Personal Data Processing Policy

Personal Data Protection Policy of Dr. Merdan Çelik’s Clinic

Data Controller:
Dr. Merdan Çelik’s Clinic prioritizes the protection of personal data belonging to clients, employees, and other individuals in relationships with the clinic, adhering to principles of exceptional service quality, respect for individual rights, transparency, and honesty. Personal data processing and storage activities are conducted in compliance with the Personal Data Protection Law (KVKK) and relevant regulations. Protecting patient privacy and handling personal data with the utmost care is of paramount importance to our clinic. This policy aims to safeguard personal data not only of patients but also of companions, visitors, and employees of our collaborating organizations, in accordance with the foundational principles outlined in the legislation.

Purpose of the Policy:
The purpose of this policy is to ensure transparency by informing patients, companions, visitors, employees, corporate representatives, and other relevant persons whose personal data are processed within the framework of KVKK-compliant activities carried out by our clinic. In line with Law No. 6698 and other relevant regulations, the necessary administrative and technical measures for processing and protecting personal data are implemented. Within the scope of this policy, individuals whose personal data are processed are referred to as “Data Subject,” “Relevant Person,” or “Personal Data Owner.”

Definitions

Explicit Consent:
Consent provided freely, informedly, and specifically regarding a particular subject.

Anonymization:
The transformation of personal data so that it cannot be associated with an identifiable individual, using methods like masking, aggregation, or data corruption. Anonymized data cannot be reidentified, and the necessary precautions are implemented within our clinic to ensure this.

Employees, Shareholders, and Authorized Representatives of Partner Institutions:
Individuals associated with organizations in business relationships with the clinic, such as employees, shareholders, or authorized representatives.

Personal Data Processing:
Any operation performed on personal data, whether partially or fully automated or by non-automated means that form part of a data recording system, including but not limited to collection, recording, storage, alteration, transfer, or classification.

Personal Data:
Information related to an identified or identifiable natural person, such as ID numbers, names, email addresses, phone numbers, home addresses, and bank account details.

Special Categories of Personal Data:
Data related to race, ethnicity, political opinions, religious or philosophical beliefs, health, sexual life, or biometric and genetic information, which are subject to heightened protection.

Third Parties:
Individuals indirectly involved in interactions with the clinic, such as service providers, companions, or individuals acting in a supporting capacity.

Data Processor:
A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.

Data Controller:
The person or entity determining the purposes and means of processing personal data and managing the data recording system.

Processing and Protection of Personal Data

As a data controller, our clinic is registered in the VERBIS system and operates a Personal Data Protection Team. Decisions on personal data matters are implemented following legal counsel and management approval.

Personal data collected through physical and digital means—including from patients, healthcare professionals, collaborators, or websites—may include sensitive health information and other general data processed for purposes such as:

• Medical diagnosis, treatment, and care services
• Protection of public health
• Planning and management of preventive healthcare services
• Notifying patients about appointments
• Risk management and quality improvement
• Fulfilling legal and regulatory requirements
• Billing for services
• Responding to inquiries or complaints
• Enhancing patient satisfaction

The clinic upholds key principles of lawful, fair, transparent, and purpose-limited data processing, ensuring accuracy, timely updates, and secure storage. Data processing is based on conditions such as explicit consent, legal obligations, or contractual necessity.

Categorization of Processed Data

1. Identity Information: Personal identifiers like ID cards, passports, and similar documents.
2. Contact Information: Phone numbers, email addresses, and physical addresses.
3. Location Data: Information about an individual’s geographic location.
4. Family Information: Data on family members or close relatives for legal purposes.
5. Physical Space Data: Records like surveillance footage or biometric data.
6. Financial Data: Details of financial transactions, records, and statements.
7. Employment Data: Information about employee or applicant qualifications.
8. Legal Records: Data related to legal claims, rights, and obligations.

Technical and Administrative Measures

The clinic implements the following safeguards:

• Strong passwords for digital systems and email accounts.
• Employee training and confidentiality agreements.
• Regular data backups and secure data access protocols.
• Notification of data subjects before processing begins.
• Maintenance of a comprehensive data processing inventory.

Our clinic ensures that personal data are processed in accordance with the principles set forth in Law No. 6698 and relevant regulations.