EFC SAĞLIK HİZMETLERİ TİC. A. Ş.
PERSONAL DATA PROTECTION AND PROCESSING POLICY
The protection of personal data is among the top priorities of EFC HEALTH SERVICES TRADE INC. (“Company”). The most important part of this matter is the protection and processing of personal data of our employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, which are governed by this Policy.
According to the Constitution of the Republic of Türkiye, everyone has the right to request the protection of their personal data. Regarding the protection of personal data, which is a right guaranteed by the Constitution, the Company shows due care for the protection of personal data of employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions it cooperates with, and third parties, governed by this Policy, and adopts this as a Company policy.
Within this scope, the Company takes the necessary administrative and technical measures to protect personal data processed in accordance with the applicable legislation.
The fundamental principles adopted by the Company in the processing of personal data in this Policy are as follows:
- Processing personal data in compliance with the law and principles of honesty,
- Keeping personal data accurate and up to date when necessary,
- Processing personal data for specific, explicit and legitimate purposes,
- Processing personal data in a manner relevant, limited and proportionate to the purposes for which they are processed,
- Retaining personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed,
- Informing and enlightening personal data subjects,
- Establishing the necessary system for personal data subjects to exercise their rights,
- Taking necessary measures for the safekeeping of personal data,
- Acting in compliance with the relevant legislation and the regulations of the Personal Data Protection Board in the transfer of personal data to third parties in line with the requirements of the processing purpose,
- Showing the necessary sensitivity in the processing and protection of special categories of personal data.
ARTICLE 1: PURPOSE OF THE POLICY
The main purpose of the Policy is to ensure transparency and trust by informing individuals whose personal data are processed by our Company, primarily our customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, regarding the personal data processing activities carried out lawfully by the Company.
ARTICLE 2: SCOPE AND DEFINITIONS
This Policy relates to all personal data of our employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, processed automatically or by non-automatic means provided that they form part of a data recording system.
The scope of application of this Policy to the personal data subject groups listed above may cover the entire Policy or only a part of it.
The definitions of the concepts included in this Policy text are as follows:
Recipient group : The category of natural or legal persons to whom personal data are transferred by the data controller.
Explicit consent : Consent regarding a specific matter, based on information and expressed with free will
Anonymization : Rendering personal data in such a way that they cannot be associated with an identified or identifiable natural person under any circumstances, even by matching them with other data
Employee : Company personnel
Electronic environment : Environments where personal data can be created, read, changed and written by electronic devices
Non-electronic environment : All written, printed, visual and other environments other than electronic environments
Service provider : A natural or legal person providing services to the institution within the framework of a specific contract
Data subject : The natural person whose personal data are processed
Relevant user : Persons who process personal data within the organization of the data controller or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data
Destruction : Deletion, destruction or anonymization of personal data
Law : Personal Data Protection Law No. 6698
Recording medium : Any environment containing personal data that are processed fully or partially automatically, or by non-automatic means provided that they form part of any data recording system
Personal data : Any information relating to an identified or identifiable natural person
Personal data processing inventory : The inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes, by associating them with the purposes and legal grounds of processing, data category, transferred recipient group and data subject group, and by explaining the maximum retention period required for the purposes for which personal data are processed, the personal data foreseen to be transferred abroad and the measures taken regarding data security
Processing of personal data : Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, fully or partially automatically or by non-automatic means provided that they form part of any data recording system
Board : Personal Data Protection Board
Special categories of personal data : Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data
Periodic destruction : The deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy in the event that all conditions for processing personal data set forth in the Law cease to exist
Policy : Personal Data Retention and Destruction Policy
Company : EFC HEALTH SERVICES TRADE INC.
Data processor : A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller
Data recording system : The recording system in which personal data are processed by structuring them according to certain criteria
Data controller : The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system
Data controllers registry information system : The information system created and managed by the Presidency, accessible via the internet, to be used by data controllers in applications to the Registry and in other related transactions
VERBIS : Data Controllers Registry Information System
Regulation : Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017
ARTICLE 3: IMPLEMENTATION OF THE POLICY AND THE RELEVANT LEGISLATION
The relevant legal regulations in force regarding the processing and protection of personal data shall primarily apply. In the event of any inconsistency between the legislation in force and the Policy, our Company accepts that the legislation in force shall prevail.
The Policy has been created by concretizing and regulating the rules set forth by the relevant legislation within the scope of Company practices.
ARTICLE 4: ENTRY INTO FORCE OF THE POLICY
This Policy issued by our Company enters into force on the day it is published on our website. In the event of any amendments or updates to the Policy, the effective date will be updated.
The Policy is published on our Company’s website and is made accessible to the relevant persons upon the request of personal data subjects.
ARTICLE 5: MATTERS RELATING TO THE PROTECTION OF PERSONAL DATA
Pursuant to Article 12 of Personal Data Protection Law No. 6698 (“PDPL”), our Company takes all necessary administrative, technical and legal measures to ensure appropriate security in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and carries out all necessary audits within this scope.
ARTICLE 6: ENSURING THE SECURITY OF PERSONAL DATA
6.1 Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data
Our Company takes technical and administrative measures, according to technological possibilities and implementation costs, to ensure the lawful processing of personal data.
- Technical Measures Taken to Ensure Lawful Processing of Personal Data
The main technical measures taken by our Company to ensure lawful processing of personal data are listed below:
- Personal data processing activities carried out within our Company are audited through established technical systems.
- The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
- Personnel knowledgeable in technical matters are employed.
- Administrative Measures Taken to Ensure Lawful Processing of Personal Data
The main administrative measures taken by our Company to ensure lawful processing of personal data are listed below:
- Employees are informed and trained on personal data protection law and the lawful processing of personal data.
- All activities carried out by our Company are analyzed in detail on the basis of all business units, and as a result of this analysis, personal data processing activities specific to the commercial activities carried out by the relevant business units are identified.
- The requirements to be fulfilled in order to ensure that the personal data processing activities carried out by our Company’s business units comply with the personal data processing conditions stipulated in Law No. 6698 are determined specifically for each business unit and each detailed activity they carry out.
- In order to ensure compliance with the determined legal requirements, awareness is created within the relevant business units and implementation rules are determined; necessary administrative measures are implemented through internal Company policies and trainings to ensure the supervision of these matters and the continuity of implementation.
- Provisions are included in the contracts and documents governing the legal relationship between our Company and employees, imposing an obligation not to process, disclose or use personal data except on the Company’s instructions and within the exceptions introduced by law; employees’ awareness is raised in this regard and audits are conducted.
6.2 Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
Our Company takes technical and administrative measures, according to the nature of the data to be protected, technological possibilities and implementation costs, to prevent the negligent or unauthorized disclosure, access or transfer of personal data, and any other form of unlawful access to them.
- Technical Measures Taken to Prevent Unlawful Access to Personal Data
The main technical measures taken by our Company to prevent unlawful access to personal data are listed below:
- Technical measures in line with developments in technology are taken, and the measures taken are periodically updated and renewed.
- Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on a business unit basis.
- The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism; matters posing risks are re-evaluated and the necessary technological solutions are produced.
- Software and hardware including virus protection systems and firewalls are installed.
- Personnel knowledgeable in technical matters are employed.
- Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The main administrative measures taken by our Company to prevent unlawful access to personal data are listed below:
- Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
- Processes for access to and authorization of personal data within the Company are designed and implemented in accordance with legal compliance requirements on a business unit basis.
- Employees are informed that they cannot disclose personal data they have learned to others in violation of the PDPL and cannot use them for purposes other than processing purposes, and that this obligation will continue even after they leave their employment; necessary undertakings are obtained from them accordingly.
- Provisions are added to the contracts concluded with persons to whom personal data are lawfully transferred by our Company, stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure compliance with these measures within their own organizations.
6.3 Storage of Personal Data in Secure Environments
Our Company takes the necessary technical and administrative measures, according to technological possibilities and implementation costs, to store personal data in secure environments and to prevent their unlawful destruction, loss or alteration.
- Technical Measures Taken for the Storage of Personal Data in Secure Environments
The main technical measures taken by our Company for the storage of personal data in secure environments are listed below:
- Systems appropriate to technological developments are used to store personal data in secure environments.
- Expert personnel in technical matters are employed.
- Technical security systems are established for storage areas; the technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and matters posing risks are re-evaluated and necessary technological solutions are produced.
- Lawful backup programs are used to ensure that personal data are stored securely.
- Administrative Measures Taken for the Storage of Personal Data in Secure Environments
The main administrative measures taken by our Company for the storage of personal data in secure environments are listed below:
- Employees are trained on ensuring that personal data are stored securely.
- In cases where our Company receives external services due to technical requirements regarding the storage of personal data, provisions are included in the contracts concluded with the relevant companies to whom personal data are lawfully transferred, stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure compliance with these measures within their own organizations.
6.4 Audit of the Measures Taken for the Protection of Personal Data
In accordance with Article 12 of the PDPL, our Company conducts the necessary audits within its own structure or has them conducted. The results of these audits are reported to the relevant unit within the scope of the Company’s internal operations, and the necessary activities are carried out to improve the measures taken.
6.5 Measures to Be Taken in the Event of Unauthorized Disclosure of Personal Data
In the event that personal data processed in accordance with Article 12 of the PDPL are obtained by others through unlawful means, our Company shall ensure that the relevant personal data subject and the Personal Data Protection Board are notified of this situation as soon as possible.
If deemed necessary by the Personal Data Protection Board, this situation may be announced on the Board’s website or by another method.
ARTICLE 7: PROTECTION OF THE RIGHTS OF THE DATA SUBJECT; CREATION OF CHANNELS THROUGH WHICH THESE RIGHTS CAN BE COMMUNICATED TO OUR COMPANY AND EVALUATION OF DATA SUBJECTS’ REQUESTS
Our Company establishes the necessary channels, internal procedures, and administrative and technical arrangements in accordance with Article 13 of the PDPL in order to evaluate the rights of personal data subjects and to provide the necessary information to personal data subjects.
If personal data subjects submit their requests regarding their rights listed below to our Company in writing, our Company shall finalize the request free of charge as soon as possible and at the latest within thirty days depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board shall be charged by our Company. Personal data subjects have the right to:
- Learn whether personal data are processed,
- Request information if their personal data have been processed,
- Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- Know the third parties to whom personal data are transferred domestically or abroad,
- Request correction of personal data if they are processed incompletely or inaccurately and request notification of the transaction made within this scope to third parties to whom personal data are transferred,
- Request deletion or destruction of personal data in the event that the reasons requiring processing cease to exist, although they have been processed in accordance with the PDPL and other relevant laws, and request notification of the transaction made within this scope to third parties to whom personal data are transferred,
- Object to a result that is to the person’s own detriment and arises from the analysis of the processed data exclusively through automated systems,
- Request compensation for damages in case of damage due to unlawful processing of personal data.
More detailed information regarding the rights of data subjects is included in this Policy.
ARTICLE 8: PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA
The PDPL attributes special importance to certain personal data due to the risk of causing victimization or discrimination if they are processed unlawfully.
These data are data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Our Company acts with sensitivity in the protection of special categories of personal data, defined as “special categories” under the PDPL and processed lawfully. Within this scope, the technical and administrative measures taken by our Company for the protection of personal data are meticulously implemented in respect of special categories of personal data, and the necessary audits are carried out within the Company.
Detailed information regarding the processing of special categories of personal data is included in this Policy.
ARTICLE 9: INCREASING AWARENESS OF BUSINESS UNITS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA AND THEIR SUPERVISION
Our Company ensures that necessary trainings are organized for business units in order to increase awareness aimed at preventing unlawful processing of personal data, preventing unlawful access to data and ensuring the preservation of data.
Necessary systems are established to ensure that current employees of the Company’s business units and newly joined employees develop awareness regarding the protection of personal data, and professionals are engaged if needed.
ARTICLE 10: INCREASING AWARENESS OF BUSINESS PARTNERS AND SUPPLIERS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA AND THEIR SUPERVISION
Our Company ensures that trainings and seminars are organized for business partners in order to increase awareness aimed at preventing unlawful processing of personal data, preventing unlawful access to data and ensuring the preservation of data.
Trainings conducted for the Company’s business partners are repeated periodically; necessary systems are established to ensure that current employees of business partners and newly joined employees develop awareness regarding the protection of personal data, and professionals are engaged if needed.
The results of trainings conducted to increase awareness of the Company’s business partners regarding the protection and processing of personal data are reported to the holding. In this direction, our Company evaluates participation in relevant trainings, seminars and information sessions and conducts the necessary audits or has them conducted. Our Company updates and renews its trainings in parallel with updates to the relevant legislation.
ARTICLE 11: MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA
In accordance with Article 20 of the Constitution and Article 4 of the PDPL, our Company processes personal data in compliance with the law and principles of honesty; accurately and, where necessary, up to date; for specific, explicit and legitimate purposes; in a manner relevant, limited and proportionate to the purpose. Our Company retains personal data for the period stipulated by law or required by the purpose of processing.
Pursuant to Article 20 of the Constitution and Article 5 of the PDPL, our Company processes personal data based on one or more of the conditions set forth in Article 5 of the PDPL regarding the processing of personal data.
In accordance with Article 20 of the Constitution and Article 10 of the PDPL, our Company informs personal data subjects and provides the necessary information if requested by personal data subjects.
Our Company acts in compliance with the regulations stipulated in Article 6 of the PDPL regarding the processing of special categories of personal data.
In accordance with Articles 8 and 9 of the PDPL, our Company acts in compliance with the regulations set forth in the Law and by the Personal Data Protection Board regarding the transfer of personal data.
ARTICLE 12: PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES SET FORTH IN THE LEGISLATION
12.1 Processing in Compliance with the Law and the Principle of Honesty
Our Company acts in compliance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. Within this scope, our Company takes into consideration the requirements of proportionality in the processing of personal data and does not use personal data beyond what is required by the purpose.
12.2 Ensuring That Personal Data Are Accurate and Up to Date Where Necessary
Our Company ensures that personal data it processes are accurate and up to date, taking into account the fundamental rights of personal data subjects and its own legitimate interests. Necessary measures are taken in this direction.
12.3 Processing for Specific, Explicit and Legitimate Purposes
Our Company clearly and precisely determines the legitimate and lawful purpose of processing personal data. Our Company processes personal data to the extent necessary in connection with the services it provides.
12.4 Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed
Our Company processes personal data in a manner suitable for achieving the specified purposes and avoids processing personal data that are unrelated to or not necessary for achieving the purpose. For example, personal data processing activities aimed at meeting potential needs that may arise later are not carried out.
12.5 Retaining Personal Data for the Period Stipulated in the Relevant Legislation or Required for the Purpose for Which They Are Processed
Our Company retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. Within this scope, our Company first determines whether a period is stipulated in the relevant legislation for the retention of personal data; if a period has been determined, it acts in accordance with this period; if no period has been determined, it retains personal data for the period required for the purpose for which they are processed. Upon expiration of the period or in the event that the reasons requiring processing cease to exist, personal data are deleted, destroyed or anonymized by our Company. Our Company does not retain personal data on the basis of possible future use. Detailed information on this matter is included in this Policy.
ARTICLE 13: PROCESSING OF PERSONAL DATA BASED ON ONE OR MORE OF THE CONDITIONS FOR PROCESSING PERSONAL DATA SPECIFIED IN ARTICLE 5 OF THE PDPL AND LIMITED TO THESE CONDITIONS
The protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted only by law and only for the reasons specified in the relevant articles of the Constitution, without infringing upon their essence. Pursuant to paragraph three of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the person. In this direction and in compliance with the Constitution, our Company processes personal data only in cases stipulated by law or with the explicit consent of the person. Detailed information on this matter is included in this Policy.
ARTICLE 14: INFORMING AND PROVIDING INFORMATION TO THE PERSONAL DATA SUBJECT
In accordance with Article 10 of the PDPL, our Company informs personal data subjects during the acquisition of personal data. Within this scope, it provides information regarding the identity of the holding and its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data, and the rights of the personal data subject. Detailed information on this matter is included in this Policy.
Article 20 of the Constitution states that everyone has the right to be informed about personal data concerning them. In this direction, “requesting information” is also included among the rights of the personal data subject in Article 11 of the PDPL. Within this scope, our Company provides the necessary information if the personal data subject requests information, in accordance with Article 20 of the Constitution and Article 11 of the PDPL. Detailed information on this matter is included in this Policy.
ARTICLE 15: PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
In the processing of personal data defined as “special categories” under the PDPL, our Company acts in compliance with the regulations stipulated in the PDPL with due sensitivity.
Article 6 of the PDPL defines certain personal data as “special categories” due to the risk of causing victimization or discrimination if processed unlawfully. These data are data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
In accordance with the PDPL, special categories of personal data are processed by our Company, provided that adequate measures determined by the Personal Data Protection Board are taken, in the following cases:
- If the personal data subject has given explicit consent, or
- If the personal data subject has not given explicit consent:
  - Special categories of personal data other than those relating to the health and sexual life of the personal data subject may be processed in cases stipulated by law,
  - Special categories of personal data relating to the health and sexual life of the personal data subject may only be processed by persons under the obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing.
ARTICLE 16: TRANSFER OF PERSONAL DATA
In line with lawful personal data processing purposes and by taking the necessary security measures, our Company may transfer the personal data and special categories of personal data of the personal data subject to third parties (third-party companies, business partners, third-party natural persons). In this direction, our Company acts in compliance with the regulations stipulated in Article 8 of the PDPL. Detailed information on this matter is included in this Policy.
16.1 Transfer of Personal Data
In line with legitimate and lawful personal data processing purposes, our Company may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law listed below:
- If the personal data subject has given explicit consent;
- If there is an explicit provision in the laws regarding the transfer of personal data,
- If it is mandatory for the protection of the life or physical integrity of the personal data subject or another person, and the personal data subject is unable to express consent due to actual impossibility or the consent cannot be legally recognized;
- If it is necessary to transfer personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of a contract,
- If the transfer of personal data is mandatory for our Company to fulfill its legal obligation,
- If the personal data have been made public by the personal data subject,
- If the transfer of personal data is mandatory for the establishment, exercise or protection of a right,
- If the transfer of personal data is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject.
16.2 Transfer of Special Categories of Personal Data
By showing due care, taking the necessary security measures and implementing the adequate measures stipulated by the Personal Data Protection Board, our Company may transfer special categories of personal data of the personal data subject to third parties in line with legitimate and lawful personal data processing purposes in the following cases:
- If the personal data subject has given explicit consent, or
- If the personal data subject has not given explicit consent:
  - Special categories of personal data other than those relating to the health and sexual life of the personal data subject (data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, as well as biometric and genetic data) may be transferred in cases stipulated by law,
  - Special categories of personal data relating to the health and sexual life of the personal data subject may only be transferred by persons under the obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing.
ARTICLE 17: TRANSFER OF PERSONAL DATA ABROAD
In line with lawful personal data processing purposes and by taking the necessary security measures, our Company may transfer personal data and special categories of personal data of the personal data subject to third parties. Personal data may be transferred by our Company to foreign countries declared by the Personal Data Protection Board to have adequate protection (“Foreign Country with Adequate Protection”) or, in the absence of adequate protection, to foreign countries where data controllers in Türkiye and in the relevant foreign country undertake in writing to provide adequate protection and where the permission of the Personal Data Protection Board is available (“Foreign Country Where the Data Controller Undertakes Adequate Protection”). In this direction, our Company acts in compliance with the regulations stipulated in Article 9 of the PDPL. Detailed information on this matter is included in this Policy.
17.1 Transfer of Personal Data Abroad
In line with legitimate and lawful personal data processing purposes, if the personal data subject has given explicit consent, or if the personal data subject has not given explicit consent, personal data may be transferred to Foreign Countries with Adequate Protection or to Foreign Countries Where the Data Controller Undertakes Adequate Protection in the presence of one of the following conditions:
- If there is an explicit provision in the laws regarding the transfer of personal data,
- If it is mandatory for the protection of the life or physical integrity of the personal data subject or another person and the personal data subject is unable to disclose consent due to actual impossibility or if consent cannot be legally recognized;
- If it is necessary to transfer personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of a contract,
- If the transfer of personal data is mandatory for our Company to fulfill its legal obligation,
- If the personal data have been made public by the personal data subject,
- If the transfer of personal data is mandatory for the establishment, exercise or protection of a right,
- If the transfer of personal data is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject.
17.2 Transfer of Special Categories of Personal Data Abroad
By showing due care, taking the necessary security measures and implementing the adequate measures stipulated by the Personal Data Protection Board, our Company may transfer special categories of personal data of the personal data subject to Foreign Countries with Adequate Protection or to Foreign Countries Where the Data Controller Undertakes Adequate Protection in the following cases in line with legitimate and lawful personal data processing purposes:
- If the personal data subject has given explicit consent, or
- If the personal data subject has not given explicit consent;
- Special categories of personal data other than those relating to the health and sexual life of the personal data subject (data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, as well as biometric and genetic data) may be transferred in cases stipulated by law,
- Special categories of personal data relating to the health and sexual life of the personal data subject may only be transferred within the scope of processing by persons under the obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing.
ARTICLE 18: CATEGORIZATION, PROCESSING PURPOSES AND RETENTION PERIODS OF PERSONAL DATA PROCESSED BY OUR COMPANY
Within the scope of the obligation to inform pursuant to Article 10 of the PDPL, our Company informs the personal data subject regarding which groups of personal data subjects’ personal data are processed, the purposes for processing personal data and the retention periods.
ARTICLE 19: CATEGORIZATION OF PERSONAL DATA
Within our Company, in accordance with Article 10 of the PDPL, by informing the relevant persons and in line with legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the PDPL, in compliance with the general principles set forth in the PDPL, primarily the principles specified in Article 4 regarding the processing of personal data, and all obligations regulated in the PDPL, personal data within the scope of this Policy are processed in the categories listed below. It is also specified in this Policy which data subjects the personal data processed in these categories are related to.
IDENTITY INFORMATION; All information contained in documents such as driver’s license, identity card, residence certificate, passport, attorney identity card, marriage certificate, which are clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
CONTACT INFORMATION; Information such as phone number, address and e-mail, which are clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
CUSTOMER INFORMATION; Information obtained and generated about the relevant person as a result of our commercial activities and the operations carried out by our business units within this framework, which are clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
PHYSICAL SPACE SECURITY INFORMATION; Personal data relating to records and documents obtained at the entrance to and during stay within physical premises, clearly related to an identified or identifiable natural person and included in a data recording system.
TRANSACTION SECURITY INFORMATION; Personal data clearly related to an identified or identifiable natural person and included in a data recording system, processed in order to ensure our technical, administrative, legal and commercial security while conducting our commercial activities.
RISK MANAGEMENT INFORMATION; Data clearly related to an identified or identifiable natural person and included in a data recording system, that can be used and processed in accordance with generally accepted legal and commercial practices and the rule of honesty in order to manage our commercial, technical and administrative risks.
FINANCIAL INFORMATION; Personal data relating to information, documents and records that show all kinds of financial results created according to the type of legal relationship established between our Company and the personal data subject, clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
PERSONNEL INFORMATION; All kinds of personal data processed for the purpose of obtaining information that will form the basis for the formation of the personal rights of our employees or natural persons in an employment relationship with our Company, clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
JOB APPLICANT INFORMATION; Personal data relating to individuals who have applied to become employees of our Company by any means or who have made their résumé and related information available to our Company, or who have been evaluated as job applicants in line with our human resources needs in accordance with commercial practices and the rule of honesty, clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
EMPLOYEE TRANSACTION INFORMATION; Personal data relating to all kinds of transactions carried out by our employees or natural persons in an employment relationship with our Company in relation to work, clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
EMPLOYEE PERFORMANCE AND CAREER DEVELOPMENT INFORMATION; Data processed for the purpose of measuring the performance of our employees or natural persons in an employment relationship with our Company and planning and conducting their career development within the scope of our Company’s human resources policy, clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
FRINGE BENEFITS AND ADVANTAGES INFORMATION; Personal data processed for the purpose of planning the fringe benefits and advantages we provide or will provide to employees or other natural persons in an employment relationship with our Company, determining objective criteria related to entitlement to such benefits and tracking entitlements, clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
LEGAL TRANSACTION AND COMPLIANCE INFORMATION; Personal data processed for the purpose of determining, monitoring and fulfilling our legal receivables and rights and our obligations, and ensuring compliance with our legal obligations and Company policies, clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
AUDIT AND INSPECTION INFORMATION; Personal data processed within the scope of our Company’s legal obligations and compliance with Company policies, clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
SPECIAL CATEGORIES OF PERSONAL DATA; Data specified in Article 6 of Law No. 6698, clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
REQUEST/COMPLAINT MANAGEMENT INFORMATION; Personal data relating to the receipt and evaluation of all kinds of requests or complaints directed to our Company, clearly related to an identified or identifiable natural person and processed partially or fully automatically or by non-automatic means as part of a data recording system.
ARTICLE 20: PURPOSES OF PROCESSING PERSONAL DATA
The primary purposes for processing personal data according to the categorization prepared by our Company are shared below:
- Carrying out the necessary work by our relevant business units for the execution of commercial activities conducted by our Company and managing the related business processes,
- Planning and execution of our Company’s commercial and/or business strategies,
- Carrying out the necessary work by our business units to enable relevant persons to benefit from the products and services offered by our Company and managing the related processes,
- Planning and execution of our Company’s human resources policies and processes,
- Ensuring the legal, technical and commercial security of relevant persons who have a business relationship with our Company.
The data processing purposes within the scope of the primary purposes listed above are as follows:
- Event Management
- Planning and Execution of Research and Development Activities
- Planning and Execution of Business Activities
- Planning and Execution of Corporate Communication Activities
- Planning and Execution of Information Security Processes
- Establishment and Management of Information Technologies Infrastructure
- Planning and Execution of Access Authorizations to Information and Facilities of Business Partners and/or Suppliers
- Planning and Execution of Fringe Benefits for Supplier and/or Business Partner Employees
- Follow-up of Finance and/or Accounting Affairs
- Planning and Execution of Logistics Activities
- Management of Relations with Business Partners and/or Suppliers
- Conducting Activities to Determine the Financial Risks of Customers
- Planning and Execution of Customer Relationship Management Processes
- Follow-up of Contract Processes and/or Legal Claims
- Follow-up of Customer Requests and/or Complaints
- Planning of Human Resources Processes
- Execution of Personnel Recruitment Processes
- Follow-up of Legal Affairs
- Planning and Execution of Necessary Operational Activities to Ensure That Company Activities Are Conducted in Compliance with Company Procedures and/or Relevant Legislation
- Collection of Entry and Exit Records of Business Partner/Supplier Employees
- Creation and Follow-up of Visitor Records
- Planning and Execution of Company Audit Activities
- Planning and/or Execution of Occupational Health and/or Safety Processes
- Ensuring Data Accuracy and Currency
- Management and/or Supervision of Relations with Affiliates
- Ensuring Security of Company Campuses and/or Facilities
- Ensuring Security of Company Assets and/or Resources
- Planning and/or Execution of Company Financial Risk Processes
In order to carry out personal data processing activities falling outside the above-mentioned purposes, our Company seeks the explicit consent of personal data subjects; personal data processing activities listed below are carried out by the relevant business units based on such explicit consents. In this context, in the absence of the above-mentioned conditions, the personal data processing purposes for which explicit consent is sought are as follows:
- Planning and Execution of Access Authorizations to Information and Facilities of Business Partners and/or Suppliers
- Planning and Execution of Logistics Activities
- Management of Relations with Business Partners and/or Suppliers
- Follow-up of Contract Processes and/or Legal Claims
- Planning of Human Resources Processes
- Execution of Personnel Recruitment Processes
- Planning and/or Execution of Customer Satisfaction Activities
- Planning and Execution of Necessary Operational Activities to Ensure That Company Activities Are Conducted in Compliance with Company Procedures and/or Relevant Legislation
- Collection of Entry and Exit Records of Business Partner/Supplier Employees
- Planning and Execution of Company Audit Activities
- Planning and/or Execution of Occupational Health and/or Safety Processes
- Ensuring Security of Company Campuses and/or Facilities.
ARTICLE 21: RETENTION PERIODS OF PERSONAL DATA
If stipulated in the relevant laws and regulations, our Company retains personal data for the periods specified therein.
If no period is specified in the legislation regarding how long personal data should be retained, personal data are processed for the period required in accordance with our Company’s practices and commercial customs related to the services provided while processing such data, and then deleted, destroyed or anonymized. Detailed information on this matter is included in this Policy.
If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Company have expired, personal data may only be retained for the purpose of serving as evidence in possible legal disputes or for the assertion or defense of a right related to the personal data. In determining the retention periods in this context, the statute of limitations for asserting the aforementioned right and examples of requests previously directed to our Company on similar matters, even after the expiration of the statute of limitations, are taken as basis. In this case, the retained personal data are not accessed for any other purpose and are accessed only when it is necessary to use them in the relevant legal dispute. After the expiration of the aforementioned period, personal data are deleted, destroyed or anonymized.
ARTICLE 22: CATEGORIZATION OF PERSONAL DATA SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED BY OUR COMPANY
Although our Company processes the personal data of the personal data subject categories listed below, the scope of application of this Policy is limited to our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of institutions we cooperate with, and third parties.
The personal data protection and processing activities of our employees shall be evaluated under the Personal Data Protection and Processing Policy.
Although the categories of persons whose personal data are processed by our Company are within the scope specified above, persons outside these categories may also submit requests to our Company within the scope of the PDPL; such requests shall also be evaluated within the scope of this Policy.
Below, clarification is provided regarding the concepts of customer, potential customer, visitor, employee candidate, shareholder and board member, natural persons in institutions we cooperate with, and third parties related to these persons within the scope of this Policy.
ARTICLE 23: CATEGORIES AND THEIR DESCRIPTIONS
Visitor; Natural persons who have entered the physical premises owned by our Company for various purposes or who visit our websites.
Third Parties; Third-party natural persons related to the parties in order to ensure the security of commercial transactions between our Company and the parties or to protect the rights and interests of the aforementioned persons, or natural persons who do not fall within the scope of this Policy and the Company Employees Personal Data Protection and Processing Policy.
Employee Candidate; Natural persons who have applied to our Company for employment by any means or who have shared their résumé and related information with our Company.
Company Shareholder; Natural persons who are shareholders of our Company.
Company Official; Members of the board of directors and other authorized natural persons of the Company.
Employees, shareholders and officials of institutions we cooperate with; Natural persons (including but not limited to business partners, offices, suppliers and their employees, shareholders and officials) within institutions with which our Company has any kind of business relationship.
ARTICLE 24: THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY OUR COMPANY AND PURPOSES OF TRANSFER
In accordance with Article 10 of the PDPL, our Company informs the personal data subject about the groups of persons to whom personal data are transferred.
In accordance with Articles 8 and 9 of the PDPL, our Company may transfer the personal data of service recipients to the following categories of persons:
- Company business partners,
- Company suppliers,
- Company affiliates,
- Company shareholders,
- Legally authorized public institutions and organizations,
- Legally authorized private law persons.
The scope of the above-mentioned persons to whom data are transferred and the purposes of transfer are as follows:
- Limited to ensuring the fulfillment of the purposes of establishing the business partnership,
- Limited to ensuring that services obtained externally from suppliers and necessary for our Company to carry out its commercial activities are provided to our Company,
- Limited to ensuring the execution of our Company’s commercial activities requiring the participation of affiliates,
- Limited to the design and audit of strategies related to our Company’s commercial activities in accordance with legal legislation,
- Limited to the purpose requested within our legal authority in case legally authorized public institutions and organizations request information and documents from our Company within the framework of legal legislation,
- Limited to the purpose requested within our legal authority in case legally authorized private law persons request information and documents from our Company within the framework of legal legislation.
In transfers carried out by our Company, actions are taken in compliance with the matters regulated in the Policy.
ARTICLE 25: TECHNIQUES FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
25.1 Techniques for Deletion and Destruction of Personal Data
Although processed in accordance with relevant legal provisions, in the event that the reasons requiring processing cease to exist, our Company may delete or destroy personal data ex officio or upon the request of the personal data subject. The deletion or destruction techniques most commonly used by our Company are listed below:
- Physical Destruction
Personal data may also be processed by non-automatic means provided that they form part of any data recording system. When such data are deleted or destroyed, they are physically destroyed in such a way that they cannot be used again.
- Secure Deletion from Software
While deleting/destroying data processed wholly or partially by automatic means and stored in digital environments, methods ensuring that the data are irretrievably deleted from the relevant software are used.
- Secure Deletion by an Expert
In certain cases, the Company may enter into an agreement with an expert for the deletion of personal data on its behalf. In such cases, personal data are securely deleted/destroyed by the expert in such a way that they cannot be recovered.
25.2 Techniques for Anonymization of Personal Data
Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching them with other data. Our Company may anonymize personal data when the reasons requiring their lawful processing cease to exist.
In accordance with Article 28 of the PDPL, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing falls outside the scope of the PDPL and the explicit consent of the personal data subject shall not be required. Since anonymized personal data fall outside the scope of the PDPL, the rights regulated under this Policy shall not apply to such data.
The anonymization techniques most commonly used by our Company are as follows:
- Masking
With data masking, the main identifying information of personal data is removed from the data set and the personal data are anonymized.
- Aggregation
Through the aggregation method, multiple data are combined and personal data are rendered incapable of being associated with any person.
- Data Derivation
Through the data derivation method, a more general content is created from the content of the personal data, ensuring that the personal data cannot be associated with any person.
- Data Shuffling
Through the data shuffling method, the values within the personal data set are mixed and the link between values and individuals is broken.
In accordance with Article 10 of the PDPL, our Company informs the personal data subject of their rights and guides the personal data subject on how to exercise these rights. In accordance with Article 13 of the PDPL, it establishes the necessary channels and internal procedures and makes the necessary administrative and technical arrangements for evaluating the rights of personal data subjects and providing the necessary information to them.
ARTICLE 26: RIGHTS OF THE DATA SUBJECT AND EXERCISE OF THESE RIGHTS
26.1 Rights of the Personal Data Subject
Personal data subjects have the following rights:
- To learn whether personal data are processed
- To request information if personal data have been processed
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose
- To know the third parties to whom personal data are transferred domestically or abroad
- To request correction of personal data if they are processed incompletely or incorrectly and to request notification of the transaction made within this scope to third parties to whom personal data are transferred
- To request deletion or destruction of personal data in the event that the reasons requiring processing cease to exist, although they have been processed in accordance with the PDPL and other relevant legal provisions, and to request notification of the transaction made within this scope to third parties to whom personal data are transferred
- To object to the emergence of a result against the person by analyzing the processed data exclusively through automated systems
- To request compensation for the damage in case of damage due to unlawful processing of personal data
26.2 Cases Where the Personal Data Subject Cannot Assert Their Rights
Pursuant to Article 28 of the PDPL, since the following cases are excluded from the scope of the PDPL, personal data subjects cannot assert the rights listed below in these matters:
- Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that this does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights, or constitute a crime
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings
Pursuant to Article 28/2 of the PDPL, in the following cases, personal data subjects cannot assert their other rights listed below, except for the right to claim compensation for damages:
- If personal data processing is necessary for the prevention of a crime or for a criminal investigation.
- If personal data have been made public by the personal data subject themselves.
- If personal data processing is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution carried out by authorized public institutions and organizations and professional organizations with public institution status based on authority granted by law.
- If personal data are processed by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
26.3 Exercise of the Personal Data Subject’s Rights
Personal data subjects may submit their requests regarding the rights listed above in this section to our Company free of charge by the following methods:
- By filling out the form available at https://efcclinic.com, signing it with a wet signature and submitting it in person to Tevfikbey Mah. 2321 Sk. No:4 Küçükçekmece/ İSTANBUL,
- By filling out the form available at https://efcclinic.com, signing it with a wet signature and sending it by cargo or post to Tevfikbey Mah. 2321 Sk. No:4 Küçükçekmece/ İSTANBUL,
- By filling out the form available at https://efcclinic.com, signing it with your “secure electronic signature” within the scope of the Electronic Signature Law No. 5070 and sending the securely electronically signed form via e-mail to [email protected]
It is not possible for third parties to submit requests on behalf of personal data subjects.
In order for a person other than the personal data subject to submit a request, a special power of attorney issued by the personal data subject in the name of the person who will apply must be available.
Personal data subjects shall fill out the “Application Form for Applications to be Made to the Data Controller by the Relevant Person (Personal Data Subject) Pursuant to the Personal Data Protection Law No. 6698” in their applications to exercise their rights. The method of application is explained in detail in this form.
26.4 Right of the Personal Data Subject to Lodge a Complaint with the Personal Data Protection Board
Pursuant to Article 14 of the PDPL, in cases where the application is rejected, the response is found insufficient or no response is given within the prescribed period, the personal data subject may lodge a complaint with the Personal Data Protection Board within thirty days from the date they learn of our Company’s response and in any case within sixty days from the date of application.
ARTICLE 27: COMPANY’S RESPONSE TO APPLICATIONS
27.1 Procedure and Period for Responding to Applications
If the personal data subject submits their request to our Company in accordance with the procedure set forth above in this section, our Company shall finalize the relevant request free of charge as soon as possible and at the latest within thirty days, depending on the nature of the request.
However, if the transaction requires an additional cost, our Company shall charge the applicant the fee determined by the Personal Data Protection Board.
27.2 Information That Our Company May Request from the Applicant Personal Data Subject
Our Company may request information from the relevant person in order to determine whether the applicant is the personal data subject.
Our Company may ask the personal data subject questions regarding their application in order to clarify the matters included in the application.
27.3 Right of Our Company to Reject the Application of the Personal Data Subject
Our Company may reject the application of the applicant by explaining the reason in the following cases:
- Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that this does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights, or constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
- If personal data processing is necessary for the prevention of a crime or for a criminal investigation.
- If personal data have been made public by the personal data subject themselves.
- If personal data processing is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution carried out by authorized public institutions and organizations and professional organizations with public institution status based on authority granted by law.
- If personal data processing is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial matters.
- If the request of the personal data subject is likely to prevent the rights and freedoms of other persons.
- If disproportionate effort is required.
- If the requested information is publicly available information.
ARTICLE 28: RELATIONSHIP OF THE COMPANY’S PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES
The fundamental policies drafted regarding the protection and processing of personal data, to which the principles set forth in this Policy are related, are specified. By establishing links between these policies and the fundamental policies conducted by the Company in other areas, harmonization is ensured between processes carried out by the Company for similar purposes under different policy principles.
Within the Company, a “Personal Data Protection Committee” has been established by the decision of the Company’s senior management to manage this Policy and other policies related to and connected with it. The duties of this committee are listed below.
- To prepare fundamental policies regarding the Protection and Processing of Personal Data and submit them to senior management for approval and entry into force.
- To decide how the implementation and supervision of policies regarding the Protection and Processing of Personal Data will be carried out, to make internal assignments within the company and ensure coordination within this framework, and to submit these matters to senior management for approval.
- To determine the matters required to ensure compliance with the Personal Data Protection Law and relevant legislation, to submit the actions to be taken to senior management for approval, to oversee their implementation and ensure coordination.
- To increase awareness within the Company and among the institutions with which the Company cooperates regarding the Protection and Processing of Personal Data.
- To identify risks that may arise in the Company’s personal data processing activities and ensure that necessary measures are taken; to submit improvement proposals to senior management for approval.
- To design and ensure the execution of training programs regarding the protection of personal data and the implementation of policies.
- To finalize applications of personal data subjects at the highest level.
- To coordinate the execution of information and training activities to ensure that personal data subjects are informed about personal data processing activities and their legal rights.
- To prepare amendments to fundamental policies regarding the Protection and Processing of Personal Data and submit them to senior management for approval and entry into force.
- To follow developments and regulations regarding the Protection of Personal Data and to make recommendations to senior management regarding actions to be taken within the Company in accordance with such developments and regulations.
- To coordinate relations with the Personal Data Protection Board and Authority.
- To perform other duties assigned by the Company’s senior management regarding the protection of personal data.
Some of the specified policies are intended for internal Company use. The principles of internal policies are reflected in publicly available policies to the extent relevant, aiming to inform the relevant persons within this framework and to ensure transparency and accountability regarding the personal data processing activities carried out by the Company.
