Frigdent

FRIGDENT PERSONAL DATA PROCESSING, PROTECTION AND PRIVACY POLICY
A. PURPOSE AND SCOPE

FRIGDENT, operating under the FRIGDENT brand, has complied with general legal rules since its establishment, because the legal order is one of the cornerstones of social life, and has made maximum efforts to protect the rights and interests of individuals. The FRIGDENT Personal Data Processing, Protection and Privacy Policy determines the basic principles for bringing FRIGDENT's activities into compliance with the Personal Data Protection Law No. 6698 (“PDP Law”) and sets forth what FRIGDENT must do within this scope. Implementing the FRIGDENT PDP Policy makes the data security principles adopted by FRIGDENT sustainable. The FRIGDENT PDP Policy has been prepared as a guide for the implementation of the regulations set forth by the PDP Law and relevant legislation. The personal data of employees, job candidates, visitors, patients, relatives of patients, third parties, institutions or organizations that are in a relationship with FRIGDENT as service providers, and other third parties are within the scope of this Policy. This Policy applies to all recording environments where personal data is processed and to all activities related to personal data processing that are owned or managed by FRIGDENT.

B. DEFINITIONS

The terms used in the legislation and in the FRIGDENT KVKK Policy are listed below.

I. Personal Data: Any information related to an identified or identifiable natural person.
II. Personal Data of Special Nature: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress code, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
III. Personal Data Owner/Relevant Person: The natural person whose personal data is processed. For example, employees.
IV. Explicit Consent: Consent expressed with free will and based on prior information regarding a specific subject.
V. Processing of personal data: Any operation performed on data such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
VI. Data processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.
VII. De-identification: Processing personal data so that it cannot be associated with the relevant person without being brought together with other data stored in a different environment, provided that technical and administrative measures are taken to prevent the association of the personal data with an identified or identifiable natural person.
VIII. Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person, even when matched with other data.

IX. Personal Data Protection Law: Personal Data Protection Law No. 6698 dated 24 March 2016, published in the Official Gazette No. 29677 dated 7 April 2016.

X. Personal Data Protection Board: Personal Data Protection Board.

XI. Personal Data Protection Institution: Personal Data Protection Institution.

C. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES

All personnel, patients, relatives, visitors and relevant third parties throughout FRIGDENT are responsible for complying with the FRIGDENT KVKK Policy and monitoring the risks of compliance with the FRIGDENT KVKK Policy.

D. POLICY PRINCIPLES

1. BASIC PRINCIPLES ADOPTED BY FRIGDENT
The basic principles listed below are adopted to ensure compliance with the personal data protection legislation and to maintain compliance:
a. Personal data includes all kinds of information that belong to a person and enable that person to be identified; its protection is therefore in the superior interest of the data owner. All actions should be taken with the awareness that due care must be shown for the data owner’s right to know which data is processed for which purpose and whether the data is transferred.
b. Data processing activities are carried out in accordance with the law and the rule of honesty.
c. Processed personal data should be kept accurate and, when necessary, up-to-date; if the data is incorrect, it should be corrected or updated.
d. Personal data is processed only for specific, clear and legitimate purposes and to the extent required by the purpose of processing. Excess data should not be processed on the assumption of future use, and the rights of the data owner and the purpose of processing should be considered together.
e. Processed personal data is kept for the period stipulated in the relevant legislation or required for the purpose for which it is processed. In particular, the time limit arising from Article 138 of the Turkish Penal Code and Articles 4 and 7 of the Personal Data Protection Law is respected. FRIGDENT deletes, destroys or anonymizes personal data upon the expiration of the period stipulated in the legislation or the elimination of the reasons requiring the processing of personal data.

2. PERFORMING PERSONAL DATA PROCESSING ACTIVITIES IN ACCORDANCE WITH KVKK
Personal data processing activities must be carried out in accordance with the data processing conditions specified in Articles 5 and 6 of the KVK Law, the Patient Rights Regulation and the Regulation on Processing of Personal Health Data, and in compliance with the basic principles. The following stages are followed in order in the data processing activity:

1- The data owner must be informed. In cases where explicit consent is required for data processing, information must be provided before obtaining consent (signature), and in cases where explicit consent (signature) is not required, before starting data processing, and it must be explained which data will be processed and why. In case of data processing by taking camera images, written warning signs must be placed in the necessary places.
2- It must be determined whether the data processing conditions are present; if the conditions are not present, the personal data processing activity must not be carried out. In the following cases, the existence of data processing conditions is accepted and consent is not required:
• It is clearly stipulated in the laws (for example, it is mandatory to obtain the employee’s identity information due to the obligation to notify the Social Security Institution).
• It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or execution of a contract (for example, it is mandatory to obtain the name, surname and bank account information of the seller in order to pay for the purchased product).
• Personal data may be processed if it is mandatory for the data controller to fulfill its legal obligation, if it is made public by the relevant person, if data processing is mandatory for the establishment, exercise or protection of a right, if it does not harm the fundamental rights and freedoms of the relevant person, and if data processing is mandatory for the legitimate interests of the data controller.
• EXPLICIT CONSENT MUST BE OBTAINED in cases other than the above cases or when processing “special data” such as health data.

3- It is necessary to limit the amount of data to be processed to “as much as necessary” and not to process more data than necessary for each processing purpose.

4- When processing personal data, FRIGDENT personnel must comply with the rules set forth in the Constitution of the Republic of Turkey, the Turkish Penal Code, the Personal Data Protection Law and other relevant legislation, and the FRIGDENT KVKK Policy. Accordingly, personal data processing will be carried out at FRIGDENT under the personal data processing conditions and purposes specified in Articles 5 and 6 of the Personal Data Protection Law and for the purposes specified below:

Patient, patient relative and business partners data;
• Data processing due to contractual relationship; Personal Data belonging to the patient, patient relative or business partner (in case the business partner is a legal entity, the authorized person of the business partner) can be processed for the establishment, implementation and termination of the contract without the need for obtaining additional consent. Before the contract and at the stage of starting the contract, personal data can be processed for the purpose of preparing an offer, preparing a purchase form or meeting the demands of the Personal Data Owner regarding the implementation of the contract.
• Data processing due to FRIGDENT’s legal obligation or explicitly foreseen by law; Personal data may be processed without obtaining consent if the processing is explicitly stated in the relevant legislation or for the purpose of fulfilling a legal obligation determined by legislation. The type and scope of data processing must be necessary for the legally permitted data processing activity and must comply with the relevant legal provisions.

• Data processing in accordance with FRIGDENT’s legitimate interest; Personal data may be processed without obtaining consent when it is necessary for a legitimate interest. Legitimate interests are generally legal (e.g. collection of receivables) or economic (e.g. avoiding contract breaches) interests.

Personnel data;

• Processing of Personal Data for the employment relationship; Personal Data is processed without obtaining consent if it is necessary for the establishment, implementation and termination of the employment contract. Candidates’ Personal Data is processed when the employment relationship is initiated. If the candidate is rejected, the candidate’s information is stored for an appropriate data retention period for a later selection stage, at the end of which the information is deleted, destroyed or anonymized.
• Data processing performed due to explicit provision in the law or FRIGDENT’s legal obligation; Personal Data belonging to the employee may be processed without obtaining consent in order to fulfill a legal obligation specified by the legislation or if the processing is explicitly stated in the relevant legislation.

• Processing of data in accordance with legitimate interest; Personal Data belonging to the employee may be processed without obtaining consent when a legitimate interest of FRIGDENT requires it (e.g. filing, enforcement or defense of legal rights). In individual cases where the interests of employees need to be protected, personal data is not processed for legitimate interest purposes. Before processing the data, it is determined whether there are interests requiring protection. When data belonging to employees is processed based on FRIGDENT’s legitimate interest, it is examined whether the processing is proportionate. It is checked that FRIGDENT’s legitimate interest in taking this control measure does not violate a right of the relevant employee that needs to be protected, and the measure is applied only if it is proportionate.
Visitor Data;
Visitor Data may be processed, by means of camera recordings and visitor books, without the need for obtaining additional consent (in accordance with FRIGDENT’s legitimate interest) for the purpose of ensuring the safety of FRIGDENT and/or personnel and/or patients (contractual and legal obligations), in order to ensure security and order in the premises and as evidence in possible future legal cases. A written warning that camera recording takes place must be displayed in the necessary places.

3. PERFORMING PERSONAL DATA TRANSFER IN ACCORDANCE WITH KVKK

In personal data transfers to be carried out by FRIGDENT (active sharing of personal data with third parties or opening of personal data to third parties), the personal data transfer conditions regulated in Articles 8 and 9 of the Personal Data Protection Law must be complied with. Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures of individuals, and other data, except for biometric and genetic data, may be transferred in the following cases:
• It is clearly provided for in the laws (for example, due to the SGK legislation, it is mandatory to notify the employee’s identity information to the SGK).
• It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or execution of a contract (for example, it is mandatory to transfer the name, surname and account information of the seller to the bank in order to pay for the purchased product).
• Personal data may be transferred if it is necessary for the data controller to fulfill its legal obligation, if it is made public by the relevant person, if data processing is necessary for the establishment, exercise or protection of a right, if it does not harm the fundamental rights and freedoms of the relevant person, if data processing is necessary for the legitimate interests of the data controller (for example, it is mandatory to transfer data on the medications used by the personnel or their illnesses, if any, to healthcare personnel when necessary).

• Personal data cannot be transferred abroad without the explicit consent of the relevant person.

4. ENSURING THE SECURITY OF PERSONAL DATA
FRIGDENT must take all necessary measures, as far as its means allow and according to the nature of the data to be protected, to prevent the unlawful disclosure or transfer of, or unlawful access to, personal data, and any other security deficiencies that may occur. In this context, administrative and technical measures must be taken, a control system must be established within the company, and the process must be implemented in accordance with the Personal Data Protection Law in case of unlawful disclosure of personal data.
a. Administrative Measures Taken to Ensure Lawful Processing and Transfer of Personal Data and to Prevent Unlawful Access to Personal Data are as follows:
• Employees are trained and made aware regarding the protection of personal data.
• In cases where personal data is subject to transfer, provisions stating that the party to whom personal data is transferred will fulfill its obligations to ensure data security are added to the contracts concluded with the persons to whom personal data is transferred. In this context, the transferee party commits to take all necessary measures to protect personal data and to ensure that these measures are implemented in its own organization.

• The processes carried out by the personnel are examined in detail, and the personal data processing activities carried out within the scope of the process are determined for each unit.

In this context, the steps to be taken to ensure that the data processing activities carried out comply with the personal data processing conditions stipulated in the Personal Data Protection Law are determined.
b. Technical Measures Taken to Ensure Lawful Processing and Transfer of Personal Data and to Prevent Unlawful Access to Personal Data are as follows:
• Regarding the protection of personal data, technical measures have been taken to the extent that technology allows, and the measures taken should be updated and improved in parallel with developments.

• Expert personnel are employed in technical matters.

• Regular inspections should be carried out to ensure the implementation of the measures taken.

• Software and systems that will ensure security are updated.

• Access to the personal data being processed is limited to the relevant personnel, in line with the determined processing purpose.
c. Conducting Audit Activities Regarding the Protection of Personal Data
The compliance, operation and effectiveness of technical measures, administrative measures and practices taken by FRIGDENT within the scope of protecting and ensuring the security of personal data with the relevant legislation, policies, procedures and instructions are audited by the Chief Physician. The results of the audit activities carried out are reported. Regular monitoring of the planned actions regarding the audit results is the primary responsibility of the process owners. Activities that will ensure the development and improvement of the measures taken regarding the protection of data, not limited to the audit results, are carried out by the relevant unit.
d. Measures to be Taken in Case of Unlawful Disclosure of Personal Data
FRIGDENT must immediately notify the KVKK Board and the relevant data owners in the event that the personal data it processes is obtained by unauthorized persons in violation of the law. The Data Breach Notification Procedure must be implemented simultaneously.

5. LIABILITIES REGARDING PERSONAL DATA PROCESSING ACTIVITIES
FRIGDENT must comply with the obligations set forth by the Personal Data Protection Law for data controllers.
a. Obligation to Register with the Data Controllers Registry (VERBIS): The information that must be submitted to the Data Controllers Registry in the registration application is as follows:
1. Identity information and addresses of the data controller and its representative, if any,
2. The purpose of processing personal data,
3. Information on the data subject groups and the processed personal data categories of these persons,
4. Person or groups of persons to whom personal data may be transferred,
5. The maximum retention period required for the purpose of processing personal data,
6. Measures taken to ensure the security of processed personal data.
b. Obligation to Inform the Data Owner: The information that must be provided to data owners within the scope of the obligation to inform is as follows:
1. The identity of the data controller and its representative, if any,
2. The purpose for which personal data will be processed,
3. To whom and for what purpose the processed personal data may be transferred,
4. The method and legal reason for collecting personal data,
5. The rights of the data owner listed in Article 11 of the Personal Data Protection Law
c. Obligation to Collect and Transfer Personal Data in Accordance with Law: It must be explained to the data owner which data is processed for which purpose and whether the data is transferred or not, and the collected data must be processed in accordance with the law and the rule of honesty.
Personal data must be processed only for specific, clear and legitimate purposes and to the extent required by the purpose of processing, and it must be ensured that it is accurate and up-to-date. If the reason for processing the data has disappeared, the necessary internal systems must be established for the deletion, anonymization or destruction of the data.
d. Obligation to Ensure Security of Personal Data: In order to prevent any loss of rights of the data owner, FRIGDENT must take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data. It is obliged to carry out or have carried out the necessary inspections within the scope of the operation of mechanisms to ensure data security.

e. Obligation to Fulfill the Decisions Made by the Personal Data Protection Board: FRIGDENT must act in accordance with the decisions made by the Personal Data Protection Board, which is the executive body of the Personal Data Protection Institution and operates to ensure that personal data is processed in accordance with fundamental rights and freedoms.

f. Obligation to Respond to Data Owner Applications: FRIGDENT, as the data controller, must finalize the written requests of data owners regarding their personal data as soon as possible and within thirty (30) days at the latest, depending on the nature of the request.
Personal data owners may apply to the data controllers and make requests regarding the following matters:
1. To learn whether personal data has been processed,
2. To request information if personal data has been processed,
3. To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
4. To know the third parties to whom personal data has been transferred domestically or abroad,
5. To request correction of personal data if it has been processed incompletely or incorrectly,
6. To request deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK,
7. To request notification of the situation to third parties to whom personal data has been transferred in the event of correction or deletion/destruction of data,
8. To object to the emergence of a result against the person by means of analysis of processed data exclusively through automated systems,
9. To request compensation for damages incurred due to unlawful processing of personal data.

E- PUBLISHING AND STORING THE POLICY

The policy document is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is also kept on file by the data controller contact person.

F- POLICY UPDATE

This Policy shall enter into force from the moment it is approved by the Board of Directors. This Policy shall be reviewed as needed and the necessary sections shall be updated. The application rules that will be arranged in accordance with this Policy and that will specify how the issues specified in this Policy shall be implemented in specific subjects shall be arranged in the form of additions to the relevant regulations. The FRIGDENT KVKK Policy has been published on the website and made available to the public. In case of conflict between the current legislation, primarily the KVK Law, and the regulations included in this Policy, the provisions of the legislation shall apply.