POLICY ON THE PROTECTION AND PROCESSING OF SENSITIVE PERSONAL DATA
TANSAN SPECIAL HEALTH SERVICES AND TRADE LTD.
(TANSAN PRIVATE CLINIC)
POLICY ON THE PROTECTION AND PROCESSING OF SENSITIVE PERSONAL DATA
- Purpose
This Policy on the Processing and Protection of Special Category Personal Data (“Policy”) is issued in accordance with Law No. 6698.
This policy has been established to determine the procedures and principles for the protection and processing of special category personal data held by Tansan Özel Sağlık Hizmetleri ve Ticaret Ltd. Şti. (the Company), which acts as the data controller under the Personal Data Protection Law ("KVKK"), within the scope of data security.
In accordance with the fundamental principles established by the Company; the processing of personal data of employees, patients, patient relatives/caregivers/guardians-parents-representatives, shareholders/partners, service providers, supplier representatives/supplier employees, visitors, and any other third parties whose personal data is held within the company's polyclinic for any reason; is carried out in accordance with the Turkish Constitution, international agreements, the Personal Data Protection Law No. 6698, and relevant legislation within the framework of this Specially Qualified Personal Data Protection and Processing Policy.
The processing and handling of Special Category Personal Data is carried out by the Company in accordance with the Policy prepared for this purpose.
2. Special Category Personal Data under the KVKK
Under the KVKK, data relating to an individual's race, ethnic origin, political opinion, philosophical belief, religion, denomination, or other beliefs, attire, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data, are considered special category personal data; The Company acts in accordance with the principles set forth in the KVKK and Article 13 of the Constitution when processing individuals' special category personal data and takes all sufficient and necessary measures additionally determined by the Personal Data Protection Board.
- Processing of Special Category Personal Data
Special category personal data may be processed with the explicit consent of the data subject or in the limited circumstances specified in the KVKK. The law distinguishes between different types of special category personal data. Accordingly, the law regulates the circumstances under which personal data relating to health and sexual life, and other special category personal data, may be processed without explicit consent.
- Conditions for Processing Special Category Personal Data
According to the KVKK, special category personal data may be processed with explicit consent. Again, according to the KVKK, the processing of special category personal data is possible in the following cases, apart from the explicit consent of the relevant person:
a- Personal data of a special nature, other than health and sexual life, only as provided by law
in states,
b-Personal data related to healthand sexual life, but only for the protection of public health, preventive
the practice of medicine, the provision of medical diagnosis, treatment, and care services, and health services
for the purpose of planning and managing its financing, under a duty of confidentiality
may be processed by individuals or authorized institutions and organizations.
| Processing Conditions | Scope | Example |
| Explicit Consent of the Relevant Person | The relevant person's explicit consent has been obtained | Obtaining consent from volunteers in the context of clinical trials |
| Statutory Provision | Personal data other than health and sexual life data may be processed without the explicit consent of the data subject. Tax Laws, Labor Law, Turkish Commercial Code, etc., impose stricter conditions for processing sensitive data. |
Information regarding the employee's union membership must be kept in their personnel file as required by law. |
| Protection of public health, preventive medicine, medical diagnosis, treatment, and care services, as well as the planning, management, and financing of health services | The processing of personal data by persons or authorized institutions and organizations subject to confidentiality obligations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, as well as the planning, management, and financing of health services. | Health data processed by the doctor about the patient |
- Measures Regarding the Processing of Special Category Personal Data
The company, as the data controller, takes the following measures in the processing of Special Category Personal Data:
a- This Policy has been established to ensure the security of special category personal data in a systematic manner, with clearly defined boundaries and rules, and in a manageable and sustainable way.
b- For employees involved in the processing of special category personal data;
aa- Regular training is provided on the Law and related regulations, as well as on the Security of Special Category Personal Data.
bb- Privacy rules are enforced, and confidentiality agreements are signed with employees.
Users with access rights to datahave their scope of authority and duration clearly defined.
Authorization checks are performed periodically.
ee- The permissions of employees who change roles or leave the company are immediately revoked, and in such cases, the inventory assigned to them by the Data Controller is returned.
c- Environments where Special Category Personal Data is processed, stored, and/or accessed, if electronic;
aa- Personal Data is stored using cryptographic methods.
bb- Cryptographic keys are stored securely and in separate environments.
cc- Transaction records of all actions performed on personal data are securely stored.
is being logged,
Security updates for environments containing personal data are continuously monitored, necessary security tests are regularly performed/commissioned, and test results are recorded.
ee- Technical controls are implemented to prevent the unlawful processing of personal data (e.g., penetration testing), and risks, threats, vulnerabilities, and weaknesses are identified. Appropriate technical measures are taken to address these risks, and necessary precautions are implemented.
ff- If personal data is accessed through software, user authorizations for this software are performed, security tests for these software programs are conducted/commissioned regularly, and test results are recorded.
gg- If remote access to personal data is required, this access is provided through a two-factor authentication system.
d- Environments where Special Category Personal Data is processed, stored, and/or accessed, if the environment is physical;
aa- Sufficient security measures (such as fire extinguishing systems, climate control, etc.) are taken against situations such as electrical leakage, fire, flooding, theft, etc., depending on the nature of the environment where Special Category Personal Data is located.
bb- The physical security of these environments is ensured, preventing unauthorized access.
e- If the transfer of Special Category Personal Data is required;
aa- If personal data needs to be transferred via email, it is transferred in encrypted form using a corporate email address or a Registered Electronic Mail (KEP) account.
bb-If it needs to be transferred via media such as portablememory, CD, DVD, etc., it must be encrypted.
and the cryptographic key is stored in a different environment.
cc- If data transfer is performed between servers in different physical environments, data transfer is carried out by establishing a VPN between the servers or using the sFTP method.
dd- If personal data must be transferred via paper, necessary precautions are taken against risks such as theft, loss, or unauthorized viewing of the documents, and the documents are sent in a "Confidential" format.
- Transfer of Special Category Personal Data
The Company may transfer the Special Category Personal Data it has lawfully obtained to third parties in accordance with the purposes of data processing, taking the necessary security measures. In this regard, the Company may transfer Special Category Personal Data to third parties if one of the processing conditions specified in the section above and the conditions specified below is met.
a- If the Data Subject has given explicit consent,
b- If there is an explicit provision in the laws regarding the transfer of Special Category Personal Data,
c- If it is necessary to protect the life or physical integrity of the Data Subject or another person, and the Data Subject is unable to express consent due to actual impossibility or their consent is not legally valid;
d- If the transfer of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract,
If the transfer of personal data is necessary for the company to fulfill its legal obligations,
f- If Special Category Personal Data has been made public by the Data Subject,
g- If the transfer of Special Category Personal Data is necessary for the establishment, exercise, or defense of a legal claim,
h- Provided that it does not harm the fundamental rights and freedoms of the Data Subject, if the transfer of personal data is mandatory.
- Transfer of Special Category Personal Data Abroad
The Company may transfer the Data Subject's Special Category Personal Data to foreign countries where the data controller has adequate protection or commits to adequate protection, in accordance with legitimate and lawful Personal Data processing purposes, by exercising due diligence, taking the necessary security measures, and implementing the adequate safeguards prescribed by the Board.
a- If the data subject has given explicit consent or
b- If the data subject has not given explicit consent;
aa- Special category personal data of the relevant Data Subject other than their health and sex life (race, ethnicity
origin, political opinion, philosophical belief, religion, denomination, or other beliefs, attire and clothing,
data on membership in associations, foundations, or unions, criminal convictions, and security measures
(including biometric and genetic data), in cases provided for by law,
bb- Personal data of a special nature relating to the health and sex life of the Data Subject may only be processed by persons or authorized institutions and organizations bound by confidentiality obligations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.
- Update
This policy is subject to the decisions of the Personal Data Protection Board and changes in legislation.
will be updated.