DR. ERHAN BAYRAM CLINIC
PERSONAL DATA PROCESSING / PRIVACY POLICY
This text has been prepared to inform you about which of your personal data is processed by the data controller, for what purpose, how and for what reason, with whom it is shared and for how long it is stored.
Introduction
This privacy policy has been prepared within the scope of Article 10 of the Personal Data Protection Law No. 6698. As DR. ERHAN BAYRAM CLINIC, we prioritize patient privacy in our medical practice activities. For this purpose, the personal data transmitted by our patients, patient relatives, employees and other persons related to the clinic who benefit from the health and consultancy services we provide are processed and stored in accordance with the relevant legislation, especially the Turkish Constitution, international agreements and the Personal Data Protection Law No. 6698.
In accordance with GDPR, and in our capacity as the Data Controller, we will record, store and update your personal data, disclose/transfer it to third parties in cases permitted by the legislation, and classify, anonymize, de-identify and destroy it. This text provides explanatory information regarding the processing of your personal data by us as the data controller.
Collection and Processing of Personal Data
Within the scope of our services, various information is collected from our patients, their legal representatives, our employees and third parties. The information collected is obtained in accordance with the data processing principles and conditions stipulated in the Personal Data Protection Law No. 6698.
Of the special categories of personal data, health data can only be processed by persons under confidentiality obligation or authorized institutions/organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without the explicit consent of the data subject. In addition, all special categories of personal data can be processed when sufficient measures determined by GDPR are taken as required by law.
Personal data you share in the clinic is obtained through automatic or non-automatic methods, through all channels including the website, surveys and social media applications, verbally, in writing, visually or electronically, and is recorded, stored, modified and rearranged.
Within the scope of GDPR, any operation performed on data is considered "processing of personal data".
Collected Personal Data (Examples)
Below are examples of data groups collected. The content may vary depending on the scope of service/relationship.
- Identity information: Name, surname, identity card/passport/driver's license copy, ID number, place/date of birth, marital status, gender, insurance/protocol number, etc.
- Contact information: Address, telephone, relative's contact number, e-mail, consultation line call records, etc.
- Financial information: Bank account/IBAN, credit card information, billing information, etc.
- Social security / insurance data: Private health insurance and social security related data.
- Security records: Camera recordings for clinic security purposes, EEG recordings, etc.
- Health data: Laboratory/test results, examination data, prescription information, medical diagnosis, all health data obtained during treatment and care process (including special categories of data).
- Biometric and visual data: Service-related photographs, video and audio recordings.
- Remote consultation data: Identity, contact, health, sexual life and genetic data obtained during video consultation, as well as audio-visual data and client file records.
In general, all types of personal data that you share with our clinic, both special and general categories, are within the scope of collected data.
Purposes of Collecting Personal Data
Your shared personal data may be processed for the following purposes:
- Fulfillment of legal obligations (regulations No. 3359, 663 and relevant legislation).
- Fulfillment of contractual responsibilities and service delivery.
- Planning, financing and management activities related to health services.
- Information sharing with the Ministry of Health and other public institutions/organizations in case of legal necessity.
- Protection of public health, preventive medicine, diagnosis, treatment and care services.
- Providing information to judicial authorities in legal processes.
- Providing consultation/advisory services and taking data security measures.
- Appointment notification, fraud monitoring, patient satisfaction measurement, training and quality processes.
- Drug/medical device supply, personnel management and human resources operations.
- Marketing, media and communication activities (with approval).
Your personal data can be stored in both physical and digital archives and may be transferred to contracted institutions when necessary.
Explicit Consent in Processing Personal Data
In accordance with GDPR Art. 5 and Art. 6, personal data cannot be processed without the explicit consent of the data subject. However, there are exceptional cases specified in the law (e.g., explicitly provided for in laws, vital danger, related to the establishment/performance of the contract, fulfillment of the legal obligation of the data controller, etc.).
Special categories of personal data (race, ethnic origin, political thought, philosophical belief, religion, attire, trade union membership, health, sexual life, criminal conviction, biometric/genetic data, etc.) cannot be processed without the explicit consent of the data subject as a general rule. However, data related to health and sexual life can be processed without seeking explicit consent in some cases regulated by law (public health, preventive medicine, treatment, financing planning, etc.).
In short, data will be processed in accordance with the law and the principle of honesty, in a manner that is related to the purpose, limited and measured, and kept accurate and up-to-date.
Processing and Storage Period of Personal Data
Your personal data will be processed in accordance with the periods determined by GDPR and relevant legislation (prescription periods, etc.) and as long as the purposes stated in this text exist. The storage period of health data is generally 20 years.
Persons and Organizations to Which Your Personal Data May Be Transferred
Your personal data may be transferred to institutions/organizations permitted by relevant legislation; for example:
- Social Security Institution, Ministry of Health and its sub-units
- Security forces under the Ministry of Interior, prosecutor's office, courts and other official authorities
- Private insurance companies, laboratories, imaging centers and business partners
- Lawyers, consultants, auditors in case of legal dispute
- Domestic organizations and third parties from whom we receive contractual services
Example partner institutions: Biolab Medical Microbiology Laboratories, Talatpaşa Medical Laboratory, Barış Medical Imaging Center.
Data processors (examples): SAFİYE ARI (ID: 18005532914), ECE AYYÜREK (ID: 18778499452), FATMA KAYA (Physiotherapist, ID: 63217415234).
In addition, the categorical transfers mentioned in the privacy policy (identity, social security, financial advisor, etc.) may be made to relevant parties.
What Should You Do If Your Personal Information Changes?
In case of a change in your personal data, you need to inform us so that the records can be updated. As per our procedures, we will check the accuracy of your contact and address information periodically by requesting your confirmation.
Personal Data of Children
Personal data belonging to individuals under the age of 18 is processed with the consent of the minor's parent or guardian in cases requiring explicit consent.
Personal Data Collection Methods
Data is collected in the following ways:
- The data subject submitting documents in a physical environment
- Sending patient history/biography information by physical or virtual methods such as e-mail
- By non-automatic methods (verbal statement, etc.)
- By filling out forms and verbal statements
Rights of the Personal Data Owner
In accordance with GDPR Article 11, the personal data owner has the following rights:
- Learning whether personal data is being processed
- Requesting information about this if it has been processed
- Learning the purpose of processing and whether it is used in accordance with the purpose
- Knowing the third parties to whom data is transferred domestically or abroad
- Requesting correction if data has been processed incompletely or incorrectly
- Requesting deletion or destruction of personal data within the scope of GDPR Article 7 (evaluation will be made within the framework of legislation for health data)
- Requesting notification of the operation to third parties if data is corrected/deleted/destroyed
- Objecting to an outcome against you arising from analysis by automatic systems
- Claiming compensation if damage has been suffered due to unlawful processing
- Withdrawing your consent for data processing at any time
You can submit your rights requests from the e-mail address registered in your previous notification, with a secure electronic signature or mobile signature to our KEP address, or by post with a wet signature. Your request will be concluded free of charge as soon as possible and at the latest within 30 (thirty) days depending on the nature of your request. If the transaction incurs a cost, the tariff determined by the Board may be applied.