Personal Data Protection Policy

The protection of personal data is among the top priorities of ABC Health Services (“Company”). The most critical aspect of this matter is the protection and processing of personal data of our job applicants, company shareholders, company officials, visitors, employees, shareholders, and officials of the institutions we collaborate with, as well as third parties, governed by this Policy.

According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of their personal data. The Company, in line with the constitutional right to the protection of personal data, demonstrates the necessary care for the protection of personal data of job applicants, company shareholders, company officials, visitors, employees, shareholders, and officials of the institutions we collaborate with, as well as third parties, governed by this Policy, and establishes it as a Company policy.

Within this scope, the Company takes the necessary administrative and technical measures to protect personal data processed within the framework of legal regulations.

The fundamental principles adopted by the Company in the processing of personal data under this Policy are as follows:

  • Processing personal data in compliance with the law and principles of honesty,
  • Keeping personal data accurate and up-to-date when necessary,
  • Processing personal data for specific, explicit, and legitimate purposes,
  • Processing personal data in a manner that is relevant, limited, and proportionate to the purposes for which they are processed,
  • Retaining personal data for the period stipulated by the relevant legislation or required for the purpose for which they are processed,
  • Informing and enlightening personal data subjects,
  • Establishing the necessary system for personal data subjects to exercise their rights,
  • Taking necessary measures for the protection of personal data,
  • Acting in compliance with relevant legislation and the Personal Data Protection Board (KVK Board) regulations when transferring personal data to third parties in line with the purposes of processing,
  • Demonstrating the necessary sensitivity in processing and protecting special categories of personal data.

ARTICLE 1: PURPOSE OF THE POLICY

The primary purpose of this Policy is to ensure transparency and trust by informing individuals whose personal data is processed by the Company, including our customers, employees, job applicants, company shareholders, company officials, visitors, employees, shareholders, and officials of the institutions we collaborate with, as well as third parties, about the lawful personal data processing activities conducted by the Company.

ARTICLE 2: CONTENT AND DEFINITIONS

This Policy pertains to all personal data processed by automatic or non-automatic means, which are part of a data recording system, belonging to our employees, job applicants, company shareholders, company officials, visitors, employees, shareholders, and officials of the institutions we collaborate with, as well as third parties.

The scope of application of this Policy for the personal data subject groups mentioned above may cover the entire Policy or only a portion of it.

The definitions of the terms used in this Policy are as follows:

  • Recipient Group: The category of real or legal persons to whom personal data is transferred by the data controller.
  • Explicit Consent: Consent that is specific, informed, and freely given.
  • Anonymization: Rendering personal data impossible to associate with an identified or identifiable natural person, even by matching with other data.
  • Employee: Company personnel.
  • Electronic Environment: Environments where personal data can be created, read, modified, and written using electronic devices.
  • Non-Electronic Environment: All non-electronic environments, including written, printed, visual, etc.
  • Service Provider: Real or legal persons providing services to the institution under a specific contract.
  • Data Subject: The natural person whose personal data is processed.
  • Relevant User: Persons processing personal data within the data controller’s organization or on behalf of the data controller, excluding those responsible for the technical storage, protection, and backup of data.
  • Destruction: Deletion, destruction, or anonymization of personal data.
  • Law: Law No. 6698 on the Protection of Personal Data.
  • Recording Medium: Any medium where personal data processed wholly or partly by automatic or non-automatic means, which are part of a data recording system, are stored.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Personal Data Processing Inventory: An inventory detailing the personal data processing activities carried out by data controllers in line with their business processes, including the purposes and legal grounds for processing, data categories, recipient groups, and data subject groups, as well as the maximum retention period, personal data transferred abroad, and data security measures.
  • Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or blocking.
  • Board: Personal Data Protection Board.
  • Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, association, foundation, or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
  • Periodic Destruction: The process of deletion, destruction, or anonymization carried out automatically at recurring intervals when all conditions for processing personal data under the law are no longer met.
  • Policy: Personal Data Retention and Destruction Policy.
  • Company: ABC Health Services.
  • Data Processor: Real or legal persons processing personal data on behalf of the data controller based on the authority granted by the data controller.
  • Data Recording System: A recording system where personal data is processed according to certain criteria.
  • Data Controller: Real or legal persons determining the purposes and means of processing personal data and responsible for establishing and managing the data recording system.
  • Data Controllers Registry Information System: An information system created and managed by the Presidency, accessible via the internet, for data controllers to use in applications to the Registry and other related procedures.
  • VERBIS: Data Controllers Registry Information System.
  • Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.

ARTICLE 3: IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION

The relevant legal regulations in force regarding the processing and protection of personal data will primarily apply. In case of any inconsistency between the legislation in force and the Policy, the Company acknowledges that the legislation in force will prevail.

The Policy has been established by concretizing the rules set forth by the relevant legislation within the scope of the Company’s practices.

ARTICLE 4: EFFECTIVENESS OF THE POLICY

This Policy, prepared by our Company, enters into force on the date it is published on our website. If there are any innovations or changes in the Policy, the effective date will be updated.

The Policy is published on our Company’s website and made available to personal data subjects upon request.

ARTICLE 5: MATTERS REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the KVKK, our Company takes all necessary administrative, technical, and legal measures to prevent the unlawful processing of personal data and unauthorized access to data, and to ensure the safekeeping of data, and conducts all necessary audits in this regard.

ARTICLE 6: ENSURING THE SECURITY OF PERSONAL DATA

6.1 Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data

Our Company takes technical and administrative measures to ensure the lawful processing of personal data, considering technological possibilities and implementation costs.

Technical Measures Taken to Ensure Lawful Processing of Personal Data

The main technical measures taken by our Company to ensure the lawful processing of personal data are listed below:

  • Personal data processing activities within our Company are monitored through established technical systems.
  • Technical measures taken are periodically reported to the relevant person as part of the internal audit mechanism.
  • Personnel knowledgeable in technical matters are employed.

Administrative Measures Taken to Ensure Lawful Processing of Personal Data

The main administrative measures taken by our Company to ensure the lawful processing of personal data are listed below:

  • Employees are informed and trained on the protection of personal data and the lawful processing of personal data.
  • All activities carried out by our Company are analyzed in detail for each business unit, and personal data processing activities are identified for each commercial activity carried out by the relevant business units.
  • Personal data processing activities of our Company’s business units are determined for each business unit and detailed activity to ensure compliance with the personal data processing conditions required by Law No. 6698.
  • Awareness is raised, and implementation rules are determined for each business unit to meet the legal compliance requirements, and necessary administrative measures are implemented through Company policies and training.
  • Contracts and documents governing the legal relationship between our Company and employees include provisions obliging employees not to process, disclose, or use personal data, except as required by the Company’s instructions or legal exceptions, and awareness is raised among employees, and audits are conducted.

6.2 Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

Our Company takes technical and administrative measures to prevent the negligent or unauthorized disclosure, access, transfer, or any other form of unlawful access to personal data, considering the nature of the data to be protected, technological possibilities, and implementation costs.

Technical Measures Taken to Prevent Unlawful Access to Personal Data

The main technical measures taken by our Company to prevent unlawful access to personal data are listed below:

  • Technical measures in line with technological developments are taken, and the measures taken are periodically updated and renewed.
  • Access and authorization technical solutions are implemented in line with the legal compliance requirements determined for each business unit.
  • Technical measures taken are periodically reported to the relevant person as part of the internal audit mechanism, and risk factors are re-evaluated to produce necessary technological solutions.
  • Virus protection systems and firewalls, including software and hardware, are installed.
  • Personnel knowledgeable in technical matters are employed.

Administrative Measures Taken to Prevent Unlawful Access to Personal Data

The main administrative measures taken by our Company to prevent unlawful access to personal data are listed below:

  • Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
  • Access and authorization processes for personal data are designed and implemented within the Company in line with the legal compliance requirements for each business unit.
  • Employees are informed that they cannot disclose personal data they have learned to others in violation of the KVKK provisions or use it for purposes other than the processing purpose, and that this obligation continues even after their employment ends, and necessary commitments are obtained from them.
  • Contracts with persons to whom personal data is lawfully transferred by our Company include provisions obliging them to take necessary security measures to protect personal data and ensure compliance with these measures within their organizations.

6.3 Storing Personal Data in Secure Environments

Our Company takes necessary technical and administrative measures to store personal data in secure environments and prevent their destruction, loss, or alteration for unlawful purposes, considering technological possibilities and implementation costs.

Technical Measures Taken to Store Personal Data in Secure Environments

The main technical measures taken by our Company to store personal data in secure environments are listed below:

  • Systems in line with technological developments are used to store personal data in secure environments.
  • Expert personnel in technical matters are employed.
  • Technical security systems are installed for storage areas, and technical measures taken are periodically reported to the relevant person as part of the internal audit mechanism, and risk factors are re-evaluated to produce necessary technological solutions.
  • Backup programs are used to ensure the secure storage of personal data in compliance with the law.

Administrative Measures Taken to Store Personal Data in Secure Environments

The main administrative measures taken by our Company to store personal data in secure environments are listed below:

  • Employees are trained on ensuring the secure storage of personal data.
  • In cases where technical requirements necessitate outsourcing for the storage of personal data, contracts with relevant firms to whom personal data is transferred include provisions obliging them to take necessary security measures to protect personal data and ensure compliance with these measures within their organizations.

6.4 Auditing the Measures Taken for the Protection of Personal Data

In accordance with Article 12 of the KVKK, our Company conducts or commissions the necessary audits within its organization. The results of these audits are reported to the relevant unit within the Company’s internal operations, and necessary activities are carried out to improve the measures taken.

6.5 Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

In accordance with Article 12 of the KVKK, our Company will ensure that in case personal data processed by the Company is obtained by others through unlawful means, this situation is reported to the relevant personal data subject and the KVK Board as soon as possible.

If deemed necessary by the KVK Board, this situation may be announced on the KVK Board’s website or through another method.

ARTICLE 7: SAFEGUARDING THE RIGHTS OF DATA SUBJECTS; CREATING CHANNELS FOR DATA SUBJECTS TO COMMUNICATE THEIR RIGHTS TO OUR COMPANY AND EVALUATING THEIR REQUESTS

Our company implements the necessary channels, internal procedures, administrative, and technical arrangements in accordance with Article 13 of the Law on Personal Data Protection (KVKK) to evaluate the rights of data subjects and to provide the necessary information to data subjects.

If data subjects submit their requests in writing regarding the rights listed below, our company will process the request as soon as possible and, at the latest, within thirty days free of charge, depending on the nature of the request. However, if the process requires an additional cost, a fee will be charged according to the tariff determined by the KVK Board. Data subjects have the following rights:

  • To learn whether personal data is being processed,
  • If personal data has been processed, to request information regarding this,
  • To learn the purpose of processing personal data and whether they are used in accordance with the purpose,
  • To know third parties to whom personal data has been transferred, both within the country and abroad,
  • In case of personal data being processed inaccurately or incompletely, to request correction and to request the notification of the correction to third parties to whom the personal data has been transferred,
  • To request the deletion or destruction of personal data when the reasons for processing cease, even if it was processed in compliance with the KVK Law and other relevant laws, and to request the notification of the deletion or destruction to third parties to whom the personal data has been transferred,
  • To object to a result being drawn against them by exclusively automated systems processing their data,
  • To request compensation for the damage in case of harm due to unlawful processing of personal data.

More detailed information regarding the rights of data subjects is provided in this Policy.

Article 8: Protection of Special Categories of Personal Data

The KVK Law assigns special importance to certain personal data due to the risk of causing harm or discrimination in case they are processed unlawfully. These data include race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, clothing and attire, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Our company acts with great sensitivity to protect personal data that is classified as “special category” and processed in accordance with the law. In this regard, the technical and administrative measures taken by our company for the protection of personal data are carefully applied, particularly regarding special categories of personal data, and necessary audits are conducted within the company.

Detailed information on the processing of special category personal data is provided in this Policy.

Article 9: Increasing Awareness and Auditing of Business Units Regarding the Protection and Processing of Personal Data

Our company organizes necessary training for business units to raise awareness regarding preventing unlawful processing of personal data, unlawful access to data, and ensuring data retention.

Necessary systems are established for the existing and newly hired employees within business units to increase their awareness regarding personal data protection, and professional individuals are involved when needed.

Article 10: Increasing Awareness and Auditing of Business Partners and Suppliers Regarding the Protection and Processing of Personal Data

Our company provides training and seminars for business partners to raise awareness regarding preventing unlawful processing of personal data, unlawful access to data, and ensuring data retention.

Training sessions for business partners are repeated periodically, and necessary systems are established to increase awareness regarding the protection of personal data. If required, professional individuals are involved.

Article 11: Matters Related to the Processing of Personal Data

Our company processes personal data in accordance with Article 20 of the Constitution and Article 4 of the KVK Law, following the principles of legality, accuracy, and up-to-dateness when necessary, for specific, clear, and legitimate purposes, and in a manner that is relevant, limited, and proportionate. We retain personal data for the period required by law or the purpose for processing the personal data.

Our company acts in accordance with Article 20 of the Constitution and Article 10 of the KVK Law by enlightening data subjects and providing necessary information if they request it.

Our company complies with the regulations for processing special categories of personal data as outlined in Article 6 of the KVK Law.

Article 12: Processing Personal Data in Compliance with Legal Principles

12.1 Processing in Accordance with the Law and the Principle of Integrity

Our company acts in accordance with the principles brought by legal regulations regarding the processing of personal data, as well as the general principle of security and integrity.

12.2 Ensuring Data Minimization

Our company ensures that personal data is processed only to the extent necessary for the purpose for which it is collected. Personal data is only retained for the time necessary to fulfill its intended purpose and for the duration required by law.

12.3 Ensuring Accuracy and Relevance of Data

Our company takes necessary measures to ensure that personal data is accurate and up-to-date. If personal data is inaccurate or incomplete, our company will take corrective actions to rectify the situation, ensuring that the data is accurate and complete.

12.4 Ensuring Security of Personal Data

Our company implements all necessary technical and organizational measures to protect personal data from unlawful processing, accidental loss, destruction, or damage. These measures include ensuring that access to personal data is limited to authorized individuals and securing the data using encryption, pseudonymization, and other security protocols.

12.5 Notification of Data Breach

In the event of a data breach that may affect the rights and freedoms of data subjects, our company is committed to notifying the relevant authorities and the affected individuals within the time frame required by the KVK Law. We will provide the necessary information and details regarding the nature of the breach and the corrective actions taken.

Article 13: Transferring Personal Data

Our company may transfer personal data to third parties under the conditions set forth by the KVK Law, including but not limited to:

  • To our business partners, suppliers, and service providers, when necessary for the purposes of processing the data;
  • To authorities and organizations, in compliance with applicable laws and regulations, when necessary for legal obligations or the protection of public interest;
  • To authorized international entities or organizations, when required for legitimate purposes.

Article 14: Rights of Data Subjects Regarding Data Transfer

In the event that personal data is transferred to third parties, data subjects have the right to request information regarding the recipients of their data and the purposes for which the data is being used. Data subjects may also request that their personal data be corrected, deleted, or destroyed if it is incorrect or processed unlawfully.

Article 15: Data Protection Officer and Contact Information

Our company has appointed a Data Protection Officer (DPO) to ensure compliance with the KVK Law and to manage any inquiries or requests related to personal data. Data subjects can contact the DPO using the contact information below for any queries related to personal data processing:

  • Data Protection Officer:
  • Email: info@abchealthservices.com
  • Phone Number: +90 232 892 25 00

Article 16: Amendments to This Policy

Our company reserves the right to update or amend this Policy as necessary to reflect changes in the legal requirements, business operations, or other relevant factors. Any changes to this Policy will be communicated to data subjects via appropriate channels, and the updated version will be available on our website.
