Personal Data Protection Law

Op. Dr. KUBİLAY MURAT ÖZDENER CLINIC PERSONAL DATA PROTECTION AND PROCESSING POLICY

It is forbidden to copy, reproduce, use, publish and distribute, in whole or in part, any content contained in this Policy without permission, except for individual use. Legal action will be taken against those who do not comply with this ban, in accordance with the Law on Intellectual and Artistic Works No. 5846. All rights of the product are reserved.

1- INTRODUCTION

The Clinic of Op. Dr. Kubilay Murat ÖZDENER (hereinafter referred to as the "Clinic") is located at Barbaros Mah. Büyükelçi Sk. No:12 Daire: 1, 06680 Çankaya/ANKARA. The Clinic is a legal entity responsible for data within the scope of the Law on Protection of Personal Data No. 6698 (hereinafter referred to as the "KVKK"). Personal data owners, who are natural and legal persons, have their personal data collected, processed, and transferred for the purposes specified below in accordance with Law No. 6698 on the Protection of Personal Data and other relevant legislation applicable to the Clinic.

The Clinic demonstrates utmost sensitivity towards the security of personal data. With this awareness, personal data of the data owners are processed and stored in compliance with Law No. 6698 on the Protection of Personal Data, and other secondary regulations constituting the said Law, as well as other relevant legislation.

2- OBJECTIVE OF POLICY DEVELOPMENT

The primary purpose of this Policy is to establish the principles regarding the lawful processing of personal data and the protection of personal data by the Clinic, and to ensure transparency by informing individuals whose personal data are processed by our Clinic.

In line with the fundamental regulations envisaged by this Policy, all necessary administrative and technical measures will be taken within the Clinic's operations regarding the processing and protection of personal data. Essential internal procedures will be established, and all necessary training will be provided to raise awareness. It is aimed to establish appropriate and effective audit mechanisms by taking all necessary measures to ensure compliance of shareholders, authorities, employees, and business partners with KVKK processes.

3- SCOPE OF THE POLICY

This Policy and the provisions of the Law apply to natural persons who process personal data and to legal entities who process personal data either entirely or partially through automated means or through non-automated means as part of any data recording system.

The Policy on the Protection and Processing of Personal Data applies to all personal data processed by our Clinic's Employees, Interns, and external individuals (such as job applicants, suppliers, relatives of patients, patients and candidates, employees and representatives of suppliers, Clinic partners, visitors) either entirely or partially through automated means or through non-automated means as part of any data recording system.

4- ABBREVIATIONS AND DEFINITIONS

The following abbreviations, definitions, and terms are used in the implementation of these Policies and the Law:

Explicit Consent - Consent based on information regarding a specific subject, freely given and expressed with free will.

Withdrawal of Explicit Consent - The act of an individual withdrawing their consent given to the data controller, based on information and exercised with free will, to affect future actions.

Transfer - Disclosure of personal data obtained by the data controller to a natural or legal person, public institutions and organizations, or other authorities, domestically or internationally.

Active Consent Method - A consent method requiring active action by the individual, indicating that consent is not given by remaining inactive.

Publicizing - Any intentional disclosure of personal data by the data subject.

Recipient / Recipient Group - The category of natural or legal persons to whom personal data are transferred by the data controller.

Anonymization - Rendering personal data unidentifiable or not associable with any identifiable natural person, even if matched with other data.

Informing - Information provided by the data controller or the authorized person to the data subject during the collection of personal data, regarding the purposes for which personal data will be processed, to whom and for what purpose the processed personal data may be transferred, the method and legal basis of personal data collection, and other rights of the data subject.

Right to Apply - The right of the data subject to submit their requests related to the implementation of Law No. 6698 in writing or through other methods regulated by the Regulation on the Procedures and Principles of Application to the Data Controller.

Biometric Data - Personal data derived from specific (unique) technical processes related to an individual's physical, physiological, and behavioral characteristics enabling their unique identification and confirmation, such as facial images or dactyloscopic data.

Employee/Employees - A natural person employed by the Clinic. (Worker, Staff, Official, Employee)

Audit - Inspection conducted by the data controller within its own institution or organization or outsourced to ensure compliance with the provisions of the Law.

Right to Rectification - The right of the data subject to request the correction of incomplete or inaccurate personal data from the data controller.

Electronic Environment - The environment where personal data are processed, stored, and transmitted through electronic devices.

Non-Electronic Environment - All written, visual, printed, etc., environments other than electronic environments.

Physical Destruction - Making personal data physically inaccessible by processes such as melting, burning, or pulverizing optical or magnetic media, or passing them through paper or metal shredders.

Genetic Data - Data providing unique information about an individual's physiology or health, obtained from the analysis of a biological sample obtained from the individual, related to the individual's inherited or acquired characteristics.

Necessity Test - A test used to assess whether the processing of personal data by the data controller is necessary within the framework of legal bases other than explicit consent.

Data Subject - The natural person whose personal data is processed.

Related User - A natural or legal person who processes personal data within the data controller's organization or, except for the person or unit responsible for the technical storage, protection, and backup of data, processes personal data under the authorization and instructions received from the data controller.

Duty to Register - The obligation related to the registration, as per the Regulation on the Data Controllers' Registry.

Personal Contact - A natural person declared by the data controller during registration to the Data Controllers Registry for communication with the Authority regarding the obligations of legal entity data controllers established in Turkey or legal entity data controllers representatives not established in Turkey, within the scope of Law No. 6698 and secondary regulations issued based on this Law.

Health Data - Any kind of health information about an identified or identifiable natural person.

Personal Data - Any information related to an identified or identifiable natural person.

Processing of Personal Data - Any operation performed on personal data, whether wholly or partially automated or non-automated means, such as collection, recording, storage, preservation, alteration, restructuring, disclosure, transfer, retrieval, making available, classification, or prevention of use.

Personal Data Retention Period - The maximum period specified in the relevant legislation or necessary for the purpose for which the personal data have been processed, in compliance with Law No. 6698 and other applicable laws.

Personal Data Retention and Destruction Policy - Policy used as a basis for determining the maximum period necessary for processing personal data and for the deletion, destruction, or anonymization process, within the meaning of the Policy.

Board - The Personal Data Protection Board or the Clinic Personal Data Protection Board.

DPA - Personal Data Protection Authority

DPAB - Personal Data Protection Authority Board

Log - The time-stamped record of events generated by information systems.

Matrix - Determination of authorities and roles, definition of tasks, determination of responsibilities, and definition of information flow for processes.

Masking/Anonymization - Procedures such as blurring, painting over, or frosting certain areas of personal data, so that they cannot be associated with an identified or identifiable natural person.

Legitimate Interest - The legitimate, effective, specific, and existing benefit of the data controller in processing personal data activity, without harming the fundamental rights and freedoms of the data subject.

Automated Processing - Processing of personal data by structuring through electronic or information systems according to certain criteria with minimal human intervention and effort.

Proportionality - Limiting the processed personal data to what is necessary for the realization of the purpose of data processing, maintaining a reasonable balance between the processed data and the purpose of data processing.

Special Categories of Personal Data - Data revealing race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, attire, membership in associations, foundations, or unions, health, sex life, criminal convictions, and security measures related to an individual, as well as biometric and genetic data.

Passive Consent Method - A consent method where it is expressly stated that personal data will not be processed, and if not, personal data can be processed without the individual's active action.

Periodic Destruction - The ex officio deletion, destruction, or anonymization process to be carried out at repeated intervals as specified in the personal data retention and destruction policy when all processing conditions specified in the Law have ceased to exist.

Policy - Policy on the Protection and Processing of Personal Data and Policy on the Retention and Destruction of Personal Data.

Profiling - The form of personal data processing exclusively by automated systems, including the analysis or prediction of specific personal characteristics concerning the individual's job performance, economic situation, health, personal preferences, interests, reliability, behaviors, location, or movements.

Obligation of Confidentiality - The obligation of the data controller or data processor not to disclose to others, in violation of Law No. 6698, the personal data that they have learned, and not to use it for purposes other than the purpose of processing.

Deletion - The process of making personal data inaccessible and unusable by any means by relevant users.

Complaint - An application made by the data subject to the Personal Data Protection Authority Board (DPAB) and the Clinic Personal Data Protection Board (C-PDAB) after the data subject's application to the data controller has been rejected, the response has been found inadequate, or no response has been received within the specified period.

Clinic - Dr. Kubilay Murat Özdener Clinic

Overwriting - The process of preventing the recovery of old data by writing random data consisting of at least seven repetitions of 0s and 1s onto magnetic media and rewritable optical media.

Data Security - All technical and administrative measures taken to prevent the unlawful processing of personal data, to prevent unauthorized access to personal data, and to ensure the preservation of personal data.

Data Processor - A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Breach Notification - When personal data processed by the data controller is obtained by others through unlawful means, the data controller must notify the relevant individual and the DPA as soon as possible.

Data Category - The class of personal data belonging to the group or groups of data subjects based on common characteristics.

Data Record Category (System) - The system where personal data is structured and processed based on specific criteria.

Data Subject Group - The category of data subjects whose personal data is processed by data controllers.

Data Minimization - The collection and processing of data by the data controller in a limited, measured, and linked manner in accordance with the processing conditions specified in the Law and the purposes aimed at fulfilling these conditions.

Data Owner - Data Subject (The person whose data is processed)

Data Leakage - The unauthorized transfer of personal data from within an organization to an external target or recipient through electronic or physical methods.

Data Controller - A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Data Controllers Registry - A registry system, as required by the Law, where data controllers are obliged to register, publicly maintained by the Personal Data Protection Authority (DPA) and under the supervision of the Board (KVKK).

VERBIS (Data Controllers Registry Information System) - An informatics system created and managed by the Presidency of the Personal Data Protection Authority (DPA), accessed via the internet, which data controllers will use for registry applications and other relevant transactions.

Data Controller Representative - A legal entity or a Turkish citizen natural person authorized to represent non-resident data controllers for the purposes specified in Article 11 of the Regulation on the Data Controllers Registry.

Data Subject - Data Subject (The person whose data is processed)

Adequate Measures - Measures to be taken by the data controller to enable the processing of special categories of personal data.

Destruction - The process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.

Regulation - The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.


5- GENERAL PRINCIPLES FOR PROCESSING PERSONAL DATA

In accordance with Article 4 of the Personal Data Protection Law, the Clinic hereby agrees to process the personal data covered by this Policy in accordance with the following principles:

a. Compliance with the law and fairness principle

The Clinic, as the data controller, undertakes to conduct its personal data processing activities in compliance with all applicable and forthcoming legislation, including the Constitution and the Personal Data Protection Law, as well as the fairness principle envisaged in Article 2 of the Civil Code.

b. Accuracy and currency

The Clinic takes all necessary measures to ensure the accuracy and currency of personal data to the extent permitted by technology in its data processing activities. Administrative and technical mechanisms established by the Clinic will be operated to correct and verify inaccurate or outdated personal data based on requests from data subjects to the Clinic as the data controller and situations deemed necessary by the Clinic itself.

c. Processing for specific, clear, and legitimate purposes

Personal data processed by the Clinic is limited to services provided or to be provided in compliance with the requirements of relevant legislation, and the purpose of processing personal data is clearly and definitively determined before the data processing begins.

d. Being related, limited, and proportionate to the purpose for which they are processed

Personal data processed by the Clinic is related to and limited to the purpose of processing, and is processed to the extent necessary for the realization of this purpose. It is a fundamental principle to avoid the processing of personal data that is unrelated to the purpose of processing and unnecessary.

e. Processing limited to the period prescribed by legislation or the purpose of processing

Personal data is kept in accordance with the periods prescribed by relevant legislation or for the period required by the purpose of processing. At the end of the period prescribed by legislation or the period required by the purpose of processing, personal data is deleted, destroyed, or anonymized by the Clinic. Necessary administrative and technical measures will be taken to prevent the retention of data beyond the required period.

6- CONDITIONS FOR PROCESSING PERSONAL DATA

The Personal Data Protection Law regulates the conditions for processing personal data, and the Clinic processes personal data in accordance with the conditions specified below.

Conditions for Processing Personal Data: Except for the exceptions listed in the Personal Data Protection Law, the Clinic processes personal data only with the explicit consent of the data subjects. However, in the presence of the following situations specified in the law, personal data may be processed even without the explicit consent of the data subject:

-Explicit provision in the laws,

-Necessity for the protection of life or physical integrity of the data subject or someone else where it is impossible to obtain consent due to physical impossibility or where consent is not legally valid,

-Necessity for the establishment or performance of a contract, provided that it is directly related to the parties of the contract,

-Necessity for the data controller to fulfill its legal obligation,

-The data subject has already made the data public,

-Necessity for the establishment, exercise, or protection of a right,

-Necessity for the legitimate interests pursued by the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Conditions for Processing Special Categories of Personal Data: The Clinic shows special sensitivity in the processing of special categories of personal data, which are believed to be more critical from various perspectives for the protection of data subjects. In this context, these types of data are not processed without the explicit consent of the data subjects, provided that adequate measures determined by the Board are taken. However, except for health-related data, special categories of personal data can be processed without the explicit consent of the data subject in cases provided for by laws. Nevertheless, data related to health and sexual life can be processed without explicit consent if the following reasons exist and adequate measures are taken:

-Preservation of public health,

-Preventive medicine,

-Medical diagnosis,

-Execution of treatment and care services,

-Planning and management of healthcare services and their financing.

7- PERSONAL DATA SUBJECT GROUPS

Clinic Shareholders and Partners: Refers to the shareholders and partners of Op. Dr. Kubilay Murat Özdener Clinic.

Employees/Interns: Refers to the individuals who work within the Clinic and those who are interns.

Employee/Intern Candidates: Refers to individuals who have applied to work or intern at the Clinic.

Suppliers: Refers to both natural and legal persons who provide goods or services to the Clinic, as well as their employees and representatives.

Customers: Refers to natural or legal persons who purchase goods or services from the Clinic, as well as their employees and representatives.

Supplier/Customer Candidates: Refers to individuals or entities seeking to provide goods or services to the Clinic or to purchase goods or services from the Clinic, along with their employees and representatives.

Visitor: Refers to individuals who physically visit the location of the Clinic.

8- DATA CATEGORIES

The data of the relevant individuals are processed under the following categories:

Identity Information: Data containing information about the individual's identity (such as name, surname, ID number, nationality, parents' names, place of birth, date of birth, gender, photographs, as found in documents like driver's license, identity card, passport, as well as tax office, tax number, etc.).

Contact Information: Information such as phone number, address, email, fax, IP address, etc.

Financial Information: Information, documents, and records showing any financial consequence created depending on the type of legal relationship established between the Clinic and the data subject, such as IBAN number, bank account number, assets, credit card information, income information, debt-credit information, financial profile, etc.

Customer Information: Data related to customers who benefit from the Clinic's goods or services (such as title, address, tax office, tax number, etc.).

Customer Transaction Information: Records related to the use of our products and services by customers, as well as information such as instructions and requests from customers regarding the use of our products and services.

Transaction Security Information: Personal data processed to ensure our administrative, technical, commercial, and legal security while conducting our commercial activities (such as passwords, log records, etc.).

Legal Transaction and Compliance Information: Personal data processed for the identification, tracking, and performance of our legal receivables and rights, our legal obligations, and compliance with our Clinic's Policies.

Request/Complaint Management Information: Personal data regarding any requests and/or complaints directed to our Clinic, and their evaluation.

Visual and Audio Data: Data with visual or audio characteristics such as photographs, camera recordings, etc.

Physical Space Security Information: Personal data such as video camera recordings, visitor records, etc., taken during entry to the physical space, inside the physical space, and during stay, for the purpose of security.

Audit and Inspection Information: Personal data processed during internal or external audit activities for the fulfillment of our legal obligations and compliance with our Clinic's Policies.

Employee Candidate Information: Personal data such as interviews, resumes (CVs), etc., of individuals who have applied to our Clinic in any way.

Vehicle Information: Data related to vehicles associated with the data subject, such as brand, license plate, etc.

Location Data: Personal data such as GPS location, address, map, travel data, etc., determining the location of our employees while using the Clinic's vehicles.

Family Members and Close Relatives Information: Personal data regarding the family members, close relatives (parents, spouses, children, etc.), and other individuals who can be contacted in emergencies for the protection of the legal and other interests of the Clinic and the data subject, conducted within the framework of the operations carried out by our Clinic.

Marketing Information: Personal data processed for the marketing of our products and services customized according to the usage habits, preferences, and needs of the data subject, and reports and evaluations created as a result of this processing.

Special Categories of Personal Data: Data specified in Article 6 of the Law (health data, data on sexual life, appearance, biometric data, religion, memberships of foundations and associations, etc.).

9- PERSONAL DATA COLLECTION AND PROCESSING PURPOSES OF PERSONAL DATA SUBJECTS IN THE PERSONAL DATA SUBJECT GROUPS

Within the scope of the commercial, legal, contractual, or any other relationship established between the Clinic and the individual, personal data are collected and processed directly from the relevant individual in electronic or physical environments, within the framework of the purposes detailed below and in accordance with the legality reasons specified in Article 5, Paragraph 2, and subsequent articles of Law No. 6698, or with explicit consent in cases where such a reason does not exist. The necessary details regarding this matter have been specified in the information texts prepared separately for each data subject and presented to the data subjects in physical and electronic environments (such as the website, Clinic center).

The processing purposes of your personal data: Ensuring the legal and commercial security of the Clinic, maintaining professional activities, managing human resources and employment policies, fulfilling legal obligations, and protecting legitimate interests.

Your personal data may be processed by the Clinic for purposes and legal reasons similar to but not limited to those listed below.

  • Fulfillment of the purpose necessary for the performance of the employment contract,
  • Approval of leave, display of remaining leave, arrangement of leave,
  • Completion of employee termination procedures,
  • Ensuring payroll transactions,
  • Payment of salaries to employees,
  • Especially to fulfill the requirements within the scope of the Labor Law, Occupational Health and Safety Law, Social Security Law, and relevant legislation; Creating personnel files, SGK notifications, İŞKUR notifications, police notifications along with incentive and legal obligation notifications,
  • Ensuring the opening of mandatory individual retirement insurance accounts,
  • Ensuring the control of entries and exits of employees,
  • Payment of salary deductions due to execution files of employees, Fulfillment of court decisions,
  • Making legal notifications for work accidents, Conducting occupational health and safety procedures,
  • Compliance with other information storage, reporting, and information obligations stipulated by legislation, relevant regulatory authorities, and other authorities,
  • Ensuring internal security of the Clinic and workplace security,
  • Administration of the Clinic, conduct of business, implementation of Clinic policies,
  • Communication with employees,
  • Monitoring the use of Clinic vehicles for the competence of employees assigned or allocated with vehicles, for the safety of employees and the conduct of work,
  • Ensuring the printing of business cards,
  • Recording of documents collected during employee application and interview processes, planning of training, tracking of employees attending training sessions,
  • Facilitation of communication for celebratory purposes,
  • Ensuring communication with relevant individuals in emergencies and similar other purposes.

10- THIRD PARTIES TO WHICH PERSONAL DATA ARE TRANSFERRED AND PURPOSES OF TRANSFER

In accordance with the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698 on the Protection of Personal Data and limited to the purposes stated in this policy, the Clinic may transfer personal data to third parties and institutions in compliance with Article 8 of the Law on the Protection of Personal Data.

To Service Recipients: Personal data is transferred in a limited manner to ensure the fulfillment of the purposes of the sales contract regarding the sale of goods and services.

To Suppliers: Personal data is transferred in a limited manner to ensure the provision of services necessary for the Clinic's commercial activities, which are obtained as a buyer from the supplier.

To Clinic Partners: Personal data is transferred in a limited manner for the design and control purposes of the strategies related to the commercial activities of the Clinic, in accordance with the relevant legislation.

To Legally Authorized Public Institutions and Organizations: Personal data is transferred in a limited manner for the purpose requested by the relevant public institutions and organizations within the scope of their legal authority.

To Legally Authorized Private Institutions: Personal data is shared in a limited manner regarding issues falling within the scope of the activities carried out by the relevant private institutions and organizations.

The Clinic may transfer personal data to foreign countries declared to have adequate protection by the Personal Data Protection Board or, in the absence of adequate protection, to foreign countries where data controllers in Turkey and the relevant foreign country have explicitly committed to providing adequate protection in writing, and with the permission of the Personal Data Protection Board. This transfer will be carried out in accordance with Article 9 of the Law.

11- PERSONAL DATA RETENTION PERIODS

Where the relevant laws and regulations stipulate a retention period, the Clinic stores personal data for the period specified.

If there is no period specified in the legislation regarding how long personal data should be stored, personal data is stored for a period determined by the activity conducted by the Clinic while processing the data, in accordance with the practices of the Clinic and the customs of the industry. Subsequently, according to the nature of the data, they are deleted, destroyed, anonymized, or rendered unintelligible in accordance with the Personal Data Retention and Destruction Policy prepared by the Clinic.

If the purpose of processing personal data has ceased, or the storage periods determined by the relevant legislation or the Clinic have ended, personal data may be retained only for the purpose of serving as evidence in possible legal disputes, asserting the relevant rights associated with the personal data, or establishing a defense. In such cases, the storage periods are determined based on examples of requests previously made to the Clinic regarding similar issues, despite the expiration of the statute of limitations periods. In this case, the stored personal data is not accessed for any other purpose, and access to the relevant personal data is provided only when necessary for the relevant legal dispute. After the expiration of these periods, the personal data is deleted, destroyed, or anonymized.

12- ENSURING THE SECURITY OF PERSONAL DATA

In accordance with the provisions of the Personal Data Protection Law, the Clinic takes necessary technical and administrative measures to prevent the unlawful processing of personal data, prevent unauthorized access to data, and ensure the preservation of data at an appropriate security level, and carries out necessary audits in this context.

Despite having taken all technical and administrative measures, if personal data is unlawfully obtained by third parties, the Clinic promptly notifies the relevant units.

The administrative and technical measures taken by the Clinic are detailed below:

a. Administrative Measures

  • Employees are trained on technical measures to prevent unauthorized access to personal data.
  • Access and authorization processes for personal data within the Clinic are designed and implemented in accordance with legal compliance requirements for personal data processing at the unit level.
  • Records are added to documents regulating the relationship between the Clinic and its employees, stating that personal data must be processed in compliance with the Personal Data Protection Law, personal data must not be disclosed, personal data must not be used unlawfully, and the obligation of confidentiality regarding personal data continues even after the termination of the employment contract. Non-compliance with these obligations by employees may result in sanctions, including termination of the employment contract.
  • Employees are informed that they cannot disclose personal data they have learned contrary to the provisions of the Personal Data Protection Law, cannot use it for purposes other than processing, and are informed that this obligation continues even after their departure from their position, and necessary commitments are obtained from them in this regard.
  • Contracts concluded with persons to whom personal data are transferred contain provisions stating that these persons will take necessary security measures for the protection of personal data and ensure compliance with these measures within their organizations.
  • In case personal data processed by the Clinic are obtained by others through unlawful means, the Clinic informs the relevant parties and the Board as soon as possible.
  • The Clinic employs knowledgeable and experienced personnel regarding the processing of personal data and provides necessary training to its staff on personal data protection legislation and data security.
  • The Clinic conducts necessary audits to ensure the implementation of legal provisions within its legal entity and corrects any privacy and security vulnerabilities identified during audits.

b. Technical Measures

The following technical measures related to personal data are taken by the Clinic:

  • Current antivirus systems are used.
  • Firewalls are utilized.
  • Necessary security measures are taken regarding access to physical environments containing personal data.

13- INFORMATION OBLIGATION REGARDING PERSONAL DATA

The Clinic informs the data subjects of their rights in accordance with Article 10 of the Personal Data Protection Law and guides them on how these rights can be exercised.

To assess the rights of data subjects and provide necessary information to them, the Clinic operates the necessary channels, internal processes, and administrative and technical arrangements in accordance with Article 13 of the Personal Data Protection Law.

Within the scope of Article 10 of the Personal Data Protection Law, data subjects must be informed before or at the latest during the acquisition of personal data. The information that must be provided to data subjects within the framework of this information obligation includes:

  1. The identity of the data controller and, if any, their representative,
  2. The purposes for which personal data will be processed,
  3. To whom and for what purpose the processed personal data may be transferred,
  4. The method and legal basis of personal data collection,
  5. Other rights listed in Article 11 of the Personal Data Protection Law.

14- DATA SUBJECT RIGHTS AND EXERCISING THESE RIGHTS

In accordance with Article 10 of the Personal Data Protection Law, the Clinic informs the data subjects of their rights and guides them on how to exercise these rights as regulated in Article 11. The Clinic also operates the necessary channels, internal processes, and administrative and technical arrangements to assess the rights of data subjects and provide necessary information to them in accordance with Article 13 of the Personal Data Protection Law.

a. Rights of Data Subjects Whose Personal Data is Processed

Data subjects whose personal data is processed have the following rights:

  • To learn whether their personal data is being processed,
  • To request information if their personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used in line with this purpose,
  • To know the third parties to whom personal data are transferred domestically or abroad,
  • To request the correction of incomplete or inaccurate personal data and to request notification of this correction to third parties to whom the personal data have been transferred,
  • To request the deletion or destruction of personal data in accordance with the law and to request notification of this deletion to third parties to whom the personal data have been transferred, in case the reasons requiring processing cease to exist,
  • To object to the occurrence of a result against them by solely analyzing processed data through automated systems,
  • To demand compensation for damages in case of suffering damages due to the unlawful processing of personal data.

b. Cases Where Data Subjects Cannot Assert Their Rights

In accordance with Article 28 of the Personal Data Protection Law, data subjects whose personal data is processed cannot assert their rights listed above, except for the right to demand compensation for damages, in the following cases, as they are excluded from the scope of the Personal Data Protection Law:

  • Processing of personal data for research, planning, and statistical purposes by anonymizing them officially,
  • Processing of personal data within the scope of freedom of expression for art, history, literature, or scientific purposes or for expressing opinions, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, or does not constitute a crime,
  • Processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities for ensuring national defense, national security, public security, public order, or economic security,
  • Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial, or execution procedures.

In accordance with Article 28/2 of the Personal Data Protection Law, data subjects whose personal data is processed cannot assert their rights listed above in Article 20.1.1, except for the right to demand compensation for damages, in the following cases:

  • Processing of personal data for the prevention of crime or for the investigation of crimes,
  • Processing of personal data that has been made public by the data subject,
  • Processing of personal data by authorized public institutions and organizations or professional organizations with regulatory duties for the purposes of inspection, regulation, disciplinary investigation, or prosecution,
  • Processing of personal data for the protection of the State's economic and financial interests concerning budget, taxation, and financial matters.

15- EXERCISING DATA SUBJECT RIGHTS

Data subjects whose personal data is processed can submit their requests regarding their rights specified in this Policy to the Clinic by filling out and signing the Application Form with information and documents identifying themselves. They can do so through the following methods or other methods determined by the Personal Data Protection Board:

  • By submitting the personally signed copy of the completed Clinic form in person, via registered mail, or through a notary to the address "Barbaros Mah. Büyükelçi Sk. No:12 Daire: 1, 06680 Çankaya/ANKARA",
  • By completing the Clinic's form and signing it with a "secure electronic signature" within the scope of Law No. 5070 on Electronic Signature, then sending the securely signed form to the address kubilaymurat.ozdener@hs01.kep.tr or to the registered email address,
  • By providing the following information:

  a) Name, surname, and signature if the application is in writing,
  b) Republic of Turkey Identity Number for Turkish citizens, nationality or passport number for foreigners,
  c) Residential or business address for notification purposes,
  ç) If available, the email address, phone number, and fax number for notification purposes,
  d) Subject of the request.

If the request is made with a letter, the application will be accepted by the Clinic. Otherwise, the application will not be considered valid.

For third parties to make requests on behalf of data subjects whose personal data is processed, there must be a special power of attorney issued through a notary in the name of the person making the request on behalf of the data subject.

16- APPROVAL, EFFECTIVENESS, EXECUTION, AND UPDATING OF THE POLICY

The Personal Data Protection and Processing Policy of Op. Dr. Kubilay Murat Özdener Clinic has been approved by the Clinic's Authorized Representatives (Clinic Manager or Directors) on behalf of the Clinic Board of Directors.

The effective date of the Personal Data Protection and Processing Policy of Op. Dr. Kubilay Murat Özdener Clinic is 15.08.2021. This Policy will be made available to interested parties in specific locations within the Clinic and will be provided to data subjects upon request from the accounting department.

The execution of the Personal Data Protection and Processing Policy is carried out by the Clinic's Authorized Representatives/Managers (Clinic Board of Directors/Authorized Manager) and the responsible department managers on behalf of the Clinic Board of Directors.

The Personal Data Protection and Processing Policy is reviewed as needed, and the necessary sections or parts are updated when required.

17- DATA CONTROLLER INFORMATION

NAME/TITLE: Kubilay Murat ÖZDENER

ADDRESS: Barbaros Mah. Büyükelçi Sk. No:12 Daire: 1, 06680 Çankaya/ANKARA

WEBSITE: https://www.kubilaymuratozdener.com

EMAIL ADDRESS: kubilaymurat.ozdener@hs01.kep.tr