Letoon Private Hospital

PERSONAL DATA PROCESSING AND PROTECTION POLICY

1. Purpose

Since the date the KVKK (Law on the Protection of Personal Data) entered into force, we have attached great importance to the protection of personal data belonging to all real persons with whom we come into contact in any manner while conducting our commercial activities, and to the fulfillment of the requirements stipulated under the KVKK in a complete manner. The primary purpose of this Procedure is to provide explanations regarding the personal data processing activities lawfully carried out by the Company and the systems adopted for the protection of personal data; and within this scope, to ensure transparency by informing individuals whose personal data are processed by our company, including but not limited to our customers, potential customers, employees, employee candidates, company officials, visitors, and the employees and officials of institutions with which we cooperate, as well as third parties.

2. Scope

This Procedure relates to all personal data of our Employees, Employee Candidates, Company Officials, Customers, Potential Customers, Visitors, Employees of Institutions with which we cooperate, and Third Parties whose personal data are processed, whether processed by automatic means or non-automatic means provided that they form part of any data filing system.

3. Definitions

Matters Regarding the Processing of Personal Data

According to the Personal Data Protection Law No. 6698 ("KVKK"), everyone has the right to demand the protection of their personal data. Regarding the protection of personal data, which is a Constitutional right, Fetmed Özel Sağlık Hizm. Tic. Ltd. AŞ. ("Company") demonstrates the necessary diligence for the protection of the personal data of its customers, potential customers, employees, employee candidates, company officials, visitors, and the employees and officials of institutions with which it cooperates, as well as third parties, managed under this Procedure, and incorporates this practice as a Company procedure.

Within the scope of the application of the Law and this Procedure:

  • Explicit consent: Consent regarding a specific subject, based on information and expressed with free will.
  • Anonymization: Rendering personal data impossible to be associated with an identified or identifiable real person under any circumstances, even by matching it with other data.
  • Relevant user: Persons who process personal data within the organization of the data controller or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of data.
  • Destruction: The erasure, destruction, or anonymization of personal data.
  • Law: The Personal Data Protection Law No. 6698.
  • Personal Data Owner / Data Subject: Customers, or non-customer individuals whose personal data are processed, including potential customers, employees, employee candidates, shareholders, visitors, institutions and organizations with which a business relationship is established within the framework of a contract executed (support services, independent auditing, rating, consultancy, service, procurement, cooperation, solution partnership, etc.) along with their employees, shareholders, and officials, and third-party real persons.
  • Personal Data: Any information relating to an identified or identifiable real person.
  • Processing of personal data: Any operation performed upon personal data, such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use thereof, by fully or partially automatic means or by non-automatic means provided that they form part of any data filing system.
  • Board: The Personal Data Protection Board.
  • Authority: The Personal Data Protection Authority.
  • Customer: The relevant real person who receives services from the Company pursuant to the contract signed with the Company and whose data is processed.
  • Data processor: The real or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.
  • Data filing system: The registration system where personal data are structured and processed according to specific criteria.
  • Data controller: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

4. Responsibilities

Approval and Enforcement

This procedure shall enter into force following the approval of the Chief Physician.

  • Users of the Procedure: All employees are responsible.

5. Procedure

Fundamental Principles in the Processing of Personal Data

  • Processing in Accordance with the Law and Good Faith: Our Company acts in compliance with the principles introduced by legal regulations and the rule of general trust and good faith in the processing of personal data.
  • Being Accurate and, Where Necessary, Up-to-Date: Necessary measures are taken to ensure that the personal data processed by the Company are accurate and up-to-date, and data subjects are provided with the necessary opportunities by making notifications to ensure that the processed data reflect the actual situation.
  • Processing for Specific, Explicit, and Legitimate Purposes: Our Company clearly and precisely determines the legitimate and lawful purpose of personal data processing. Our Company processes personal data to the extent connected with and necessary for the services it provides. The purpose for which personal data will be processed by our Company is set forth before the personal data processing activity begins.
  • Being Relevant, Limited, and Proportionate to the Purpose for Which They Are Processed: Data are processed by the Company in accordance with the KVKK and other relevant legislation, suitable for the realization of the purposes determined according to data categories, in a relevant and proportionate manner to the fulfillment of the purpose, and the processing of personal data that are not required is avoided.
  • Retention for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for Which They Are Processed: Personal data processed by the Company are retained only for the period envisaged in the relevant legislation or necessary for the purpose for which they are processed. In this context, the Company complies with the period if a duration is specified in the relevant legislation for data retention; if no such period is specified, it retains the data only for the period necessary for the purpose for which they are processed. The Company does not store data based on the possibility of future use.

Conducting Personal Data Processing Activities in Compliance with the KVKK

The conditions for processing personal data are regulated under the KVKK, and personal data are processed by the Company in accordance with the aforementioned conditions specified below.

Except for the exceptions listed in the Law, the Company processes personal data only by obtaining the explicit consent of the data subjects. In the presence of the following cases listed in the Law, personal data may be processed even without the explicit consent of the data subject:

  • It is clearly envisaged in the laws,
  • It is mandatory for the protection of the life or physical integrity of the person or another person who is unable to express their consent due to actual impossibility or whose consent is not granted legal validity,
  • It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract,
  • It is mandatory for the data controller to fulfill their legal obligation,
  • It has been made public by the data subject themselves,
  • Data processing is mandatory for the establishment, exercise, or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

The Company takes particular care in processing special categories of personal data, whose protection is considered more critical for the data subjects in various respects. In this context, provided that adequate measures determined by the Board are taken, such data are not processed without the explicit consent of the data subjects. However, special categories of personal data excluding those relating to health and sexual life may be processed without the explicit consent of the data subject in cases envisaged by the laws. On the other hand, data concerning health and sexual life may be processed without obtaining explicit consent, provided that adequate measures are taken, only in the presence of the reasons listed below:

  • Protection of public health,
  • Operation of preventive medicine,
  • Medical diagnosis,
  • Execution of treatment and care services,
  • Planning and management of health services and financing.

Provision of Clarification and Information to the Personal Data Owner

In accordance with Article 10 of the KVKK, our Company clarifies and informs the personal data owners during the collection of personal data. In this context, the Company provides clarification regarding the purpose for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal ground of personal data collection, and the rights held by the personal data owner.

Article 20 of the Constitution sets forth that everyone has the right to be informed about personal data concerning them. Accordingly, "requesting information" is listed among the rights of the personal data owner in Article 11 of the KVKK. In this scope, our Company provides the necessary information in the event that the personal data owner requests information, in accordance with Article 20 of the Constitution and Article 11 of the KVKK.

5.2.1. Purposes of Processing Personal Data

Your special categories of personal data, primarily your health data, and your personal data may be processed by the Company in a connected, limited, and proportionate manner for the purposes listed below, including but not limited to:

  • Your name, surname, T.R. Identity number, temporary T.R. Identity number, passport number, place and date of birth, marital status, gender, insurance or patient protocol number, and other identification data that defines you.
  • Your address, telephone number, electronic mail address.
  • Your data regarding health and sexual life obtained during the execution of medical diagnosis, treatment, and care services, such as your test results, laboratory and imaging results, medical examination data, prescription information, and your health data including but not limited to these.
  • Your IBAN number, credit card information.
  • Your closed-circuit camera system video and audio recordings captured during your visit to our hospitals.
  • Your voice call recordings maintained in the event you contact our Call Center.
  • Your private health insurance data and Social Security Institution data for the purpose of financing and planning health services.

Our Company processes personal data exclusively limited to the purposes and conditions within the personal data processing terms specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the Personal Data Protection Law No. 6698. These purposes and conditions are:

  • It is clearly envisaged in the Laws that our Company conducts the relevant activity regarding the processing of your personal data,
  • The processing of your personal data by our Company is directly related to and necessary for the establishment or performance of a contract,
  • The processing of your personal data is mandatory for our Company to fulfill its legal obligation,
  • Provided that your personal data have been made public by you; processing thereof by our Company in a manner limited to your purpose of making it public,
  • The processing of your personal data by our Company is mandatory for the establishment, exercise, or protection of the rights of our Company, you, or third parties,
  • It is mandatory to conduct personal data processing activities for the legitimate interests of our Company, provided that it does not harm your fundamental rights and freedoms,
  • It is mandatory to conduct personal data processing activities by our Company for the protection of the life or physical integrity of the personal data owner or another person, and in this case, the personal data owner is unable to express their consent due to actual impossibility or legal invalidity,
  • The processing of special categories of personal data excluding the health and sexual life of the personal data owner is envisaged in the laws,
  • The processing of special categories of personal data concerning the health and sexual life of the personal data owner by persons under the obligation of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and financing.

Under the conditions specified above; our Company may process personal data for the following purposes, including but not limited to:

  • Protection of public health, execution of preventive medicine, medical diagnosis, treatment, and care services,
  • For the purpose of planning and managing health services and financing,
  • Verifying your identity,
  • Informing you about the appointment if you schedule one,
  • Confirming your relationship with institutions contracted with our hospital,
  • Fulfilling legal and regulatory requirements,
  • Financing your health services, covering your examination, diagnosis, and treatment expenses by Patient Services, Financial Affairs, and Marketing departments,
  • Sharing requested information with the Ministry of Health and other public institutions and organizations in accordance with the relevant legislation,
  • Sharing all kinds of information requested by private insurance companies within the scope of financing health services,
  • Analyzing your use of health services for the purpose of improving the services we offer,
  • Planning and executing business activities and business continuity assurance activities,
  • Tracking financial and/or accounting affairs,
  • Providing information arising from the legislation to authorized institutions,
  • Planning and executing corporate communication activities,
  • Ensuring the execution of our Company's human resources policies,
  • Ensuring the legal and commercial security of our Company and persons in a business relationship with our Company,
  • Conducting satisfaction evaluation activities for our existing customers, organization, and event management,
  • Conducting occupational health and safety activities,
  • Executing information and physical security processes,
  • Verifying the information of the person performing transactions via our corporate website and mobile applications.

5.2.2. Erasure, Destruction, and Anonymization of Personal Data

Erasure of personal data: The process of rendering Personal Data inaccessible and non-reusable in any way for the relevant users.

Destruction of data: The process of rendering Personal Data inaccessible, irretrievable, and non-reusable by anyone in any way.

Anonymization of data: Ensuring that Personal Data cannot be associated with an identified or identifiable real person under any circumstances, even if matched with other data.

5.3.1. Transfer of Personal Data

Your personal data processed within the scope of the explained purposes may be shared with the following institutions and persons in accordance with the fundamental principles envisaged in the KVKK and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the KVKK:

  • The Ministry of Health and its subordinate sub-units,
  • Your representatives whom you have authorized,
  • Private insurance companies,
  • The Social Security Institution,
  • The General Directorate of Security and other law enforcement forces,
  • The General Directorate of Population and Citizenship Affairs,
  • The Turkish Pharmacists' Association,
  • Courts and all kinds of judicial authorities, central and other third parties,
  • Attorneys,
  • Laboratories, medical centers, ambulance, medical device, and health service providers with whom we cooperate for medical diagnosis and treatment,
  • Our suppliers, on a limited basis for the purpose of providing services.

Transfer of Personal Data Abroad

Our Company may transfer the personal data and special categories of personal data of the personal data owner to third parties abroad by taking the necessary security measures in line with lawful personal data processing purposes. Personal data are transferred by our Company to foreign countries declared to have adequate protection by the Personal Data Protection Board ("Foreign Country with Adequate Protection") or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the respective foreign country undertake adequate protection in writing and the approval of the Personal Data Protection Board is obtained ("Foreign Country Where the Data Controller Undertaking Adequate Protection is Located"). Our Company acts in compliance with the regulations envisaged in Article 9 of the KVKK in this direction.

Personal Data Processing Activities Conducted at Building and Facility Entrances and Within the Premises, and Website Visitors

Personal data processing activities conducted by the Company at building/facility entrances and within the facilities are carried out in accordance with the Constitution, the KVKK, and other relevant legislation. For the purpose of ensuring security, personal data processing activities are carried out by our Company regarding monitoring via security cameras in our Company's buildings and facilities, as well as tracking guest entry and exit. Personal data processing activities are thus conducted by our Company through the use of security cameras and the recording of guest entries and exits. The monitoring activity via security cameras carried out by the Company aims to protect its interests regarding ensuring the safety of the company and other persons, and in this context, our Company acts in compliance with the Constitution, the KVKK, and other relevant legislation.

Video recordings of our visitors are captured through the camera monitoring system at the entrances of and within our Company's buildings and facilities. Within the scope of the camera monitoring activity, our Company aims to increase the quality of the service provided, ensure its reliability, guarantee the safety of the company, customers, and other persons, and protect the interests of customers regarding the services they receive. Regulations set forth in the KVKK are complied with when conducting camera monitoring activities for security purposes by our Company. Camera monitoring activities carried out by our Company are maintained in accordance with the Law on Private Security Services and the relevant legislation.

Only a limited number of Company employees have access to records recorded and maintained in digital environments. The limited number of persons who have access to the records declare that they will protect the confidentiality of the data they access via a confidentiality commitment. In accordance with Article 12 of the KVKK, necessary technical and administrative measures are taken by our Company to ensure the security of personal data obtained as a result of the camera monitoring activity.

The relevant personal data owners are informed in this context while the names and surnames of persons who come to our Company's buildings as guests are being obtained, or through texts posted within the Company or otherwise made accessible to guests. Data obtained for the purpose of guest entry-exit tracking are processed solely for this purpose, or the relevant personal data are recorded into the data filing system in physical environments. For the purpose of ensuring security by our Company and for the purposes specified in this Procedure, internet access can be provided to our Visitors who request it during their stay within our Buildings and Facilities. In this case, log records regarding their internet access are recorded in accordance with the mandatory provisions of Law No. 5651 and the legislation issued pursuant to this Law; these records are processed only if requested by authorized public institutions and organizations or to fulfill our relevant legal obligation in audit processes to be carried out within the Company.

Log records obtained within this framework are accessible only by a limited number of Company employees. Company employees who have access to the aforementioned records access these records only to use them in requests coming from authorized public institutions and organizations or in audit processes, and share them with legally authorized persons. The limited number of persons who have access to the records declare that they will protect the confidentiality of the data they access via a confidentiality commitment. Clarification is provided for those visiting the Website through the Cookie Policy.

Personal Data Categories

  • Identity (such as name, surname, mother's and father's name, mother's maiden name, date of birth, place of birth, marital status, identity card serial/sequence number, T.R. identity number)
  • Contact (such as address number, e-mail address, contact address, registered electronic mail address (KEP), telephone number)
  • Location (location information of the venue where the person is located)
  • Personnel (such as payroll information, disciplinary investigation, employment entry-exit document records, asset declaration information, resume information, performance evaluation reports)
  • Legal Action (such as information in correspondences with judicial authorities, information in the lawsuit file)
  • Customer Transaction (such as call center records, invoice, promissory note, check information, information on teller receipts, order information, request information)
  • Physical Venue Security (such as entry-exit log information of employees and visitors, camera recordings)
  • Transaction Security (such as IP address information, website entry-exit information, password and passcode information)
  • Risk Management (such as information processed for the management of commercial, technical, and administrative risks)
  • Finance (such as balance sheet information, financial performance information, credit and risk information, asset information)
  • Professional Experience (such as diploma information, attended courses, in-service training information, certificates, transcript information)
  • Marketing (shopping history information, survey, cookie records, information obtained through campaign work)
  • Visual and Audio Recordings (such as visual and audio recordings)
  • Race and Ethnic Origin (such as race and ethnic origin information)
  • Political Opinion Information (such as information indicating political opinion, political party membership information)
  • Philosophical Belief, Religion, Sect, and Other Beliefs (such as information regarding religious affiliation, information regarding philosophical belief, information regarding sect affiliation, information regarding other beliefs)
  • Dress and Attire (information regarding dress and attire)
  • Association Membership (such as association membership information)
  • Foundation Membership (such as foundation membership information)
  • Trade Union Membership (such as trade union membership information)
  • Health Information (such as information on disability status, blood type information, personal health information, device and prosthesis information used)
  • Sexual Life (such as information regarding sexual life)
  • Criminal Conviction and Security Measures (such as information regarding criminal convictions, information regarding security measures)
  • Biometric Data (such as palm information, fingerprint information, retina scan information, facial recognition information)
  • Genetic Data (such as genetic data)
  • Other Information (such as data types to be determined by the user)

Data Subject Person Groups

  • Employee Candidate
  • Employee
  • Subject (of an experiment)
  • Subject of news
  • Shareholder/Partner
  • Potential Product or Service Buyer
  • Exam Candidate
  • Intern
  • Supplier Employee
  • Supplier Official
  • Product or Service Recipient
  • Parent / Guardian / Representative
  • Visitor
  • Other

Technical and Administrative Measures Taken Regarding the Processing and Protection of Personal Data

The Company takes all kinds of necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data. The measures envisaged in Article 12 of the KVKK are as follows:

  • To prevent unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • To ensure the retention of personal data.

As the Data Controller, the Company has initiated the necessary process for the implementation of the following Technical and Administrative Measures to improve the KVKK Compliance process:

  • Authority Matrix
  • Authority Control
  • Access Logs
  • User Account Management
  • Network Security
  • Application Security
  • Encryption
  • Penetration Testing
  • Intrusion Detection and Prevention Systems
  • Log Records / Data Masking
  • Data Loss Prevention (DLP) Software
  • Backup
  • Firewalls
  • Up-to-Date Anti-Virus Systems
  • Erasure, Destruction, or Anonymization
  • Key Management
  • Preparation of Personal Data Processing Inventory
  • Corporate Policies (Access, Information Security, Use, Retention, and Destruction, etc.)
  • Contracts (Between Data Controller – Data Controller, Data Controller – Data Processor)
  • Confidentiality Commitments
  • Internal Periodic and/or Random Audits
  • Risk Analyses
  • Employment Contract, Disciplinary Regulation (Addition of Provisions Compliant with the Law)
  • Corporate Communication (Crisis Management, Board and Data Subject Information Processes, Reputation Management, etc.)
  • Training and Awareness Activities (Information Security and Law)
  • Notification to the Data Controllers Registry Information System (VERBİS)

Rights of the Personal Data Owner Listed in Article 11 of the KVKK

As personal data owners, in the event that you submit your requests regarding your rights to our Company using the methods regulated below in this Personal Data Protection Law Clarification Text, our Company will finalize the request free of charge within 30 (thirty) days at the latest, depending on the nature of the request. However, if a fee is envisaged by the Personal Data Protection Board, the fee in the tariff determined by our Company will be charged. In this context, personal data owners have the right to:

  • Learn whether personal data are processed or not,
  • Request information if personal data have been processed,
  • Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  • Know the third parties to whom personal data are transferred domestically or abroad,
  • Request correction of personal data if they are processed incompletely or incorrectly and request notification of the operation performed within this scope to third parties to whom personal data are transferred,
  • Request the erasure or destruction of personal data in the event that the reasons requiring their processing cease to exist, despite being processed in accordance with the provisions of the KVKK and other relevant laws, and request notification of the operation performed within this scope to third parties to whom personal data are transferred,
  • Object to the occurrence of a result against the person themselves by analyzing the processed data exclusively through automated systems,
  • Demand the compensation of the damage in the event of suffering damage due to the unlawful processing of personal data.

6. Related Documents

  • KU.YD.111 – Employee Confidentiality Commitment
  • KU.YD.106 – Personal Data Protection Contract
  • KU.RB.001 – Personal Data Clarification Text Consent Form

PREPARED BY: Hospital Manager
CONTROLLED BY: Quality Management Director
APPROVED BY: Chief Physician

KU.YD.112 – Personal Data Processing and Protection Policy – Revision (01)