Prof. Dr. Taner YİĞİT

Storage and Disposal Policy

I. INTRODUCTION

 

Purpose of the Policy

The purpose of this Policy is to set out the principles for the processing of personal data obtained by the Clinic of Prof. Dr. Taner Yiğit (the “Clinic”), in accordance with Article 20 of the Constitution titled “Privacy of Private Life,” the Law on the Protection of Personal Data no. 6698 (“the Law”), and the provisions of current regulations and communiqués. This includes protecting the fundamental rights and freedoms of data subjects (employees, employee candidates, patients, patient relatives, suppliers, interns, visitors, and other related third parties), ensuring that the data controller carries out data processing activities in compliance with the law, and establishing the principles for the protection, storage, and, when necessary, destruction of the personal data obtained.

Scope of the Policy

Based on the understanding that any operation performed on data, such as obtaining, recording, storing, keeping, changing, rearranging, disclosing, transferring, acquiring, making available, classifying, or preventing the use of any information related to an identified or identifiable natural person, either wholly or partly by automatic means, or by non-automatic means as part of any data recording system, is considered a data processing activity performed by the Clinic of Prof. Dr. Taner Yiğit in its capacity as data controller, this Policy sets forth the procedures and principles for the data processing activities carried out by the Clinic of Prof. Dr. Taner Yiğit, thus defining its scope.

Application of the Policy and Relevant Legislation

Your personal data and personal health data have been prepared in accordance with the purposes explained in this policy text and the rules set out in the Basic Law on Health Services no. 3359, the Decree-Law on the Organization and Duties of the Ministry of Health and its Affiliated Institutions no. 663, the Regulation on Private Hospitals, the Regulation on the Processing of Personal Health Data and the Protection of Privacy, related regulations, and the rules specified in the regulation, communiqués, decisions, and guidelines published by the Board, particularly Law no. 6698. If there are changes in the Law or other relevant legislation after the publication date of the Policy by the Clinic of Prof. Dr. Taner Yiğit, and if the Policy becomes inconsistent with these changes, the amended provisions and rules shall apply. The Clinic of Prof. Dr. Taner Yiğit monitors all communiqués, decisions, and guidelines published by the Board, and the rules stipulated by the Policy are kept up-to-date.

Entry into Force of the Policy

The Policy has been published on the Clinic of Prof. Dr. Taner Yiğit’s website at www.drtaneryigit.com and entered into force on the date of its publication.

 

II. ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

 

2.1. Ensuring Personal Data Security

Pursuant to Article 12 of Law No. 6698, the data controller is obliged to take all necessary administrative and technical measures to ensure an appropriate level of security for the purpose of:

  • Preventing the unlawful processing of personal data,

  • Preventing unlawful access to personal data,

  • Ensuring the preservation of personal data.

For the reasons explained, the Clinic of Prof. Dr. Taner Yiğit implements security measures to prevent the unlawful processing, transfer, and disclosure of personal data to third parties, unauthorized access, and security deficiencies arising through other means. Explanations regarding the administrative and technical measures taken are included in Section VI. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA.

2.2. Protection of Special Categories of Personal Data

Among special categories of personal data, the health data of the relevant individuals may be processed without seeking the explicit consent of the data subject, only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons who are under the obligation of secrecy or by authorized institutions and organizations. In addition, regardless of the type, all special categories of personal data can only be processed if adequate measures determined by the KVKK are taken, as required by law.

The personal data you share with us within the scope of our clinical activities are collected, recorded, stored, changed, and rearranged by the Clinic of Prof. Dr. Taner Yiğit through automatic or non-automatic methods, via all channels including the internet site, surveys, social media applications such as social responsibility projects, as well as verbally, in writing, visually, or electronically, through the consultation line/call center, internet site, verbal, written, and similar channels, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing. Any transaction carried out on data within the scope of the KVKK is considered “processing of personal data.”

Furthermore, your personal data may be processed when you use our consultation line or internet page for information, appointments, complaints, or other purposes related to service provision, when you visit our clinic or internet site, and when you navigate this site.

Data that are inherently sensitive and that may cause the data subject to suffer victimization or discrimination if they fall into the hands of third parties are considered “Special Categories of Personal Data” under the Law. Special categories of personal data consist of data concerning a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, association, foundation, or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data. Special categories of personal data cannot be processed without the explicit consent of the data subject. The Clinic of Prof. Dr. Taner Yiğit takes all necessary measures for the protection of special categories of personal data, and the principle is to avoid obtaining and processing such data as much as possible.

 

III. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

 

3.1. Processing of Personal Data in Compliance with Principles Stipulated in Legislation

Pursuant to Article 4 of the Law, the principles to be applied in the processing of your personal data are:

  • Processing in compliance with the law and the rule of good faith,

  • Being accurate and, where necessary, up-to-date,

  • Processing for specified, explicit, and legitimate purposes,

  • Being relevant, limited, and proportionate to the purposes for which they are processed,

  • Retention for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

3.2. Conditions for Processing Personal Data

Personal data obtained by the Clinic of Prof. Dr. Taner Yiğit cannot be processed without the explicit consent of the data subject, except for the exceptions stipulated in the Law. Your personal data may be processed without explicit consent in the following cases:

  1. If it is expressly provided for by law,

  2. If it is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, or of a third party,

  3. If the processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract,

  4. If it is mandatory for the data controller to fulfill its legal obligation,

  5. If the personal data has been made public by the data subject himself/herself,

  6. If data processing is mandatory for the establishment, exercise, or protection of a right,

  7. If data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Exceptions to the Obligation to Obtain Explicit Consent

Expressly provided for by law

One of the conditions for data processing is that it is explicitly provided for by law. The provisions contained in the laws regarding the processing of personal data can constitute a data processing condition. In such a case, the explicit consent of the data subject is not required.

Actual impossibility

In cases where it is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, or of a third party, the personal data of the data subject can be processed without obtaining explicit consent.

Directly related to the establishment or performance of the contract

If data processing is mandatory for the establishment of a contract to which the data subject is a party or during the performance of the contract, the processing of personal data without explicit consent may be possible.

Fulfilling the legal obligation of the Clinic of Prof. Dr. Taner Yiğit

Personal data can be processed without explicit consent for the purpose of fulfilling the legal obligations that the Clinic of Prof. Dr. Taner Yiğit, in its capacity as the data controller, must fulfill.

Made public by the data subject

Personal data that has been made public by the data subject, in other words, personal data that has been disclosed to the public in any way, can be processed without explicit consent. Even in this case, the personal data made public cannot be used for purposes other than the purpose of disclosure.

Mandatory for the establishment, exercise, and protection of a right

In cases where it is mandatory for the establishment, exercise, or protection of a right, the personal data of the data subject can be processed without explicit consent.

Mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject

If the processing of personal data is mandatory for the data controller and the data processing activity does not harm the fundamental rights and freedoms of the data subject, personal data can be processed without explicit consent.

The legitimate interest of the data controller is directed towards the benefit and gain that will be obtained as a result of the processing to be carried out. The benefit obtained by the data controller must relate to an interest that is legitimate, sufficiently effective to compete with the fundamental rights and freedoms of the data subject, specific, and currently existing. It must be a transaction that is related to the data controller’s current activities and that will provide a benefit in the near future.

3.4. Processing of Special Categories of Personal Data

The processing of special categories of personal data is subject to Article 6 of the Law, and processing without the explicit consent of the data subject is prohibited.

A person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are special categories of personal data. The data included in this scope are limited in number and cannot be expanded by interpretation.

Due to their nature, special categories of personal data are data that may cause the data subject to suffer discrimination and victimization if they are learned. Therefore, they must be protected much more strictly than other personal data.

Special categories of personal data other than health and sexual life

Special categories of personal data other than those related to health and sexual life can be processed without seeking the explicit consent of the data subject in cases stipulated by the laws.

Special categories of personal data related to health and sexual life

Special categories of personal data related to health and sexual life can only be processed by persons under the obligation of secrecy or by authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

3.5. Informing and Enlightening the Data Subject

During the acquisition of personal data, data subjects are informed by the Clinic of Prof. Dr. Taner Yiğit, in its capacity as data controller, or by persons authorized by it. The procedures and principles regarding the information provided are specified in the Clarification Texts on the Protection of Personal Data published by the Clinic of Prof. Dr. Taner Yiğit, and the information briefly includes the following elements:

  • The identity of the data controller and its representative, if any,

  • The purpose for which the personal data will be processed,

  • To whom and for what purpose the personal data can be transferred,

  • The method and legal reason for collecting personal data,

  • The rights of the data subject, as shown in Article 11 of the Law.

Identity of the data controller and its representative

According to Article 10 of the Law, personal data obtained from data subjects (employees, employee candidates, patients, patient relatives, suppliers, pharmacies, visitors, interns, and other related third parties) are processed by the Clinic of Prof. Dr. Taner Yiğit in its capacity as data controller, and the contact information of the relevant unit can be obtained from the e-mail address info@drtaneryigit.com or from www.drtaneryigit.com.

Purposes of processing personal data

The processing of personal data is carried out for specified, explicit, and legitimate purposes and is based on the principle of informing the data subjects. The purposes for which your obtained data is processed are included in Section V. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY THE CLINIC OF PROF. DR. TANER YİĞİT of the Policy.

Persons to whom personal data is transferred and the purposes of transfer

Within the framework of the data controller’s obligation to inform the data subject, the persons to whom personal data is transferred and the purposes of the transfer must be clearly specified. Personal data cannot be transferred to third parties without the explicit consent of the data subject. The recipient groups to whom personal data are transferred by the Clinic of Prof. Dr. Taner Yiğit and the purposes of the transfer are shown in Section IV. TRANSFER OF PERSONAL DATA.

Method and legal reason for collecting personal data

In accordance with Articles 5 and 6 of the Law, the data controller must clearly state which of the conditions for personal data processing the processing is based on. The method and means of data collection are determined by the data controller. The conditions for processing personal data, i.e., the legality conditions, are enumerated in a limited number in the Law (Art. 5-6), and these conditions cannot be expanded.

The data controller, the Clinic of Prof. Dr. Taner Yiğit, first evaluates whether the purpose of the personal data processing activity is based on one of the processing conditions other than explicit consent. If this purpose does not meet at least one of the conditions other than explicit consent specified in the Law, then the explicit consent of the person is sought for the continuation of the data processing activity.

 

IV. TRANSFER OF PERSONAL DATA

 

4.1. Domestic Transfer

Personal data cannot be transferred without the explicit consent of the data subject. However:

  1. In the second paragraph of Article 5,

  2. In the third paragraph of Article 6, provided that adequate measures are taken,

If one of the conditions specified in the above articles is present, personal data can be transferred without seeking the explicit consent of the data subject.

Accordingly, if it is expressly provided for by law (1), if it is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, or of a third party (2), if the processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract (3), if it is mandatory for the data controller to fulfill its legal obligation (4), if the personal data has been made public by the data subject himself/herself (5), if data processing is mandatory for the establishment, exercise, or protection of a right (6), if data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject, personal data belonging to the relevant person can be transferred to third parties without obtaining explicit consent.

Your personal data and personal health data are transferred within the framework of the purposes explained in this policy text and the Basic Law on Health Services no. 3359, the Decree-Law on the Organization and Duties of the Ministry of Health and its Affiliated Institutions no. 663, the Law on the Protection of Personal Data no. 6698, the Regulation on Private Hospitals, the Regulation on the Processing of Personal Health Data and the Protection of Privacy, and related regulations to:

The Ministry of Health, Social Security Institution, General Directorate of Security and other law enforcement agencies, CİMER, SABİM, Ministry of Labor, General Directorate of Population, courts and enforcement offices, Turkish Pharmacists’ Association, regulatory and supervisory institutions, insurance companies, representatives authorized by patients, collaborating laboratories and other centers, and the Electronic Medical Records and Electronic Health Records systems for the purposes of fulfilling our contractual and legal obligations and carrying out the administrative, commercial, and economic activities of our clinic.

Information regarding the recipient groups to whom the personal data processed by the Clinic of Prof. Dr. Taner Yiğit are transferred is included in Annex 4 – Third Parties to Whom Personal Data is Transferred and Purposes of Transfer of this Policy.

4.2. International Transfer

Personal data cannot be transferred abroad without the explicit consent of the data subject. However, personal data may be transferred abroad without seeking the explicit consent of the data subject, provided that one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law exists and:

  1. There is adequate protection in the foreign country to which the personal data will be transferred,

  2. If adequate protection is not available, the data controllers in Turkey and the relevant foreign country commit in writing to provide adequate protection and the Board’s permission is obtained.

 

V. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY THE CLINIC OF PROF. DR. TANER YİĞİT

 

The data categorization obtained by the Clinic of Prof. Dr. Taner Yiğit and the purposes observed in the processing of personal data for each category of data subject are shown in the relevant parts of the clarification texts on our website.

 

VI. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

 

Administrative and technical measures are taken by the Clinic of Prof. Dr. Taner Yiğit to securely store personal data and to prevent the unlawful processing and access to personal data.

To ensure personal data security, the Clinic of Prof. Dr. Taner Yiğit identifies all personal data processed, and the likelihood of risks that may arise regarding the protection of this data; when determining these risks, the following are taken into account: whether the personal data is special categories of personal data (1), the level of confidentiality required by its nature (2), and the nature and magnitude of the damage that may arise for the data subject in case of a security breach (3).

After defining and prioritizing these risks, control and solution alternatives to reduce or eliminate these risks are evaluated in line with the principles of cost, applicability, and usefulness, and the necessary technical and administrative measures are planned and implemented.

6.1. Administrative Measures

It is of great importance for employees to make the initial intervention, even if they have limited knowledge, regarding attacks that may damage personal data security and cyber security. For this reason, awareness and information studies are carried out within our internal organization in our capacity as data controller.

Employees are given the necessary training on issues such as the unlawful disclosure and sharing of personal data, awareness activities are carried out for employees, and an environment is created where security risks can be identified. The role and responsibilities of everyone working within the data controller regarding personal data security are determined in their job descriptions, regardless of their position, and employees are made aware of their role and responsibility in this matter.

On the other hand, confidentiality agreements are signed as part of the employee recruitment process, and a disciplinary process is implemented that will be initiated if employees do not comply with security policies and procedures.

In case of any change in the policies and procedures implemented regarding personal data security, training is conducted to notify and explain the change to the employees, and information regarding data security and security threats is kept up-to-date.

Personal data must be accurate and up-to-date when necessary, pursuant to Article 4 (b) and (d) of the Law, and must be retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed. In this context, the processed data is processed in accordance with the principles and rules that must be observed in the data processing activity and is retained for the period necessary for the purpose for which they are processed. The retention periods of personal data processed by the Clinic of Prof. Dr. Taner Yiğit are shown in Section VIII. STORAGE AND DESTRUCTION OF PERSONAL DATA of this Policy.

The table below summarizes the administrative measures taken to ensure data security:

Administrative Measures 
Preparation of Personal Data Processing Inventory 
Corporate Policies (Access, Information Security, Usage, Storage, and Destruction, etc.) 
Contracts (Between Data Controller-Data Controller, Data Controller-Data Processor) 
Confidentiality Agreements 
Internal Periodic and/or Random Audits 
Risk Analyses 
Employment Contract, Disciplinary Regulation (Addition of Provisions Compliant with the Law) 
Corporate Communication (Crisis Management, Informing the Board and the Data Subject, Reputation Management, etc.) 
Training and Awareness Activities (Information Security and Law) 
Notification to the Data Controllers Registry Information System (VERBİS) 
Personal Data Security Policy and Procedures 
Rapid Reporting of Personal Data Security Problems 
Monitoring of Personal Data Security 
Creation of Disciplinary Regulations Containing Data Security Provisions for Employees 
Minimizing Personal Data as Much as Possible 
Preparation and Implementation of Corporate Policies on Access, Information Security, Usage, Storage, and Destruction 
Removal of Authorities in This Area for Employees Who Change Positions or Leave the Job 
Including Data Security Provisions in Signed Contracts 
Identification of Existing Risks and Threats 
Conducting Internal Periodic and/or Random Audits 
Protocols and Procedures for Special Categories of Personal Data Security Have Been Determined and Implemented 
Ensuring Awareness of Data Processing Service Providers Regarding Data Security 

6.2. Technical Measures

Firewalls and network gateways are used among the measures taken to protect the information technology systems containing personal data against unauthorized access and threats from third parties over the internet. The firewall used ensures that breaches to the information network are stopped, and the network gateway restricts employees’ access to websites or online platforms that pose a threat to personal data security.

In addition, regular checks are carried out on the proper functioning of the software and hardware and on the adequacy of the security measures taken for the systems. Access to systems containing personal data is restricted: employees are granted access authority only to the extent necessary for the jobs and duties they perform and their authority and responsibilities, and access to the relevant systems is provided using a username and password. When creating these passwords, sequences of numbers or letters that relate to personal information or are easily guessed are avoided as much as possible.

Access authorization and control matrices are created within the data controller’s organization, and products such as antivirus and antispam that regularly scan the information system network and detect threats are used to protect against malicious software.

To ensure data security, necessary measures are taken to ensure that paper documents containing personal data, as well as servers, backup devices, CD, DVD, USB, and similar other storage devices, are accessible only to authorized personnel, and to increase physical security in this regard.

The table below summarizes the technical measures taken to ensure data security:

Technical Measures 
Authorization Matrix 
Authority Control 
Access Logs 
User Account Management 
Network Security 
Application Security 
Encryption 
Intrusion Detection and Prevention Systems 
Data Loss Prevention Software 
Backup 
Firewalls 
Up-to-date Anti-Virus Systems 
Deletion, Destruction, or Anonymization 
Key Management 

 

VII. PERSONAL DATA PROCESSING ACTIVITY CARRIED OUT AT BUILDING, FACILITY ENTRANCES AND INSIDE THE BUILDING AND FACILITY

 

7.1. Camera Surveillance Activity Carried Out at Building, Facility Entrances and Inside

Camera surveillance activity is carried out within the scope of the Law on Private Security Services in the Clinic of Prof. Dr. Taner Yiğit’s building, working areas, common areas, parking lot, and surroundings to ensure security and to protect the interests related to ensuring the security of the Clinic of Prof. Dr. Taner Yiğit and other persons. Camera surveillance activity is carried out in compliance with the Law and within the scope of the data processing conditions listed in both the Law and this Policy.

7.2. Tracking of Guest Entries and Exits Carried Out at Building, Facility Entrances and Inside

Identity information belonging to guests visiting the Clinic of Prof. Dr. Taner Yiğit is subject to personal data processing activity for the purpose of controlling and tracking entries and exits to the Clinic of Prof. Dr. Taner Yiğit’s building and ensuring security. The personal data within the scope of this activity are processed only for the purpose of logging the entry and exit of guests, and the relevant personal data are recorded in the data recording system in electronic or physical environments.

 

VIII. STORAGE AND DESTRUCTION OF PERSONAL DATA

 

8.1. Personal Data Retention Periods

Your personal data held by the Clinic of Prof. Dr. Taner Yiğit is retained for the period necessary for the data processing activity; in the event that the obligation to erase, destroy, or anonymize personal data arises, it is erased, destroyed, or anonymized within the first periodic destruction period following the date on which this obligation arises.

The Clinic of Prof. Dr. Taner Yiğit acts in accordance with the general principles shown in Article 4 and the technical and administrative measures shown in Article 12 of the Law regarding the erasure, destruction, or anonymization of your personal data.

All procedures regarding the erasure, destruction, or anonymization of personal data by us are recorded and kept for at least 30 years during the processing of personal data due to a legal obligation.

The personal data expert personnel assigned by the Clinic of Prof. Dr. Taner Yiğit for data storage and destruction is the person responsible for the execution and supervision of the personal data storage and destruction policy.

8.2. Obligation to Erase, Destroy, and Anonymize Personal Data

Personal data processed by the Clinic of Prof. Dr. Taner Yiğit are erased, destroyed, or anonymized ex officio or upon the request of the data subject, in accordance with the provisions of Article 7 of the Law and the “Regulation on the Erasure, Destruction or Anonymization of Personal Data” published in the Official Gazette dated October 28, 2017, and numbered 30224, prepared by the Personal Data Protection Board, when the reasons requiring processing cease to exist.

Erasure of personal data

The erasure of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way.

All necessary technical and administrative measures are taken to ensure that the erased personal data are inaccessible and unusable for the relevant users.

Destruction of personal data

The destruction of personal data is the process of making personal data inaccessible, irrecoverable, and unusable by anyone in any way. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

Anonymization of personal data

The anonymization of personal data is the process of making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching it with other data.

While all necessary technical and administrative measures are taken by the Clinic of Prof. Dr. Taner Yiğit to anonymize your personal data, methods compliant with our personal data storage and destruction policy are applied to anonymize it.

8.3. Techniques for Erasure, Destruction, and Anonymization of Personal Data

The techniques for the erasure, destruction, or anonymization of personal data processed by the Clinic of Prof. Dr. Taner Yiğit are shown below, and which technique will be applied may vary depending on the nature of the personal data processed.

For this, it is necessary to first determine the personal data subject to erasure, destruction, or anonymization (1), identify the relevant users for each personal data using an access authorization and control matrix or a similar system (2), determine the authorization and methods of the relevant users for access, retrieval, and reuse (3), and close and eliminate the access, retrieval, and reuse authorization and methods of the relevant users within the scope of personal data (4).

The path followed in the erasure of personal data is as follows:

  • Giving a deletion command in cloud or application type solutions,

  • Blackening, cutting, or making data invisible in paper environments,

  • Deletion using appropriate software for data on portable media.

The path followed in the destruction of personal data is as follows:

  • Physical destruction by melting, burning, or pulverizing optical media and magnetic media,

  • Other destruction processes performed in paper or electronic environments.

 

IX. RIGHTS OF THE PERSONAL DATA SUBJECT AND THE EXERCISE OF THESE RIGHTS

 

9.1. Rights of the Personal Data Subject

Pursuant to Law No. 6698, in your capacity as the data subject, you have the right to:

  1. Learn whether your personal data is processed,

  2. Request information if your personal data has been processed,

  3. Learn the purpose of the processing of your personal data and whether they are used in accordance with their purpose,

  4. Know the third parties to whom your personal data is transferred domestically or abroad,

  5. Request the rectification of incomplete or inaccurate personal data,

  6. Request the erasure or destruction of your personal data within the framework of the conditions stipulated in Article 7,

  7. Request that the operations regarding the rectification of incomplete or inaccurate processing and the erasure or destruction of the data be notified to third parties to whom the personal data has been transferred,

  8. Object to an outcome against you that arises from the analysis of the processed data exclusively through automated systems,

  9. Request compensation for damages in the event that you suffer damage due to the unlawful processing of your personal data.

9.2. Exercise of Rights by the Personal Data Subject

Requests related to the implementation of the Law by the data subject (relevant person) must be submitted to the Clinic of Prof. Dr. Taner Yiğit in writing to the contact e-mail address info@drtaneryigit.com or the address Harbiye Mah. Abdi İpekçi Cad. Milli Reasurans İş Hanı. -2 (D Blok) No:61 İç Kapı No: 6 Şişli/İstanbul. The “Data Subject Application Form” published on the Clinic of Prof. Dr. Taner Yiğit’s website must be used for application requests.

9.3. Response of the Clinic of Prof. Dr. Taner Yiğit to Applications

The application request is finalized by the Clinic of Prof. Dr. Taner Yiğit as soon as possible, depending on the nature of the request. This period cannot exceed 30 days from the date the request is properly served on us. However, if the transaction requires any cost, a fee may be requested according to the tariff determined by the Personal Data Protection Board.

 

ANNEX – 1: Definitions

 

| Term | Description |
|---|---|
| Explicit Consent | Consent that is informed and freely given for a specific subject. |
| Anonymization | Rendering personal data impossible to be associated with an identified or identifiable natural person in any way, even by matching it with other data. |
| Recipient Group | The category of natural or legal persons to whom personal data is transferred by the data controller. |
| Direct Identifiers | Identifiers that directly reveal, disclose, and make distinguishable the person they are related to, on their own. |
| Indirect Identifiers | Identifiers that, when combined with other identifiers, reveal, disclose, and make distinguishable the person they are related to. |
| Data Subject (Relevant Person) | The natural person whose personal data is processed. |
| Relevant User | Natural or legal persons who process personal data within the data controller’s organization or based on the authority and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data. |
| Destruction | The erasure, destruction, or anonymization of personal data. |
| Law | The Law on the Protection of Personal Data dated 24/3/2016 and numbered 6698. |
| Blackening | Operations such as crossing out, painting, and blurring the entirety of personal data so that it cannot be associated with an identified or identifiable natural person. |
| Recording Medium | Any medium where personal data is processed wholly or partly by automatic means, or by non-automatic means as part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Processing of Personal Data | Any operation performed on personal data, such as obtaining, recording, storing, keeping, changing, rearranging, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data wholly or partly by automatic means, or by non-automatic means as part of any data recording system. |
| Board | The Personal Data Protection Board. |
| Authority | The Personal Data Protection Authority. |
| Data Processor | The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. |
| Data Recording System | The recording system in which personal data is structured and processed according to specific criteria. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system. |
| Identity Information | Your first name, last name, T.R. Identity Number, passport number or temporary T.R. Identity Number, place and date of birth, marital status, gender, insurance or patient protocol number, and other identity data that can identify you. |
| Contact Information | Your address, phone number, e-mail address and other communication data, audio recordings of calls kept by customer representatives or patient services as required by call center standards, and personal data obtained when you contact us via e-mail, letter, or other means. |
| Accounting Information | Your financial data such as your bank account number, IBAN number, credit card information, billing information; data related to private health insurance and Social Security Institution data for the purpose of financing and planning health services; camera recording images kept for security and audit purposes if you visit our clinic. |
| Health Information | Your laboratory results, test results, examination data, appointment information, prescription information, including but not limited to, any personal data related to health and sexual life obtained during or as a result of the provision of medical diagnosis, treatment, and care services; other personal data including the resume obtained if you apply for a job at the Clinic of Prof. Dr. Taner Yiğit, and any personal data related to your service contract if you are an employee or related employee of the Clinic of Prof. Dr. Taner Yiğit. |

 

ANNEX – 2: Personal Data Subjects (Relevant Persons)

 

| Data Subject Categories | Description |
|---|---|
| Employee | Refers to persons working within the Clinic. |
| Employee Candidate | Refers to natural persons who apply for a job at the Clinic by submitting a resume or other methods. |
| Intern | Refers to persons who practise the profession they are studying within the Clinic in order to increase their professional knowledge. |
| Patient | Refers to natural persons who benefit from the services offered by the Clinic. |
| Patient Relative | Refers to companions or relatives of patients using the services offered by the Clinic. |
| Supplier | Refers to natural persons from whom services are procured and the employees of legal entities. |
| Visitor | Refers to 3rd parties visiting the Clinic. |
| Other Related 3rd Parties | Refers to persons who apply to or communicate with the Clinic other than those listed. |

 

ANNEX – 3: Third Parties to Whom Personal Data is Transferred

 

| Transferred Person/Unit | Purpose of Transfer |
|---|---|
| Ministry of Health | Transfer of information required to be transferred for public health and under legislation. |
| Social Security Institution | Transfer of information for the purpose of carrying out the social security procedures of employees, employee candidates, and patients. |
| Authorized Public Institutions and Organizations | Sharing/transferring of information and documents requested by the relevant public institutions and organizations, limited to the purpose. |
| Suppliers | Transfer of personal data limited to the purpose of procuring the services received from suppliers. |

Any personal data obtained by the Clinic of Prof. Dr. Taner Yiğit may be processed for the purposes listed: confirming your identity, protecting public health, preventive medicine, conducting medical diagnosis, treatment and care services, planning and managing health services and financing, planning and managing the daily operations of our clinic, providing medication, informing you about your appointment if you make one, fulfilling risk management and quality improvement activities, making evaluations for the development of health services, conducting research, fulfilling legal and regulatory requirements, confirming your relationship with contracted institutions, invoicing for our health services, sharing requested information with private insurance companies within the scope of health services financing, sharing requested information with the Ministry of Health and relevant public institutions and organizations in accordance with the relevant legislation, responding to all your questions and complaints regarding our health services, taking all necessary technical and administrative measures within the scope of data security of our clinic’s systems and applications, analyzing your health service usage for the development and improvement of our health services and storing your health data, providing necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities, training and development of our employees, monitoring, preventing and reversing misuse and unauthorized transactions, preserving information regarding your health data that must be stored according to relevant legislation, ensuring financial reconciliation with contracted institutions regarding the health services provided to you, measuring patient satisfaction and, without being limited to these, conducting medical diagnosis, treatment and care services, development of health services and planning and management of financing, increasing patient satisfaction, research, and similar purposes.

 

ANNEX – 5: Retention Periods

 

| Personal Data Category | Retention Period | Legal Basis |
|---|---|---|
| Health Data (Biometric and genetic and examination data, laboratory, test, analysis, and examination results, check-up and prescription information, patient records, and health data, including but not limited to, and patient relative information obtained when necessary) | 30 Years from the end of the personal data processing activity | Regulation on Private Hospitals, Turkish Penal Code |
| All Records Related to Accounting and Financial Transactions | 10 Years | Law No. 6102, Law No. 213 |
| Cookies and Log Records | 6 Months – Maximum 2 Years | Internet Law No. 5651 |
| Traffic Information Regarding Online Visitors | 2 Years | Law No. 5651 |
| Personal Data Related to Suppliers | 10 Years after the end of the legal relationship | Law No. 6102, Law No. 6098, and Law No. 213 |
| Personal Data Protection Board Transactions | 10 Years | Personal Data Storage and Destruction Policy of the Personal Data Protection Authority Published by the KVKK |
| Contracts | 10 Years from the Termination of the Contract | Law No. 6102 and Law No. 6098 |
| Human Resources Processes | 10 Years from the End of the Activity | Labor Law No. 4857 and Relevant Legislation |
| Visitor Record | 2 Years from the End of the Event | Personal Data Storage and Destruction Policy of the Personal Data Protection Authority Published by the KVKK |
| Personnel File Data Stored within the Scope of the Labor Law | 10 Years from the Termination of the Employment Relationship | Labor Law No. 4857 and Relevant Legislation and Turkish Code of Obligations No. 6098 |
| Data Collected within the Scope of OHS Legislation (Health reports, OHS Training, records related to Occupational Health and Safety activities, etc.) | 15 Years from the Termination of the Employment Relationship | Occupational Health and Safety Law No. 6331 and Relevant Legislation |
| Data Kept within the Scope of SSI Legislation (Entry declarations, premium/service documents, etc.) | 10 Years from the Termination of the Employment Relationship | Social Insurance and General Health Insurance Law No. 5510 and Relevant Legislation |
| Applicant Data if Job Application is Not Accepted (CV, Resume, Cover Letter, Application Form, etc.) | 1 Year | Sectoral customs apply. |
| Personal Data Processed in Contractual Relationships | 10 Years Subsequent to the Termination of the Contract | Turkish Code of Obligations No. 6098 |
| Personal Data Related to Tax Records | 5 Years | Tax Procedure Law No. 213 |
| Personal Data Processed for Security Purposes According to CCTV Cameras (Camera Records) | 90 Days | Sectoral Custom |
| Traffic Information Processed During the Use of the Clinic Internet Network, Internet Access, and Remote Connection (IP address, start and end time of the service provided, type of service utilized, amount of data transferred, and subscriber identity information, if any, etc.) | 2 Years | Law No. 5651 on the Regulation of Publications Made in the Internet Environment and Fighting Against Crimes Committed Through These Publications |
| Personal Data of a Deceased Person | At Least 20 Years | Regulation on Personal Health Data published in the Official Gazette dated 21.06.2018 and numbered 30808 |