EmpDent

KVKK

1. DATA CONFIDENTIALITY COMMITMENT

1.1 This Personal Data Protection Policy ("Policy") of EMP HEALTH SERVICES TRADE INC. determines the principles to be complied with within the Company and / or by the Company while fulfilling its obligations to protect Personal Data and processing Personal Data in accordance with the provisions of the relevant legislation, especially the Law No. 6698 on the Protection of Personal Data.

1.2 The Company undertakes to act in accordance with this Policy and the procedures to be implemented in accordance with the Policy in terms of Personal Data within its own structure.

2. POLICY PURPOSE

The main purpose of this Policy is to determine the principles regarding the methods and processes for the processing and protection of Personal Data by the Company.

3. POLICY SCOPE

3.1 This Policy covers all activities regarding Personal Data processed by the Company and applies to such activities.

3.2 This Policy does not apply to data that does not qualify as Personal Data.

3.3 This Policy may be amended from time to time with the approval of the Board of Directors if required by the KVK Regulations or when deemed necessary by the Company or the Committee. In case of any incompatibility between the PDP regulations and this Policy, the PDP Regulations shall prevail.

4. DEFINITIONS

The definitions used in this Policy shall have the following meanings;

Explicit Consent: It refers to consent based on being informed about a specific issue and expressed with free will.

Anonymization: It refers to making Personal Data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.

Disclosure Obligation: It refers to the obligation of the Data Controller or the person authorized by the Data Controller to provide information to the Data Subject within the scope of Article 10 of the KVKK during the acquisition of Personal Data.

Personal Data: Any information relating to an identified or identifiable natural person (for the purposes of this procedure, the term "Personal Data" shall also include, to the extent appropriate, "Sensitive Personal Data" as defined below)

Personal Data Processing: It refers to all kinds of operations performed on the data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of Personal Data by fully or partially automatic or non-automatic means provided that it is part of any data recording system.

Committee: Refers to the Company's Personal Data Protection Committee.

Board: Personal Data Protection Board.

Institution: Personal Data Protection Authority.

KVKK: Law No. 6698 on the Protection of Personal Data.

KVK Regulations: Law No. 6698 on the Protection of Personal Data and other relevant legislation for the protection of Personal Data, binding decisions, principle decisions, provisions, instructions issued by regulatory and supervisory authorities, courts and other official authorities, and applicable international agreements and any other legislation for the protection of data.

KVK Policies: It refers to the policies issued by the Company on the protection of Personal Data.

KVK Procedures: It refers to the procedures that determine the obligations that the Company, employees and the Committee must comply with within the scope of KVK Policies.

Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Erase and Destroy: Refers to the irreversible destruction or disposal of Personal Data.

Data Inventory: Refers to the inventory containing information such as Personal Data Processing processes and methods, Personal Data Processing purposes, data category, third parties to whom Personal Data is transferred, etc. for the Company's Personal Data processing activities.

Data Processor: It refers to the natural or legal person who processes Personal Data on behalf of the Data Controller by being authorized by the Data Controller.

Data Owner: Refers to all natural persons whose Personal Data is processed by or on behalf of the Company.

Data Controller: Refers to the natural and legal person who processes Personal Data by specifying the purposes and ways of Processing, and who is responsible for the establishment and management of the data recording system.

Data Controller Contact Person: Refers to the real person who is notified to the registry by the data controller for the communication to be established with the Authority regarding the PDP Regulations.

5. PERSONAL DATA PROCESSING PRINCIPLES

5.1 Processing of Personal Data in Compliance with the Law and Good Faith

The Company processes Personal Data in accordance with the law and good faith and based on the principle of proportionality.

5.2 Taking Necessary Measures to Ensure that Personal Data is Accurate and Up-to-Date When Necessary

The Company takes all necessary measures to ensure that Personal Data is complete, accurate and up-to-date, and updates the relevant Personal Data in the event that the Data Owner requests changes to Personal Data within the scope of KVKK Regulations.

5.3 Processing of Personal Data for Specific, Explicit and Legitimate Purposes

Before the processing of Personal Data, the purpose for which Personal Data will be processed is determined by the Company. In this context, the Data Owner is informed within the scope of KVK Regulations and their Explicit Consent is obtained where necessary.

5.4 Being Relevant, Limited and Proportionate to the Purpose for which Personal Data is Processed

The Company processes Personal Data only in exceptional cases within the scope of KVK Regulations (Article 5.2 and Article 6.3 of KVKK) or for the purpose within the scope of Explicit Consent obtained from the Data Subject (Article 5.1 and Article 6.2 of KVKK) and in accordance with the principle of proportionality. The Data Controller processes Personal Data in a manner that is suitable for the realization of the specified purposes and avoids processing in cases that are not related to the realization of the purpose or are not needed.

5.5 Storage for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which Personal Data are Processed

5.5.1 The Company retains Personal Data for as long as necessary in accordance with the purpose. If the Company wishes to retain Personal Data for a period longer than the period stipulated in the KVK Regulations or required by the purpose of Personal Data Processing, the Company acts in accordance with the obligations specified in the KVK Regulations.

5.5.2 After the period required for the purpose of processing Personal Data expires, Personal Data shall be deleted, destroyed or anonymized. In this case, it is ensured that third parties to whom the Company transfers Personal Data also Delete, Destroy or Anonymize Personal Data.

5.5.3 The Committee is responsible for the operation of the Deletion, Destruction, Anonymization processes. In this context, the necessary procedure is established by the Committee.

6. PERSONAL DATA PROCESSING

Personal Data may be processed by the Company only within the scope of the following procedures and principles.

6.1 Explicit Consent

6.1.1 Personal Data shall be processed after the notification to be made to the Data Subjects within the framework of the fulfillment of the Disclosure obligation and in case the Data Subjects give Explicit Consent.

6.1.2 Data Subjects are informed of their rights before obtaining Explicit Consent within the framework of the Disclosure Obligation.

6.1.3 Explicit Consent of the Data Owner is obtained by methods in accordance with the KVK Regulations. Explicit Consents are provably maintained by the Company for the required period within the scope of KVK Regulations.

6.1.4 The Committee is obliged to ensure that the Disclosure Obligation is fulfilled in terms of all Personal Data Processing processes and that Explicit Consent is obtained when necessary and that the Explicit Consent obtained is preserved. All department employees who process Personal Data are obliged to comply with the instructions of the Contact Person and the Committee, this Policy and the KVK Procedures annexed to this Policy.

6.2 Processing of Personal Data Without Explicit Consent

In cases where it is foreseen to Process Personal Data without obtaining Explicit Consent within the scope of KVKK Regulations (Article 5.2 of KVKK), the Company may process Personal Data without obtaining the Data Owner's Explicit Consent. In the event that Personal Data is processed in this way, the Company Processes Personal Data within the limits set by the KVK Regulations. In this context;

6.2.1 Personal Data may be processed by the Company without Explicit Consent if expressly stipulated by law.

6.2.2 Personal Data may be processed by the Company without Explicit Consent if it is mandatory for the protection of the life or physical integrity of the Data Owner himself/herself or someone else other than the Data Owner who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.

6.2.3 Provided that it is directly related to the establishment or performance of a contract, if it is necessary to process Personal Data belonging to the parties to the contract, Personal Data may be processed by the Company without the explicit consent of the Data Subjects.

6.2.4 If the Processing of Data is mandatory for the Company to fulfill its legal obligation, Personal Data may be processed by the Company without the explicit consent of the Data Subjects.

6.2.5 Personal Data made public by the data subject may be processed by the Company without obtaining Explicit Consent.

6.2.6 If the Processing of Personal Data is mandatory for the establishment, exercise or protection of a right, Personal Data may be processed by the Company without obtaining Explicit Consent.

6.2.7 Provided that it does not harm the fundamental rights and freedoms of the Data Owner, Personal Data may be processed by the Company without Explicit Consent if data processing is mandatory for the legitimate interests of the Company.

7. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

7.1 Special Categories of Personal Data may only be processed if the Data Subject's Explicit Consent is present or if processing is explicitly required by law for Special Categories of Personal Data other than sexual life and personal health data.

7.2 Personal data relating to health and sexual life may only be processed without explicit consent by persons under the obligation of confidentiality (e.g. Company Physician) or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

7.3 When Processing Sensitive Personal Data, the measures determined by the Board are taken.

7.4 For employees involved in the processing of Sensitive Personal Data, the Company;

7.4.1 Will provide regular trainings on KVK Regulations and the security of Special Categories of Personal Data.

7.4.2 Will have confidentiality agreements.

7.4.3 Will clearly define the scope and duration of authorization of users authorized to access Sensitive Personal Data.

7.4.4 Will periodically perform authorization checks.

7.4.5 Will immediately revoke the authorization of employees who change their position or leave their job and immediately take back the inventory allocated to the relevant employee.

7.5 In the event that Sensitive Personal Data is transferred to electronic media, the Company, in relation to the electronic media where Sensitive Personal Data is processed, stored and / or accessed;

7.5.1 Will continuously monitor the security updates of the environments where Sensitive Personal Data are located.

7.5.2 If Sensitive Personal Data is accessed through software, will make user authorizations for this software.

7.5.3 In case of remote access to Sensitive Personal Data, will provide a two-stage authentication system.

7.6 In the event that Sensitive Personal Data is processed in a physical environment, the Company, regarding the physical environments where the Data is processed, stored and / or accessed;

7.6.1 Will ensure that adequate security measures (against electric leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where Sensitive Personal Data is located.

7.6.2 Will prevent unauthorized entry and exit by ensuring the physical security of these environments.

7.7 In case of transfer of Sensitive Personal Data, the Company;

7.7.1 If it is necessary to transfer Sensitive Personal Data via e-mail, will use an encrypted corporate e-mail address or a Registered Electronic Mail ("KEP") account.

7.7.2 In the event that it is necessary to physically transfer Sensitive Personal Data in paper form, will take the necessary measures against risks such as theft, loss or unauthorized viewing of the document and will send the document in the format of "confidential documents".

7.8 In addition to the above regulations, the Committee and the Contact Person shall act in accordance with the PDP Regulations, in particular the Personal Data Security Guide published by the Board regarding the security of Personal Data, including Special Categories of Data.

7.9 In any case that requires the Processing of Sensitive Personal Data, the Committee shall be informed by the relevant employee.

7.10 If it is not clear whether a data is Special Categories of Personal Data, the relevant department shall seek the opinion of the Committee.

8. STORAGE DURATION OF PERSONAL DATA

Personal Data are kept within the Company for the duration of the relevant legal retention periods and are kept for the period necessary for the realization of the activities related to this data and the purposes specified in this Policy. Personal Data whose purpose of use has ended and the legal retention period has expired are deleted, destroyed or anonymized by the Company in accordance with Article 7 of the KVKK.

9. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

9.1 When the legitimate purpose for processing Personal Data no longer exists, the relevant Personal Data shall be deleted, destroyed or anonymized. Situations where Personal Data must be Deleted, Destroyed or Anonymized are monitored by the Committee and departments.

9.2 The Committee is responsible for the operation of the Deletion, Destruction and Anonymization processes. In this context, the necessary procedure is established by the Committee.

9.3 The Company may not store Personal Data with the possibility of future use in mind.

9.4 All Deletion, Destruction and Anonymization Activities to be implemented by the Company on Personal Data will be carried out in accordance with the principles set out in the Personal Data Storage, Destruction Policy.

10. TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PARTIES

The Company may transfer Personal Data to a third natural or legal person in the country and / or abroad in accordance with the KVK regulations, provided that it takes the necessary measures in line with the purposes of Personal Data Processing. In this case, the Company ensures that third parties to whom it transfers Personal Data also comply with this Policy. In this context, necessary protective regulations are added to the contracts concluded with the third party. Each employee is obliged to comply with the processes in this Policy in case of Personal Data transfer.

10.1 Transfer of Personal Data to Third Parties in Turkey

10.1.1 Personal Data may be transferred by the Company to third parties in Turkey without Explicit Consent in exceptional cases specified in Article 5.2 of the KVKK and Article 6.3 provided that adequate measures are taken, or in other cases, provided that the Data Owner's Explicit Consent is obtained (Article 5.1 and Article 6.2 of the KVKK).

10.1.2 Company employees and the Committee are jointly and severally responsible for ensuring that the transfer of Personal Data to third parties in Turkey complies with the PDP Regulations.

10.2 Transfer of Personal Data to Third Parties Abroad

10.2.1 Personal Data may be transferred by the Company to third parties abroad, provided that the Data Owner's Explicit Consent is obtained (Article 5.1 and Article 6.2 of the KVKK).

10.2.2 In the event that Personal Data is transferred without Explicit Consent in accordance with the KVK Regulations, one of the following conditions must also exist in terms of the foreign country to which it will be transferred;

10.2.3 The foreign country to which the Personal Data will be transferred is among the countries determined by the Board to have adequate protection,

10.2.4 If the foreign country where the transfer will take place is not included in the Board's list of safe countries, the Company and the Data Controllers in the relevant country make a written commitment that adequate protection will be provided and obtain permission from the Board.

10.2.5 Company employees, the Committee and its Representative are jointly and severally responsible for ensuring that the transfer of Personal Data to third parties abroad complies with the PDP Regulations.

11. COMPANY DISCLOSURE OBLIGATION

In accordance with Article 10 of the KVKK, the Company informs the Data Subjects before the Processing of Personal Data. In this context, the Company fulfills its Disclosure Obligation during the acquisition of Personal Data. The notification to be made to the Data Subjects within the scope of the Disclosure Obligation includes the following elements respectively;

11.1 Identity of the Data Controller (and its representative, if any),

11.2 The purpose for which Personal Data will be processed,

11.3 To whom and for what purpose the processed Personal Data may be transferred,

11.4 The method and legal reason for collecting Personal Data,

11.5 The rights of Data Subjects listed in Article 11 of the LPPD.

11.6 In accordance with Article 20 of the Constitution of the Republic of Turkey and Article 11 of the LPPD, the Company shall provide the necessary information if the Data Subject requests information.

11.7 If requested by the Data Subjects in accordance with the KVKK Regulations, the Company shall provide the Data Subject with the necessary information regarding the personal data it processes.

11.8 The employee who follows the relevant process and the Committee are jointly and severally responsible for ensuring that the necessary Disclosure Obligation is fulfilled before the processing of Personal Data.

11.9 Third parties in the status of data processors undertake with a written contract that they will act in accordance with the above-mentioned obligations before starting data processing.

12. RIGHTS OF DATA SUBJECTS

12.1 The Company responds to the following requests of the Data Subjects whose Personal Data it processes in accordance with the KVK Regulations;

12.1.1 To learn whether Personal Data is Processed by the Company,

12.1.2 In case of Processing of Personal Data, to request information regarding this,

12.1.3 To learn the purpose of processing Personal Data and whether they are used in accordance with their purpose,

12.1.4 To know the third parties to whom Personal Data is transferred domestically or abroad,

12.1.5 To request correction of Personal Data in case of incomplete or incorrect processing by the Company,

12.1.6 To request the deletion or destruction of Personal Data by the Company in the event that the reasons requiring the Processing of Personal Data disappear, to be evaluated within the principles of purpose, duration and legitimacy,

12.1.7 In case of correction, deletion or destruction of Personal Data by the Company, to request notification of these transactions to third parties to whom Personal Data is transferred,

12.1.8 In the event that the processed Personal Data is analyzed exclusively through automated systems, to object to this result in the event of a result to the detriment of the Data Owner,

12.1.9 In case Personal Data is processed in violation of the law and the Data Owner suffers damage for this reason, to demand the compensation of the damage.

In cases where Data Subjects want to exercise their rights and / or think that the Company does not act within the scope of this Policy while processing Personal Data, they can submit their requests to the e-mail address given below, which may change from time to time, by filling out the form on the Company's website or by creating their own requests that meet the conditions determined by the Authority. They can send their applications by e-mail (the e-mail address registered in the system should be checked), by secure electronic signature or mobile signature to the Company's KEP address, or to the postal address below, which may change from time to time, together with a wet-signed petition and documents certifying their identity, by hand or through a notary public, or by other methods determined by the Authority that may be added in the future. Current application methods and application content should be confirmed from the legislation prior to application.

Data Controller : EMPCLINICS HİZMETLERI TİCARET A.Ş

Mail : Küçükbakkalköy, Ahmet Yesevi Cd No:8, 34750 Ataşehir/İstanbul

In the event that Data Subjects submit their requests regarding their rights listed above to the Company in writing, the Company shall finalize the request free of charge within (30) thirty days at the latest, depending on its nature. In the event that an additional cost arises regarding the finalization of the requests by the Data Controller, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller.

13. DATA MANAGEMENT AND SECURITY

13.1 The Company establishes a Committee to fulfill its obligations under the PDP Regulations, to ensure and supervise the implementation of the PDP Procedures required for the implementation of this Policy, and to make suggestions for their functioning.

13.2 All employees involved in the relevant process are jointly and severally responsible for the protection of Personal Data in accordance with this Policy and KVK Procedures.

13.3 Personal Data processing activities by the Company are audited by technical systems according to technological possibilities and implementation cost.

13.4 Personnel knowledgeable in technical issues related to Personal Data Processing activities are employed.

13.5 Company employees are informed and trained on the protection and processing of Personal Data in accordance with the law.

13.6 Company employees may access Personal Data only within the authority defined to them and in accordance with the relevant PDP Procedure. Any access and processing made by the employee in excess of his/her authorization is unlawful and is a reason for termination of the employment contract for just cause.

13.7 If the Company employee suspects that the security of Personal Data is not adequately ensured or detects such a security gap, he/she shall notify the Committee.

13.8 A detailed PDP Procedure for the security of Personal Data is established by the Committee.

13.9 Each person to whom a Company device is allocated is responsible for the security of the devices allocated for their use.

13.10 Each Company employee or person working within the Company is responsible for the security of the physical files in their area of responsibility.

13.11 In the event that there are security measures requested or to be requested additionally for the security of Personal Data within the scope of KVK Regulations, all employees are obliged to comply with additional security measures and to ensure the continuity of these security measures.

13.12 In the Company, software and hardware including virus protection systems and firewalls are installed in accordance with technological developments in order to store Personal Data in secure environments.

13.13 Backup programs are used in the Company to prevent loss or damage to Personal Data and adequate security measures are taken.

13.14 Necessary measures will be taken to protect the documents containing Personal Data to the Company with encrypted systems. In this context, Personal Data will not be stored in common areas and on the desktop. Files, folders, etc. containing Personal Data will not be moved to the desktop or common folder, the information on the Company computer will not be transferred to another device such as USB, etc., and will not be taken out of the Company without the prior written approval of the Committee.

13.15 The Committee, together with the Board of Directors, is responsible for taking technical and administrative measures for the Protection of all Personal Data within the Company, continuously monitoring developments and administrative activities, preparing the necessary PDP Procedures and announcing them within the Company, ensuring and supervising compliance with them. In this context, the Committee organizes the necessary trainings to increase the awareness of employees.

13.16 If a department within the Company processes Sensitive Personal Data, this department will be informed by the Committee about the importance, security and confidentiality of the Personal Data they process and the relevant department will act in accordance with the Committee's instructions. Only limited employees will be authorized to access Sensitive Personal Data and their list and follow-up will be made by the Committee.

13.17 All Personal Data processed within the Company is considered as "Confidential Information" by the Company.

13.18 Company employees have been informed that their obligations regarding the security and confidentiality of Personal Data will continue after the termination of the business relationship and a commitment has been obtained from the Company employees to comply with these rules.

14. DATA BREACH RESPONSE PLAN

14.1 An employee who notices attitude and behavior contrary to the Personal Data Protection Law and the relevant legislation immediately notifies the Company's Personal Data Protection Committee.

14.2 In case the processed personal data is obtained by others illegally, the Institution shall be notified within 72 hours.

14.3 Following the determination of the persons affected by the data breach in question, the relevant persons shall be notified as soon as reasonably possible, directly if the contact address of the relevant person can be reached, and if not, by appropriate methods such as publication on the data controller's own website.

14.4 If the data controller fails to notify the Board within 72 hours for a justifiable reason, the reasons for the delay shall be explained to the Board together with the notification to be made.

14.5 In the notification to the Board, the "Personal Data Breach Notification Form" published at the Institution's address https://ihlalbildirim.kvkk.gov.tr is used.

14.6 In cases where it is not possible to provide the information in the form at the same time, this information shall be provided in stages without delay.

14.7 The data controller shall ensure that the information on data breaches, their effects and the measures taken are recorded and made available for the Board's review.

14.8 In the event that the personal data held by the data processor is obtained by others through unlawful means, the data processor shall notify the Committee without any delay in this regard.

The relevant plan is reviewed periodically by the Committee.

15. EDUCATION

15.1 The Company provides the necessary trainings to its employees on the protection of Personal Data within the scope of the Policy and the attached PDP Procedures and PDP Regulations. It can offer these trainings in person or online.

15.2 In the trainings, the definitions of Special Categories of Personal Data and the practices for their protection are specifically addressed.

15.3 If an employee of the Company accesses Personal Data physically or in a computer environment, the Company provides training to the relevant employee specific to these accesses (e.g. the computer program accessed).

16. AUDIT

The Company has the right to audit, regularly, ex officio, at any time and without any prior notice, whether all employees, departments and contractors of the Company act in accordance with this Policy and KVK Regulations, and conducts the necessary routine audits in this context. The Committee establishes a PDP Procedure for these audits, submits it to the approval of the management and ensures the implementation of the said procedure.

17. VIOLATIONS

17.1 Each employee of the Company reports to the Committee the business, transaction or action that he / she thinks is contrary to the procedures and principles specified in the KVK Regulations and this Policy. In this context, the Committee creates an action plan for the relevant violation in accordance with this Policy and KVK Procedures.

17.2 As a result of the information provided, the Committee prepares the notification to be made to the Data Owner or the Authority regarding the violation, taking into account the provisions of the legislation in force on the subject, especially the KVK Regulations. The Contact Person carries out the correspondence and communication with the Authority.

18. RESPONSIBILITIES

Within the Company, responsibilities are assigned to employees, departments and committees respectively. In this context, the Committee responsible for the implementation of the Policy is appointed by the Company Management through a Management decision or bodies authorized to sign and bind, and changes in this context are also made in the same way.

19. CHANGES TO BE MADE IN THE POLICY

19.1 This Policy may be amended by the Company from time to time with the approval of the Management.

19.2 The Company shares the updated Policy text with its employees via e-mail or makes it accessible to employees and Data Subjects via the following web address.

20. EFFECTIVE DATE OF THE POLICY

On 01/01/2023, this version of the Policy was approved by the Company's Board of Directors and entered into force.