Personal Data Protection and Processing Policy

Este Medical Group (data controller) prioritizes the protection of personal data of its clients, employees, and other individuals it interacts with in accordance with the high standards of service quality, respect for individual rights, transparency, and integrity, as regulated by the Personal Data Protection Law. Ensuring patient privacy and carefully processing and safeguarding all personal data related to patients is essential. This policy is established to protect and process the personal data of not only our patients but also companions, visitors, and the employees of institutions we cooperate with, in line with the fundamental principles outlined in legislation.

The purpose of this policy is to ensure transparency by informing individuals whose personal data is processed, including our patients, companions, visitors, employees, company officials, and employees and officials of institutions we cooperate with, regarding personal data processing activities carried out by our company in compliance with legislation. In this context, administrative and technical measures are taken for the processing and protection of personal data in accordance with Law No. 6698 and relevant regulations. Individuals whose personal data are processed under this policy are referred to as Data Subjects, Related Persons, or Personal Data Owners.

‍Explicit Consent: Consent based on information and freely given regarding a specific subject.

Anonymization: Altering personal data in such a way that it can no longer be associated with an identifiable individual. For example, masking, aggregation, and data corruption techniques may be used to anonymize data. Necessary precautions are taken within our company to prevent anonymized personal data from being made identifiable by any means, in accordance with KVKK.

Employees, Shareholders, and Officials of Partner Institutions: Refers to individuals in institutions with whom we have business relationships, such as partners and suppliers, but not limited to these.

Processing of Personal Data: Any operation performed on personal data, including collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, retrieval, classification, or prevention of use, whether partially or fully by automated means or manually as part of a data recording system.

Personal Data: Any information related to an identifiable or identified individual, such as national ID, name, surname, email, phone number, residence address, date of birth, and bank account number.

Sensitive Personal Data: Includes data on race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs; appearance, association membership, health, sexual life, criminal record, and biometric and genetic data.

Third Party: Refers to third-party individuals associated with the mentioned individuals, ensuring transaction security or protecting the rights and interests of the individuals mentioned (e.g., employees or officials of service providers, companions).

Data Processor: Refers to a person or legal entity authorized by the data controller to process personal data on their behalf, such as our IT service providers.

Data Controller: Refers to the individual who determines the purposes and means of processing personal data and who manages the place where data is systematically held (data recording system).

Our company has registered with the VERBIS system as a data controller under the KVKK. A Personal Data Responsible Team has been established within the company. In cases requiring a decision, this team consults an expert lawyer and implements decisions following management approval.

Personal data processed may vary based on provided health tourism services and is collected through physical and/or digital means. Health data, among others, is collected verbally, in writing, or digitally from patients, doctors, healthcare personnel, subcontractors and employees, firms involved in commercial activities, our call center, our website, and similar channels.

General and sensitive personal data is processed for the following purposes:

• Execution of health tourism services,
• Protection of public health,
• Planning and management of internal procedures,
• Ensuring that health tourism services are carried out in compliance with legislation,
• Conducting analysis for service improvement,
• Performing risk management and quality enhancement activities,
• Conducting research,
• Fulfilling legal and regulatory requirements,
• Billing for services,
• Verifying identity,
• Verifying association with partner institutions,
• Responding to all inquiries and complaints related to our health tourism services,
• Taking necessary technical and administrative measures for data security,
• Financial reconciliation related to services provided with partner institutions, banks, and entities that cover health expenses (public and private),
• Sharing information as requested with the Ministry of Health and other public institutions,
• Fulfilling contractual and legal obligations.

‍Categories of Processed Personal Data‍

1. Identity Information: All information on identification documents, such as driver’s license, national ID card, passport, bar card, marriage certificate.
2. Contact Information: Information for establishing communication with the data subject, such as phone number, address, residence, and email.
3. Location Data: Data that enables the location of an identifiable individual to be determined.
4. Family and Relatives Information: Information about family members and relatives processed to protect the legal interests of the institution and the data subject.
5. Physical Space: Personal data related to recordings and documents, such as camera recordings and fingerprint records.
6. Transaction Security Information: Data processed to ensure our technical, administrative, legal, and commercial security.
7. Financial Information: Personal data related to any documents and records showing financial results.
8. Employee Candidate Information: Personal data related to individuals who have applied for employment (e.g., CVs).
9. Personnel Information: Personal data related to payroll information, disciplinary investigation records, social security details, employment and termination records, asset declarations, CVs, performance evaluations, interview results, employment contracts, start and termination details.
10. Legal Transactions: Personal data processed to identify and pursue our legal claims and rights and fulfill our legal obligations.

The personal data listed above may be processed in compliance with the relevant legislation, including the Fundamental Law on Health Services, the Decree Law on the Organization and Duties of the Ministry of Health and Affiliated Institutions, and other regulations.

Our company undertakes to process personal data in accordance with the following principles:

• Compliance with the law and principles of honesty,
• Ensuring data accuracy and updating when necessary,
• Processing data for specific, clear, and legitimate purposes,
• Limiting processing to relevant, adequate, and proportional purposes,
• Retaining data only for the period necessary as per relevant legislation or processing purposes.

Personal data processing can be carried out based on one or more of the following conditions, in addition to obtaining explicit consent:

• The existence of the Data Subject’s Explicit Consent,
• Explicit stipulation in the Law,
• Impossibility of obtaining consent due to practical reasons,
• Direct relevance to the establishment or performance of a contract,
• Fulfilling the company’s legal obligations,
• Publicization of personal data by the data subject,
• Data processing is necessary for the establishment or protection of rights,
• Data processing is necessary for the legitimate interest of our company (without violating KVKK principles or infringing constitutionally protected rights).

Sensitive personal data is processed by our company under sufficient precautions as determined by the Personal Data Protection Board and only in the following circumstances:

• If the data subject has provided explicit consent, or
• Without explicit consent, only in cases permitted by law for non-health and non-sexual life-related sensitive data,
• For health and sexual life-related sensitive data, only by authorized persons or institutions for purposes such as public health protection, preventive medicine, medical diagnosis, treatment, and care services.

Technical and Administrative Measures

Under Article 12 of the KVKK and applicable regulations, our company takes the following technical and administrative measures based on available technological means and application costs:

• Necessary software and hardware are identified; strong passwords are used on computers and email accounts.
• Confidentiality responsibilities have been established in employment contracts and conveyed through training, which continue even after the employee’s departure.
• Infrastructure for data backups has been established.
• Authorized personnel for accessing data on computers are designated.
• Client files and information are disclosed only to relevant persons, authorized public institutions, or judicial authorities within legal regulations.
• Before processing personal data, the company fulfills its obligation to inform individuals.
• A personal data processing inventory has been prepared.

Your personal data may be shared in accordance with the basic principles set by the Law, as well as for the purposes specified above, with the Ministry of Health, affiliated sub-units, and family medicine centers; private insurance companies (health, retirement, life insurance); Social Security Institution, law enforcement agencies, Population and Citizenship Affairs General Directorate, Turkish Pharmacists’ Association, prosecution offices and courts; domestic or international hospitals, clinics, medical centers, and third parties providing health services in cooperation for medical diagnosis; hotels, transportation companies, consultants, regulatory and supervisory bodies, and official authorities, and service providers and business partners we cooperate with. Your personal data is not shared with foreign countries.

‍Rights of the Data Subject

Data subjects have the right to request information on whether personal data is processed, access data if processed, verify the purpose of use, learn about third-party disclosures, request corrections in case of incorrect data, request deletion or destruction of personal data, notify third parties of corrections, object to unfavorable outcomes resulting from automated processing, and seek compensation for damages due to unlawful processing. These rights can be exercised by submitting a petition to our company.

The use of security cameras and recording of visitor entries and exits also constitutes data processing by our company, conducted in compliance with the Personal Data Protection Law and security legislation.

This policy is deemed effective upon publication on the company website.