PERSONAL DATA DESTRUCTION POLICY
The data controller, “Estepalace Estetic Health Tourism and Consultancy Services LLC,” stores and destroys your personal data in accordance with the general principles and regulations specified in this Personal Data Storage and Destruction Policy, which is prepared in accordance with the Constitution, the Personal Data Protection Law No. 6698 and the Regulation on the Deletion, Destruction or Anonymization of Personal Data and other relevant legislation.
With this Policy, the Company aims to set out the general principles regarding the storage and destruction of a person’s data subject to personal data processing activities within the scope of the Personal Data Protection Law and to fulfill the obligations determined by the legislation.
Open Consent: Consent on a specific issue, based on the voluntary given information,
Buyer Group: The category of a legal person to whom the data controller transfers personal data,
Anonymization: Making personal data impossible to be associated with an identified person under any circumstances, even by matching with other data.
User: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data,
Destruction: Deletion, destruction or anonymization of personal data,
Personal Data: Any information relating to an identified or identifiable natural person (e.g. name-surname, TR ID, e-mail, address, date of birth, credit card number, bank account number
Data Subject: The person whose personal data is processed,
Personal Data Processing: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,
Sensitive Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data,
Periodic Destruction: In the event that all of the conditions for processing personal data specified in the Personal Data Protection Law disappear, the deletion, destruction or anonymization process specified in this Policy and to be carried out ex officio at recurring intervals,
POLICY-REGULATED RECORDING ENVIRONMENTS
It covers all personal data subject to data processing activities within the scope of the Personal Data Protection Law. In addition, the documents referred to by the Policy include both physical and digital copies.
It stores all personal data subject to data processing activities within the scope of the Personal Data Protection Law in the following environments where personal data is processed by fully or partially automated or non-automated means, provided that they are part of any data recording system:
Company computers, e-mail accounts, desktops, employee’s devices (e.g. mobile phone), backup areas, paper files, folders, guestbooks, CD, DVD, USB, Hard disks, printers, copiers, etc.
REASONS REQUIRING THE STORAGE AND DISPOSAL OF PERSONAL DATA
The following principles are taken as basis in personal data processing activities:
Compliance with the law and the rule of honesty,
Ensuring that personal data is accurate and up-to-date when necessary,
Processing for specific, explicit, and legitimate purposes,
Being relevant, limited, and proportionate to the purpose for which they are processed,
Retention for the period stipulated in the relevant legislation or required for the purpose they are processed.
Our Company stores and uses personal data for personal data processing and in accordance with the conditions for processing personal data specified in Articles 5 and 6 of the Personal Data Protection Law, and destroys personal data upon the request of the personal data owner if all of these conditions disappear:
Explicit Consent of the Personal Data Owner: The first condition for processing personal data is the owner’s explicit consent.
Explicit Provision in the Regulations: The personal data of the data subject may be processed in accordance with the law without obtaining his/her explicit consent if expressly provided for in the Regulations.
Failure to Obtain Explicit Consent of the Personal Data Owner Due to Actual Impossibility: The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid to protect his/her or another person’s life or physical integrity.
Direct Relevance to the Establishment or Performance of the Contract: Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties.
Legal Obligation: If data processing is mandatory for our Company to fulfill its legal obligations, the data of the personal data owner may be processed.
Publicization of Personal Data by the Personal Data Owner: If the data subject has made his/her personal data public by himself/herself, the relevant personal data may be processed and limited to publicization.
Data Processing is Mandatory for the Establishment or Protection of a Right: If data processing is mandatory for the establishment, exercise, or protection of a right, the data subject’s personal data may be processed.
Data Processing is Mandatory for the Legitimate Interest of our Company: Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our company.
DELETION, DESTRUCTION, OR ANONYMIZATION OF PERSONAL DATA
Personal data will be deleted, destroyed, or anonymized by the company upon the request of the data subject if the provisions of the relevant legislation that constitute the basis for the processing of personal data are amended or abolished, the purpose requiring the processing or storage of personal data disappears, in cases where the processing of personal data is carried out only based on explicit consent, the data subject withdraws his/her explicit consent, the maximum period requiring the storage of personal data has expired. No condition justifies the storage of personal data for a longer period.
Unless otherwise decided by the Personal Data Protection Board, our Company chooses the appropriate method of ex officio deletion, destruction or anonymization of personal data according to technological possibilities and implementation cost. Upon the request of the personal data owner, the justification of the appropriate method is explained. Necessary technical and administrative measures are taken in each of these processes.
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN
Our Company takes the necessary technical and administrative measures in accordance with the provisions of Article 12 of the Personal Data Protection Law, the general principles stated above, this Policy, and the decisions of the Personal Data Protection Board, according to the technological possibilities and the cost of implementation regarding the following issues:
Necessary software and hardware have been identified. Strong passwords are used on computers and e-mail accounts.
What needs to be protected in terms of protecting customer information has been conveyed to our personnel through trainings, and their responsibilities have been put in writing in their employment contracts. (Confidentiality Agreements) This obligation continues even after the relevant persons leave their positions.
Necessary infrastructure has been established for the backup of all data.
Employees who can access data on computers have been identified.
Customer files and information are provided only to the relevant persons themselves, to their relatives to whom they have given written consent, to the relevant public institutions and organizations within the framework of the legislation and to the competent judicial authorities in judicial cases.
Before starting to process personal data, the Authority fulfills the obligation to inform the data subjects.
A personal data processing inventory has been prepared.
STORAGE AND DESTRUCTION PERIODS
Our Company retains and destroys personal data only for the period specified in the legislation it is obliged to comply with or for the period required for the purpose for which they are processed.
In case the personal data owner requests the destruction of his/her personal data by applying to our company:
If all the conditions for processing personal data have disappeared: It finalizes the request of the personal data owner within thirty days at the latest and informs the personal data owner, and if the personal data subject to the request has been transferred to third parties, it notifies this situation to the third party and ensures that the necessary actions are taken before the third party.
If all the conditions for processing personal data have not disappeared: It may reject the request of the personal data owner by explaining the reason in accordance with the third paragraph of Article 13 of measures in accordance with the provisions of Article 12 and notifies the rejection to the personal data owner in writing or digitally within thirty days at the latest.
PERIODIC DESTRUCTION PERIODS
Personal data are destroyed in the first periodic destruction process following the date the obligation to destroy personal data arises. In this context, if the obligation to destroy personal data arises, it is subject to destruction in 6-month periods.
THE PROCESS STORAGE PERIOD DIESTRUCTION PERIOD
This Policy is deemed to have entered into force upon its publication on the website.
Personal Data Protection and Processing Policy
Within the framework of the principles of superior service quality, respect for the rights of individuals, transparency and honesty determined by the data controller “Estepalace Estetic Health Tourism and Consultancy Services LLC,” it is of great importance to protect the personal data of its customers, employees and other persons with whom it has a relationship in line with the regulations determined by the Personal Data Protection Law.
We pay great attention to patient privacy and processing and preserving all kinds of personal data belonging to our patients in the best possible way and with care. This policy has been prepared to protect and process the personal data of our patients as well as companions, visitors, and employees of the organizations we cooperate with within the framework of the basic principles in the legislation.
The purpose of this Policy is to ensure transparency by informing the persons whose personal data is processed, especially our patients, companions, visitors, employees and corporate officials of the institutions we cooperate with, and third parties, within the scope of personal data processing activities carried out by our company in accordance with the legislation. In this context, administrative and technical measures are taken to process and protect personal data in accordance with Law No. 6698 and relevant legislation. Persons whose personal data are processed within the scope of this policy are referred to as Data Subject or Personal Data Owner.
Open Consent: Consent on a specific issue, based on voluntarily provided information.
Anonymization: Changing personal data in such a way that it loses its personal data nature and this situation cannot be reversed. For example, masking, aggregation, data corruption, etc. techniques to make personal data impossible to associate with a natural person. It is possible to anonymize personal data for various purposes but in accordance with the request and/or consent of the person concerned not to violate the scope of Personal Data Protection Law and explicit consent. Our company will take necessary measures to prevent the anonymized personal data from being identifiable by various methods.
Employees, Shareholders and Authorities of the Organizations we cooperate with: It refers to real persons, including shareholders and officials of these organizations (not limited to business partners and suppliers) with ones we have all kinds of business relations.
Processing of Personal Data: It refers to all kinds of operations performed on personal data, such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Personal Data: It refers to any information relating to an identified or identifiable person. All information that makes the person identifiable is regulated as personal data, and information such as TR Identity Number, Name and Surname, e-mail address, telephone number, residence address, date of birth, bank account number can be given as examples of personal data.
Sensitive Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data refers to data of special nature.
Third-party: Refers to third-party real persons who are associated with the above-mentioned parties to ensure the security of commercial transactions between them or to protect the rights of the above-mentioned persons and to obtain benefits (For example, employees or officials of the company from which the service is received, Companion, etc.).
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted. For example, the IT company that holds our data.
Data Controller: It refers to the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system).
Within the scope of Personal Data Protection Law, our company has the data controller title and is registered to the VERBIS system. A team (Personal Data Officer Team) has been established in our company. In cases requiring a decision to be taken, the Personal Data Officer team receives the opinion of a Lawyer/lawyer specialized in personal data, and the decision taken following the approval of the management is put into practice.
Although the personal data processed may vary depending on the health services provided, it is collected by physical and/or digital methods. Personal data of a special nature and personal data of a general nature, especially health data collected verbally, in writing or digitally by our patients, physicians, healthcare personnel, etc., our employees, subcontractor companies and their employees and companies engaged in all kinds of commercial activities, our call center, our company’s website, online services, and similar means, are processed for the following and other purposes that may arise in the future:
Conducting medical diagnosis, treatment and care services,
Public health protection,
Planning and management of preventive medicine health services and financing,
Informing our patients about appointments
Planning and managing internal procedures,
Analyzing the fulfillment of health services in accordance with the legislation for the purpose of development,
Fulfillment of risk management and quality improvement activities,
Conducting research,
Fulfillment of legal and regulatory requirements,
Billing for our services,
Confirming your identity
Confirmation of your relationship with contracted institutions,
- Sharing any information requested by private insurance companies within the scope of financing health services,
Responding to all your questions and complaints regarding our health services,
Taking all necessary technical and administrative measures within the scope of data security,
Ensuring financial reconciliation with our contracted institutions, banks, and all organizations (public and private) from which health expenditures are collected regarding the health services provided to you,
Sharing the information requested by the Ministry of Health and other public institutions and organizations in accordance with the relevant legislation,
Measuring patient satisfaction, increasing patient satisfaction,
It may be collected and processed to fulfill purposes such as contracts and fulfilling our legal obligations.
CATEGORIZATION OF PROCESSED PERSONAL DATA
Identity Information: All information about the identity of the person in documents such as driver’s license, identity card, passport, legalID, marriage certificate
Contact Information: Information for contacting the data subject such as phone number, address, residence, e-mail
Location: Data that clearly belongs to an identified or identifiable person and which is included in the data recording system and which are used to determine the location of the data subject
Family Members and Close Rerlatives: Information about the family members and relatives of the personal data owner, that belongs to an identified or identifiable person and is included in the data recording system and processed to protect the legal interests of the relevant Institution and the data owner
Physical Space: Personal data related to records and documents such as camera recordings, fingerprint records, visual and audio recordings
Process Security Information: Personal data processed to ensure our technical, administrative, legal, and commercial security while conducting our activities
Financial Information: Personal data processed regarding information, documents and records showing all kinds of financial results
Employee Candidate Information: Personal data processed about individuals who applied to become an employee (CV or resume information)
Personal Information: Personal data related to Payroll Information, Disciplinary Investigation, SSI information, employment entry-exit document records, property declaration information, resume information, information about performance evaluation reports, interview results, content of the employment contract, employment start information, termination information
Legal Action: Personal data processed within the scope of determination and follow-up of our legal receivables, rights and performance of our debts and our legal obligations
The abovementioned personal data may be processed within the framework of the provisions of the Basic Law on Health Services No. 3359, the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Organizations, the Regulation on Private Hospitals, the Personal Health Data Regulation and the regulations of the Ministry of Health, etc., and may be transferred to the physical archives and information systems of our company and/or our suppliers.
Our Company accepts that personal data will be processed in accordance with the following principles:
Compliance with the law and the rule of honesty,
Ensuring that personal data is accurate and up-to-date when necessary,
Processing for specific, explicit and legitimate purposes,
Being relevant, limited and proportionate to the purpose for which they are processed,
Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed
The explicit consent of the personal data subject is only one of the legal grounds that allow personal data to be processed in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity. In case the processed data is personal data of a special nature, the following conditions shall apply:
Explicit Consent of the Personal Data Owner,
Explicit Provision in the Laws,
Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility
Direct Relevance to the Establishment or Performance of the Contract
Fulfillment of the Company’s Legal Obligation:
Publicization of Personal Data by the Personal Data Owner:
Data Processing is Mandatory for the Establishment or Protection of a Right:
Data Processing is Mandatory for the Legitimate Interest of our Company (The expression of the legitimate interests of the company can in no way be contrary to the principles determined by the Personal Data Protection Law, the purpose of processing personal data and cannot interfere with the essence of the right guaranteed by the Constitution).
Our Company processes special categories of personal data in the following cases, provided that adequate measures to be determined by the Personal Data Protection Board are taken:
If the personal data subject has explicit consent or,
If the personal data owner does not have explicit consent; personal data of special nature other than the health and sexual life of the personal data owner, in cases stipulated by law,
Sensitive personal data relating to the health and sexual life of the personal data subject are processed only to protect public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services, and financing by persons or authorized institutions and organizations under the obligation of confidentiality.
TECHNICAL AND ADMINISTRATIVE MEASURES
Our Company takes the necessary technical and administrative measures by the provisions of Article 12 of the Personal Data Protection Law and the Regulation, the general principles stated above, this Policy and the decisions of the Personal Data Protection Board, according to the technological possibilities and the cost of implementation regarding the following issues:
Necessary software and hardware have been identified. Strong passwords are used on computers and e-mail accounts.
What needs to be protected in terms of protecting customer information has been conveyed to our personnel through trainings, and their responsibilities have been put in writing in their employment contracts. (Confidentiality Agreements) This obligation continues even after the relevant persons leave their positions.
Necessary infrastructure has been established for the backup of all data.
Employees who can access data on computers have been identified.
Customer files and information are provided only to the relevant persons, to their relatives to whom they have given written consent, to the relevant public institutions and organizations within the framework of the legislation and to the competent judicial authorities in judicial cases.
Before starting to process personal data, the Authority fulfills the obligation to inform the data subjects.
A personal data processing inventory was prepared.
The personal data owners in question are enlightened on these issues through the texts posted in our Company or otherwise made available to the guests.
Your personal data will be processed in accordance with the basic principles stipulated by the Law and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law. In accordance with the basic principles stipulated by the Law and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law and for the above-mentioned purposes, our company, the Ministry of Health, its sub-units and family medicine centers, private insurance companies (health, pension and life insurance and similar), the Social Security Institution, the General Directorate of Security and other law enforcement agencies, the General Directorate of Population, the Pharmacists Association of Turkey, prosecution offices and courts, laboratories located in Turkey or abroad with which we cooperate for medical diagnosis, medical centers and third parties providing health services, the health institution to which the patient is referred or to which the patient himself/herself applies, your duly authorized representatives, third parties from whom we receive consultancy, regulatory and supervisory institutions and official authorities, our suppliers and support service providers whose services we benefit from or cooperate with. Your personal data is not shared with foreign countries.
Regarding the processed personal data, the person concerned has the right to learn whether personal data is processed or not, to request information if it has been processed, to access and request personal health data, to learn whether it is used in accordance with the purpose, to learn the third parties to whom it is transferred, to request correction in case of incorrect processing, to request the deletion or destruction of personal data, to request notification of the correction to the third parties transferred in case of incorrect processing, to object to the unfavorable result by analyzing it through automated systems, to demand the compensation of the damage suffered due to unlawful processing of personal data. The rights described above can be exercised by applying to our Company with a petition.
Personal data processing activities are carried out by our Company through the use of security cameras and taking video recordings at guest entrances and exits. In this context, our company acts in accordance with the Personal Data Protection Law and security legislation.
Only authorized employees and/or employees of the supplier company have access to the records recorded and stored in digital media. Camera recordings are kept for 2 months.
This Policy shall be deemed to have entered into force upon its publication on the website.
Clarification fort he Article
As “Estepalace Estetic Health Tourism and Consultancy Services LLC,” we use some technologies (cookies) such as cookies, pixels, gifs to improve your experience while visiting our website. The use of these technologies is carried out in accordance with the legislation we are subject to, especially the Personal Data Protection Law No. 6698.
The purpose of this Cookie Clarification article is to inform you about the processing of personal data obtained during the use of cookies on our website for website visitors (Data Owner). In this text, we would like to explain to you what kind of cookies we use on our website for what purposes and how you can control these cookies. Under Articles 5 and 8 of the Personal Data Protection Law and/or in the presence of exceptions in the relevant legislation, your personal data may be processed in accordance with your consent where required by the legislation; otherwise, without your consent for the above purposes.
Cookies
We use cookies on our website for various purposes and process your personal data through them. These purposes are mainly the following:
– To perform the basic functions necessary for the operation of the Website.
– Analyzing the Website and improving its performance. For example, determining the number of visitors to the Website and making performance adjustments accordingly
– To increase the functionality of the Website and provide ease of use. For example, posting to third-party social media channels through the Website
We may share your personal data with third parties that benefit from your Company’s services, companies with which we have commercial relations, limited to the realization of the above-mentioned purposes and all performed in accordance with the legislation.
The cookies we use on our Website:
Functionality and Preference Cookies: These cookies remember your preferences and choices on the website and ensure that the services offered on our site are personalized for you. For example, it allows us to remember your language choice on our website or the font size you have selected while reading a article.
Social Media Cookies: These cookies enable the collection of information about your use of social media. For example, cookies can be used to create personalized ads or to use information from your Facebook/Twitter accounts to conduct market research.
Performance and Analysis Cookies: Thanks to these cookies, we can analyze your use of our website and its performance and improve the services we provide to you. For example, thanks to these cookies, we can determine which pages our visitors view the most, whether our site is working properly, and possible issues.
We also use cookies to promote products and services on our website or in media other than ours. We may also cooperate with some of our business partners to provide you with advertising and promotion within or outside our site. You have the possibility to customize your preferences regarding cookies by changing your browser settings.
You can submit your requests within the scope of Article 11 of the Law, which “regulates the rights of the data subject”, in written form to our Company at Mecidiyeköy Mahallesi Atakan Sokak Honeycomb No:7-9/16 Şişli/İstanbul address, in accordance with the “Communiqué on the Procedures and Principles of Application to the Data Controller” or via the “ID Application Form” section on our website. We may stop using the cookies on our site, change their types or functions, or add new cookies. Our Company will not have any responsibility if the Data Owner has not provided updated information.
The Data Owner accepts that he/she may not be able to fully benefit from the operation of the WebSste if he/she makes a request that will result in the inability to use any of his/her personal data by the Company and declares that any liability arising in this context will belong to him/her.
For more detailed information about the processing of your personal data by the Company, we recommend that you review the heading “Protection of Personal Data” at ……………………………………………………
DISCLOSURE AND CONSENT FORM FOR THE PERSONAL DATA PROCESSING
In health service provision, as “Estepalace Estetic Health Tourism and Consultancy Services LLC,” we process your personal data and your consent in accordance with the Personal Data Protection Law No. 6698 (Law). The scope of personal data processing is recording, processing, storing, updating and transferring the data to third parties when permitted by the legislation, and we would like to enlighten you regarding our mutual rights and obligations under the legislation:
1-All your personal data including your health data (data such as identity information, telephone number, address, insurance number, diseases and similar data) is necessary for the establishment of the contract, protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing; informing you about the appointment, if it’s made; fulfilling legal and regulatory requirements; billing for our services; confirming your identity; sharing information requested with the Ministry of Health and other public institutions and organizations in accordance with the relevant legislation; sharing information requested with private insurance companies within the scope of financing health services; to be able to respond to all your questions and complaints regarding our health services; to take all necessary technical and administrative measures within the scope of system data security and applications; It can be processed for research and similar purposes. Your personal data is processed by complying with the data processing and statute of limitations in the legal legislation regarding the provision of health services.
2 – Your personal data may be collected verbally, in writing, or electronically through the website, social media, call center, mobile applications and similar means and may be kept in both digital and physical forms.
3 – Your personal data collected will be processed in accordance with the basic principles stipulated by the Law and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law. In accordance with the basic principles stipulated by the Law and within the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law and for the above-mentioned purposes, our company, the Ministry of Health, its sub-units and family medical centers, private insurance companies (health, pension and life insurance and similar), the Social Security Institution, the General Directorate of Security and other law enforcement agencies, the General Directorate of the Population, the Pharmacists Association of Turkey, prosecution offices and courts, laboratories located in Turkey or abroad which we cooperate for medical diagnosis, medical centers and third parties providing health services, the health institution to which the patient is referred or to which the patient himself/herself applies, your duly authorized representatives, third parties from whom we receive consultancy, regulatory and supervisory institutions and official authorities, our suppliers and support service providers whose services we benefit from or cooperate with within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law.
4 – Our company takes adequate and necessary technical and administrative measures to protect your personal data processed during the provision of health services in accordance with the data protection legislation.
5 – Regarding your processed personal data; you have the right to learn whether it is processed, to request information if it has been processed, to access and request personal health data, to learn whether it is used for its intended purpose, to learn the third parties to whom it is transferred, to request correction in case of incorrect processing, to request the deletion or elimination of personal data, to request notification of the correction to the third parties transferred in case of incorrect processing, to object to the unfavorable result by analyzing it through automated systems, to request the compensation of the damage incurred due to unlawful processing of personal data.
6 – You can exercise your rights described above by applying to us with a petition. We will evaluate your request within thirty days at the latest, and the result will be notified to you.
7 – Declaration of Consent: I accept, declare and confirm that the necessary clarification has been made to me, that I have read and understood the text, and that I expressly consent to the processing of my personal data specified herein without any influence and to the transfer of my personal data to “Estepalace Estetic Health Tourism and Consultancy Services LLC,” and the real and legal persons mentioned above.
Date :
ID numebr:
Name and Last Name :
Signature :