GDPR

Policy on Protection and Processing of Personal Data

1. OBJECTIVE AND SCOPE

Aegean Health Office Sağlık Turizmi ve Danışmanlık Tic Ltd Şti, hereinafter referred to as “AHG” or “Company”, adopts personal data protection and privacy as a corporate culture. As part of the activities carried out, the Company pays strict attention and makes maximum effort to process and protect the personal data of the relevant parties in compliance with applicable legal norms and universal rules of law. The Company is the Data Controller of the data you provided us, including data associated with this web site, and it processes and protects the personal data within the scope of this Policy.

This PDP Policy covers the personal data of the related parties other than our employees, which are processed either automatically in whole or in part by Company as the data controller or through non-automatic methods as part of any data recording system. This PDP Policy indicates how the principles and procedures revealed by the relevant legislation are applied in PDP procedures of the Company.
Applicable legislation, secondary regulations, and universal rules of law in this respect shall initially apply for the protection and legal processing of personal data. In case of disputes between our PDP Policy and the applicable relevant regulations, applicable regulations shall prevail.

The Company may change this Policy from time to time; therefore, please check it again when using our services to be sure you are seeing the current Policy.

2. DEFINITIONS

ABBREVIATION

DEFINITION

“Explicit Consent”

Consent regarding an issue based on disclosure and expressed through free will.

“Disclosure Liability”

The liability of the Company regarding the information given to the related parties by the Data Controller or the parties authorized by the Data Controller during the acquisition of the personal data pursuant to Article 10 of PDP Law and Communique on Principles and Procedures to be followed regarding Disclosure Liability.

“Relevant Party”, “Data Subject”

Natural persons, who are the data subjects whose personal data are processed by the Company or the parties/organizations authorized on behalf of the Company.

“Destruction”

Erasure, destruction, or anonymization of personal data.

“Personal Data”

Any information relating to an identified or identifiable natural person

“Anonymization of Personal Data”

Rendering personal data impossible to link with an identified or identifiable natural person, including matching them with other data.

“Processing of Personal Data”

Any operation which is performed on personal data, wholly or partially by automated means or non-automated means, which form part of a data recording system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, and preventing the use of the same.

“Erasure of Personal Data”

Rendering personal data impossible to be accessible or reusable by the relevant parties.

“Destruction of Personal Data”

Operation carried out to make the personal data inaccessible, unrecoverable, and non-reusable by anybody in any way.

“Board”

Turkish Personal Data Protection Board

“Agency”

Turkish Personal Data Protection Agency organized and operating under the Board

“PDP Law”

Turkish Law no. 6698 on Protection of Personal Data

“GDPR”

The General Data Protection Regulation of European Union

“Law”

PDP Law, GDPR and all the other related law and regulations together

“PDP Policy”

Policy on Protection and Processing of Personal Data, adopted by the Company

“Special Categories of Personal Data”

Biometric and genetic data of the parties as well as the data regarding their race, ethnic origin, political opinion, philosophical belief, religion, communion or other beliefs, appearance, association, foundation or union membership, health, sexual life, penal condemnation, and safety measures.

“Creating Profile”

The use of automatic instruments to process personal data in order to solve certain things about people such as analyzing or estimating their performances in their activities, reliability, economic status, personal preferences, interests, attitudes, positions or activities.

“Company”

Aegean Health Office Sağlık Turizmi ve Danışmanlık Tic Ltd Şti

“VERBIS”, “Registry”

Data Controller Registry Data System maintained by Turkish Personal Data Protection Agency.

“Data Processor”

The natural or legal person who processes personal data on behalf of the data controller upon its authorization.

“Data Controller”

The natural or legal person who determines the purposes and means of processing personal data and that is responsible for the establishment and management of the data recording system.

3. PERSONAL DATA PROCESSING

3.1. Personal Data Categories and Purpose of Processing

Subject to and restricted to at least one of the conditions specified in Articles 5 and 6 of PDP Law for the processing of personal data, the Company processes the data in accordance with the data processing objectives set out in the Turkish Data Controllers Information System (VERBIS) and in compliance with, notably, the principles stated in Article 4 of PDP Law and Article 5 of GDPR regarding the processing of personal data and the general principles set forth in the Law. The Company informs the relevant parties about the data processing categories and objectives in the disclosure texts pursuant to Article 10 of PDP Law and Article 13 of the GDPR and the secondary legislation thereof.

3.2. Personal Data Collection Method

The Company collects the personal data electronically or in writing, in physical and electronic environments, in accordance with the conditions of personal data processing set out in PDP Law and this PDP Policy.
While acquiring the personal data, the Company adopts it as a principle to act in compliance with law. Company collects the data from the third parties as required by the activities of the company through data protection/transfer agreements and only to the extent as required by such activities and it takes actions to provide safety of data in this respect.

3.3. Relevant Party Disclosure

Pursuant to Article 10 of PDP Law and Article 13 of GDPR and the provisions of Turkish Communique on Principles and Procedures to be followed regarding Disclosure Liability, the Company informs the relevant parties during the acquisition of the personal data about the data controller of the personal data, data collection methods, the legal cause, and purposes of processing, to whom and for which objectives the personal data are transferred, and the rights owned by the relevant parties as part of the processing of personal data.

3.4. Basic Principles Regarding Personal Data Processing

The Company follows the “General Principles” which are identified as compulsory to be followed while performing the personal data processing activities specified in Article 4 of PDP Law and Article 5 of GDPR.

3.4.1. Processing in compliance with Law and Good Faith

The Company manages personal data processing procedures in compliance with legal norms, international rules of law and good faith; informs the relevant parties as required to ensure the transparency of the processes; and considers the interests and reasonable expectations of the relevant party in these processes. In this context, the results of data processing activity, which are unexpected by the relevant party and that are not required to be expected, are prevented by the Company.

3.4.2. Ensuring Accuracy and Actuality of Personal Data (If needed)

As a rule, the personal data are processed as declared, and upon declaration of the relevant parties. Just as the Company is not obliged to investigate the accuracy of the data declared by the relevant parties, it is not allowed to carry out such an application as required by law and the working principles. The data are acknowledged to be accurate as declared. The Company shows required reasonable attention and care to keep the personal data accurate and up-to-date within its legal entity and that the same would not contain any misinformation. If the amendments to the processed personal data are informed to the Company by the relevant party, the Company takes action to ensure establishment of the required administrative and technical mechanism so that the personal data could be revised in the relevant database.

3.4.3. Processing for clear, explicit, and legal objectives

The company reveals its legal and lawful data processing purposes in a clear and explicit manner before starting personal data processing activity and it processes the personal data to the extent such data are in connection with the products and services of the company and as required for the same.

3.4.4. Relevance, Boundedness and Temperance with Purpose of Processing

Personal data are processed in connection with the purposes determined by the Company and disclosed to the relevant person and in a restricted and measured manner. In consideration of the balance between the processing of the data and the objective, which is desired to be achieved, the Company pays attention that processing is made to realize such objective.

3.4.5. Storage as required and envisaged by the respective legislation, and the time of purpose of processing

Company shall maintain the personal data as stipulated by the legislation and until the time required by the purpose of the processing. However, the personal data are deleted, disposed, or anonymized when the period anticipated by law terminates or the entire purposes of the processing have been removed. As a data controller, the Company has determined the storage times, disposal periods and the technical and administrative measures to be applied during retention in the Personal Data Storage and Disposal Policy and the Company knows that it is liable to store the personal data in compliance with these principles.
These principles are applied regardless of whether the Company processes the personal data based on explicit consent or in compliance with the other conditions of data processing. At this point, the Company processes the personal data in accordance with the conditions of data processing and the general principles and it further fulfills its liability to inform the relevant parties.

3.5. Conditions of Personal Data Processing

The Company processes the personal data upon explicit consent of the relevant party or in accordance with the terms and conditions in case of availability of one or several of the other conditions of data processing. If the processed personal data are special category of the personal data, the conditions which are stated under the following title of “Processing Special Category of Personal data” in this Policy are applied.

3.5.1. Explicit Consent of Relevant Party

This data processing condition shall apply if the explicit consent of the relevant party regarding a certain subject, which is given based on information and with free will, is available. Explicit consent obtained from the relevant party is maintained by the Company in a provable manner until the period required by PDP legislation. In case of availability of the following data processing conditions, personal data may be processed without any requirement for the explicit consent of the relevant party.

3.5.2. Explicit Consent of Relevant Party

This data processing condition shall apply if there is an explicit provision regarding the processing of such personal data in the relevant legislation.

3.5.3. Failure to receive the consent of related party due to actual impossibility

If it is compulsory to process any personal data to protect the life or bodily integrity of the person or any other persons, who are unable to disclose their consent due to actual impossibility or whose consent is not legally validated, the data of the relevant party are processed based on this condition of data processing.

3.5.4. Direct Relevance with Execution or Performance of an Agreement

If it is required to process the personal data on condition that it is directly in association with the execution or performance of any contract, which the relevant person is a party thereto, processing takes place based on this condition of data processing.

3.5.5. Data Controller Requirement to fulfil Legal Liability

If it is required to process the personal data so that the Company could fulfill its legal obligations, processing takes place based on this condition of data processing.

3.5.6. Disclosure of Personal Data by the Relevant Party

The personal data, which are made public by the relevant party in person, are only processed as limited by the purpose of such disclosure.

3.5.7. Compulsory Data Processing to establish, use or protect a right

If it is required to process the data to establish, use or protect any right, the data of the relevant party are processed based on this condition of data processing.

3.5.8. Compulsory Data Processing for Legal Interests of Data Controller

If it is required to process the data for the legal benefits of the company on condition that fundamental rights and freedoms of the relevant party are not damaged, the data of the relevant party are processed based on this condition of data processing.

3.6. Processing Special Category of Data

The Company processes special category of the personal data by taking any essential administrative and technical measures, in compliance with the additional measures announced by Personal Data Protection Board and in case of availability of one of the following data conditions of data processing:

3.6.1. Availability of explicit consent of the Relevant Party.

3.6.2. Requirement by law the processing of special category of personal data other than the health and sexual life.

3.6.3. Processing the data regarding the health and sexual life to protect public health, carry out preventive medicine, medical diagnosis, treatment and care services and plan and manage health services and financing of such services by the parties under confidentiality obligation

3.7. Transfer of Personal Data

3.7.1. Domestic Transfer of Data

The Company transfers the personal data of the employees, including the special category of personal data as required by the regulations included in Article 8 of PDP Law, based on the purposes of processing personal data stated during disclosure to the third parties (i.e., the real or legal third parties, authorized institutions, and organizations) and by taking the required administrative and technical measures. Transfer recipient groups of the Company are set out in VERBIS application.

The Company acts lawfully in data transferring activities. Data transfer to third parties to whom the personal data are transferred is carried out only to the extent required by their business activities and the contractual relation thereof; transfer recipient groups, which are the data processors, are instructed through data transfer contracts in accordance with data security.

3.7.2. Overseas Transfer of Data

Company may transfer the personal data overseas only as required by the regulations included in Article 9 of PDP Law and Articles between 44 to 48 of GDPR and by taking the required administrative and technical measures. This transfer is possible only upon realization of one of the following conditions:

3.7.2.1. To the foreign countries, which are stated to have adequate protection by the Board; or

3.7.2.2. In case of lack of sufficient protection, without seeking the explicit consent of the relevant party, if the data controllers in Turkey and the foreign country have guaranteed sufficient protection in writing and upon permission of the Board.

3.7.2.3. If one of the foregoing two conditions is not met, the personal data can be transferred overseas only upon the explicit consent of the data subject.

In case of availability of one of the foregoing conditions, the Company may transfer the personal data to information, archive companies or to the cloud service companies to provide data safety and for the infrastructure and services required for corporate electronic communication channels; to the foreign origin platforms and applications for service delivery through immediate messaging or online communication channels, which are widely and inevitably used today. Furthermore, the Company may transfer the foreign personal data to the suppliers to carry out supply of goods and services from the foreign suppliers and to the Global Partner of the Company pursuant to its business activities.

3.8. Storage and Destruction of Personal Data

As a data controller, the Company has determined storage times, disposal periods and the technical and administrative measures to be applied during retention in the Personal Data Storage and Disposal Policy and stated such periods separately for any category of personal data in VERBIS system. The Company knows that it is liable to store the personal data in compliance with these principles.

Pursuant to PDP Law, personal data are collected up to the period stipulated in the relevant legislation or as required by the purpose of processing. At the end of such periods, the personal data are deleted, destroyed, or anonymized by the Company at the end of the periodical destruction period specified in the relevant Policy pursuant to Regulation on Erasure, Destruction or Anonymization of Personal Data, or such data are anonymized so that the same could be used for analytical purposes. For further information please refer to the contact information included in this Employee PDP Policy.

4. PERSONAL DATA PROTECTION

Company takes technical and administrative measures based on the technological means and application costs to ensure lawful processing of personal data. Technical and administrative measures, which are taken for personal data protection, are applied with care and additional precautions in terms of special category of personal data and the required audits are performed periodically within the Company at the highest level and such measures are stated in VERBIS application.

Company has taken any proper safety measures to ensure processing of personal data only within the scope of the purposes set out in VERBIS system and reduce the risks such as ill-intentioned use, unauthorized access to, transfer, destruction, or amendment of personal data. These security measures also include the other measures taken about the issues such as transfer of personal data to the countries which fail to provide sufficient level of protection.

Personal data are confidential, and the Company acts in accordance with such confidentiality. Personal data can be accessed only by the persons, who are authorized to do so within the Company. In this context, it is ensured that the software is in accordance with the standards, the third parties are selected meticulously and that they would follow the applicable PDP Policy within the Company.

If the personal data are damaged or seized by unauthorized third parties due to attacks to the platforms operated by the Company or the system of the Company, although the Company takes essential data safety measures, the Company acts immediately to eliminate such breach and minimizes the damage of the related party. The Company informs the relevant parties and the Board immediately and takes necessary precautions.

5. THE RIGHTS OF RELATED PARTIES ON PERSONAL DATA AND EXERCISE OF SUCH RIGHTS

5.1. The Rights of Related Parties

According to the Constitution of the Republic of Turkey, everybody has the right to ask for the protection of their personal data. In this context, the rights of the relevant party on the personal data are listed in Article 11 of PDP Law and Articles between 12 to 23 of GDPR as follows:

  1. To learn if the personal data are processed,

  2. To request information regarding processed data,

  3. To ask about the sources from which the personal data were collected, in case that it is not the data subject,

  4. To learn the purpose of processing of personal data and whether such data are used as required,

  5. To learn the categories of processing of personal data,

  6. To learn recipients or categories of recipient to whom the personal data have been or will be disclosed,

  7. To learn the envisaged period for which the personal data will be stored,

  8. To know the domestic or foreign third parties to whom the personal data are transferred,

  9. To request correction of personal data in case of incomplete or misprocessing of the data,

  10. To request erasure or disposal of personal data in accordance with the conditions set out in Article 7 of PDP Law and Article 17 of GDPR,

  11. To obtain from the controller restriction of processing where one of the conditions set out in Article 18 of the GDPR applies,

  12. To request a copy of the personal data undergoing processing,

  13. To receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided under the scope of Article 20 of the GDPR,

  14. To request notification of the third parties to whom the personal data are transferred about such erasure, disposal, or correction operations,

  15. To object to any outcome to the contrary of the data subject thereby analyzing the processed data exclusively through automatic systems under the scope of PDP Law and Article 22 of the GDPR,

  16. To claim indemnification of loss if the data subject incurs any loss due to processing of personal data contrary to PDP Law or GDPR,

  17. To lodge a complaint with a supervisory authority.

5.2. Exercising the Rights of the Related Parties

The relevant party may communicate its requests as part of the above-stated rights in writing to the registered electronic mail (REM) address of the Company via safe electronic signature, mobile signature or by making use of the electronic mail address which has been notified to the Company by the relevant party in advance and is registered within the Company’s system. The relevant party may use the “Data Subject Application Form”, which is available on the website of the Company, for the application. Such an application must include:

  1. Name, surname, and signature if the application is in writing,

  2. T.R identity number for the citizens of Republic of Turkey, nationality, passport number or the identity number (if any) for the foreigners,

  3. Notification address or the address of the workplace,

  4. Electronic mail address (if any) for notification, telephone, and fax number,

  5. And the subject of the request.

Furthermore, it is essential to attach the data and documents regarding the issue to the application. The applications will only be considered if the applications are in Turkish. A special power of attorney, which is issued on behalf of the relevant parties through notary public, must be available so that third parties could make an application for the relevant parties.

5.3. Evaluating and Replying to the Applications of the Related Parties

As set out in this policy, if the employees, as a relevant party, forward their requests regarding their above-mentioned rights to the Company in compliance with the application procedures stipulated in Turkish Communique on Principles and Procedures for Application to Data Controller in any event, the Company shall reply to this request as soon as possible based on the nature of such request and free of charge within 30 (thirty) days as from the date of application at the latest. However, the Company is entitled to receive the fee specified in the tariff by the Board if the transaction requires an additional cost.

In written applications, the application date is the date on which the document is notified to the data controller or the representative of the data controller. In the applications made with other methods, the date on which the application is received by the data controller is the application date.

6. RELEVANCE OF PDP POLICY WITH OTHER POLICIES

In the policies, the Company states the application principles, which are determined for the protection of the personal data and disclose such policies to the public to the extent they are related. All Company policies prepared in this respect constitute a whole and the regulations complete one another. In this way, the Company aims to ensure transparency and accountability by informing the relevant parties about the processing of personal data.

7. ENFORCEMENT OF PDP POLICY AND AMENDMENTS TO THE POLICY

This PDP Policy is published on the website of the Company and enters into force on the date when it is published. Company may amend this PDP Policy at any time. Such amendments enter into force on the day when the recently amended PDP Policy is released.

8. CONTACT US

In case of any questions regarding this PDP Policy or our approach to the processing and protection of personal data, or if you would like to exercise any one of the rights set out in this Employee PDP Policy, please contact us in one of the following ways:

Aegean Health Office Sağlık Turizmi ve Danışmanlık Tic Ltd Şti
Address: Mansuroğlu Mh. 286/1 Sk. No:1 Ontan Rezidans Kat:1 Ofis:113 Bayraklı / İzmir 35535
Telephone: +90 535 976 60 66
Email: info@aegeanhealthgroup.com
REM Address: aegeanhealth@hs01.kep.tr
