic develops methods to ensure that the individual’s application is fully satisfied.

In the responses given by our clinic to employees exercising their legal rights, every care is taken to avoid disclosing personal data of third parties.


5. SHARING OF NON-EMPLOYEE PERSONAL DATA WITH THIRD PARTIES


5.1 General Rules Regarding Personal Data Sharing


Our clinic establishes internal procedures regarding the sharing of personal data of individuals other than our employees. We ensure that data sharing requests are handled by qualified personnel.
Necessary measures are taken to verify the authenticity and accuracy of data sharing requests from outside the clinic (such as judicial authorities, administrative authorities, insurance claims).

It is essential that data sharing requests from outside the clinic be made in writing.
If the personal data of non-employees is sent abroad upon request, all administrative, legal, and technical measures are taken regarding the international transfer of personal data.
If sharing the personal data of non-employees constitutes a legal obligation, personal data may only be shared in accordance with the scope of this legal obligation.
Subject to the legal requirements regarding international data transfer and the transfer of special personal data, personal data of employees may be transferred to third parties in the following cases:

  • If the data subject has given their explicit consent,
  • If there is a clear legal provision regarding the transfer of personal data,
  • If it is necessary to protect the life or physical integrity of the personal data subject or another person, and the personal data subject is unable to express their consent due to a practical impossibility or their consent is not legally valid,
  • If it is necessary to transfer personal data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is mandatory to fulfill a legal obligation,
  • If personal data has been made public by the data owner,
  • If personal data transfer is necessary to establish, exercise, or protect a right,
  • If personal data transfer is necessary for the legitimate interests of the relevant clinic, provided that it does not prejudice the fundamental rights and freedoms of the data owner.

The clinic cannot transfer personal data unless the conditions set forth herein are met.


5.2 Information and Record Keeping Regarding Personal Data Sharing


If personal data of non-employees is shared with third parties, the data sharing must be based on one of the conditions set out in the KVKK before the data is shared.

If non-employees have not been previously informed, they will be informed of the sharing at the latest at the time of sharing. However, if this information constitutes a violation of the law or serves as a prior warning of an investigation by the relevant authorities, the non-employee will not be informed of the matter.

6. STORAGE PERIOD OF PERSONAL DATA OF NON-EMPLOYEE PERSONS


Our company retains the personal data of non-employees for the period necessary for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legal legislation governing the relevant activity.

In this context, our clinic first determines whether relevant legislation specifies a retention period for personal data, and if so, it complies with this period. If no legal period exists, personal data is retained for the period necessary for the purpose for which it is processed. At the end of the designated retention periods, personal data is destroyed in accordance with periodic destruction periods or the data subject’s request, using the specified destruction methods (deletion and/or destruction and/or anonymization).

7. USE OF EXTERNAL SERVICE PROVIDERS IN PROCESSING PERSONAL DATA

Our clinic may use external service providers to process non-employee personal data. However, our clinic is obligated to take the following precautions regarding external service providers:

  • Checking that the external service provider has taken the technical and administrative security measures required by the relevant legislation and industry practices,
  • Auditing the external service provider at regular intervals to ensure that they have taken the technical and administrative security measures required by the relevant legislation and industry practices,
  • Making a contract with the external service provider, which includes the conditions for taking the necessary technical and administrative security measures,
  • Taking the necessary legal, administrative and technical measures if personal data is sent to external service providers abroad.


8. SECURITY OF PERSONAL DATA


Our clinic takes all necessary administrative and technical measures to ensure the security of non-employee data. These measures are designed to prevent the risk of unauthorized access, accidental data loss, intentional deletion, or damage to data. The number of employees responsible for processing personal data and authorized to access personal data obtained as a result of this processing is kept as limited as possible. In this context, our clinic removes or limits the access rights of employees who currently have unnecessary access to this data. Necessary physical security measures are taken to ensure that only authorized individuals have access to the personal data of non-employees. Furthermore, authorized individuals are prevented from gaining unnecessarily broad authority. Measures such as audit trails are implemented on information systems to identify who has accessed employees’ personal data. Access records are regularly reviewed, and investigation mechanisms are established to address unauthorized access. It is essential that all other employees who have access to the personal data of non-employees undergo the necessary security checks. In addition, these individuals must sign a confidentiality agreement/undertaking providing the necessary protections, or their employment contracts must include provisions of this nature, and they must receive ongoing training on their responsibilities. If personal data belonging to non-employees is removed from the workplace via various means, such as laptops, the necessary security measures must be taken, and the relevant employees must be informed of these measures.

THIS POLICY IS PUBLISHED IN PLACES DEEMED APPROPRIATE BY THE COMPANY TO PROVIDE DATA PROCESSING PERSONNEL AND NATURAL PERSONS (RELEVANT PERSONS) WHOSE DATA IS PROCESSED WITH INFORMATION ABOUT THE DATA PROCESSING POLICY.