*INFORMATION TEXT ON PROCESSING OF PERSONAL DATA*
"Information Text"
Pursuant to the provisions of the Personal Data Protection Law No. 6698 ("KVKK") and the General Data Protection Regulation of the European Union ("GDPR"), Dr. Sultan Buğday, operating at Mansuroğlu, EGE Sun Plaza, 295./2 Sk. No: 1/F, 35535 Bayraklı/İzmir, as a Gynecologist and Obstetrician (hereinafter referred to as "Physician/Clinic/Employer"), informs you about our mutual rights and obligations under the KVKK and GDPR regarding the recording, storage, updating, disclosure to third parties as required by legal regulations, transfer, classification, and processing of your personal data.
Within the legal framework, we are obliged to record, store, and arrange all records and documents necessary for providing health services (diagnosis, treatment, care services, etc.) in order to identify patient identity in accordance with the Basic Health Services Law, Private Hospitals Regulation, Health Implementation Communiqué, Patient Rights Regulation, and other legislation.
Your personal data may be shared with relevant authorities and persons such as the Ministry of Health, Provincial Health Directorates, Public Health Centers, Social Security Institution, and your private health insurer, in accordance with the requests of authorized bodies or within the scope of notification/obligation notifications to us, and/or as required by legal regulations.
*PURPOSES OF PROCESSING PERSONAL DATA, COLLECTION METHODS, AND LEGAL BASES*
Your personal data, including identity, address, phone number, medical history, and other necessary information, will be recorded, processed, and stored to establish a Physician-Patient relationship, fulfill contractual obligations, provide services to you, maintain mandatory medical records required by regulations and regulatory authorities, improve service quality, and provide requested/other products/services.
Your health data and personal information necessary for your treatments and applications, including blood type, laboratory and imaging results, tests, allergies, chronic diseases, sexually transmitted diseases, infectious diseases, past surgeries/operations, e-nabız information, continuously used medications, COVID-19 disease information, medical treatments, prescription information, harmful health habits, body analysis, and death information, will be processed for purposes such as creating patient files, preventive medicine, providing examination, medical diagnosis, treatment, and care services, following up after medical diagnosis and treatment processes, managing possible complication processes, contacting you directly, managing appointment processes, ensuring patient satisfaction and request management, fulfilling legal and contractual obligations, retaining health data that must be kept for specific periods, consulting with other relevant specialist physicians when necessary for appropriate treatment, complying with health tourism regulations, planning and managing health service financing, ensuring workplace safety, fulfilling legal responsibilities arising from doctor-patient relationships, fulfilling financial and administrative obligations, ensuring technical and commercial security, and fulfilling public obligations.
Your personal data will be processed based on the above-mentioned purposes and legal bases related to health services and in accordance with the rights and obligations mentioned above. Failure to provide your personal data may prevent us from fulfilling our legal obligations and may hinder the successful execution of your treatment and/or recovery processes.
Other contexts in which your personal data may be processed include:
HR operations,
Clinic internal operations,
Consequences of legal, technical, and administrative activities,
Strategy, planning, and business partners/suppliers,
Customer management,
Customer satisfaction,
Planning and implementation of corporate communication activities and events,
Planning and implementation of clinic internal training programs,
Clinic workplace safety,
Execution of employee and occupational health and safety services,
Execution of technical service operations,
Execution of collection processes,
Offering product-service promotions, information, personalized advertising, campaigns, and other benefits to customers through statistical analyses,
Conducting studies to improve service quality and provide better service,
Invoicing for services provided,
Service procurement from external sources,
Providing benefits to customers in non-expert areas and obtaining technology services,
Planning and use of clinic activities.
For employees:
Creating personnel files,
Determining whether the job requirements are continuously met,
Performing private health insurance,
Creating health records,
Taking occupational safety measures,
Planning travel.
For job candidates:
Managing the evaluation process for suitability for open positions.
Within the scope of activities, the publication of visual and audio data related to the Clinic and its Employees, stands obtained in competitions, organizations, fairs, studies, and other events for the purpose of developing and sharing the work,
Fulfilling legal obligations,
Execution/follow-up of the Clinic's financial reporting and risk management processes,
Execution/follow-up of legal affairs,
Creation and follow-up of patient records.
Planning and execution of the use of machines and equipment by employees,
Planning and execution of procurement processes,
Planning and execution of collection processes,
Planning and execution of the use of the clinic's internet, common network, and computer use in accordance with the laws,
Planning and execution of fairs, activities, social projects, product and corporate promotion of the Clinic.
The mentioned purposes are for information purposes, and updates that can be added by us to carry out the future operational activities of the Clinic will be announced.
Your personal data, depending on the healthcare service provided;
By coming to the Physician and Clinic for examination and treatment, through the health reports, laboratory and imaging results, analyses, health reports, and statements related to your health data that you provide to perform a medical evaluation of the treatment to be applied to you, through filling out the "Patient Information and Consent Form" related to the treatment to be applied by the Physician and Clinic, through the communication form you filled out on the corporate website of the Physician and Clinic, through the emails you send to the corporate email address of the Physician and Clinic, through the photo/video recordings taken before, after, and/or during the medical procedure applied to you within the Clinic, upon your request and when necessary; for the purpose of performing your diagnoses and controls online through remote access by the Physician and Clinic, by accepting the Privacy Policies and International Transfer Principles of the remote connection application service providers (WhatsApp/Zoom.us/Facetime/Skype/Messenger/Google/Instagram/Facebook etc.) you use, through the written/voice/visual (photo and/or video recording) messages you send to the Physician and Clinic and through the online voice/video calls you make via these applications, by accepting the Privacy Policies and International Transfer Principles of the social media accounts you are currently a user of, whose servers are located abroad (Instagram, YouTube, Facebook, Twitter, LinkedIn, etc.), through direct messaging or commenting on the profile accounts of the Physician and Clinic on these social media accounts, by accepting the Privacy Policies and International Transfer Principles of the social media accounts you are currently a user of, whose servers are located abroad (Instagram, YouTube, Facebook, Twitter, LinkedIn, Google etc.), through the "contact us" or "get information" panels on the promotions and advertisements made by the Physician and Clinic on these social media accounts and by giving automatic processing permission to the information you transfer.
Exceptions that make it possible to process personal data lawfully are regulated in Article 5/2 of the KVKK. In this respect, the Clinic may process personal data without explicit consent if one of the other conditions (exceptions) listed below exists. The basis of the personal data processing activity may be only one of the conditions listed below, or more than one of these conditions may be the basis of the same personal data processing activity.
These are:
• Explicitly provided for by law,
• it is necessary to process the personal data of the person who is unable to explain his consent due to actual impossibility or whose consent is not legally valid, to protect the life or physical integrity of himself or another person,
• it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• it is necessary for the Clinic to fulfill its legal obligation,
• the personal data owner has made his personal data public,
• it is necessary to process data for the establishment, exercise, or protection of a right,
• provided that it does not harm the fundamental rights and freedoms of the data subject, it is necessary to process data for the legitimate interests of the Clinic.
Additionally, under GDPR Article 9/2/h, Article 6/1/b, and Article 6/1/f, situations where your data can be processed without the need for explicit consent:
For the purpose of conducting examination, medical diagnosis, treatment, and care services, your Health Data, which is considered Special Category Personal Data by the Clinic, which is under the obligation of confidentiality according to the law, will be processed without your explicit consent.
After medical diagnosis and treatment processes, your Personal Data will be processed by the Clinic without your explicit consent for the purpose of conducting your controls, communicating with you one-on-one, and managing appointment processes.
Your Personal Data will be processed by the Clinic without your explicit consent for the purpose of patient satisfaction and demand management.
Under GDPR Article 6/1/c, your Personal Data will be processed without your explicit consent based on legal obligations in the following situations:
Creation of patient files.
Preservation of information related to health data that must be kept as required by relevant legislation.
Issuing invoices by controlling your payment of fees.
Fulfillment of tax obligations.
Fulfillment of obligations according to the Ministry of Health Regulations.
Fulfillment of obligations according to the Health Tourism Regulations.
Ensuring data security.
Fulfillment of legal obligations before judicial authorities.
Fulfillment of administrative obligations before administrative authorities.
Your requests in your application will be concluded free of charge within a maximum of thirty days, depending on the nature of the request. However, if the process incurs an additional cost for the Practice, a fee may be charged according to the tariff determined in the Communiqué on the Procedures and Principles of Application to the Data Controller by the Personal Data Protection Board. In accordance with the first paragraph of Article 13 of the KVKK, Personal Data Owners can submit their requests related to the use of their rights, according to the procedures and principles specified in the "Communiqué on the Procedures and Principles of Application to the Data Controller" published in the Official Gazette dated March 10, 2018, and numbered 30356. In accordance with Article 28 of the KVKK, it will not be possible for personal data owners to assert their rights in the following matters:
• Processing of personal data for purposes such as research, planning, and statistics by anonymizing them through official statistics
• Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights, or do not constitute a crime
• Processing of personal data by public institutions and organizations authorized and tasked by law to ensure national defense, national security, public security, public order, or economic security, for preventive, protective, and intelligence activities
• Processing of personal data by judicial authorities or enforcement agencies related to investigation, prosecution, trial, or execution processes
According to Article 28/2 of the KVKK, provided that it is in compliance with the purpose and fundamental principles of the Law and is proportionate, the provisions of Article 10, which regulates the obligation of data controllers to inform, except for the right to request compensation for damage, Article 11, which regulates the rights of the relevant person, and Article 16, which regulates the registration obligation to the Data Controllers Registry, do not apply in the following cases:
• Processing of personal data is necessary for the prevention of crime or for criminal investigation
• Processing of personal data made public by the data owner
• Processing of personal data by public institutions and organizations, and professional organizations with the status of public institutions, authorized and tasked by law to carry out supervision or regulatory duties and for necessary disciplinary investigations and prosecutions
• Processing of personal data is necessary for the protection of the economic and financial interests of the state related to budget, tax, and financial issues
RIGHTS OF DATA SUBJECTS UNDER GDPR
As a Data Subject, your Personal Data is also protected under the GDPR. In cases where the GDPR is applicable (citizens of the European Union or those residing in European Union countries), the rights of Data Subjects are as follows:
Right of Access (GDPR Article 15): The data subject has the right to confirm whether personal data concerning them is being processed by contacting the Clinic, and if so, to learn the details specified in GDPR Article 15.
Right to Rectification (GDPR Article 16): The Data Subject has the right to request correction of their personal data held by the Clinic at any time.
Right to Erasure (GDPR Article 17): The Data Subject has the right to request the deletion of their personal data held by the Clinic. If the conditions specified in GDPR Article 17 occur, your personal data will be deleted by the Clinic without delay.
Right to Restrict Processing (GDPR Article 18):
Data Subjects have the right to request restriction of processing if they dispute the accuracy of their Personal Data, until the Clinic verifies the accuracy of the Personal Data.
The Data Subject has the right to request restriction of processing if the Personal Data processing activity is unlawful and the Data Subject objects to the deletion of their Personal Data, until their request is fulfilled.
The Data Subject has the right to request restriction of processing if the Clinic no longer needs the personal data for the purposes of processing but the Data Subject requires the data for the establishment, exercise, or defense of legal claims.
Data Subjects have the right to request restriction of processing under GDPR Article 21/1 if they object to processing, until it is verified whether the legitimate reasons of the Clinic outweigh those of the Data Subject.
Right to Data Portability (GDPR Article 20): The Data Subject has the right to request the transfer of their Personal Data held by the Clinic to another controller, provided it is technically feasible. However, this right can only be exercised when the processing is based on consent or required by contract.
Right to Object (GDPR Article 21):
The Data Subject has the right to object to the processing of their Personal Data on grounds relating to their particular situation under GDPR Article 6/1/e and (f).
We would like to inform you that we continue our activities with the awareness that personal data security is prioritized in all our products and services.
CONSENT AND APPROVAL
By reading this Clarification Text, you declare that you are fully and completely informed about the data processing process carried out by the Doctor and the Practice, that you have learned about your rights regulated by KVKK and GDPR, and that you freely and voluntarily consent to the processing of your Personal Data and Special Categories of Personal Data within the scope of this Clarification Text by the Doctor and the Practice.