PDPL
Personal Data Protection and Processing Policy
1. PURPOSE AND SCOPE OF THE POLICY
Processing and protecting personal data in compliance with the law is of great importance for the Data Controller.
Data Controller Title: Assoc. Prof. Dr. Ata Can
Data Controller Address: İnönü, Nizamiye Cd. No:9 D:No:1, 34373 Şişli/İstanbul
Data Controller Phone: 0536 576 66 66
Data Controller E-mail: atababay@yahoo.com
Data Controller Website: https://dratacan.com/
This Personal Data Protection and Processing Policy (“Policy”) has been prepared to ensure that personal data processing activities are carried out in compliance with the Personal Data Protection Law No. 6698 (the “Law”), as well as the regulations, circulars, and guidelines issued within the scope of the Law, and to ensure the Company’s overall compliance with the PDPL.
The Policy also sets forth the principles, procedures, and guidelines for the processing, retention, and protection of personal data.
2. DEFINITIONS
Within the scope of this Policy, the following terms are defined as:
Explicit Consent: Consent that is related to a specific subject, based on information, and declared with free will.
Relevant User: Persons who process personal data within the organization of the Data Controller or based on the authority and instructions received from the Data Controller, excluding the person or unit responsible for technical storage, protection, and backup of the data.
Destruction: Deletion, destruction, or anonymization of personal data.
Law: The Personal Data Protection Law No. 6698 dated 24.03.2016.
Recording Medium: Any environment where personal data is processed, whether fully or partially automatic, or non-automatic provided that it is part of a data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data, wholly or partially automated, or non-automated provided that it is part of a data recording system, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or preventing its use.
Deletion of Personal Data: Making personal data inaccessible and unusable for Relevant Users.
Erasure of Personal Data: Making personal data inaccessible, irretrievable, and unusable by anyone.
Board: The Personal Data Protection Board.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, biometric and genetic data.
Periodic Destruction: The process of deletion, destruction, or anonymization carried out ex officio at recurring intervals when all of the conditions for processing personal data specified in the Law no longer exist.
Data Subject / Relevant Person: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
3. PROCESSING OF PERSONAL DATA
3.1 Principles Followed in the Processing of Personal Data
Personal data shall be processed in accordance with the fundamental principles set out in the Law. Accordingly, personal data will be:
Processed lawfully and in accordance with the rules of good faith.
Accurate and, where necessary, kept up to date.
Processed for specific, explicit, and legitimate purposes.
Relevant, limited, and proportionate to the purpose for which they are processed.
Retained for the period required by relevant legislation or for the purpose for which they are processed.
3.2 Conditions for Processing Personal Data
Personal data not considered “special categories” may be processed based on at least one of the following legal grounds, or with the explicit consent of the data subject:
Clearly stipulated by law.
Necessary for the performance of a contract.
Necessary for the Data Controller to fulfill its legal obligation.
Necessary for the establishment, exercise, or protection of a right.
Necessary for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
3.3 Processing of Special Categories of Personal Data
The procedures and principles for processing special categories of personal data are set out in the “Policy on the Processing of Special Categories of Personal Data,” which is published by our institution.
This policy is available at: https://dratacan.com/
3.4 Information to Data Subjects
Data subjects are informed in accordance with the Law, including:
The identity of the Data Controller,
The purposes of processing personal data,
The persons or entities to whom the data may be transferred,
The method and legal basis of data collection,
And their rights under the Law.
Rights of Data Subjects:
To learn whether their personal data is processed,
To request information if their personal data has been processed,
To learn the purpose of processing and whether it is used for its purpose,
To know the third parties to whom their personal data is transferred domestically or abroad,
To request correction if personal data is incomplete or incorrectly processed,
To request deletion or destruction of personal data under the conditions set forth in Article 7 of the Law,
To request notification of such corrections, deletions, or destruction to third parties to whom data is transferred,
To object to decisions resulting from the analysis of personal data exclusively by automated systems,
To request compensation if they suffer damages due to unlawful processing of personal data.
Applications can be made in writing to the Data Controller’s address listed above or electronically through the official website. Responses will be provided free of charge within 30 days at the latest. However, if the process entails an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
4. PURPOSES OF PROCESSING PERSONAL DATA
Personal data may be processed for the following purposes:
Managing recruitment processes of job candidates,
Fulfillment of contractual and legal obligations for employees,
Managing employee benefits and entitlements,
Ensuring compliance with legal regulations,
Conducting financial and accounting transactions,
Ensuring physical security of premises,
Conducting legal affairs,
Managing communication activities,
Carrying out occupational health and safety practices,
Managing contractual processes,
Handling requests and complaints,
Ensuring the security of movable property and resources,
Providing information to authorized persons, institutions, and organizations,
Conducting dental and oral health treatment and planning,
Carrying out promotional and marketing activities.
5. RETENTION AND DESTRUCTION OF PERSONAL DATA
Personal data is retained for as long as required by the purpose of processing and the applicable legal regulations. After this period, data is destroyed either periodically (every six months) or within thirty days upon request of the data subject, using the deletion, destruction, or anonymization methods specified in legislation.
A detailed retention period table is included in the Policy.
6. TRANSFER OF PERSONAL DATA
6.1 Domestic Transfer of Personal Data
Personal data may be transferred to:
Judicial authorities and lawyers in case of legal disputes,
Certified public accountants for tax and financial obligations,
Contracted banks for salary payments,
District/Provincial Health Directorates for staff documentation,
Ministry of Health systems for healthcare personnel tracking,
Social Security Institution for employment notifications,
Tax offices for declarations,
Insurance companies for patients with private insurance,
Referral health institutions in case of patient transfers,
Authorized software companies for archiving purposes.
7. PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the Law, our clinic ensures:
Prevention of unlawful processing of personal data,
Prevention of unlawful access to personal data,
Protection of personal data.
Administrative Measures and Technical Measures are detailed in the Policy, including staff training, confidentiality agreements, access restrictions, encryption, logging, and cybersecurity practices.
8. RIGHTS OF DATA SUBJECTS AND EXERCISE OF RIGHTS
Data subjects may submit requests regarding their rights as described in Article 11 of the Law through written application or electronic channels.
The Data Controller shall respond within 30 (thirty) days. If the process entails a cost, a fee determined by the Board may apply.
9. COORDINATION OF DATA PROTECTION AND PROCESSING PROCEDURES
The coordination of personal data protection and processing is carried out by the Data Controller or authorized personnel.
10. UPDATES TO THE POLICY
Our clinic reserves the right to amend this Policy due to changes in legislation, Board decisions, or technological/sectoral developments. Updates will be reflected in the Policy text and listed in the Updates Table.
11. FINAL PROVISIONS
This Personal Data Protection and Processing Policy has been prepared by the Data Controller and announced to the relevant persons by publication:
Within the clinic premises, and
On the website https://dratacan.com/.
