POLICY ON THE PROTECTION AND PROCESSING OF NON-EMPLOYEE PERSONAL DATA
PROF. SELCUK INANLI
This policy regulates the rules to be followed when Prof. Selcuk Inanlı is processing non-employee personal data in accordance with PPD No. 6698. Protection of personal data is one of the most important priorities of our Clinic. Our Clinic carries out its processing activities by paying utmost attention to the rules of lawfulness and honesty while processing personal data.
The term “non-employee” in this Policy will include, as appropriate, service areas from our Clinic and people who are related to our company within the scope of its subject.
This policy may be changed and updated in accordance with legislative changes. Updates will take place both online and in the document archive without delay.
1. PROCESSING OF NON-EMPLOYEE PERSONAL DATA
1.1 General Approach in Processing Non-Employee Personal Data
Through the information texts offered by our clinic, non-employees are informed about which personal data are processed about them, for what purposes and reasons the personal data will be processed, from which sources the personal data is collected, with whom this personal data will be shared and how it will be used.
Our clinic evaluates the personal data it processes and processes this data based on at least one of the conditions in the PPD.
These conditions are:
• Having the explicit consent of the person,
• The data processing is clearly stipulated in the relevant laws,
• Failure to obtain the explicit consent of the person due to actual impossibility,
• The data processing is directly related to the establishment or performance of a contract,
• Data processing is mandatory for our clinic to fulfill its legal obligation,
• The personal data has been made public by the data subject himself,
• Data processing is mandatory for the establishment or protection of a right,
• Processing of data based on legitimate interest.
In the presence of at least one of the conditions written above, personal data processing can be carried out. Data processing may be carried out based on one or more of the conditions.
In cases where explicit consent is required, the said explicit consent process is completed before the processing of personal data. Our clinic never takes blanket consent.
1.2 Collection of Personal Data as Necessary for the Required Period
Our clinic collects personal data from employees and non-employees based on a clear and foreseeable need. Our clinic ensures that the collected data is suitable for meeting the needs. In addition, our clinic is sensitive about processing the received data only for the period prescribed by law or specified in the express consent text. After the data processing period has expired, destruction, anonymization and deletion are carried out.
In order to ensure compliance with the above-mentioned principle, all forms and input methods in which employees enter personal data are audited.
As a result of the audit, the parts that lead to unnecessary data collection are removed from the relevant form and input method. In addition, the personal data obtained through these parts are immediately deleted, destroyed or anonymized.
1.3 Ensuring Update of Personal Data
Our clinic takes the necessary measures to keep the personal data of non-employees up-to-date. In this context, particular attention is paid to the following:
• The personal data (address, telephone, family/relative information, etc.) of non-employee persons, which may change, is determined.
• Measures are taken to ensure that personal data, which may change, can be seen easily in the electronic environment.
• Personal data that is likely to change is not shared with everyone in the electronic environment; it is ensured that it is seen only by the relevant person himself and by others with access authority.
• If it is not possible for non-employee persons to see the personal data that may change in the electronic environment, necessary measures are taken to display these personal data in the physical environment.
• It is ensured that the personal data of non-employees, which may change, are kept up to date. In this context, active follow-up is carried out by the responsible person regarding awareness activities. Apart from the method described above, our clinic takes the necessary measures to keep the personal data of individuals being processed up-to-date according to its specific conditions.
1.4 Processing of Special Quality Personal Data of Non-Employee Persons
Some of the personal data is regulated separately as "special quality personal data" within the scope of PPD and is subject to special protection.
These data, as described in the PPD, are: data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction, and biometric and genetic data.
Our clinic can process health data in the following cases, provided that adequate measures to be determined by the Personal Data Protection Board are taken in cases where the non-employee has not given express consent:
(i) Private personal data other than the health and sexual life of the non-employee person, only in cases stipulated by law,
(ii) Private personal data relating to the health and sexual life of the non-employee may be processed by persons or authorized institutions and organizations under the obligation of secrecy for the purpose of protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and financing.
2. DATA ON THE HEALTH OF NON-EMPLOYEE PERSONS
2.1 General Approach to the Processing of Health Data of Non-Employees
Health data is among the special categories of personal data. Health data of non-employee persons are stored separately from other personal data.
2.2 Identification of Persons to Process Health Data
In periodic trainings, the importance of this data for our company and the principles to be followed in processing activities are explained to the relevant employees. In this regard, measurement and evaluation tests are carried out on the employees for periods to be determined by our clinic. The data processing activities of employees who fail these tests are terminated immediately. Until the employee receives a passing grade on the next test, the relevant employee is kept away from special data processing activities.
3. PROCESSING OF DATA OF NON-EMPLOYEE PERSONS BY OUR CLINIC
OUR CLINIC provides and processes personal data in the following cases:
• Providing necessary service to people who will receive service from our Clinic
• Identifying the people who will receive service from our Clinic
• Reporting the services received by the people who will receive services from our Clinic to the necessary public institutions and receiving their payments
• And fulfilling all other legal obligations
4. LEGAL RIGHTS OF NON-EMPLOYEE PERSONS REGARDING THE PERSONAL DATA COLLECTED ABOUT THEM
Data subjects whose personal data are processed by our Clinic have all the legal rights specified in Article 11 of the PPD and included in the disclosure text of our clinic. Our clinic determines the necessary methods in order to ensure access to these rights and includes these methods in the information text.
4.1 Principles Regarding the Exercise of Legal Rights by Non-Employee Persons
Our Clinic takes all kinds of administrative, legal and technical measures to ensure that non-employees can exercise their legal rights and make the necessary applications, and that their applications are answered within 30 days at the latest; it designs the relevant processes and informs the employees on this issue. Our clinic develops methods that will ensure that the data subject is fully satisfied with regard to the application he makes.
In the answers to be given by our clinic to the employees exercising their legal rights, every necessary care is taken not to disclose the personal data of third parties.
5. SHARING THE PERSONAL DATA OF NON-EMPLOYEE PERSONS WITH THIRD PARTIES
5.1 General Rules Regarding Personal Data Sharing
Our clinic determines the internal procedures regarding the sharing of personal data of non-employees. It is ensured that data sharing requests are answered by competent employees. Necessary measures are taken to confirm the authenticity and accuracy of data sharing requests from outside the clinic (such as judicial authorities, administrative authorities, insurance claims). It is essential that data sharing requests coming from outside the clinic are made in writing.
In case the personal data of non-employee persons is sent abroad upon the incoming request, all kinds of administrative, legal and technical measures are taken regarding the transfer of personal data abroad. If the sharing of personal data of non-employees constitutes a legal obligation, personal data may be shared only in accordance with the scope of this legal obligation.
Without prejudice to the legal conditions regarding international data transfer and the transfer of sensitive personal data, personal data of employees may be transferred to third parties in the following cases:
• With the explicit consent of the data subject,
• If there is a clear regulation in the laws regarding the transfer of personal data,
• If it is necessary for the protection of the life or physical integrity of the data subject or someone else, and the data subject is unable to express his consent due to actual impossibility or his consent is not legally valid,
• If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the conclusion or performance of a contract,
• If personal data transfer is mandatory for the fulfillment of a legal obligation,
• If the personal data is made public by the data subject,
• Personal data transfer is a right to be established, exercised or
• If it is necessary for the legitimate interests of the relevant clinic, provided that it does not harm the fundamental rights and freedoms of the data subject.
The clinic cannot transfer personal data without fulfilling the conditions written here.
5.2 Information and Record Keeping on Personal Data Sharing
In case the personal data of non-employee persons is shared with third parties, it is required that the data sharing be based on one of the conditions in the PPD before the data is shared.
“If non-employee persons have not been informed before, it is ensured that they are informed about this sharing at the latest at the time of sharing. However, if providing this information is against the law or would amount to advance warning of an investigation by the competent authorities, the non-employee person is not informed about the subject.”
6. PERSONAL DATA STORAGE OF NON-EMPLOYEE PERSONS
Our clinic preserves the personal data of non-employees for the period required for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legislation to which the relevant activity is subject.
In this context, our clinic first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the data subject and with the determined destruction methods (deletion and / or destruction and / or anonymization).
7. USE OF EXTERNAL SERVICE PROVIDERS FOR THE PROCESSING OF PERSONAL DATA
Our clinic may use external service providers for the processing of non-employee personal data. However, our clinic has to take the following precautions regarding external service providers:
• Checking that the external service provider has taken the technical and administrative security measures required by the relevant legislation and sector practices,
• Checking at regular intervals that the external service provider has taken the technical and administrative security measures required by the relevant legislation and sector practices,
• Making a contract with the external service provider, including the conditions for taking the necessary technical and administrative security measures,
• Taking necessary legal, administrative and technical measures in case personal data is sent to service providers abroad.
8. SECURITY OF PERSONAL DATA
Our clinic takes all necessary administrative and technical measures to ensure the security of the data of non-employees. The measures taken are designed to prevent unauthorized access risks, accidental data loss, deliberate deletion of data or data damage.
In this context, the number of employees who will be responsible for the personal data processing activity and who will be authorized to access the personal data obtained as a result of this processing is kept as limited as possible. Our clinic removes or limits the access authorizations of employees who currently have unnecessary access to this data. Necessary physical security measures are taken to ensure that only authorized persons can access the personal data of non-employees, and persons with authorized access are also prevented from having unnecessarily wide authority.
Measures such as audit trails are taken to determine who has access to personal data of employees on information systems. Access records created in this context are checked regularly and investigation mechanisms are established for unauthorized access.
It is essential that other employees who have access to the personal data of non-employees are subject to the necessary security checks. In addition, it is ensured that these persons sign a confidentiality agreement/commitment that provides the necessary protections, or that provisions in this context are included in their employment contracts, and that these persons are continuously trained about their responsibilities.
In the event that personal data belonging to non-employees are removed from the workplace by various means such as laptop computers, necessary security measures are taken and the relevant employees are informed about these measures.
THIS POLICY IS PUBLISHED WHERE THE COMPANY DEEMS APPROPRIATE, SO THAT EMPLOYEES WHO PROCESS DATA AND DATA SUBJECTS WHOSE DATA ARE PROCESSED ARE INFORMED ABOUT THE DATA PROCESSING POLICY.