Personal Data Protection Law

Protection of Personal Data

CONTENTS

INTRODUCTION

1. PURPOSE AND SCOPE OF THE POLICY
2. DEFINITIONS AND ABBREVIATIONS
3. GENERAL PRINCIPLES OF PROCESSING PERSONAL DATA
3.1. Compliance with the law and honesty rule
3.2. Accuracy and timeliness
3.3. Processing for specific, explicit and legitimate purposes
3.4. Processing data in a limited and measured way in connection with the purpose for which they are processed
3.5. Processing limited to the period stipulated by the provisions of the legislation or required by the purpose of processing
4. TERMS OF PROCESSING PERSONAL DATA
4.1. Terms of Processing Personal Data
4.2. Conditions for Processing Special Quality Personal Data
5. METHODS OF COLLECTING AND PROCESSING PERSONAL DATA
5.1. Personal Data Subject Groups
5.2. Data Categorization
5.3. Purposes of Collection and Processing of Personal Data of Personal Data Owners in Personal Data Subject Groups
5.4. Associating Data Subject Groups with Data Categories of These Persons
6. PRINCIPLES OF TRANSFERRING PERSONAL DATA
7. TRANSFER OF PERSONAL DATA ABROAD
7.1. Transfer of Personal Data Abroad
7.2. Transfer of Private Personal Data Abroad
8. STORAGE OF PERSONAL DATA
9. MEASURES RELATED TO THE PROTECTION OF PERSONAL DATA
9.1. Technical Measures
9.2. Administrative Measures
9.3. Supervision of the Measures Taken for the Protection of Personal Data
10. DATA CONTROLLER'S OBLIGATION TO INFORM
11. İZMİR PRIVATE CAN HOSPITAL'S ANSWER TO APPLICATIONS
11.1. İzmir Private Can Hospital's Response Procedure and Time to Applications
11.2. Information that İzmir Private Can Hospital may request from the Applicant Personal Data Owner
11.3. İzmir Private Can Hospital's Right to Reject the Application of the Personal Data Owner
12. REVISION AND REVOCATION
13. ENFORCEMENT
14. EXECUTION

INTRODUCTION

İZMİR ÖZEL CAN HASTANESİ ANONİM ŞİRKETİ (hereinafter referred to as “İzmir Private Can Hospital” or the “Hospital”) is located at Ataşehir Mah. 8019/16 Sok. No:18, in the center of Çiğli/İZMİR.

İzmir Private Can Hospital is the legal person responsible for the data within the scope of the Law No. 6698 on the Protection of Personal Data (hereinafter referred to as the "KVK Law").

Personal data owners are natural persons whose personal data are collected, processed and transferred in accordance with the KVK Law.

İzmir Private Can Hospital shows maximum sensitivity to the security of personal data. With this awareness, the personal data of personal data owners are processed and stored in accordance with the KVK Law No. 6698 and other legislation constituting the secondary regulations of the Law.

1. PURPOSE AND SCOPE OF THE POLICY

This Policy aims to ensure that the shareholders, officials, employees and business partners of İzmir Private Can Hospital implement the regulations that İzmir Private Can Hospital will introduce, within the framework of the basic principles explained below, in order to comply with the KVK Law.

In line with the basic regulations envisaged by this Policy, all kinds of administrative and technical measures will be taken in terms of processing and protecting personal data within the operation of İzmir Private Can Hospital, necessary internal procedures will be established, and all necessary training will be provided to raise awareness. Appropriate and effective control mechanisms will be established by taking all necessary measures to ensure that shareholders, officials, employees and business partners comply with KVKK processes.

This Policy regulates the obligations of İzmir Private Can Hospital in order to direct the internal functioning in accordance with the basic principles to be observed in all these processes and the regulations introduced by the KVK Law. The internal procedures to be established within the framework of the KVK Law and the relevant legislation and the harmonization activities to be carried out by İzmir Private Can Hospital regarding the protection of personal data will be organized. All employees of Izmir Private Can Hospital are obliged to act in accordance with the regulations introduced by this Policy, the KVK Law and all other relevant legislation while performing their duties.

In case of non-compliance with this Policy and the provisions of the relevant legislation, in addition to the criminal and legal liability stipulated by the provisions of the legislation, sanctions that may lead to the termination of the contract with just cause, depending on the nature of the event, will be applied in İzmir Private Can Hospital.

2. DEFINITIONS AND ABBREVIATIONS

Within the scope of the KVK Law, İzmir Private Can Hospital will have the title of data controller and will be registered in the VERBIS system. The first paragraph of Article 11 of the Regulation states: “Data controller obligations of legal entities residing in Turkey within the scope of the Law are fulfilled by the authorized body authorized to represent and bind the legal entity in accordance with the provisions of the relevant legislation, or by the person or persons specified in the relevant legislation. The body authorized to represent the legal entity may assign one or more persons regarding the obligations to be fulfilled in terms of implementation of the Law.”

Persons to whom the management and representation of the company have been assigned by the Board of Directors in accordance with the relevant articles of the TCC are responsible for the transactions and actions that take place within the limits of their authority under the TCC, TCC and TCK. In particular, they were elected as authorized to represent the company and testify before law enforcement, prosecutor's offices, public institutions and courts.

The Director of each department will be responsible for supervising and reporting to the Board of Directors and the Executive Board whether the Relevant Users in the departments act in accordance with this Policy and Disposal Policy prepared within the framework of the Law and Regulation.

3. GENERAL PRINCIPLES OF PROCESSING PERSONAL DATA

İzmir Private Can Hospital accepts that it will process the personal data remaining within the scope of this Policy in accordance with the following principles in line with Article 4 of the KVK Law:

3.1. Compliance with the law and honesty rule

İzmir Private Can Hospital, as a data controller and as a prudent trader, agrees to carry out its personal data processing activities in accordance with the provisions of the Constitution and the KVK Law, with the provisions of all legislation in force and to come into force, and with the honesty rule stipulated by Article 2 of the Civil Code.

3.2. Accuracy and timeliness

İzmir Private Can Hospital takes all necessary measures to ensure that personal data are accurate and up to date during processing, to the extent technically possible.

Administrative and technical mechanisms established by İzmir Private Can Hospital will be operated to correct and verify erroneous or outdated personal data, both upon requests made by the person concerned to İzmir Private Can Hospital as the data controller and in situations that İzmir Private Can Hospital itself deems necessary.

3.3. Processing for specific, explicit and legitimate purposes

Personal data is processed by İzmir Private Can Hospital in accordance with the law, limited to the services provided or to be provided with the requirements of the relevant legislation provisions, and the purpose of processing personal data is determined clearly and precisely before the data is processed.

3.4. Processing data in a limited and measured way in connection with the purpose for which they are processed

Personal data is processed by İzmir Private Can Hospital in connection with and limited to the purposes of processing and to the extent necessary for the realization of this purpose. In this context, it is essential to avoid the processing of personal data that is not related to the purpose of processing the data and that is not needed.

3.5. Processing limited to the period stipulated by the provisions of the legislation or required by the purpose of processing

Personal data is kept in line with the periods stipulated by the provisions of the relevant legislation or for the period required by the purpose of processing the data.

At the end of the period stipulated by the legislation provisions or at the end of the period required by the purpose of processing the data, personal data is deleted, destroyed or anonymized by İzmir Private Can Hospital. Necessary administrative and technical measures will be taken to prevent data from being retained at the end of the required period.

4. TERMS OF PROCESSING PERSONAL DATA

The processing conditions of personal data are regulated by the KVK Law, and personal data is processed by İzmir Private Can Hospital in accordance with the conditions stated below.

4.1. Terms of Processing Personal Data

Apart from the exceptions listed in the KVK Law, İzmir Private Can Hospital processes personal data only by obtaining the explicit consent of the data subjects.

In the case of the following conditions listed in the Law, personal data can be processed even without the explicit consent of the data owner:

- It is clearly stipulated in the law;
- It is compulsory for the protection of the life or physical integrity of the person himself or of another person, where the person is unable to express his consent due to actual impossibility or his consent is not legally recognized;
- It is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of that contract;
- It is mandatory for the data controller to fulfill its legal obligation;
- It has been made public by the data owner himself;
- Data processing is mandatory for the establishment, exercise or protection of a right;
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.

4.2. Conditions for Processing Special Quality Personal Data

İzmir Private Can Hospital shows special sensitivity in the processing of personal data of special nature, which is believed to be of more critical importance for data owners from various aspects. In this context, provided that adequate measures determined by the Board are taken, such data are not processed without the explicit consent of the data owners.

However, special categories of personal data other than health and sexual life data can also be processed without the explicit consent of the data owner in cases stipulated by law. However, data related to health and sexual life can be processed without obtaining explicit consent, provided that adequate precautions are taken and in the presence of the following reasons:

- Protection of public health;
- Preventive medicine;
- Medical diagnosis;
- Execution of treatment and care services;
- Planning and management of health services and their financing.

5. METHODS OF COLLECTING AND PROCESSING PERSONAL DATA

İzmir Private Can Hospital processes personal data of real persons based on the Personal Data Processing Inventory, which must be prepared in accordance with the KVK Law and within the scope of the 5th, 7th, 9th and 10th articles of the Regulation and must contain the information below.

Although this Policy does not contain a section titled "Personal Data Processing Inventory", where the following information is included under this heading and the following headings, the relevant items will be considered the "Personal Data Processing Inventory".

- Personal data processing purposes
- Data category
- Recipient group or recipient groups to which data is transferred
- Data subject person groups
- Association of the data category with the data subject person groups
- Personal data projected to be transferred to foreign countries
- Measures taken regarding data security
- The maximum period required for the purposes for which personal data is processed

5.3. Purposes of Collection and Processing of Personal Data of Personal Data Owners in Personal Data Subject Groups

İzmir Private Can Hospital processes the personal data of its shareholders and officials in order to carry out the activities written in the Introduction section within the framework of its legal obligations arising from the Turkish Commercial Code, Tax Procedure Law, Labor Law and other relevant legislation. These personal data are obtained from the records kept in official institutions regarding İzmir Private Can Hospital, from the minutes of the company's general assembly and board of directors meeting, from the documents kept regarding the corporate and management processes of the company.

İzmir Private Can Hospital records the data of the authorized real persons of the tenants who continue their activities under a lease agreement in the independent sections of the hospital, for the purposes of ensuring the performance of the lease agreement between the parties, ensuring that all tenants act in accordance with the rules, given the data controller's responsibility for the general security and order of the hospital, and, in case of violation of the obligations in the contracts, issuing warnings, initiating enforcement proceedings and lawsuits, and taking other measures.

The personal data of the tenants in the hospital are obtained through lease agreements, addendums, additional agreements, protocols, e-mail correspondence, and business cards given by the tenants themselves.

İzmir Private Can Hospital records the authorized real persons of the suppliers and subcontractors who assist in the performance of the hospital's activities, and the real person employees assigned by these suppliers and subcontractors to control whether they fulfill their duties and to ensure the order of the company's activities. Personal data of suppliers and subcontractors are obtained through e-mails sent and received as a result of communication with them, phone calls, and transfer of business card and website information.

İzmir Private Can Hospital requests and processes the personal data of the personnel and interns working within its body in order to complete the mandatory documents to be included in their personnel files under the Labor Law and the Occupational Health and Safety Law in effect, and to register them with the SGK. These personal data are obtained through the CVs they submit with their explicit consent at the employment and job application stage, job application forms, the CV viewing methods offered by human resources software programs (such as Kariyer.net, LinkedIn) that provide candidate pool services, and the answers they give with their consent to the questions asked during the interview.

İzmir Private Can Hospital requests and processes personal data from real persons applying for a job in order to communicate with the person for interview purposes during the recruitment process and to determine whether the person's qualifications and experience are compatible with the vacant position. These personal data are obtained when applicants send their CVs to the human resources department with their explicit consent, when they answer questions asked with their consent during the interview, or through the CV viewing methods offered by human resources software programs (Kariyer.net, LinkedIn) that provide advertisement publishing and candidate pool services.

İzmir Private Can Hospital records the data of the employees and authorized real persons of the business partners with which it cooperates, within the framework of the establishment of the business partnership. It records the personal data of these people in order to ensure that the services provided by the goods and service suppliers and necessary to carry out the commercial activities of the shopping center are provided in İzmir Private Can Hospital and to supervise this. These personal data are obtained from signed contracts, sent invoices, device delivery minutes, e-mail correspondence, telephone and other communications and business cards.

License plate information, information in the complaint and request form, and identity information of all visitors to the campus where İzmir Private Can Hospital operates are obtained in order to ensure the security of the campus. If people call the Call Center or the relevant departments of the hospital to convey their requests and complaints, their voice recordings are processed in order to ensure the quality of service. The data provided by individuals at the counter, at the desk or on the Wi-Fi login screen are processed for the purposes of ensuring the quality of service, carrying out the activities and for security reasons. Images of people who visit the İzmir Private Can Hospital campus for whatever reason are obtained by 24/7 security camera recording.

6. PRINCIPLES OF TRANSFERRING PERSONAL DATA

İzmir Private Can Hospital may transfer the personal data of data owners, which it collects within the scope of the personal data processing conditions specified in Articles 5 and 6 of the KVK Law No. 6698 and limited to the purposes specified in this Policy, to third persons and institutions in accordance with Articles 8 and 9 of the KVK Law.

The scope of the above-mentioned persons to whom the transfer is made and the data transfer purposes are stated below. These persons and institutions are:

a. Institutions and organizations affiliated with İzmir Private Can Hospital and its business partners,

b. Suppliers, tenants and subcontractors of İzmir Private Can Hospital,

c. Shareholders of İzmir Private Can Hospital,

d. Officials of İzmir Private Can Hospital,

e. Public institutions and organizations that are legally authorized to receive information,

f. Private law legal persons authorized to obtain legal information.

7. TRANSFER OF PERSONAL DATA ABROAD

İzmir Private Can Hospital can transfer personal data to foreign countries declared by the KVK Board to have adequate protection (“Foreign Country with Sufficient Protection”) or, in the absence of sufficient protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and the KVK Board has given its permission.

In this direction, İzmir Private Can Hospital acts in accordance with the regulations stipulated in Article 9 of the KVK Law.

7.1. Transfer of Personal Data Abroad

İzmir Private Can Hospital can transfer personal data to Foreign Countries with Sufficient Protection, or to foreign countries where the data controller undertakes sufficient protection, in line with legitimate and lawful personal data processing purposes, if the personal data owner has given explicit consent or, in the absence of explicit consent, in the presence of one of the following conditions:

- If there is a clear regulation in the law regarding the transfer of personal data;
- If it is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and the personal data owner is unable to express his consent due to actual impossibility or his consent is not legally valid;
- If it is necessary to transfer the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of that contract;
- If personal data transfer is mandatory for İzmir Private Can Hospital to fulfill its legal obligations;
- If the personal data has been made public by the personal data owner;
- If personal data transfer is necessary for the establishment, exercise or protection of a right;
- If personal data transfer is mandatory for the legitimate interests of İzmir Private Can Hospital, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

7.2. Transfer of Private Personal Data Abroad

İzmir Private Can Hospital, by showing due diligence, taking the necessary security measures and taking the adequate precautions prescribed by the KVK Board, can transfer the sensitive data of the personal data owner, in line with legitimate and lawful personal data processing purposes, to Foreign Countries with Sufficient Protection or to foreign countries where the data controller undertakes sufficient protection, in the following cases:

- If the personal data owner has given express consent, or
- If the personal data owner has not given express consent:
  - Special categories of personal data other than the health and sexual life of the personal data owner (race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law;
  - Personal data relating to health and sexual life, only for the protection of public health, the execution of preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing, within the scope of processing by persons or authorized institutions and organizations that are under an obligation of confidentiality.

As a rule, personal data obtained by İzmir Private Can Hospital is not shared abroad. The personal data of foreign nationals, Turkish nationals living abroad or people who come to İzmir Private Can Hospital through companies established in a foreign country can be shared with the relevant public institution, insurance company or intermediary institutions and organizations.

8. STORAGE OF PERSONAL DATA

The personal data we obtain are securely stored physically or electronically for an appropriate period of time in order for İzmir Private Can Hospital to carry out its medical and commercial activities.

Within the scope of these activities, İzmir Private Can Hospital acts in accordance with the obligations stipulated in all relevant legislation, especially the KVK Law, regarding the protection of personal data.

In the event that the purposes for processing personal data are terminated, personal data will be deleted, destroyed or anonymized ex officio by İzmir Private Can Hospital or upon the request of the relevant parties, with the exception of cases where personal data is allowed or required to be kept for a longer period of time in accordance with the relevant legislation.

In case of deletion of personal data by means of such methods, these data will be destroyed in a way that cannot be used again and cannot be recovered.

However, in cases where the data controller has a legitimate interest, personal data may be kept until the statute of limitations specified in the Code of Obligations or other legislation concerning İzmir Private Can Hospital, provided that it does not harm the fundamental rights and freedoms of the data subjects, despite the expiration of the purpose of processing and the periods specified in the relevant laws. After the expiry of the aforementioned statute of limitations, personal data will be deleted, destroyed or anonymized.

9. MEASURES RELATED TO THE PROTECTION OF PERSONAL DATA

İzmir Private Can Hospital takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the illegal processing of the personal data it processes, to prevent illegal access to the data and to ensure the preservation of the data, in accordance with the conditions determined in the KVK Law, and carries out the necessary inspections or has them carried out.

In the event that the processed personal data is captured by third parties through unlawful means, despite all technical and administrative measures having been taken, İzmir Private Can Hospital informs the relevant units as soon as possible.

9.1. Technical Measures

- Technical measures are taken in line with developments in technology, and the measures taken are updated periodically.
- Technical access and authorization solutions are implemented in accordance with the legal compliance requirements determined on the basis of business units.
- Access authorizations are limited and authorizations are reviewed regularly.
- The technical measures taken are checked periodically, risky issues are re-evaluated and the necessary technological solution is produced.
- Software and hardware including virus protection systems and firewalls are installed.
- Personnel knowledgeable in technical matters are employed and system vulnerabilities are checked.
- Security scans are run regularly to detect security vulnerabilities in applications where personal data is collected. The vulnerabilities found are closed.
- It is ensured that personal data is destroyed in a way that cannot be recovered and does not leave an audit trail.
- Penetration tests reveal the risks, threats and vulnerabilities, if any, regarding the information systems of our Company, and necessary precautions are taken.
- Necessary measures are taken for the physical security of our company's information systems equipment, software and data.
- Procedures are established and implemented for the distribution of access authorizations and roles, the authorization matrix is applied, accesses are recorded and inappropriate accesses are kept under control, and destruction processes in accordance with the storage and destruction policy are defined and implemented.
- Backup programs are used to keep personal data safe.
- Information systems are kept up to date and strong passwords are used in electronic environments where personal data is processed.
- Risks and threats that will affect the continuity of information systems are constantly monitored through real-time analysis with information security incident management.
- Session records are kept.
- In order to ensure the security of information systems against environmental threats, hardware and software measures (firewalls, network access control, systems that prevent malicious software, etc.) are taken.
- Risks are identified in order to prevent unlawful processing of personal data, appropriate technical measures are taken against these risks, and technical controls are carried out for the measures taken.
- Access procedures are established within the company, and reporting and analysis studies are carried out regarding access to personal data.
- Inappropriate access or access attempts are kept under control by recording accesses to the storage areas where personal data is stored.
- The Company takes the necessary measures to ensure that deleted personal data is inaccessible and not reusable for the relevant users.
- In case personal data is unlawfully obtained by others, a system and infrastructure has been established by the Company to notify the relevant person and the Board.
- Passwords are used in electronic environments where personal data is processed.
- Data backup programs are used to keep personal data safe.
- Access to personal data stored in electronic or non-electronic media is limited according to access principles.
- Users are provided with a unique username and password when logging into the systems.
- A separate policy has been determined for the security of sensitive personal data.
- Special quality personal data security trainings have been provided for employees involved in special quality personal data processing, confidentiality agreements have been made, and the authorizations of users who have access to data have been defined.
- Adequate security measures are taken for the physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entries and exits are prevented by ensuring physical security.
- If sensitive personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by using a KEP account. If it needs to be transferred via media such as portable memory, CD or DVD, it is encrypted. If it is required to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a "confidential" format.

9.2. Administrative Measures

- Employees are trained on technical measures to be taken to prevent unlawful access to personal data.
- Employees are given training on the KVK Law by the Legal Counsel.
- Personal data access and authorization processes are designed and implemented in İzmir Private Can Hospital in accordance with the legal compliance requirements for personal data processing on a business unit basis.
- İzmir Private Can Hospital has added, to all kinds of documents that regulate its relationship with its personnel and contain personal data, records stating that it is necessary to act in accordance with the obligations stipulated in the KVK Law in order to process personal data lawfully, that personal data should not be disclosed, that personal data should not be used unlawfully, and that the confidentiality obligation continues even after the termination of the employment contract with İzmir Private Can Hospital.
- Employees are informed that the personal data they learn cannot be disclosed to others in violation of the provisions of the KVK Law and cannot be used for purposes other than processing, and that this obligation will continue after they leave their job, and the necessary commitments are obtained from them in this direction.
- Provisions are added to the contracts concluded by İzmir Private Can Hospital with the persons to whom personal data are transferred in accordance with the law, stating that those persons will take the necessary security measures for the protection of personal data and ensure that these measures are complied with in their own institutions.
- If the processed personal data is obtained by others unlawfully, İzmir Private Can Hospital notifies the person concerned and the Board as soon as possible.
- İzmir Private Can Hospital employs personnel who are knowledgeable and experienced in the processing of personal data and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.
- İzmir Private Can Hospital carries out the necessary inspections, or has them carried out, in order to ensure the implementation of the provisions of the Law within its own legal entity.
- Confidentiality and security vulnerabilities as a result of audits
- İzmir Private Can Hospital is also responsible for ensuring that the third parties to whom it transfers personal data in accordance with the provisions of this Policy and the KVK Law fulfill their obligations to process and preserve the data lawfully and to access the data in accordance with the law, in accordance with the article of the KVK Law. For this reason, when transferring data to third parties, İzmir Private Can Hospital should obtain commitments, in contracts and all kinds of arrangements, that include providing these conditions and authorizing it to conduct audits. İzmir Private Can Hospital should also specifically inform all its personnel about the responsibilities arising from the processes of transferring personal data to third parties.
- Trainings are provided on prevention of illegal processing of personal data, prevention of illegal access to personal data, ensuring the protection of personal data, communication techniques, technical knowledge, skills and other relevant legislation in order to improve the quality of employees.
- Confidentiality agreements are signed by the employees regarding the activities carried out by the company.
- A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
- Before starting to process personal data, the Authority fulfills its obligation to inform the relevant persons.
- A personal data processing inventory has been prepared.
- It is ensured that our employees are trained and informed about the legal processing of personal data.
- It is ensured that personal data that is not needed is deleted, destroyed or anonymized.
- All reasonable precautions are taken to prevent theft, loss or corruption of information.
- A disciplinary procedure is applied for employees who do not comply with security policies and procedures, and the obligation to inform the relevant persons is fulfilled.
- Periodic and random audits are carried out within the company and information security trainings are provided for the employees.

9.3. Supervision of the Measures Taken for the Protection of Personal Data

Within the scope of the KVK Law, İzmir Private Can Hospital will have the title of data controller and will be registered in the VERBIS system.

The first paragraph of Article 11 of the Regulation states: “Data controller obligations of legal persons residing in Turkey within the scope of the Law are fulfilled by the body authorized to represent and bind the legal entity in accordance with the provisions of the relevant legislation, or by the person or persons specified in the relevant legislation. The body authorized to represent the legal entity may assign one or more persons regarding the obligations to be fulfilled in terms of implementation of the Law.”

Persons to whom the management and representation of the company have been assigned by the Board of Directors in accordance with the relevant articles of the TCC are responsible for the transactions and actions that take place within their authority, within the scope of the TCC, UK and TCC.

In particular, they have been appointed as authorized to represent the company and to make statements before law enforcement, prosecutors' offices, public institutions and courts.

The Director of each department will be responsible for supervising and reporting to the Board of Directors and the Executive Board whether the Relevant Users in the departments act in accordance with this Policy and Disposal Policy prepared within the framework of the Law and Regulation. In cases that require a decision to be taken, the decision taken will be put into practice following the decision of the Board of Directors after the opinion of the Legal Counsel is taken.

10. DISCLOSURE OBLIGATION OF THE DATA CONTROLLER

İzmir Private Can Hospital informs the personal data owner of their rights in accordance with Article 10 of the KVK Law and guides the personal data owner on how to use these rights.

İzmir Private Can Hospital establishes the necessary channels, internal processes, and administrative and technical arrangements in accordance with Article 13 of the KVK Law in order to evaluate the rights of personal data owners and to provide necessary information to personal data owners.

Within the scope of Article 10 of the KVK Law, data owners must be informed before or at the latest during the acquisition of personal data. The information to be conveyed to the data owners within the framework of the said disclosure obligation is as follows:

Identity of the data controller and its representative, if any,
For what purpose personal data will be processed,
To whom and for what purpose the processed personal data can be transferred,
Method and legal reason for collecting personal data,
Other rights listed in Article 11 of the KVK Law.

In order to fulfill its obligation of disclosure, İzmir Private Can Hospital has prepared disclosure statements on the basis of the process and the persons whose data are processed, to be submitted to the data owners within the scope of the above-mentioned KVK Law provision.

After the disclosure statements were submitted to the data owners, explicit consent statements were also prepared for data processing activities and data categories that require the explicit consent of the data owner in order for Izmir Private Can Hospital to carry out its activities.

On the other hand, İzmir Private Can Hospital has no obligation to inform in cases listed under Article 28(1) of the KVK Law.

11. İZMİR PRIVATE CAN HOSPITAL'S ANSWER TO APPLICATIONS

11.1. İzmir Private Can Hospital's Response Procedure and Time to Applications

If the personal data owner forwards a request to İzmir Private Can Hospital in accordance with the procedure in section 11.1.2 of this section, İzmir Private Can Hospital will conclude the relevant request free of charge within thirty days at the latest, depending on the nature of the request.

However, if a fee is foreseen by the KVK Board, the fee in the tariff determined by the KVK Board will be charged to the applicant by İzmir Private Can Hospital.

11.2. Information that İzmir Private Can Hospital may request from the Applicant Personal Data Owner

İzmir Private Can Hospital may request information from the person concerned in order to determine whether the applicant is the personal data owner. In order to clarify the matters raised in the application of the personal data owner, it may ask the personal data owner questions about the application.

11.3. İzmir Private Can Hospital's Right to Reject the Application of the Personal Data Owner

İzmir Private Can Hospital may reject the application of the applicant in the following cases by explaining the reason:

Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
The processing of personal data is necessary for the prevention of crime or for criminal investigation.
Processing of personal data made public by the personal data owner.
Personal data processing is required by authorized public institutions and organizations, and by professional organizations in the nature of public institutions, for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution based on the authority granted by the law.
The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
The possibility that the personal data owner's request may impede the rights and freedoms of other persons.
Making demands that require disproportionate effort.
The requested information is publicly available.

12. REVISION AND REVOCATION

In case this Policy is revised or repealed, the revised version of the Policy or a new policy sample will be announced in the relevant places.

13. ENFORCEMENT

This Policy enters into force on 28.01.2018.

14. EXECUTION

All department Directors are responsible for the follow-up and coordination of all works and transactions within the scope of the KVK Law and the regulations of the Data Protection Board of the board of directors of İzmir Private Can Hospital, which is responsible for fulfilling the obligations of the data controller and the data controller for the execution of this Policy.