Law on Processing and Protection of Special Categories of Personal Data
CHAPTER 1
1.1 PREAMBLE
Dr. Lida ÇİTELİ attaches great importance to the lawful protection and processing of personal data in accordance with the Personal Data Protection Law No.: 6698 (“Law”), and all related plans and activities are carried out with this in mind. Dr. Lida Çiteli takes any administrative and technical measures that are required for protection of personal data. Because special categories of personal data, by their character and sensitivity, may expose data subjects to discrimination or cause them to suffer damages if disclosed, special technical and administrative measures are taken for processing, protecting and securing such data, in addition to the administrative and technical measures taken for general categories of personal data.
1.2. OBJECTIVE
The objective of the present Policy for Processing and Protection of Special Categories of Personal Data (“Policy”) is to take any technical and administrative measures, which are required for processing, protecting and securing special categories of personal data in accordance with the Constitution, Personal Data Protection Law No.: 6698, relative legislation, resolution of the Personal Data Protection Board with the Resolution No.: 2018/10, dated 31.01.2018 and within the framework of other relative resolutions, and to inform Data Subjects by ensuring that Dr. Lida Çiteli fulfills her liabilities with regards to special categories of personal data that are held by Dr. Lida Çiteli under the title of data controller.
1.3. SCOPE
This Policy is related with any of the personal data of our patients, clients, website users, employees, job candidates, officers in our doctor’s office, visitors, our business connections (suppliers, contractors and representatives, shareholders and employees of institutions, with which we established similar business relations) and third parties, which are processed automatically or non-automatically, provided that such data are a part of a data recording system.
In this context, the present Policy may apply to aforementioned personal data holder groups completely, but only some of its provisions may also apply to the same.
1.4. DEFINITIONS
Below you may find the definitions that are used for implementation of the present Policy:
| Term | Definition |
| --- | --- |
| EXPLICIT CONSENT | Means freely given, specific and informed consent. |
| RECIPIENT GROUP | The category of natural or legal person to whom personal data is transferred by the data controller. |
| ANONYMIZATION | Means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data. |
| EMPLOYEE(S) | Employees, who established a business relationship with DR. LİDA ÇİTELİ in accordance with the Labour Law, and students/graduates, who are completing their internship (mandatory/optional). |
| RELEVANT USER | Persons, who process personal data within the organization of DR. LİDA ÇİTELİ or in line with the authorization and instructions received from DR. LİDA ÇİTELİ, excluding the person or unit responsible for the technical storage, protection and backup of the data. |
| DISPOSAL | It refers to deletion, destruction or anonymization of personal data in an unrecoverable way. |
| RECORDING ENVIRONMENT | Any environment where personal data is processed by fully or partially automatic or non-automatic means, provided that it is a part of any data recording system. |
| PERSONAL DATA | Any information regarding an identified or identifiable natural person. |
| DATA SUBJECT | It refers to any natural person whose personal data is processed. |
| PROCESSING OF PERSONAL DATA | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, or any action performed on the data, such as preventing its use. |
| PERSONAL DATA INVENTORY | The inventory that data controllers create by associating the personal data processing activities they carry out, depending on their business processes, with the purposes and legal reason for processing personal data, the data category, the transferred recipient group and the data subject person group, and by detailing the maximum retention period required for the purposes for which personal data are processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security. |
| PERSONAL DATA PROTECTION COMMITTEE | It refers to the committee, which is authorized by DR. LİDA ÇİTELİ to make decisions and submit them to the senior management to ensure that the personal data protection legislation is followed, maintained, managed and developed, and which establishes required level of coordination and which is established with the involvement of officers from various units within the body of DR. LİDA ÇİTELİ. |
| BOARD | Personal Data Protection Board |
| AUTHORITY | Personal Data Protection Authority |
| KVKK / LAW | Personal Data Protection Law No.: 6698 |
| SPECIAL CATEGORIES OF PERSONAL DATA | Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data. |
| PERIODIC DISPOSAL | It refers to the process of deleting, destroying or anonymizing personal data specified in the personal data storage and disposal policy and to be carried out ex officio at recurring intervals in case all of the processing conditions for personal data specified in the law are eliminated. |
| POLICY | It refers to the present "Policy for Protection, Processing and Disposal of Personal Data", in which the principles that are adopted for processing, storage and disposal of personal data are organized by DR. LİDA ÇİTELİ. |
| DELETION | It refers to the process of making personal data inaccessible and non-reusable by users. |
| DATA PROCESSOR | It refers to real or legal persons, who process personal data on behalf of the data controller, based on the authority given by the data controller. |
| DATA CONTROLLER | It refers to natural or legal persons, who determine the purposes and means of processing personal data and are responsible for establishing and managing the data recording system. |
| DATA RECORDING SYSTEM | It refers to a recording system, in which personal data is structured and processed according to certain criteria. |
| DATA CONTROLLERS REGISTRY | It refers to the data controllers registry, which is kept by the Personal Data Protection Authority and which is open to the public. |
| DISPOSAL | It refers to the process of making personal data inaccessible, non-recoverable and non-reusable by anyone. |
Definitions that are provided in KVKK shall apply to definitions that are not available in the present Policy.
CHAPTER 2
PROTECTION AND PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA, PROCESSING PURPOSES OF SPECIAL CATEGORIES OF PERSONAL DATA, AND BASIC PRINCIPLES FOR PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
2.1. Special Categories of Personal Data
It refers to data regarding individuals' race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric data and genetic data.
2.2. Protection of Special Categories of Personal Data
Since special categories of personal data are comprised of data that may cause the data subject to suffer discrimination or damages, if they are disclosed, administrative and technical measures, which are taken by Dr. Lida Çiteli for protection of such personal data legally, are applied in relation with special categories of personal data, and necessary audits are being performed within the body of the doctor’s office of Dr. Lida Çiteli. Furthermore, necessary procedures are being conducted by taking satisfactory measures that are determined by the Board for processing of special categories of personal data.
2.3 Processing of Special Categories of Personal Data
Dr. Lida Çiteli takes particular care when processing special categories of personal data, which are considered more critical to protect for the benefit of the data subject. Dr. Lida Çiteli processes special categories of personal data in conformity with the principles specified in the present Policy, by taking all administrative and technical measures, including methods that shall be determined by the Board, and only under the following circumstances:
(i) Personal data, except for data concerning health and sexual life, may be processed without seeking explicit consent of the data subject, in cases that are stipulated under laws explicitly, i.e. in case there is an explicit provision for processing of personal data under laws. Otherwise, explicit consent of the data subject shall be obtained to process special categories of such personal data.
(ii) Personal data concerning health and sexual life may only be processed without seeking explicit consent of the data subject by the persons subject to an obligation of secrecy or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. Otherwise, explicit consent of the data subject shall be obtained to process special categories of such personal data.
2.4. Purposes of Processing Special Categories of Personal Data
Special categories of personal data may be processed in the direction of the conditions for processing personal data as stipulated under Article Nos.: 5 and 6 of the Law in conformity with the principles, which are stipulated under Article 4 of the Law, and in line with the procedures and principles that are stipulated under relative legislation. Dr. Lida Çiteli may process and preserve the special categories of personal data, which are collected duly, within the scope of business relations, products, services or commercial activities or within the framework of other relations established with Data Subjects and within the scope of below purposes, which require the same to be processed, to the extent associated and restricted with such purposes.
Purposes of Processing Special Categories of Personal Data;
Conducting legal conformity processes,
Management of operations,
Fulfilment of financial procedures,
Determination and fulfilment of commercial and business strategies,
Fulfilment of service obligations based on the service contract,
Conducting emergency management processes,
Fulfilment of liabilities that source from business contracts and legislation in relation with employees,
Conducting the vested rights and interests processes for employees,
Conducting business activities for employees,
Assessment of employee application processes,
Conducting activities according to the legislation,
Planning human resources activities,
Conducting occupational health / safety activities, and
Notifying authorized persons, institutions and organizations.
2.5. General Principles for Processing Special Categories of Personal Data
One of the most important issues for Dr. Lida Çiteli is to act in conformity with general principles that are stipulated under the legislation for processing special categories of personal data. In this context, according to the Constitution and KVKK, Dr. Lida Çiteli is required to act in conformity with below principles during processing of special categories of personal data.
a. Being Engaged in Personal Data Processing Activities Consistent with the Law and Good Faith
Dr. Lida Çiteli processes special categories of personal data in conformity with Article 4 of the KVKK, consistent with the law and good faith, by pursuing accurate, current, if required, and specific, explicit and legal goals, to the extent associated and restricted with relative goals. In this context, Dr. Lida Çiteli considers the principle of proportionality while processing special categories of personal data and does not use special categories of personal data out of the scope of relative goals.
b. Ensuring that Personal Data are True and Current, if required
Dr. Lida Çiteli ensures that special categories of personal data, which she processes in consideration of fundamental rights and legal interests of data subjects, are accurate and up-to-date, and takes necessary measures in such direction and establishes systems to create such environment.
c. Processing for Specific, Explicit and Legal Purposes
Dr. Lida Çiteli processes special categories of personal data in conformity with legal and lawful grounds, in connection with activities that the doctor’s office conducts, and to the extent necessary. Dr. Lida Çiteli defines the purpose of processing special categories of personal data even before the beginning of the activity to process personal data.
d. Being Associated, Restricted and Limited to the Processing Purpose
Dr. Lida Çiteli processes special categories of personal data in a way that allows achieving specified purposes and avoids processing personal data that are not associated or required for achieving relative purpose. Dr. Lida Çiteli is not engaged in processing special categories of personal data that are directed for meeting requirements that may occur subsequently.
e. Preserving Personal Data for a Period Stipulated under Relative Legislation or Required for the Purpose of Processing Personal Data
According to Article 138 of the Turkish Penal Code and Article Nos.: 4 and 7 of the KVKK, Dr. Lida Çiteli preserves the special categories of personal data that she processed only for the period, which is stipulated under relative legislation and laws or which is required for processing personal data.
In this context, Dr. Lida Çiteli firstly detects whether any period is stipulated for retention of special categories of personal data under relative legislation, and acts according to such period, if any. Unless there is any legal period, special categories of personal data are preserved for a period required in the direction of processing personal data. Special categories of personal data are disposed of at the end of specified retention periods on the basis of periodic disposal periods or in conformity with the application of the data subject and consistent with specified disposal methods (deletion and/or disposal and/or anonymization). You may find the details in the Personal Data Retention and Disposal Policy.
CHAPTER 3
TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA AND RELATIVE CONDITIONS:
3.1. Transfer of Special Categories of Personal Data
During transfer of special categories of personal data, Dr. Lida Çiteli takes the required measures with due care and in conformity with the legislation, since such data may cause the data subject to suffer damages or to be subjected to discrimination if they are disclosed to any third person. In this context, Dr. Lida Çiteli may transfer special categories of personal data to any third parties by taking required administrative and technical measures in the direction of processing purposes and in conformity with the legislation.
3.2. Conditions for Transfer of Special Categories of Personal Data
a. Conditions for Transfer of Special Categories of Personal Data Domestically:
Dr. Lida Çiteli may transfer special categories of personal data to any third parties domestically by taking required administrative and technical measures in the direction of processing purposes and in conformity with the legislation, provided that the explicit consent of the data subject is obtained. As a rule, special categories of personal data may not be transferred to any third parties, who are domiciled domestically, without obtaining the explicit consent of the data subject.
However, except for the personal data that are related with health and sexual life, various personal data may be transferred without obtaining the explicit consent of the data subject, if it is envisaged explicitly by laws, i.e. if there is an explicit provision with regards to processing/transfer of special categories of personal data under the law, with which relative activity is associated. In this direction, except for the personal data that are related with health and sexual life, special categories of personal data may only be transferred under below circumstances:
- If the explicit consent of the Data Subject is obtained,
- If there are any explicit regulations under laws with regards to the Transfer of Special Categories of Personal Data,
- If it is mandatory to protect the life or bodily integrity of the Data Subject, and if the data subject is not in a situation to disclose his/her consent due to de facto impossibilities or if the data subject's consent is not recognized legally; and
- In case it is required to transfer personal data of contract parties, special categories of personal data may only be transferred under below circumstances, provided it is required in relation with drawing up or execution of a contract directly,
- If it is required for Dr. Lida Çiteli to transfer personal data in order to fulfil her legal liability,
- If Special Categories of Personal Data are made public by the Data Subject,
- If it is mandatory to transfer Special Categories of Personal Data to establish, exercise or protect a right, and
- If it is mandatory to transfer personal data for legal interests of Dr. Lida Çiteli, provided that fundamental rights and freedoms of the Data Subject are not damaged.
In case it is aimed to protect public health, to provide services related with protective medicine, medical diagnosis, treatment and healthcare, and to plan and manage healthcare services and finance, then personal data that are related with health and sexual life may be transferred, without obtaining explicit consent of the Data Subject, by taking required measures sufficiently.
b. Conditions for Transfer of Special Categories of Personal Data Abroad:
Dr. Lida Çiteli may transfer special categories of personal data abroad, in the direction of legal purposes for processing special categories of personal data, by exercising due diligence, by taking required administrative and technical measures, which are envisaged by the legislation, and by taking measures that are deemed as required by the Board. As a rule, special categories of personal data may not be transferred abroad without obtaining the explicit consent of the data subject.
However, except for special categories of personal data that are related with health and sexual life, various special categories of personal data may be transferred to countries, which are determined and announced by the Board and which provide sufficient amount of protection to such data, without obtaining the explicit consent of the data subject, if it is envisaged explicitly by laws, i.e. if there is an explicit provision with regards to processing/transfer of special categories of personal data under the law, with which relative activity is associated. Unless sufficient degree of protection is provided, then special categories of personal data may only be transferred, in case the data controller undertakes to provide sufficient degree of protection and in case the Board gives its consent in this respect.
In case it is aimed to protect public health, to provide services related with protective medicine, medical diagnosis, treatment and healthcare, and to plan and manage healthcare services and finance, then personal data that are related with health and sexual life may be transferred to countries, which are determined and announced by the Board and which provide sufficient amount of protection to such data, without obtaining explicit consent of the Data Subject. Unless sufficient degree of protection is provided, then special categories of personal data may only be transferred, in case the data controller undertakes to provide sufficient degree of protection and in case the Board gives its consent in this respect.
CHAPTER 4
ERASURE, DESTRUCTION OR ANONYMIZATION OF SPECIAL CATEGORIES OF PERSONAL DATA
Despite being processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destroyed or anonymized by Dr. Lida Çiteli, ex officio or on the request of the data subject, in the event that the reasons for the processing no longer exist.
The following must be complied with during erasure, destruction or anonymization of personal data: the general principles that are stipulated under Article 4 of the Law, the technical and administrative measures that must be taken within the scope of Article 12, the provisions of relative legislation, Board resolutions and the Data Retention and Erasure Policy.
CHAPTER 5
SECURITY OF SPECIAL CATEGORIES OF PERSONAL DATA
In order to ensure that special categories of personal data are stored securely, to prevent processing and accessing the same illegally and to erase personal data in conformity with the law, Dr. Lida Çiteli takes required technical and administrative measures in conformity with liabilities that are stipulated under Article 12 of the Law and in line with satisfactory measures that are determined by the Board for special categories of personal data in accordance with paragraph four of Article 6. In this context, technical and administrative measures, which are taken by Dr. Lida Çiteli, are determined in the Policy for Processing and Protection of Personal Data and Policy for Retention and Erasure of Personal Data. During activities related with processing, security and protection of special categories of personal data, Dr. Lida Çiteli also takes below measures in addition to technical and administrative measures, which are listed under aforementioned policies.
5.1 Measures that are taken for Employees, who are involved in the process of processing Special Categories of Personal Data:
Trainings are being provided to employees, who are providing services in relation with relative legislation and processing, security, protection and retention etc. of special categories of personal data.
Non-disclosure agreements are being signed with employees and disciplinary procedures are being applied.
Scope of the powers and expiry dates of such powers are defined for employees, who are authorized to access special categories of personal data.
Powers of such employees are checked periodically.
Powers of employees, who change their positions or who quit their job, are cancelled immediately. In this context, any items that are provided to such employees are returned.
5.2. Measures Regarding Electronic Media Where Special Categories of Personal Data are Processed, Stored and/or Accessed:
Data are being stored by using cryptographic methods.
Cryptographic keys are stored in secure and various media.
Activities that are performed on the data are being logged securely.
Security updates that are related with the media where data are stored are being followed constantly, and security tests are being performed/made to be performed regularly, and test results are being recorded.
If data are accessed via software, user authorizations for that software are defined, the software is subjected to security tests regularly, and the relative test results are recorded.
If it is required to access data remotely, an identity verification system with a minimum of 2 steps is applied.
5.3. Measures Regarding Physical Environments Where Special Categories of Personal Data are Processed, Stored and/or Accessed:
Physical environments where special categories of personal data are available (cabinets and archives etc.) are being locked.
Satisfactory security measures are being taken (against leakage of electricity, flood and theft etc.) based on the character of the environment where special categories of personal data are available.
Unauthorized accesses are being prevented by ensuring the physical security of such environments.
5.4. Measures Regarding Transfer of Special Categories of Personal Data:
If it is required to transfer special categories of personal data by e-mail, then such data are transferred in encrypted form via corporate e-mail or Registered E-mail (KEP). The password for the relative file is not provided in the content of the relative e-mail.
If it is required to transfer special categories of personal data by various environments, such as flash memories, CDs and DVDs etc., then such data are encrypted by using cryptographic methods and cryptographic keys are kept in various environments.
If special categories of personal data are transferred between servers in different physical environments, then the data transfer is performed by establishing a VPN between the servers or by using the SFTP method.
If it is required to transfer special categories of personal data as a hardcopy, required measures are taken against various risks, such as theft and loss of relative documents or being disclosed to unauthorized persons etc., and relative documents are sent in the format of “confidential documents”.
CHAPTER 6
6.1 APPLICATION OF THE POLICY AND RELATIVE LEGISLATION
Relative legal regulations, which are effective with regards to processing and protection of special categories of personal data, shall be prioritized. In case there are any conflicts between applicable legislation and Policy, Dr. Lida Çiteli agrees that applicable legislation shall be implemented. The policy arranges the rules, which are stipulated under relative legislation, by concretizing the same in respect of applications of Dr. Lida Çiteli. In case there are any changes in the Policy, effective date and relative articles of the Policy shall be updated in such direction.
6.2. EFFECTIVE DATE OF THE POLICY
The present policy shall become effective on 07/11/2022. The present Policy shall be published in the following website of Dr. Lida Çiteli; https://www.drlidaciteli.com/, and it shall be presented to the access of data subjects upon the request of relative data owners.
6.3. DISTRIBUTION
Policy shall be declared to third parties and employees of Dr. Lida Çiteli by being published at the website of Dr. Lida Çiteli.