PDPL
Chapter 1 – Preamble
Preamble
In DR. LİDA ÇİTELİ (“DR. LİDA ÇİTELİ”), we show sensitivity towards the safety of your personal data, and it is our priority to process and keep any types of personal data, which belong to any persons related with us, including our patients and clients, who benefit from our services, and our business partners, in conformity with the Personal Data Protection Law No.: 6698 (KVKK).
By the present Personal Data Protection and Processing Policy (Policy), DR. LİDA ÇİTELİ organizes basic principles, which are adopted for protection, safekeeping and disposal of personal data, and thus, it has become sustainable by being applied as a corporate policy.
Objective
The objective of the present Policy is to process and protect the personal data, which are being processed by DR. LİDA ÇİTELİ in conformity with the legal legislation that constitutes the basis of the present Policy, and to determine the principles and procedures with regards to deletion, disposal and anonymization of processed personal data, and to inform real persons, whose data are processed by DR. LİDA ÇİTELİ, in this respect.
Scope
This Policy is related with any personal data, which belong to our patients, clients, website users, employees, employee candidates, officers of our doctor's office, visitors, customers, business partners (suppliers, contractors and officers, shareholders and employees of institutions, with which we have similar business relationships) and third parties, and which are processed automatically and which are processed non-automatically by being part of any data recorder. In this context, entire content of the present Policy may apply to aforementioned personal data owners, and only some provisions of the same may apply to them as well.
Application of the Policy and Relative Legislation
This Policy is prepared on the basis of the Personal Data Protection Law No.: 6698, Regulation No.: 30286 Regarding Data Controller Register, and Regulation No.: 30224 Regarding Deletion, Disposal or Anonymization of Personal Data. Regulations that are applied in relation with processing, protection and disposal of personal data shall be prioritized. In case there are any discrepancies between the Legislation and Policy, DR. LİDA ÇİTELİ agrees that the effective legislation shall be applied.
Enforcement of the Policy
The present Policy, which is issued by DR. LİDA ÇİTELİ, has become effective on 01.01.2021 by being published on the website of DR. LİDA ÇİTELİ. The present Policy may be updated from time to time due to legal changes, changes that may occur in personal data processing processes of DR. LİDA ÇİTELİ or due to any other reasons.
In case the present Policy is updated completely or on the basis of specific articles, effective date of the Policy shall be updated. The present Policy shall be published on the website of DR. LİDA ÇİTELİ at https://www.drlidaciteli.com/ and it shall be opened to the access of concerned persons upon the request of personal data owners.
Definitions
Below you may find the terms that are used in application of the present Policy:
| Term | Definition |
| --- | --- |
| Express Consent | It refers to the type of consent, which is related with a specific subject, which is based on information and which is explained on the basis of free will |
| Buyer Group | It refers to the real or legal persons category, to whom the data controller transfers personal data |
| Anonymization | It refers to the process of changing the status of personal data so that they may not be related with any identified or identifiable real persons even by matching the same with other data |
| Employee(s) | It refers to workers, who have business relations with DR. LİDA ÇİTELİ in accordance with the Labour Law and students/graduates, who are doing their internships (compulsory/optional) |
| Related User(s) | It refers to persons, who process personal data within the body of DR. LİDA ÇİTELİ or in the direction of powers and instructions given by DR. LİDA ÇİTELİ, except for persons or units that are liable to store, protect and backup data technically |
| Disposal | It refers to deletion, disposal or anonymization of personal data permanently |
| Recording Medium | It refers to any type of medium, which accommodates the personal data that are processed by methods that are automatic completely or partially or that are processed by methods that are non-automatic by being a part of any data recording system |
| Personal Data | “Personal data” means any information relating to an identified or identifiable natural person |
| Data Subject | “Data subject” (natural person concerned) means the natural person, whose personal data are processed |
| Processing of Personal Data | “Processing of personal data” means any operation which is performed on personal data, wholly or partially by automated means or by non-automated means provided that they form part of a data filing system, such as collection, recording, retention, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof |
| Personal Data Processing Inventory | “Personal data processing inventory” means the inventory which is detailed by explanations of the following: personal data processing operations performed by data controllers according to their business processes, purposes and legal basis of personal data processing, data category, recipient group, maximum retention period which is formed relating to the group of person subject to data and necessary for the purpose for which personal data are processed, personal data envisaged to be transferred to foreign countries, and measures taken relating to data security. |
| Personal Data Protection Board | It refers to the board, which is established by DR. LİDA ÇİTELİ to make sure that the rules of the personal data protection legislation are followed, to adopt resolutions that are required to maintain, sustain, manage and develop such activities, and to present the same to the senior management, and which conducts required coordination activities within the body of DR. LİDA ÇİTELİ, and which is established with the participation of officers from various units |
| Board | “Board” means the Personal Data Protection Board |
| Authority | “Authority” means the Personal Data Protection Authority |
| KVKK / Law | It refers to the Personal Data Protection Law No.: 6698 |
| Special Categories of Personal Data | Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data |
| Periodic Disposal | Periodic disposal means, in such cases where the reason of processing no longer exists, erasure, destruction or anonymization of the personal data ex officio for the period laid down by the personal data retention and disposal policy. |
| Policy | It refers to the present Personal Data Protection, Processing and Disposal Policy, in which the principles that are adopted for processing, safekeeping and disposal of personal data by DR. LİDA ÇİTELİ |
| Erasure | Erasure of personal data is the process of rendering personal data inaccessible and non-reusable in any way for the users concerned |
| Data Processor | “Data Processor” means the natural or legal person who processes personal data on behalf of the data controller upon its authorization |
| Data Controller | “Data Controller” means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system |
| Data Filing System | “Data filing system” means the system where personal data are processed by being structured according to specific criteria |
| Data Controllers' Registry | It refers to the Data Controllers' Registry, which is kept by the Personal Data Protection Board and which is publicly available |
| Disposal | Disposal of personal data is the process of rendering personal data inaccessible, non-recoverable and non-reusable in any way for the users concerned |
Definitions that are provided under KVKK shall apply to terms that are not defined under the present Policy.
Chapter 2 – General Considerations Regarding Processing Of Personal Data
DR. LİDA ÇİTELİ acts in conformity with the following while conducting personal data processing activities;
- 1. General principles;
- 2. Personal data processing conditions;
- 3. Conditions for processing special categories of personal data.
Processing Personal Data in Conformity with General Principles
Processing in Conformity with the Law and Good Faith
DR. LİDA ÇİTELİ acts in conformity with principles, which are stipulated under legal regulations, and general rules of reliability and good faith with regards to processing of personal data. In this context, our doctor's office conducts personal data processing activities flexibly in accordance with the law and principle of good faith.
Ensuring that Personal Data are Accurate and Up-to-Date, if Required
DR. LİDA ÇİTELİ shows required level of effort to make sure that processed personal data are kept accurate and up-to-date in consideration of fundamental rights of personal data owners and its own legal rights. DR. LİDA ÇİTELİ takes required administrative and technical measures in this respect, and enables personal data owners to correct their personal data and to confirm the trueness of their personal data.
Processing Personal Data for Specified, Explicit and Legitimate Purposes
DR. LİDA ÇİTELİ determines the purpose of processing personal data specifically and explicitly, and conducts data processing activities in conformity with specified, explicit and legitimate purposes.
Personal Data Being Relevant, Limited and Proportionate to the Purposes, for which they are processed
DR. LİDA ÇİTELİ processes personal data in connection with data processing purposes and within limits that are required by such purposes. DR. LİDA ÇİTELİ refrains from processing personal data, which are not related with the purpose of processing data or which are not required.
Being Stored for the Period Laid Down by Relevant Legislation or the Period Required for the Purpose for which the personal data are processed
DR. LİDA ÇİTELİ holds personal data only for the period stipulated under relative legislation or only for the period required for the purpose, for which the personal data are processed. In this context, DR. LİDA ÇİTELİ detects whether any time is stipulated for keeping personal data under relative legislation at first, and if any time is stipulated for such purpose, DR. LİDA ÇİTELİ acts accordingly, and unless any time is stipulated for such purpose, personal data are kept for the period required for the purpose, for which the personal data are processed. In case such period is terminated or in case any reasons for processing any personal data do not exist any more, then we delete, destroy or anonymize your personal data. You may find detailed information on this issue at Chapter 5 of the present Policy.
Processing Personal Data According to Conditions for Processing Personal Data
DR. LİDA ÇİTELİ conducts personal data processing activities in conformity with data processing conditions for processing personal data, which are stipulated under the personal data protection legislation. In this context, personal data processing activities are conducted only in case of the existence of below data processing conditions:
Obtaining Explicit Consent of the Data Subject
Personal data may not be processed without the explicit consent of the data subject in accordance with the law. For DR. LİDA ÇİTELİ to be able to conduct the personal data processing activity, data subject must give his/her explicit consent for processing the data related with him/her with his/her free will, by being informed on the subject sufficiently, by leaving no room for doubt and by being limited with the purpose of data processing procedure.
Exemptions, in which Explicit Consent is not Requested for Processing Personal Data
DR. LİDA ÇİTELİ is entitled to process personal data without obtaining one's explicit consent, in case any of the below conditions that are stipulated under the law exist:
In case it is Stipulated under Laws Explicitly
Personal data of the data subject may be processed in conformity with the law and relative legal regulation, in case such issue is stipulated under laws explicitly.
Not Being Able to Obtain the Explicit Consent of the Data Subject due to Physical Disability and Obligation to Process Personal Data
Personal data may be processed without obtaining explicit consent, if it is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid. For example, personal data of the data subject may be processed, in case the consent of the data subject may not be obtained since he/she was unconscious or in case it is intended to protect the integrity of his/her life or body during any medical intervention.
Direct Relationship Between Establishment or Implementation of a Contract and Personal Data Processing Activity
Personal data may be processed, in case processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or implementation of a contract.
Obligation to Fulfil Personal Data Processing Liability so that DR. LİDA ÇİTELİ may Fulfil her Legal Liability
DR. LİDA ÇİTELİ shall be entitled to process the personal data of any data subject, in case she is obliged to do so in order to fulfil her legal liability.
Personal Data that are Made Public by the Data Subject in Person
Personal data that are made public by the data subject in person, i.e. that are announced to the public in any way whatsoever, may be processed without explicit consent.
Data Processing is Necessary for Establishment, Exercise or Protection of any Right
In case data processing is necessary for establishment, exercise or protection of any right, personal data may be processed without explicit consent.
Processing of Data is Necessary for Legitimate Interests Pursued by DR. LİDA ÇİTELİ
In case processing of data is necessary for legitimate interests pursued by DR. LİDA ÇİTELİ, personal data may be processed without explicit consent, provided that such processing does not violate fundamental rights and freedoms of the data subject.
Processing of Special Categories of Personal Data in Conformity with Processing Conditions
Special categories of personal data may only be processed with the explicit consent of relative data subject. However, in cases that are stipulated under laws, special categories of personal data may be processed with the explicit consent of relative data subject, except for data related with sexual life and personal health. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. Therefore, unless otherwise stated under the KVKK, personal health data may only be processed within the scope of explicit consent or by the personnel of the doctor's office, who are subject to the confidentiality obligation.
DR. LİDA ÇİTELİ takes measures that are defined by the Board in relation with processing and protection of special categories of personal data. DR. LİDA ÇİTELİ shows maximum sensitivity towards protection and safety of special categories of personal data, and applies carefully the technical and administrative measures that are related with protection of special categories of personal data, and required audits are being performed within the body of DR. LİDA ÇİTELİ.
Processing of Personal Data in conformity with Conditions of Transfer
DR. LİDA ÇİTELİ may transfer the personal data of any data subject and special categories of personal data to any third parties in the direction of the purposes of personal data processing and on the basis of the explicit consent of relative data subject, if any, and in case no such consent is obtained, by being limited with valid legal reasons, provided that required safety measures are taken. In this context, DR. LİDA ÇİTELİ acts in conformity with the personal data transfer conditions, which are stipulated under Article Nos.: 8 and 9 of the Law.
Domestic Transfer of Personal Data
DR. LİDA ÇİTELİ conducts domestic data transfer activities in conformity with data processing conditions in accordance with Article 8 of the Law (See Chapter Two, article nos.: 2.1, 2.2 and 2.3).
Transfer of Personal Data Abroad
DR. LİDA ÇİTELİ conducts data transfer activities abroad in conformity with data processing conditions in accordance with Article 9 of the Law (See Chapter Two, article nos.: 2.1, 2.2 and 2.3). In cases where personal data are transferred without obtaining explicit consent in accordance with the KVKK, the foreign country, to which personal data are going to be transferred, must satisfy one of the following conditions:
- Foreign country, to which personal data are going to be transferred, must be listed among countries, which provide sufficient level of protection, by the Board, and
- In case sufficient level of protection is not provided, data controllers in Turkey and in relative foreign country must undertake to provide adequate level of protection in writing and a permit must be obtained from the Board in this respect.
Buyer Groups, to which Personal Data are Transferred
In accordance with Article Nos.: 8 and 9 of the Law, DR. LİDA ÇİTELİ is entitled to transfer the personal data of data subjects to business partners, who provide service to DR. LİDA ÇİTELİ, to its suppliers, contractors, experts, brokers, banks and financial institutions, consultancy and audit firms, which provide support to DR. LİDA ÇİTELİ in various areas, such as law and tax etc., officers of the doctor's office, its shareholders, legally authorized public institutions and private persons, and service providers, which provide support to DR. LİDA ÇİTELİ domestically and abroad in terms of retention and archiving of personal data and information technologies (server, hosting, software and cloud computing etc.) so that they may continue to conduct their commercial activities and business processes. Classification of buyer groups, to which personal data are transferred, may be found in Chapter 3 of the present Policy.
In case of transfer of personal data, DR. LİDA ÇİTELİ makes sure that any third parties, to whom personal data are transferred, act in conformity with the present Policy. In this context, required protective regulations are added to contracts that are signed with any third parties, and also, relative technical measures are taken.
Chapter 3 – Categories Of Personal Data Processed By DR. LİDA ÇİTELİ, Purposes Of Processing And Transfer, And Buyer Groups, To Which Personal Data Are Transferred
Personal Data Categories
Categories of personal data, which are processed within the scope of personal data processing activities conducted by DR. LİDA ÇİTELİ, and relative explanations are provided below:
| Personal Data Categories | Explanation |
| --- | --- |
| ID Data | Data that contain ID details of the data subject: name-surname, Republic of Turkiye ID Number, marital status, sex, nationality, mother's-father's name and surname, date and place of birth and any other ID details, and various other documents that include such data, such as driver's licenses, identity cards, passports and birth certificates etc., and tax ID numbers, SGK (Social Security Institution) numbers etc. |
| Contact Data | Details that are used for contact purposes, such as telephone numbers, addresses, e-mail addresses and fax numbers etc., and various other documents that contain such details, such as residence certificates etc. |
| Personal Data of Family Members/Relatives | It refers to personal data, which are related with the family members and relatives of the data subject and which are collected within the scope of the activities of our doctor's office or which are collected to protect the legal and other interests of the doctor's office/relative data subject. For example: Contact details and detailed ID of family members etc. |
| Financial Data | It refers to any personal data, which are related with any information, documents and records that indicate the financial result of the legal relationship established between our doctor's office and data subject. For example: Credit card details, income details and IBAN number etc. |
| Employee's Personal Data | It refers to personal data, which are processed to obtain information that constitute the basis for establishment of personal rights of natural persons, provided that there is a labour relationship between our doctor's office and relative data subject. |
| Contact and Complaint Management Data | It refers to any personal data, which are obtained during collection and assessment of any types of requests or complaints related with our doctor's office. |
| Special Categories of Personal Data | It refers to personal data, which are determined in the law based on the principle of numerus clausus, and which may cause discrimination against data subjects, in case they are processed. For example: Medical data, including blood groups, biometric data and details on association memberships etc. |
| Process Security Data | It refers to personal data, which are processed to ensure technical, administrative, legal and commercial safety of the data subject and our doctor's office. |
Categories of Data Subject
Below you may find definitions and descriptions related with our clients, platform users, employees, employee candidates, business contacts (authorized representatives, shareholders and employees of suppliers, agencies, brokers, experts and institutions, with which we have similar relationships) and third parties, who are included to the scope of the present Policy.
| Data Subject Categories | Explanation |
| --- | --- |
| Clients | It refers to natural persons, who purchase, use or used the products and services that are provided by our doctor's office. |
| Website and Social Media Users | It refers to natural persons, who visit/visited and/or use/used various websites of our doctor's office, such as https://www.drlidaciteli.com/ etc., and our social media accounts etc. for any purpose. |
| Employees | It refers to natural persons, who have a labour relationship with our doctor's office. |
| Employee Candidates | It refers to natural persons, who make a job application to our doctor's office by any method and who submit their resumes and/or job application forms and relative details to the review of our doctor's office. |
| Officers of the Doctor's Office | It refers to natural persons, who are listed among the senior management of DR. LİDA ÇİTELİ and/or who are authorized to represent DR. LİDA ÇİTELİ and natural person representatives of legal persons. Board members are assessed with such scope. |
| Business Contacts (Natural person suppliers, contractors, natural person representatives of legal persons and experts) | DR. LİDA ÇİTELİ has business relationships with natural persons, natural person representatives of legal persons, employees, who are employed within the body of such persons, and any natural person experts within the scope of implementation of its activities. |
| Other Third Parties | It refers to any other natural persons, who are not included to any other data subject category. |
Classification of Personal Data Processed by DR. LİDA ÇİTELİ by Data Subjects
Aforementioned personal data subject categories and personal data categories, which are included to the scope of processing activity, are detailed by being matched in below table:
| Personal Data Categories | Explanation |
| --- | --- |
| ID Data | Patients, Clients, Website and Social Media Users, Employees, Employee Candidates, Contractors and Employees of Contractors, Suppliers and Employees of Suppliers, Experts and Other Third Parties |
| Contact Data | Patients, Clients, Website and Social Media Users, Employees, Employee Candidates, Contractors and Employees of Contractors, Suppliers and Employees of Suppliers, Experts and Other Third Parties |
| Personal Data of Family Members / Relatives | Patients, Employees |
| Financial Data | Patients, Clients, Employees, Employee Candidates, Contractors and Employees of Contractors, Suppliers and Employees of Suppliers, Experts and Other Third Parties |
| Employee's Personal Data | Patients, Employees, Employee Candidates |
| Communication and Complaint Management Data | Patients, Clients, Website and Social Media Users, Employees, Employee Candidates, Contractors and Employees of Contractors, Suppliers and Employees of Suppliers, Experts and Other Third Parties |
| Special Categories of Personal Data | Patients, Clients, Employees and Other Third Parties |
| Process Data | Patients, Clients, and Website and Social Media Users |
| Marketing Data | Patients, Clients, and Website and Social Media Users |
| Process Safety Data | Patients, Clients, Website and Social Media Users, Employees, Employee Candidates, Contractors and Employees of Contractors, Suppliers and Employees of Suppliers, Experts and Other Third Parties |
Purposes of Processing Personal Data
DR. LİDA ÇİTELİ conducts personal data processing activities in the direction of below purposes. Purposes of processing personal data are defined for each business unit clearly and in detail with correlation of business processes and personal data categories, and are recorded in the Personal Data Inventory of DR. LİDA ÇİTELİ.
- To make required plans, assessments and activities by business units of DR. LİDA ÇİTELİ to ensure that our clients benefit from services provided by DR. LİDA ÇİTELİ;
- To provide information on publicity activities, promotions, campaigns, offers, events and etc. by conducting advertisement and marketing activities for services provided by DR. LİDA ÇİTELİ, to be engaged in corporate communication activities, and to provide products and services by personalizing the same according to inclinations, usage habits and requirements of data subjects;
- To organize corporate communication activities and similar events, campaigns and invitations in this context, and to provide information on the same, and to conduct market research activities;
- To ensure corporate safety;
- To be engaged in statistical activities;
- To obtain data on the number, type, visiting frequency, behaviours of users and to obtain similar statistics to improve digital and virtual platforms, which are presented to clients and patients of DR. LİDA ÇİTELİ, and to provide an efficient and personalized experience to the users of website and social media accounts, and to provide personalized contents and advertisements based on the interests and requirements of the users of website and social media accounts;
- To follow and assess requests, suggestions and complaints presented by data subjects, and to be engaged in client satisfaction management activities and planning, statistics and satisfaction assessment activities in this context;
- To manage relations with contractors, agencies, experts, suppliers and firms, with which we have similar business relations, and to conduct business and commercial relations;
- To conduct relative processes within the scope of subcontracting applications and subcontracts;
- To ensure legal and commercial safety of DR. LİDA ÇİTELİ and persons, who have business relations with DR. LİDA ÇİTELİ (to plan administrative operations in relation with services provided by DR. LİDA ÇİTELİ, such as assessment and inspection of clients/contractors/suppliers (authorized representatives or employees), and legal adaptation process etc.);
- Exercise of legal rights, use of information regarding the transaction history as evidence in case of dispute after the termination of the legal relationship;
- Determination and implementation of commercial, legal and business strategies of DR. LİDA ÇİTELİ;
- Execution of financial affairs policies of DR. LİDA ÇİTELİ;
- Implementation of human resources policies and recruitment processes of DR. LİDA ÇİTELİ, control and inspection of employees and organization of employee rights, and fulfilment of legal liabilities that source from working relationships;
- Planning, control and execution of information security processes, and management of information technology infrastructure;
- To be engaged in planning and reporting activities, to prepare visitor/client statistics and similar reviews within the scope of the activities of DR. LİDA ÇİTELİ;
- Compliance with the relevant domestic legislation, provision of information requested by public institutions and organizations, and fulfilment of reporting obligations.
Methods and Reasons of Collecting Personal Data
DR. LİDA ÇİTELİ collects personal data of data subjects by following methods;
- Through the website of DR. LİDA ÇİTELİ, through various social media platforms, through e-mails, short messages (SMS) or multimedia messages (MMS) that are used within the scope of the activities of DR. LİDA ÇİTELİ,
- Through various other communication methods, including printed and electronic forms,
- Through contracts and policies signed within the scope of the activities of DR. LİDA ÇİTELİ, commercial offers that are presented, printed and electronic forms, documents and correspondences,
- Through business cards and other documents given by you within the scope of our meetings, and
- Through third parties via doctor's offices of DR. LİDA ÇİTELİ, its business contacts or firms, from which DR. LİDA ÇİTELİ supplies services/products; through various methods, either verbally, in writing or electronically, fully or partially automated or as part of any data recording system.
Personal data, which are collected in the direction of above methods, are kept, according to data processing conditions that are stipulated under Chapter 2 of the present Policy and in the direction of aforementioned personal data processing purposes, by conforming to periods that are stipulated under KVKK and other legislations and by taking any administrative and technical measures that are required.
Buyer Groups, to which Personal Data are Transferred
DR. LİDA ÇİTELİ may transfer the personal data, which are included to the scope of the present Policy, to below listed buyer groups in the direction of specified purposes in accordance with KVKK. Buyer groups, to which personal data are transferred, and transfer purposes are defined clearly and in detail by correlating personal data categories, and are processed to DR. LİDA ÇİTELİ Personal Data Inventory.
| Buyer Groups | Personal Data Transfer Purposes |
| --- | --- |
| Contractors and Subcontractors | Limited with fulfilment of purposes related with business relations established with Contractors and Subcontractors. |
| Suppliers and Business Partners | Limited with provision of services provided by our doctor's office and provision of services required to perform the activities of our doctor's office. |
| Legally Authorized Public Institutions and Organizations | Limited with purposes requested by concerned public institutions and organizations within the limits of powers delegated to them. |
| Legally Authorized Private Persons | Limited with purposes requested by concerned private persons within the limits of powers delegated to them. |
DR. LİDA ÇİTELİ transfers personal data in conformity with conditions that are stipulated under Chapter 2 of the present Policy.
Chapter 4 – Considerations Regarding Protection Of Personal Data
In accordance with Article 12 of KVKK, DR. LİDA ÇİTELİ takes all necessary technical and organizational measures to provide an appropriate level of security for the purposes of preventing unlawful processing of personal data, preventing unlawful access to personal data and ensuring protection of personal data within the bounds of possibility and category of the data that shall be protected, and thus, DR. LİDA ÇİTELİ performs required audits or hires other third parties to perform the same.
Ensuring Safety of Personal Data
Measures that are Taken to Prevent Unlawful Processing of Personal Data, to Prevent Unlawful Access to Personal Data and to Ensure Protection of Personal Data
Main technical measures that are taken to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure protection of personal data are as below:
- DR. LİDA ÇİTELİ takes technical measures to protect personal data to the extent permitted by technology and relative measures are updated. Inspections are performed regularly in order to ensure that relative measures are implemented.
- Software and systems are installed and used to ensure data safety, and data recording environments are protected via various software and systems, particularly by virus protection programs and firewalls, in order to prevent any unlawful internal or external interference with personal data.
- Authority to access personal data is limited in the direction of specified data processing purpose, and such powers are reviewed regularly.
- Technical safety systems are established for retention areas, safety tests and research are conducted to determine security gaps in information systems, and current or potential risks that are determined as a result of such tests and research are removed.
- Backup programs and systems that are lawful and consistent with technological developments are used in order to ensure that personal data are kept safely.
- Special categories of personal data that are transferred via flash memories, CDs and DVDs are encrypted before being transferred.
Administrative Measures that are Taken to Prevent Unlawful Processing of Personal Data, to Prevent Unlawful Access to Personal Data and to Ensure Protection of Personal Data
Main administrative measures that are taken to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure protection of personal data are as below:
- A Personal Data Protection Board has been established and is active within the body of DR. LİDA ÇİTELİ in order to ensure sustainability and conformity with laws.
- Employees of DR. LİDA ÇİTELİ are informed and trained on protection of personal data regularly, as well as processing of personal data lawfully.
- All of the activities that are conducted by DR. LİDA ÇİTELİ are analysed specific to each business unit in detail, and as a result of such analysis, personal data processing activities are defined in consideration of commercial activities that are performed by such business units, are processed to the personal data inventory, and are being updated by DR. LİDA ÇİTELİ regularly.
- Requirements, which must be fulfilled in relation with personal data processing activities that are conducted by business units of DR. LİDA ÇİTELİ, and which must be fulfilled to ensure the doctor's office conforms to personal data processing conditions, are defined for each business unit and detailed activity.
- Awareness is raised before relative business units and implementation rules are determined in order to meet requirements for conformity, and internal policies are implemented to ensure sustainability of such issues and practices, and inspections are being conducted.
- Provisions, which aim to ensure that personal data are processed and protected lawfully and are kept confidential, are added to contracts and documents signed with employees, third parties, clients, contractors, subcontractors, experts and other suppliers, and liabilities of parties are organized explicitly, and provisions, which impose sanctions against data processing activities that are in violation of the law and contract, are stipulated.
Inspection of Measures that are Taken to Protect Personal Data
DR. LİDA ÇİTELİ conducts required inspections within its body or hires any third parties to conduct the same in accordance with KVKK. Results of such inspections are reported to the Personal Data Protection Board, senior management and department, which is related with the subject, within the scope of internal activities of the doctor's office, relative actions are planned, and actions, which are planned to improve relative measures, are pursued by relative data subjects and Personal Data Protection Board.
Measures that shall be Taken, In case Personal Data are Disclosed Unlawfully
In case the personal data processed are obtained or disclosed by others by unlawful means, DR. LİDA ÇİTELİ shall communicate the breach to the data subject and notify the Board on such issue as soon as possible.
Protection of Special Categories of Personal Data
The law attributes great importance on a set of personal data due to the risk of causing relative persons to suffer damages and/or causing discrimination when they are processed unlawfully. Such data are personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data. DR. LİDA ÇİTELİ shows maximum level of sensitivity towards protection of special categories of personal data, which are defined as being included to a "special category" by law and which are processed lawfully.
DR. LİDA ÇİTELİ shows maximum level of sensitivity towards safety of special categories of personal data, and conducts required inspections within the body of the doctor's office in this respect.
Protection of the Legal Rights of Data Subjects
DR. LİDA ÇİTELİ protects all of the legal rights of data subjects by applying relative Policy and Law, and takes any measures required to protect such rights. You may find detailed information on rights of data subjects in Chapter 6 of the present Policy.
Chapter 5 – Considerations Regarding Retention And Disposal Of Personal Data
Data Retention Devices where Personal Data are Stored and Disposed of
Personal data, which are processed by DR. LİDA ÇİTELİ, may be stored in various devices based on various criteria, such as category of the data, processing purposes and usage frequency etc. In this context, DR. LİDA ÇİTELİ stores the personal data of data subjects in below environments safely in conformity with relative legislation, particularly in the direction of the provisions of KVKK.
Electronic environments:
- Servers: Central server, data central servers
- Software: Third party software in cloud infrastructure, software that varies by data processing purpose etc.
- Databases
- Electronic Devices: Network Devices, Computers, Laptops, Portable Media Devices (flash memories, hard disks etc.), Printers, Mobile Phones
Physical medium:
- Unit cabinets
- Physical archive of DR. LİDA ÇİTELİ
Personal Data Retention and Disposal Periods
DR. LİDA ÇİTELİ stores personal data for the purposes foreseen in relevant legislation or for a period required for the purpose, for which they are processed. In this context, DR. LİDA ÇİTELİ acts according to the period that is stipulated for retention of personal data under relative legislation at first, and unless such period is stipulated, then DR. LİDA ÇİTELİ stores personal data for the period that is required for processing the same in connection with services provided during processing such data. In case such period expires, in case the data subject withdraws his/her personal data or in case the purpose, for which the personal data is stored, does not exist any more, then DR. LİDA ÇİTELİ deletes, destroys or anonymises relative personal data. You may find the detailed information on the retention period of personal data, which are stored by DR. LİDA ÇİTELİ, in Annex-1 of the present Policy.
Legal, Technical and Administrative Reasons that Require Retention of Personal Data
If the purpose to process personal data no longer exists, in case the data subject withdraws his/her personal data or in case the retention periods, which are stipulated under relative legislation and/or by our doctor's office, expire, then;
- Personal data may be stored to the extent stipulated by laws and/or in conformity with periods stipulated by laws in order to fulfil various legal liabilities, such as providing evidence in possible future legal disputes, claiming rights regarding personal data or establishing the necessary defense etc. Such periods are determined on the basis of the limitation period for claiming the rights in question. In this case, stored personal data are not accessed for any other purpose; they are accessed only when they must be used in the relevant legal dispute.
- Data, which shall be disposed of by deletion, disposal or anonymization, may be stored until next periodic disposal date at latest.
- Personal data are deleted, disposed of or anonymized after the termination of aforementioned periods.
Legal, Technical and Administrative Reasons that Require Disposal of Personal Data
DR. LİDA ÇİTELİ disposes of the personal data that the doctor's office stores in following cases;
- In case purposes, which require processing of personal data, and reasons, which require retention of the same, are terminated,
- In case the data subject withdraws his/her consent, in cases where personal data processing procedure is performed by being subject to the condition of obtaining explicit consent only,
- In case the data subject requests disposal of his/her personal data by using his/her rights, which are included to the scope of KVKK and which are indicated in Chapter 6 of the present Policy, and in case such application is accepted by DR. LİDA ÇİTELİ or in case the Board resolves that such request is appropriate after receiving a complaint upon refusal of such request, and
- In case there is no condition, which may justify keeping personal data any longer, although the maximum period that requires retention of personal data has expired.
Retention of Personal Data Safely
DR. LİDA ÇİTELİ takes required technical and administrative measures to the extent permitted by technology in order to ensure that processed personal data are kept in safe environments and to prevent them from being disposed of for unlawful purposes, as well as from being lost or amended. You may find detailed information on personal data safety in Chapter 4 of the present Policy under the heading titled "Considerations Regarding Protection of Personal Data".
Below you may find main technical measures that DR. LİDA ÇİTELİ takes specific to retention of personal data:
- Software and systems, which may ensure safety of data, are installed in order to ensure that personal data are stored in safe environments.
- Technical safety systems are established for retention areas, safety tests and research are conducted to determine security gaps in information systems, and current or potential risks that are determined as a result of such tests and research are removed.
- DR. LİDA ÇİTELİ takes technical measures to the extent permitted by technology in order to protect personal data, and such measures are being updated. Inspections are conducted regularly in relation with application of such measures.
- Backup programs and systems that are lawful and consistent with technological developments are used in order to ensure that personal data are kept safely.
- Authority to access personal data is limited, and only authorized persons may access such data, solely for the purpose of storing such data.
Below you may find main administrative measures that are taken by DR. LİDA ÇİTELİ specific to retention of personal data:
- Employees of DR. LİDA ÇİTELİ are informed and trained on protection of personal data regularly, as well as processing of personal data lawfully.
Disposal of Personal Data in conformity with the Law
Main technical and administrative measures that are taken by DR. LİDA ÇİTELİ for disposal of personal data are as below:
- Provisions, which aim to ensure that personal data are processed and protected lawfully and are kept confidential, are added to contracts and documents signed with employees, third parties, clients, contractors, subcontractors, experts and other suppliers, and liabilities of parties are organized explicitly, and provisions, which impose sanctions against data processing activities that are in violation of the law and contract, are stipulated.
General Conditions Regarding Disposal of Personal Data
DR. LİDA ÇİTELİ disposes of personal data by deleting, destroying or anonymizing the same ex officio or upon the request of the data subject, in case the purpose, which requires processing and keeping personal data, disappears, although such personal data are processed in conformity with the law and provisions of other relative laws.
DR. LİDA ÇİTELİ acts in conformity with aforementioned technical and administrative measures, provisions of relative legislation, Board resolutions and present Policy during deletion, destruction or anonymization of personal data. Any procedures that are performed in relation with deletion, disposal and anonymization of personal data are recorded by DR. LİDA ÇİTELİ, and such records are kept for three years in minimum, except for other legal liabilities.
Unless the Board adopts a resolution to the contrary, DR. LİDA ÇİTELİ selects the suitable option out of the methods for deletion, disposal or anonymization of personal data. If requested by the relevant data subject, the suitable method is selected and applied by explaining the grounds for selecting that method.
Methods for Disposal of Personal Data
Deletion of Personal Data
It refers to the procedure of making personal data inaccessible and non-reusable by relative users. DR. LİDA ÇİTELİ may use below methods to delete personal data based on the recording medium, in which the data are recorded:
| Recording Medium | Data Disposal Method |
| --- | --- |
| Third party software in cloud infrastructure, various software on the basis of data processing purposes etc. | Giving Instruction to Delete |
| Various software on the basis of data processing purposes | Deletion via Software |
| Databases | Deletion by a Command from the Database |
| Data that are available in databases and servers | Termination of the Rights of Access of Relative User to the Directory where Relative File is Located and Giving Deletion Command |
| Softcopies and Hardcopies | Blanking (it refers to the procedure of cutting the personal data, which are available on a certain document, and making the same invisible in an unrecoverable way by using ink and making the same non-readable by using technical solutions.) |
Disposal of Personal Data
Disposal of personal data is the process of rendering personal data inaccessible, non-recoverable and non-reusable for the users concerned, by any means. DR. LİDA ÇİTELİ may use one or several of below methods to delete personal data based on the recording medium, in which such data are stored:
| Recording Medium | Data Disposal Method |
| --- | --- |
| Medium that keep data magnetically (Tape cartridges etc.) | Demagnetization (It refers to elimination of data available on any magnetic media by exposing the media to a high magnetic field via passing it through a special device.) |
| Medium where such data are stored magnetically and optically (DVDs, CDs, hard disks and etc.), Hardcopies and Softcopies | Physical Disposal (It refers to melting, incineration or pulverization of optical media and magnetic media; using physical disposal methods for hardcopies, such as shredders or incineration.) |
| Magnetic and rewritable optical medium (DVD-r etc.) | Rewriting (It is a process, in which the recovery of old data is prevented by writing random data of 0 and 1 at least seven times on the magnetic media and rewritable optical media.) |
| Media that store data magnetically (Tape hard disks etc.) | Disposal by “Block Erase” Command |
| Third party software in the cloud infrastructure | Encrypting the recording medium and destroying all of the copies of encryption keys as a result of the deletion procedure |
Anonymization of Personal Data
Anonymization of personal data means that the personal data cannot be associated with any identified or identifiable person, even by matching it with other data. In order to make the personal data anonymous, the personal data must be rendered unrelated to a specific or identifiable natural person, even when techniques suitable for the recording medium and relevant field of activity are used, such as the return of data by the data controller or recipient groups and matching the data with other data etc. DR. LİDA ÇİTELİ may use one or several of below methods to anonymize personal data:
- Removing the Variables: It is a method of anonymization provided by completely deleting one or more of the variables from the table.
- Removing the Records: In this method, anonymity is reinforced by removing a row containing a singularity from the data set.
- Generalization: It is the process of converting relevant personal data from a special value to a more general value.
- Regional Masking: In this method, the risk of predictability is reduced: if the combination of the values of a particular record creates a very visible condition that is likely to make the individual distinguishable in the relevant community, the value that creates the exception is changed to "unknown".
- Lower and Upper Limit Coding: The upper and lower limit coding method is applied by defining a category for a given variable and combining the remaining values within the grouping created by this category.
- Global Coding: A common and new group is created for selected values, and all records in the data set are replaced by this new definition.
- Sampling: In the sampling method, a subset from the cluster is described or shared, rather than the entire data set.
- Micro-Joining: With this method, all records in the data set are first arranged in a meaningful order and divided into subsets; then the average value of the specified variable is taken for each subset, and the value of that variable in the subset is replaced with the average.
- Data Exchange: The data exchange method refers to record changes obtained by exchanging values of a variable subset between the pairs selected from the records.
- Adding Noise: It refers to making additions and subtractions in order to achieve the determined distortions in a selected variable.
- Other statistical methods to strengthen anonymization (K-Anonymity, L-Diversity, T-Closeness etc.)
Periodic Disposal Periods of Personal Data
DR. LİDA ÇİTELİ deletes, destroys or anonymizes personal data in the first periodic disposal following the date when DR. LİDA ÇİTELİ is held liable to delete, destroy or anonymize personal data.
Periodic disposal period of DR. LİDA ÇİTELİ is 6 months, but DR. LİDA ÇİTELİ agrees that the Board may shorten the periods, which are stipulated under the present article and disposal periods table, in case there is potential for occurrence of irrecoverable and irreparable damages and in case laws are violated explicitly.
Unit Responsible for Retention and Disposal Processes of Personal Data
A "Personal Data Protection Committee" is established within the body of DR. LİDA ÇİTELİ in order to conduct personal data retention and disposal processes and to take necessary actions in accordance with the present Policy. Detailed information on this issue is provided in Chapter 7 of the present Policy.
Persons, who are among the members of the Personal Data Protection Committee, are liable to fulfil all of their responsibilities completely with regards to personal data retention and disposal processes as organized under the present Policy.
Chapter 6 – Rights Of Data Subjects And Considerations Regarding Usage Of Such Rights
Rights of Data Subjects in accordance with KVKK
In accordance with Article 11 of KVKK, data subjects have the right to take below actions in relation with their personal data by applying to DR. LİDA ÇİTELİ;
- To find out whether their personal data are processed,
- To request information if their personal data have been processed,
- To learn the purpose of processing personal data and whether they are used properly,
- To know the third parties to whom personal data are transferred domestically or abroad,
- If personal data are incomplete or processed incorrectly, to request correction of the same, and to request relative transactions to be notified to third parties, to whom personal data have been transferred,
- To request deletion or destruction of personal data and to request the notification of third parties, to whom personal data are transferred, in case grounds that require personal data to be recorded do not exist any more, although personal data have been processed in accordance with the provisions of KVKK and other relevant legislations,
- To object to the occurrence of any result, which is to the disadvantage of the data subject, arising from analysis of the processed data exclusively through automated systems,
- To request compensation, if the data subject suffers damage due to unlawful processing of personal data.
Conditions, in Which the Data Subject may not Exercise His/Her Rights
Data subjects may not make any claims with regards to any of the below cases within the scope of rights listed in Section 6.1 since below cases are excluded from the scope of KVKK in accordance with Article 28 of the Law:
- Processing of personal data by natural persons within the scope of activities that are completely related with the data subject or his/her family members, who live with the data subject, provided that relative personal data are not provided to any third parties and provided that liabilities that are related with safety of personal data are followed,
- Processing of personal data for various purposes, such as research, planning and statistics, by anonymizing them through official statistics,
- Processing of any personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, without prejudice to national defense, national security, public security, public order, economic security, privacy or personal rights,
- Processing of any personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to provide national defense, national security, public security, public order or economic security, and
- Processing of personal data by judicial authorities or enforcement authorities with respect to investigations, prosecutions, proceedings or executions.
Pursuant to Article 28/2 of the Personal Data Protection Law, data subjects may not exercise any of the rights, which are listed under Article 6.1 of the present Policy, in following cases, except for the right to claim damages:
- If any personal data are processed for crime prevention or crime investigation purposes.
- If any personal data that are made public by the data subject are processed.
- If any personal data must be processed for performance of supervisory or regulatory duties, and for conducting disciplinary investigations or prosecutions by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law, and
- If any personal data must be processed for protection of the economic and financial interests of the State in relation to budget, tax and financial matters.
Exercise of Data Subject's Rights
Data subjects may exercise their rights, which are stipulated under Article 6.1 of the present Policy, by completing the application form, a sample of which is available in Annex-2 of the present Policy and at https://www.drlidaciteli.com/, and by signing it with their wet signature, or by sending the same to the registered e-mail address of DR. LİDA ÇİTELİ with their secure electronic signature or mobile signature, or by sending the same to the e-mail address of DR. LİDA ÇİTELİ, which is notified earlier and which is registered in relative systems. The method that must be used while making such application is explained in detail in the "Application Form within the Scope of the Personal Data Protection Law", address of which is provided above.
If any data subject wishes to use such right via his/her agent, then relative data subject must forward documents, which are issued or approved by authorized authorities and which certify his/her identity, and supporting documents, if any, to DR. LİDA ÇİTELİ annexed to the application form.
Response of DR. LİDA ÇİTELİ to Applications
DR. LİDA ÇİTELİ shall conclude claims, which are referred to DR. LİDA ÇİTELİ, as soon as possible and within thirty days at the latest in consideration of the type of such claims. In case any cost accrues due to fulfilment of such claims, fees that are stipulated under the tariff issued by the Board may be claimed.
DR. LİDA ÇİTELİ may accept such claims and may also reject the same by providing relative grounds. DR. LİDA ÇİTELİ provides its response to the data subject in writing or in the electronic environment. In case the claim that is made in the application is accepted, DR. LİDA ÇİTELİ shall fulfil the requirements of the claim duly.
Right of the Data Subject to File a Complaint Before the Board
In case any application is rejected, in case the response given is found unsatisfactory or in case a response is not given to any claim timely, then relative data subject shall be entitled to file a complaint before the Board within thirty days from the date when he/she received the response of DR. LİDA ÇİTELİ and within sixty days from the application under any circumstances.
Chapter 7 – Governance Structure Of Processing, Retention And Disposal Of Personal Data
Unit Responsible for Processing, Retention and Disposal of Personal Data
DR. LİDA ÇİTELİ has established a "Personal Data Protection Committee" with the participation of authorities from various units in order to ensure that the doctor's office conforms to the personal data protection legislation, and in order to maintain, sustain, manage and improve such activities. The committee is authorized to make decisions and to present the same to senior management, and it conducts required coordination activities within the body of DR. LİDA ÇİTELİ.
Duties of the subject committee are as below:
- To coordinate and manage any activities, which are related with processing, retention, protection and disposal of personal data that are kept within the body of DR. LİDA ÇİTELİ, on the basis of business units,
- To prepare fundamental policies with regards to processing, retention, protection and disposal of personal data, and to submit the same to the approval of the senior management for being enforced.
- To ensure that policies, which are related with processing, retention, protection and disposal of personal data, are implemented, to manage the process of conformity to the legislation and policy made effective by the doctor's office, and to submit relative reports to the senior management.
- To coordinate communication made with data subjects within the scope of activities conducted by DR. LİDA ÇİTELİ under the title of data controller, and to conduct required organization activities for such purposes.
- To organize required activities and arrangements within the body of the doctor's office with regards to requests, demands, complaints and notifications provided by the Board, and to organize relative processes.
- To organize required activities and arrangements within the body of the doctor's office with regards to requests, demands, complaints and notifications referred by data subjects, and to organize relative processes.
- To update the personal data processing inventory and to monitor and report data processing activities, to process the same to the inventory, and to make necessary updates in VERBİS (Data Controllers' Registry Information System), in case there are any changes.
- To organize trainings to raise employees' awareness, to ensure continuation of trainings, and to measure efficiency of trainings.
- To increase awareness and to provide information in relation with processing, retention, protection and disposal of personal data within the body of DR. LİDA ÇİTELİ and in institutions, with which DR. LİDA ÇİTELİ collaborates.
- To decide how the inspection shall be conducted on personal data processing activities, and to establish coordination in this context.
- To determine technical and administrative measures, which third parties, who process personal data, take in relation with data safety, or to ensure that the same are determined, and to conduct inspections or to ensure that inspections are conducted.
- To detect risks, which may occur in personal data processing activities, and to ensure that necessary measures are taken, to submit action plans and improvement suggestions to the senior management, and to coordinate implementation of such measures.
- To make inspections within the body of the doctor's office to ensure conformity to KVKK, to make required organizations, if inspection services shall be outsourced, and to ensure that measures, which shall be taken in relation with detected risks, are determined and assessed.
- To participate in assessments by collaborating with consultant firms on Protection of Personal Data, and to submit reports.
- To monitor developments with regards to Board announcements and legislation, to ensure implementation of the same, if required, and to make required notifications.
- To manage process related with violation of data privacy, to define responsible person/teams and their duties, and to conduct reporting activities and corrective actions.
Chapter 8 – Updating, Conformity And Amendments
Updating and Conformity
DR. LİDA ÇİTELİ reserves its right to make amendments on the present Policy and on other policies, which are connected and related with the present Policy, due to amendments that are made on the Law, in accordance with Board resolutions or in the direction of developments in the sector or information systems.
Amendments that are made on the present Policy are applied on the text immediately and clarifications on amendments are provided at the end of the Policy.
Amendments
Policy for processing, protection and disposal of personal data is issued.
Annex-1 – Table For Retention And Disposal Periods Of Personal Data
| Process | Retention Period | Disposal Period [1] |
| --- | --- | --- |
| Replying to court/execution information related with employees, clients and third parties | For 10 years after termination of employment relationship | In 180 days |
| Employee Financing Processes | For 10 years after termination of employment relationship | In 180 days |
| Contracts signed with clients, contractors, suppliers and third parties | For 10 years after expiry of contract | In 180 days |
| Recruitment and payrolling | For 10 years after termination of employment relationship | In 180 days |
| Occupational health and safety practices | For 10 years after termination of employment relationship | In 180 days |
| Payment procedures | For 10 years after termination of employment relationship | In 180 days |
| Implementation of contract processes | For 10 years after termination of employment relationship | In 180 days |
| Creation and Maintenance of Employee's Personnel File | For 10 years after termination of employment relationship | In 180 days |
| Software system accounts created for employees, installation of process security information | For 1 year after termination of employment relationship | In 180 days |
| Management of clients' indemnity claims, making assessment on damages and losses | For 10 years after occurrence of damages | In 180 days |
[1] It refers to the period when the personal data, which are kept by DR. LİDA ÇİTELİ, shall be disposed of after expiry of the retention period.