KVKK - Privacy and Protection of Personal Data

Privacy and Cookies Policy

1. INTRODUCTION MDR SPECIAL EDUCATION SAGLIK HIZMETLERI A.S. (“PRIVATE MDR POLYCLINIC”) attaches the utmost importance to protecting the fundamental rights and freedoms of individuals in the protection and processing of personal data, above all the privacy of private life regulated in Article 20 of the Constitution. In this context, PRIVATE MDR POLYCLINIC takes care to protect and process personal data lawfully, in accordance with the Personal Data Protection Law No. 6698 (“KVKK”) and the European Union General Data Protection Regulation (“GDPR”), and acts with this understanding in all its planning and activities.

Ensuring the security of the Personal Data of individuals is one of the priority targets of PRIVATE MDR POLYCLINIC. For this reason, PRIVATE MDR POLYCLINIC takes the necessary security measures, in accordance with the current legislation, in order to process the Personal Data of individuals securely and to prevent any unlawful access to or leakage of this data.

1.1 PURPOSE OF THE POLICY The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to inform Personal Data Owners about the obligations and the procedures and principles to be complied with in the protection and processing of personal data that is processed by fully or partially automated means, or by non-automatic means provided that it is part of any data recording system, in accordance with the purpose of KVKK and GDPR. In line with this purpose, the Policy aims to ensure full compliance with the legislation in the protection and processing of personal data carried out by PRIVATE MDR POLYCLINIC and to protect the privacy and data security of Personal Data Owners.

1.2 SCOPE OF THE POLICY This Policy has been prepared for Customers (Patients/Clients), Employees, Employee Candidates and Visitors, provided that they are natural persons, and will be implemented with respect to these specified persons. The purpose of publishing this Policy on the website by PRIVATE MDR POLYCLINIC is to inform Data Owners about personal data protection and processing activities and data security. This Policy will not apply to legal entities in any capacity.

This Policy will be applied for the above-mentioned Data Owners if their personal data is processed by PRIVATE MDR POLYCLINIC completely or partially automatically or non-automatically provided that it is a part of any data recording system. This Policy will not be applied if the data is not included in the scope of "Personal Data" within the scope specified below or if the personal data processing activity carried out by the PRIVATE MDR POLYCLINIC is not carried out in the above-mentioned ways.

1.3 DEFINITIONS The terms used in the implementation of this Policy have the following meanings:

Explicit Consent: Consent about a specific subject, based on information and expressed with free will.

Obligation to Disclose: The obligation of the data controller to inform the persons whose personal data it processes about by whom, for what purposes and on what legal grounds the data is processed, and to whom and for what purposes it can be transferred.

Relevant Users: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.

Destruction: The deletion, destruction or anonymization of personal data.

Processing of Personal Data: Any kind of operation performed on Personal Data by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data.

KVK Board: The Personal Data Protection Board.

Personal Data Owner: The Patients, Clients, Employees, Employee Candidates and Visitors to whom the Personal Data (including sensitive personal data) belongs.

Personal Data: Any information relating to an identified or identifiable natural person.

Institution / Control Mechanism: The Personal Data Protection Authority, which consists of the Board and the Presidency.

Automatic Data Processing: A processing activity performed by devices with processors, such as computers, phones and watches, that takes place on its own without human intervention, within the scope of algorithms prepared in advance through software or hardware features.

Special Qualified Personal Data: Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Registry: The Data Controllers Registry.

Private MDR Clinic: MDR SPECIAL EDUCATION SAGLIK HIZMETLERI A.S.

Data Processor: The natural or legal person who processes Personal Data on behalf of the Data Controller, based on the authority given by the Data Controller.

Data Recording System: The recording system in which Personal Data is processed and structured according to certain criteria.

Data Category: The class of personal data belonging to the data subject group or groups, in which personal data are grouped according to their common characteristics.

Data Subject Person Group: The group of persons whose personal data the data controller processes.

Data Controller: The natural or legal person who determines the purposes and means of processing Personal Data and is responsible for the establishment and management of the data recording system.

1.4 ENFORCEMENT OF THE POLICY The Policy, prepared by PRIVATE MDR POLYCLINIC, came into force on 01.12.2021. It is published on the corporate websites of PRIVATE MDR POLYCLINIC and made available to the Data Owners.

2. PROTECTION OF PERSONAL DATA

2.1 SECURITY OF PERSONAL DATA PRIVATE MDR POLYCLINIC takes all necessary administrative and technical measures to ensure the appropriate level of security in order to securely store personal data and prevent unlawful processing and access of personal data in accordance with KVKK and GDPR. Administrative and technical measures taken regarding the security of personal data are regulated in detail in the Personal Data Retention and Disposal Policy of Private MDR Clinic.

2.2 AUDIT PRIVATE MDR POLYCLINIC carries out, or has carried out on its behalf, the necessary inspections in order to establish the data security described above and to ensure the regularity and continuity of the measures taken. The technical measures taken by PRIVATE MDR POLYCLINIC are supervised by authorized persons at semi-annual intervals, and the administrative measures are supervised by the persons authorized by PRIVATE MDR POLYCLINIC.

2.3 PRIVACY PRIVATE MDR POLYCLINIC takes all necessary administrative and technical measures so that the Data Processor does not disclose the personal data he/she learns within the scope of his/her duty to others in violation of the provisions of the KVKK, GDPR and the Policy, and does not use them for purposes other than processing. In this context, information and training activities are carried out for the Clinic employees about KVKK, GDPR and the Policy, and confidentiality agreements are signed as part of the recruitment processes of the relevant employees. The policies are also communicated to Suppliers and Data Processors who provide outsourced services, and Confidentiality Commitments are obtained from them.

2.4 UNAUTHORIZED DISCLOSURE OF PERSONAL DATA In the event that the personal data processed by PRIVATE MDR POLYCLINIC is obtained by others through unlawful means, PRIVATE MDR POLYCLINIC carries out the necessary procedures to notify the Data Owner and the KVK Board of this situation within the periods determined by the KVK Board. If deemed necessary by the KVK Board, this situation is announced on the website of the KVK Board or by another method deemed appropriate by the KVK Board.

2.5 PROTECTING THE LEGAL RIGHTS OF RELATED PERSONS PRIVATE MDR POLYCLINIC observes all legal rights of the persons concerned regarding the implementation of the Policy and the Law and takes all necessary measures to protect these rights.

2.6 PROTECTION OF PRIVATE PERSONAL DATA Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are personal data of a special nature. PRIVATE MDR POLYCLINIC is aware that Private Personal Data is data that may cause the Data Owner to be victimized or exposed to discrimination if learned by others, and therefore takes the adequate measures determined by the Board, with due care, for the protection of such personal data processed in accordance with the law. In this context, it has a separate policy (Private Personal Data Security Policy) that is systematic, clearly defined, manageable and sustainable.

3. PROCESSING AND TRANSFERRING PERSONAL DATA

3.1 GENERAL PRINCIPLES ON PROCESSING AND TRANSFERRING PERSONAL DATA Personal Data is processed by PRIVATE MDR POLYCLINIC in accordance with KVKK, GDPR and the procedures and principles stipulated in this Policy. PRIVATE MDR POLYCLINIC complies with the following principles when processing personal data.

c) Processing for Specific, Explicit and Legitimate Purposes PRIVATE MDR POLYCLINIC clearly and precisely determines the purpose of data processing and ensures that this purpose is in compliance with the law. Compliance with the law means that the personal data processed by PRIVATE MDR POLYCLINIC are related to and necessary for the health service in which it operates. PRIVATE MDR POLYCLINIC does not process data for purposes other than those stated. In this respect, it shows sensitivity in compliance with the principle of certainty and clarity in legal transactions and texts in which the purposes of personal data processing are explained.

d) Being Related to the Purpose for Which They Are Processed, Limited, Measured and Necessary PRIVATE MDR POLYCLINIC takes care that the processed personal data is suitable for the realization of the determined purposes and avoids the processing of data that is not related to the realization of the purpose or is not needed. PRIVATE MDR POLYCLINIC does not collect or process personal data for purposes that do not yet exist and are only expected to arise later. It also limits the processed data to what is necessary for the realization of the purpose. Within the scope of the principle of proportionality, it establishes a reasonable balance between data processing and the intended purpose.

e) Being Retained for the Period Envisioned in the Related Legislation or Required for the Purpose of Processing If a period for data storage is foreseen in the relevant legislation, PRIVATE MDR POLYCLINIC complies with that period; otherwise, it retains personal data only for as long as is necessary for the purpose for which it was processed. If there is no valid reason for PRIVATE MDR POLYCLINIC to store personal data any longer, the said data is deleted, destroyed or anonymized. The procedures regarding the storage and destruction of personal data are regulated in detail in Private MDR Clinic's Personal Data Retention and Disposal Policy.