Personal Data Protection and Privacy Policy
Scope: This Personal Data Protection and Privacy Policy is prepared to outline the set of rules for the processing of personal data by Dams Health Services Inc. (DAMS) and to provide necessary information.
Definitions:
- Personal Data: Any information relating to an identified or identifiable natural person.
- Special Categories of Personal Data: Data concerning a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, association, foundation, or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
- Explicit Consent: Consent that is based on being informed and is freely given for a specific subject.
- Anonymization: The process of rendering personal data impossible to be related to an identified or identifiable natural person, even when combined with other data.
- Processing of Personal Data: Any operation performed on personal data, whether by automated or non-automated means, such as collection, recording, storage, retention, alteration, organization, disclosure, transfer, acquisition, retrieval, classification, or prevention of use. This includes all operations performed on the data from the initial acquisition to the final processing stage.
- Data Subject: The natural person whose personal data is being processed.
- Data Recording System: A system where personal data is processed and structured according to specific criteria.
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
- Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
- Contact Person: The individual responsible for operating the procedures and communicating with the Board.
- KVKK: The Personal Data Protection Law numbered 6698, published in the Official Gazette on April 7, 2016, with issue number 29677, dated March 24, 2016.
- KVKK Working Group: The contact person authorized by DAMS.
- Board: The Personal Data Protection Board.
- Authority: The Personal Data Protection Authority.
- Policy: The “Personal Data Protection and Privacy Policy” of DAMS.
- Personal Health Data: Any information related to the physical and mental health of an identified or identifiable natural person, as well as information about the health services provided to the person.
- Erasure of Personal Data: The process of rendering personal data completely inaccessible and unusable by relevant users.
- Destruction of Personal Data: The process of rendering personal data completely inaccessible, irretrievable, and unusable by anyone.
- Periodic Disposal Process: The process of erasure, destruction, or anonymization of personal data, which is performed periodically and automatically when all conditions for the processing of personal data, as stipulated by the law, are no longer applicable, in accordance with the data retention and disposal policy.
- References: The relevant legislation concerning the Personal Data Protection Law (‘KVKK’), including but not limited to the Law numbered 6698, published in the Official Gazette on April 7, 2016, with issue number 29677, and all related regulations.
Amendments:
Our policy will be updated with a revision number in relation to the changes made to this policy at various times following the enactment of relevant legislation. The amendments shall come into effect on the date the updated Policy is published.
Purpose:
DAMS, who operates with an international health tourism authorization certificate in the healthcare sector, processes the personal data of patients, employees, suppliers, visitors, job applicants, or any other natural persons who establish a relationship through various purposes or channels, as a Data Controller within the scope of KVKK and for lawful purposes. The aim of this policy is to inform individuals about the data processing activities conducted by DAMS, to provide transparency regarding the protection of personal data, and to ensure clarity for data subjects.
General Principles of Personal Data Processing:
DAMS processes personal data in compliance with the following principles, within the scope of the purposes exemplified in the “Purposes of Personal Data Processing” section of this Policy:
- Processing in accordance with the law and good faith,
- Ensuring that the data is accurate and, where necessary, kept up to date,
- Processing for specific, explicit, and legitimate purposes,
- Processing data in a manner that is relevant, limited, and proportionate to the purposes for which they are processed,
- Retaining the data only for the duration prescribed by the relevant legislation or as long as necessary for the purpose for which they are processed.
Data Processed by DAMS:
Personal data is processed in compliance with the importance of data security and the privacy of private life. This is done considering the activities that can be carried out without explicit consent under Articles 5 and 6 of KVKK and under the confidentiality obligations stipulated in Article 6/3 for the purposes of medical diagnosis, treatment, and healthcare services, as well as the planning and management of healthcare services. For purposes other than these, data is processed through the explicit consent obtained from data subjects.
The personal data processed in line with the principles in this Policy vary depending on the type and nature of the relationship between DAMS and the data subject, the communication channels used, and the specific purpose of data processing. The personal data are as follows:
- Personal Information: Name, surname, Turkish ID number, age, occupation, title, employment information, education level, gender, criminal record information, career, IBAN, and other identifiers.
- Identification Documents: Photocopy of identity card, passport, driver’s license, temporary Turkish ID number, including details such as date of birth, place of birth, ID number, blood type, serial number, volume number, family serial number, and photograph as found on identification documents.
- Contact Information: Address, email, phone and fax numbers, social media addresses, as well as communication records within phone calls and email correspondence.
- Visual and Auditory Data: Security camera footage and audio recordings.
- Financial Data: Detailed financial information related to collection and payment activities.
- Health Data: Medical treatment information, diagnosis details, blood type, health reports, and details of medical treatment provided.
- Patient Photographs: Pre- and post-operation photographs of patients.
- Purposes of Personal Data Processing:
The personal data collected are processed by DAMS for the purposes of ensuring that our business units carry out the necessary work to enable you to benefit from the diagnosis and treatment services provided and to conduct business processes. These data are processed for the following purposes and under the conditions specified in Articles 5 and 6 of the Law:
- Identity verification,
- Appointment scheduling, appointment reminders, and notifications regarding changes and other information related to the provision of services,
- Evaluation of the patient and making a diagnosis,
- Provision of outpatient or inpatient treatment for the patient,
- Carrying out healthcare services for patient care and the supply of medications and medical equipment,
- Conducting pre-surgery preparation and execution activities,
- Performing necessary tests and examinations and managing related processes,
- Managing and overseeing the preparation and control processes for medications and materials,
- Conducting imaging and similar activities within the scope of diagnostic and treatment efforts for the patient,
- Monitoring the treatment process and creating medical records,
- Managing the patient’s personal belongings and providing storage services,
- Managing the processes related to the payment for the products and services offered by the institution,
- Conducting accounting and financial operations,
- Storing collected data in accordance with the legislation and for the required duration,
- Receiving and evaluating requests and complaints,
- Tracking and conducting legal processes,
- Complying with requests from official institutions and benefiting from health tourism incentives and support,
- Managing business processes related to contracted private insurance companies and/or other institutions,
- Managing information security processes,
- Conducting audits and ethical activities by official institutions and professional organizations,
- Conducting market research, promotion, and informational activities related to the products and services provided by the institution,
- Communicating with the patient to receive and evaluate feedback regarding the products and services offered by the institution,
- Ensuring workplace security,
- Personal data may be anonymized and used for academic publications in peer-reviewed journals, national and international meetings, conferences, and seminars for academic studies, scientific research, and educational purposes.
Transfer of Personal Data:
Your collected personal data and special categories of personal data may be transferred, within the scope of the purposes mentioned above and in accordance with the relevant provisions of the Turkish Commercial Code No. 6102, the Tax Procedure Law No. 213, the Turkish Civil Code No. 4721, the Code of Obligations No. 6098, the Basic Law on Health Services No. 3359, the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, the Personal Data Protection Law No. 6698, the Regulation on Private Hospitals, the Regulation on Processing and Protection of Privacy of Personal Health Data, the Regulation on International Health Tourism and Tourist Health, as well as the regulations issued by the Ministry of Health and other relevant legislation. Your data may be transferred, in a limited and necessary manner, to our employees, doctors, auxiliary health personnel we work with, suppliers, service providers we collaborate with to deliver our services, legal advisors, legally authorized public institutions, and legally authorized private individuals, in accordance with the data processing conditions set forth in Articles 5 and 6 of the Law and the rules on the transfer of personal data specified in Articles 8 and 9 of the Law. Your personal data may also be transferred to contracted institutions, insurance companies, hospitals, or authorized representatives of contracted institutions for the execution of the service-related authorization and billing processes, as well as to facilitate your use of health, travel, complication, and similar insurances, and for the execution of payment transactions related to your treatment expenses. In the presence of your explicit consent, your relevant health data and other personal data may be transferred to your relatives or third parties specifically named by you, limited to your request. Additionally, with your explicit consent, communication may be established with you via email and social media applications.
Collection of Personal Data:
Your personal data are collected through our computer systems, tablets, customer information management software, online services provided on our website, and via email, WhatsApp, social media applications, physical health forms, cargo/mail, and face-to-face meetings, in order to achieve the purposes stated above. Your personal data are processed in accordance with the personal data processing conditions specified in Articles 5 and 6 of the Law. These data are processed for reasons such as the establishment and execution of a service contract, compliance with legal obligations, the establishment, use, or protection of a right, and for the necessity of our legitimate interests. Your health data, on the other hand, are processed under Article 6/3 of the Law by individuals bound by confidentiality obligations, for the purposes of conducting medical diagnosis, treatment, and care services, as well as the planning and management of healthcare services.
Personal Data Retention Period:
Personal data are retained by DAMS for the period specified by the relevant legal retention periods and for the duration necessary to fulfill the activities related to these data and the purposes outlined in this Policy. Personal data whose usage purpose has ended and whose legal retention period has expired will be deleted, destroyed, or anonymized.
Rights of the Data Subject under KVKK:
As the data subject, we inform you that, in accordance with Article 11 of the Law, you have the following rights:
- To learn whether your personal data is being processed,
- To request information regarding the processing of your personal data if it has been processed,
- To learn the purpose of processing your personal data and whether they are being used in accordance with the purpose,
- To know the third parties to whom your personal data have been transferred, whether domestically or abroad,
- To request the correction of your personal data if it has been processed incompletely or inaccurately and to request that the transaction performed in this regard be notified to the third parties to whom your personal data have been transferred,
- To request the deletion or destruction of your personal data if the reasons for processing no longer exist, even if it has been processed in accordance with the Law and other relevant legal provisions, and to request that the transaction performed in this regard be notified to the third parties to whom your personal data have been transferred,
- To object to the emergence of a result against you by analyzing your processed data exclusively through automated systems,
- To request compensation if you suffer damage due to the unlawful processing of your personal data.
Minors:
Individuals under the age of 18 must visit the Website under the supervision of their parents. They must not share any personal data without parental supervision. The personal data of individuals under the age of 18 is collected only upon the request of the parent who has parental authority.
Personal Data Security:
DAMS places great importance on protecting the confidentiality and security of personal data. Accordingly, the necessary technical and administrative security measures are taken to protect personal data against unauthorized access, damage, loss, or disclosure.
Responsibility:
The KVKK Working Group is responsible for the implementation and enforcement of the requirements of this policy. The contact person is responsible for ensuring all communication with the Board.
Enforcement and Monitoring:
This policy enters into force on the date it is published, and the KVKK Working Group is responsible for keeping the procedures up to date.
Revision History:
Revision No: 00
Document Published: 21.09.2024