Personal Data Collection, Processing, Transfer, Storage, Security and Disposal Procedure

1. PURPOSE

Law No. 6698 on the Protection of Personal Data (the Law) was published in Official Gazette No. 29677 of 7 April 2016. The Law protects the fundamental rights and freedoms of natural persons, in particular the privacy of individuals, which is also protected by the Constitution, and defines the obligations of natural and legal persons who process personal data.

For the Yedikule Surp Pırgiç Armenian Hospital Foundation Economic Establishment, the confidentiality and security of the personal data of our patients and patient relatives, potential patients, our Economic Establishment Board of Directors, our managers, employees, employee candidates, interns, visitors, suppliers, the foundation we are affiliated with, the employees, shareholders and officials of the institutions we cooperate with, and third parties are of great importance. Building on work that began and continued long before the Law came into effect, the Yedikule Surp Pırgiç Armenian Hospital Foundation Economic Establishment aims to fulfil the requirements of the Law and to establish internal data protection and processing principles that meet international standards. The main purpose of these principles is to ensure transparency by informing the persons whose personal data are processed by the Yedikule Surp Pırgiç Armenian Hospital Foundation Economic Establishment, in particular the persons listed above.

2. SCOPE

All personal data processed by the Hospital, including that of our patients, patient relatives, employees, suppliers, stakeholders and third parties, falls within the scope of this Procedure.
This Procedure applies to all processing activities concerning personal data owned or managed by the Yedikule Surp Pırgiç Armenian Hospital Foundation Economic Establishment, and is prepared in accordance with the Law, other relevant legislation and international standards on personal data.

3. ABBREVIATIONS

LAW: Law on Protection of Personal Data
ISMS: Information Security Management System
SPEH: Yedikule Surp Pırgiç Armenian Hospital Foundation Economic Establishment

4. DEFINITIONS

Explicit Consent: The consent given only for and limited to a particular transaction, based on information and free will, clear enough to leave no room for doubt.

Anonymization: Rendering personal data such that it cannot be associated with an identified or identifiable natural person, even by matching it with other data.

Data Subject: The natural person whose personal data is processed, for example, patients, patient relatives, suppliers, visitors, employees and employee candidates.

Personal Data: Any information that identifies a natural person or makes a natural person identifiable, for example name and surname, TCKN, e-mail address, postal address, date and place of birth, social security number, images, credit card number or bank account number. Since the Law concerns natural persons, the processing of information regarding legal persons is not within its scope.

Sensitive Personal Data: Information that, if learned, may cause the Data Subject to be victimized or exposed to discrimination, including but not limited to data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Processing of Personal Data: Any operation performed on personal data, such as collecting, recording, storing, keeping, updating, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, whether by fully or partially automatic means, or by non-automatic means provided that the data is part of a data recording system.

Data Controller: The person or persons who determine the purposes and means of processing the personal data recorded in the SPEH database, establish the data recording system and are responsible for its management, and who are registered as data controller once the Data Controllers Registry is created.

Data Processor: Natural or legal persons who process personal data on behalf of SPEH, based on the authority given by SPEH.

5. RELATED DOCUMENTS
All documents and records containing personal data.

6. SUBJECT
These principles define the collection, processing, transfer, storage, security, erasure, destruction and anonymization (disposal) of Personal Data within the organization of SPEH.

6.1. COLLECTION OF PERSONAL DATA
The personal data processed may vary depending on the type and nature of SPEH's services. Personal data may be collected verbally, in writing or electronically, by automatic or non-automatic means, through offices, consultations, the website, social media channels, institutions with which SPEH has business relations, stakeholders and similar channels.

As long as the services of SPEH are used, personal data can be processed and updated when necessary in order to ensure the accuracy and timeliness of the data. In addition, personal data can be collected and processed when visiting the Hospital building, Hospital Campus, physical or Internet pages and/or other social and digital channels of SPEH in order to benefit from the services, or when participating in activities such as events, seminars, organizations, trainings organized by SPEH.

6.2. PROCESSING OF PERSONAL DATA
SPEH processes personal data in accordance with the processing conditions set out in Articles 5 and 6 of the Law, for the purposes of determining and implementing commercial and business strategies and handling human resources processes, and for other purposes notified when the personal data is obtained:

Purposes of processing include, but are not limited to:

• To carry out hospital activities,
• To provide support services within the scope of the contract and within the framework of service standards,
• To determine the preferences and needs of patients and their relatives and to shape and update the services provided by the Hospital within this scope,
• To ensure the fulfillment of legal obligations as required or mandated by the legislation,
• Surveys, promotions and sponsorships,
• To evaluate job applications,
• To liaise with people who have a business relationship with the hospital,
• To make legal reporting,
• To issue bills,
• To ensure communication with all relevant institutions and organizations specific to SPEH,
• To carry out corporate communication,
• To provide information about the job posting and employment that is suitable for the person,
• To send newsletters or make notifications by e-mail.

6.2.1. Processing in accordance with the rules of law and good faith
In accordance with Article 4 of the Law, SPEH processes personal data lawfully and in good faith, adopts the principle of transparency towards data subjects and informs them about the use of their own information. Clarity and good faith are the basis of this information: clear information is given about the purpose for which the collected personal data is processed and used, and the data is processed within that framework.

6.2.2. Ensuring that personal data is accurate and, where necessary, up to date
SPEH ensures that the personal data it processes is accurate and up to date. For this reason, the relevant units carry out the updates needed to keep personal data accurate and current.

6.2.3. Processing for specific, clear and legitimate purposes
SPEH collects and processes personal data for legitimate and lawful purposes. SPEH processes personal data reasonably and only to the extent necessary, in connection with the activities and processes it carries out.

6.2.4. Personal data is relevant, limited and proportionate to the purpose for which it is processed
SPEH refrains from processing personal data that is not relevant to or needed for the purpose of processing. In this context, data minimization is essential.

6.2.5. Storage of personal data for the duration of our legitimate commercial interests and as stipulated by legal regulations
SPEH retains the personal data it processes only for the period required by the relevant legislation or, where the legislation stipulates no period, for the period required by the purpose of processing.
However, where the data controller has a legitimate interest, personal data whose purpose of processing has ceased and whose legal retention periods have expired may be kept until the expiry of the general statute of limitations (ten years) regulated in the Code of Obligations, provided that this does not harm the fundamental rights and freedoms of the data subjects.
After this statute of limitations expires, personal data is erased, destroyed or anonymized in accordance with the Control of Records procedure mentioned above.

6.2.6. Processing of sensitive personal data
Sensitive personal data is processed only where there is explicit consent or where the legislation requires it, and by taking the organizational and technical measures required by the law and by SPEH.
Sensitive personal data relating to health and sexual life may be processed only by persons, or authorized institutions and organizations, under an obligation of confidentiality, for the purposes of protecting public health, conducting medical diagnosis, treatment and care services, and planning, managing and financing health services. SPEH therefore does not process such data except where it belongs to patients and employees; such data of patients and employees may be processed by the persons stipulated by the law.

6.3. TRANSFERRING PERSONAL DATA

6.3.1. Transferring personal data locally
Personal data may be transferred, in order to fulfil the purposes specified in this Procedure, to legally authorized public institutions and organizations and to legally authorized private legal persons; and, on a limited basis and subject to the necessary security measures, to the suppliers from which SPEH outsources services, to other SPEH suppliers, service providers or other third parties, and/or overseas, where this is necessary to provide the services required for SPEH's commercial activities, in accordance with the personal data processing conditions and purposes defined in Articles 8 and 9 of the Law.

6.3.2. Transferring personal data overseas
Personal data can be transferred by SPEH to foreign countries declared to have adequate protection by the KVK Board (“Foreign Country with Adequate Protection Level”) or, in the absence of adequate protection, data controllers residing in Turkey and in the relevant foreign country which undertake in writing to provide adequate protection, and to the foreign countries which are permitted by the KVK Board (“Foreign Country where the Data Controller Undertaking Adequate Protection is Available”). In this context, SPEH will act in accordance with the regulations stipulated in Article 9 of the Law.

6.3.3. Measures taken to transfer personal data in accordance with the law

6.3.3.1. Technical measures
• Arranging the in-hospital technical organization for processing and storing personal data in accordance with the legislation,
• Setting up the technical infrastructure that secures the databases in which personal data is stored,
• Monitoring and auditing the operation of the technical infrastructure created,
• Updating and renewing the technical measures periodically,
• Using protection systems, firewalls and similar software or hardware security products for risky situations, and setting up security systems in line with technological developments,
• Employing staff who are experts in technical matters,
• Implementing the ISO 27001 Information Security Management System.

6.3.3.2. Organizational measures
• Informing employees about the lawful protection and processing of personal data and providing the necessary training,
• Recording, in the contracts made with employees and/or in Hospital practices, the measures to be taken in case of unlawful processing of personal data by employees,
• Supervising the processing of personal data carried out by data processors.

6.4. STORAGE OF PERSONAL DATA

6.4.1. SPEH keeps personal data for the period required by the relevant legislation or, without prejudice to the storage periods stipulated in the legislation, for the period required by the purpose of processing.
Where personal data is processed for more than one purpose, it is erased, destroyed or anonymized by SPEH in accordance with the legislation once the purposes of processing have ceased, or upon the request of the Data Subject where there is no legislative barrier to erasure.
Where the purpose of processing has ceased and the storage periods defined by the relevant legislation and by the institution have ended, personal data may be stored only to provide evidence in possible legal disputes, to assert a right relating to the personal data or to establish a defence. In setting these periods, although the statute of limitations and the time limit for asserting the right mentioned above are taken into account, the storage periods are determined on the basis of previous requests made to the Hospital on the same issues. In this case the stored personal data is not accessed for any other purpose, and access is allowed only when it is necessary for the relevant legal dispute. Here, too, personal data is erased, destroyed or anonymized after the aforementioned period expires.

6.4.2. Measures taken regarding the storage of personal data


6.4.2.1. Technical measures
• Establishing technical infrastructures and related control mechanisms for the deletion, destruction and anonymization of personal data (ISO 27001),
• Taking the necessary measures for the safe storage of personal data,
• Employing staff with technical expertise,
• Creating business continuity and emergency plans against possible risks and developing systems for their implementation (under the control of the ISMS Team),
• Establishing security systems in line with technological developments for the storage areas of personal data.

6.4.2.2. Organizational measures
• Raising awareness by informing employees about the technical and organizational risks related to the storage of personal data,
• Where third parties are engaged for the storage of personal data, inserting into the contracts made with those companies provisions that require the necessary security measures for the protection and safe storage of the personal data transferred to them.

6.5. SECURITY OF PERSONAL DATA

6.5.1. SPEH takes the necessary organizational and technical measures, according to the technological possibilities and implementation costs, in order to:
• prevent unlawful processing of personal data,
• prevent unlawful access to personal data,
• ensure that personal data is stored in accordance with the law.


6.5.2. Organizational measures taken to prevent the unlawful processing of personal data
• Training and informing employees about the lawful processing of personal data,
• Evaluating in detail the activities carried out by SPEH across all business units and, on the basis of that evaluation, the personal data processing involved in the commercial activities of the relevant units,
• Where third parties are engaged to process data, including in the contracts made with the companies that process personal data provisions requiring those persons to take the necessary security measures,
• Carrying out the inspections deemed appropriate by the Board of Directors, and acting in accordance with the "Disciplinary Procedure" and the decisions of the Disciplinary Board.

6.5.3. Technical measures taken to prevent unlawful access to personal data
• Employing employees with technical expertise,
• Updating and renewing the technical measures periodically,
• Establishing access authorization procedures within the company,
• Establishing the data recording systems used in the company in accordance with the legislation and auditing them periodically,
• Training and informing employees about access to and authorization for personal data,
• Setting up security systems in line with technological developments in order to prevent unlawful access to personal data.

6.6. ERASURE, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA - DISPOSAL
Where the reasons for processing cease to exist, Surp Pırgiç Armenian Hospital erases, destroys or anonymizes personal data, either on its own decision or upon the request of the data subject.
In accordance with Article 28 of the Law, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is excluded from the scope of the Law, and the explicit consent of the data subject is not sought.

6.6.1. Erasure and Destruction Techniques for Personal Data

6.6.1.1. Physical Destruction
Personal data may also be processed by non-automatic means, provided that it is part of a data recording system. When such data is erased or destroyed, it is physically destroyed so that it cannot be used later.

6.6.1.2. Secure Deletion Software
When erasing or destroying data that is processed wholly or partly by automatic means and stored in digital media, methods are used that erase the data from the relevant software in a way that cannot be recovered.

6.6.1.3. Sending to a Specialist for Secure Deletion
In some cases, SPEH may hire an expert to erase personal data on its behalf. In this case, personal data is securely erased/destroyed by the person who is an expert in this field, in a way that cannot be recovered.

6.6.2. Techniques to Anonymize Personal Data

6.6.2.1. Masking
Data masking anonymizes personal data by removing the key identifying fields of the personal data from the data set.

6.6.2.2. Aggregation
With the data aggregation method, many records are aggregated so that the personal data can no longer be associated with any person.

6.6.2.3. Data Derivation
With the data derivation method, a more general value is produced from the content of the personal data, so that it can no longer be associated with any person.

6.6.2.4. Data Shuffling (Permutation)
With the data shuffling method, the values in the personal data set are permuted so that the association between the values and individuals is broken.
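The four anonymization techniques described above, worked through on a small constructed patient data set. This is an added Python example and not SPEH's own code or tooling; the records, field names, the decade band width and the smallest-group check (a k-anonymity style test of whether a quasi-identifier combination still singles out one person) are assumptions made for illustration.

```python
"""Illustration of the anonymization techniques in section 6.6.2:
masking, aggregation, data derivation (generalization) and shuffling,
plus a simple check of whether the result still singles out individuals.
Added example; not SPEH code. All records are constructed and fictitious."""
import random
from collections import Counter

# Constructed sample records; TCKN values are obviously fake placeholders.
RECORDS = [
    {"tckn": "00000000001", "name": "A. Demir", "birth_year": 1958, "city": "Istanbul", "diagnosis": "diabetes"},
    {"tckn": "00000000002", "name": "B. Kaya", "birth_year": 1953, "city": "Istanbul", "diagnosis": "hypertension"},
    {"tckn": "00000000003", "name": "C. Yilmaz", "birth_year": 1961, "city": "Ankara", "diagnosis": "diabetes"},
    {"tckn": "00000000004", "name": "D. Celik", "birth_year": 1967, "city": "Ankara", "diagnosis": "asthma"},
    {"tckn": "00000000005", "name": "E. Arslan", "birth_year": 1964, "city": "Ankara", "diagnosis": "hypertension"},
    {"tckn": "00000000006", "name": "F. Aydin", "birth_year": 1955, "city": "Istanbul", "diagnosis": "asthma"},
]

DIRECT_IDENTIFIERS = ("tckn", "name")        # fields that name a person outright
QUASI_IDENTIFIERS = ("birth_year", "city")   # fields that can single out a person in combination


def mask(records, fields=DIRECT_IDENTIFIERS):
    """6.6.2.1 Masking: remove the directly identifying fields from each record."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def generalize(records, band=10):
    """6.6.2.3 Data derivation: replace the exact birth year with a decade band,
    so the value describes a group of people rather than one person."""
    out = []
    for r in records:
        g = dict(r)
        low = (g.pop("birth_year") // band) * band
        g["birth_band"] = f"{low}-{low + band - 1}"
        out.append(g)
    return out


def aggregate(records, keys=("city",)):
    """6.6.2.2 Aggregation: keep only counts per group, discarding the records."""
    return dict(Counter(tuple(r[k] for k in keys) for r in records))


def shuffle_column(records, column, seed=None):
    """6.6.2.4 Shuffling: permute one column across records so the multiset of
    values survives but the link between a value and its record is broken."""
    values = [r[column] for r in records]
    random.Random(seed).shuffle(values)
    return [dict(r, **{column: v}) for r, v in zip(records, values)]


def smallest_group_size(records, quasi_identifiers):
    """Size of the smallest group of records sharing the same quasi-identifier
    values (a k-anonymity style check). A group of size 1 still identifies
    someone, which is why masking alone is usually not enough."""
    counts = Counter(tuple(r[k] for k in quasi_identifiers) for r in records)
    return min(counts.values())


def anonymize(records):
    """Masking followed by generalization: the combination used here to reach
    a data set in which no birth band/city pair is unique."""
    return generalize(mask(records))


if __name__ == "__main__":
    print("masked only, smallest group:", smallest_group_size(mask(RECORDS), QUASI_IDENTIFIERS))
    print("masked + generalized, smallest group:",
          smallest_group_size(anonymize(RECORDS), ("birth_band", "city")))
    print("aggregate by city:", aggregate(RECORDS))
```

Running the script shows the point the section makes implicitly: removing TCKN and name alone leaves every birth year/city pair unique, so each record still corresponds to exactly one person, whereas generalizing the birth year into decade bands merges the records into groups of three. Shuffling and aggregation are shown as separate operations because each discards a different kind of information (the record linkage, or the records themselves).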

6.7. RIGHTS OF THE PERSONAL DATA SUBJECT
According to Article 11 of the Law, the data subject has the right:
• To learn whether their personal data is processed,
• If their personal data has been processed, to request information about it,
• To learn the purpose of processing and whether the data is used in accordance with that purpose,
• To learn the third parties to whom their personal data is transferred, locally or overseas,
• To request correction of their personal data if it is incomplete or incorrectly processed,
• To request that the correction of incomplete or inaccurate data, and any deletion or destruction of their personal data, be notified to the third parties to whom the personal data has been transferred,
• To request the deletion or destruction of personal data where the reasons requiring its processing have ceased to exist, and to request that this operation be notified to the third parties to whom the personal data has been transferred,
• To object to an unfavourable result arising from the analysis of data processed exclusively through automated systems,
• To demand compensation for damage suffered due to the unlawful processing of personal data.

6.7.1. Exercising personal data rights
To exercise the rights listed above as defined in Article 11 of the Law, Personal Data Subjects should submit a wet-signed copy of the data subject application form provided at www.surppirgic.com to the contact addresses of Yedikule SPEH by mail, e-mail or registered letter with return receipt, or by other methods to be determined by the KVK Board.

6.7.2. Evaluation of the application
6.7.2.1. Application response time
Requests regarding personal data are responded to free of charge, as soon as possible depending on their nature and in any case within 30 (thirty) days at the latest.
Additional information and documents may be requested during the application or while the application is being evaluated.

6.7.2.2. Right to refuse application
Applications regarding personal data may be refused by SPEH, stating the reasons, in the following cases:
• Processing of personal data for purposes such as research, planning and statistics, after it has been anonymized together with official statistics,
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate privacy or personal rights or constitute a crime,
• Processing of personal data that has been made public by the Personal Data Subject,
• The application is not based on a just cause,
• The application contains a request contrary to the relevant legislation,
• Failure to comply with the application procedure.

6.7.3. Evaluation procedure of the application
For the response period to start, requests must be submitted in writing with a wet signature, via a notary public or registered electronic mail (KEP), or by other methods determined by the KVK Board, together with proof of the applicant's identity.
If the request is accepted, the relevant process will be applied and the notification is made in written or electronic form. In case of refusal of the request, the applicant is notified in writing or electronically along with a description of the reason.

6.7.4. Right to filing a complaint to the Personal Data Protection Board
In the event that the application is rejected, the answer given is insufficient or no response is given in due time, the applicant has the right to file a complaint with the KVK Board within 30 (thirty) days from the date of learning the answer and in any case within 60 (sixty) days from the application date.

7. RESPONSIBILITY FOR THE COLLECTION, PROCESSING, TRANSFER, STORAGE, SECURITY AND DISPOSAL OF PERSONAL DATA
These principles are followed by Yedikule SPEH, the Foundation Legal Counsel, Information Technologies, Quality, Human Resources and other relevant departments. Revisions are made by the Quality Management Director on the basis of new requests received from these departments, submitted for the approval of the Integrated Management System Representative (Deputy Chief Physician), and published after approval.
Where personal data is processed by another natural or legal person on behalf of SPEH, SPEH and the data processors are jointly responsible as data controller.
As data controller, SPEH periodically checks that data processors comply with the provisions of the relevant legislation, so that the trust placed in it by the persons who share their personal data is maintained in the same way by the affiliated foundation, service providers, suppliers and contractors.

8. APPLICATION OFFICER and PUBLISHING
In the event that all or certain articles of the Guidelines are updated, the updates will become effective on the date they are published. It is published on the website www.surppirgic.com in its latest updated version and made available to the relevant persons upon the request of the personal data subjects.
In case of inconsistency between KVKK and other relevant legislation provisions and these principles, KVKK and other relevant legislation provisions will be applied first.
These principles are reviewed at least once a year and updated as needed.

9. APPROVAL OF THE PROCEDURE
The principles established by the Quality Management Director enter into force on the date of publication with the approval of the Integrated Management System Representative (Vice Chief Physician). These principles are retained in two different media as printed paper and electronic media.
