PRIVATE KARAKUCAK CLINIC PERSONAL DATA PROTECTION AND PROCESSING POLICY

 

  • INTRODUCTION

PRIVATE KARAKUCAK CLINIC SULTAN KARAKUCAK, under the responsibility of Dr. SULTAN KARAKUCAK (“KARAKUCAK CLINIC”), prioritizes the protection of individuals’ fundamental rights and freedoms, primarily the right to privacy stated in Article 20 of the Constitution, in the processing and protection of personal data. Accordingly, KARAKUCAK CLINIC ensures that personal data is protected and processed lawfully in accordance with Law No. 6698 on the Protection of Personal Data (“KVKK”) and the European Union General Data Protection Regulation (“GDPR”), and acts in compliance with this approach in all its plans and operations.

Ensuring the security of individuals’ Personal Data is a top priority for KARAKUCAK CLINIC. Therefore, necessary security measures are taken by KARAKUCAK CLINIC in compliance with applicable laws to ensure the secure processing of Personal Data and to prevent any illegal access or data breaches.

1.1 PURPOSE OF THE POLICY

The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to inform Data Subjects about the procedures and principles that KARAKUCAK CLINIC will comply with, and its responsibilities in the protection and processing of personal data, which are processed either fully or partially automatically or by non-automatic means that form part of a data recording system, in accordance with KVKK and GDPR. Within this purpose, the aim is to ensure full compliance with applicable legislation and to protect the rights of privacy and data security of Data Subjects during personal data protection and processing activities carried out by KARAKUCAK CLINIC.

1.2 SCOPE OF THE POLICY

This Policy is prepared for natural persons such as Clients (Patients), Employees, Employee Candidates, and Visitors and shall apply to the mentioned persons. The purpose of publishing this Policy on the website by KARAKUCAK CLINIC is to inform Data Subjects about data protection and processing activities and data security. This Policy shall not apply to legal entities under any circumstances.

This Policy shall apply to the above-mentioned Data Subjects if their personal data is processed either fully or partially automatically or by non-automatic means that form part of a data recording system by KARAKUCAK CLINIC. If the data does not fall under the definition of “Personal Data” as described below or is not processed in the manner stated above, this Policy shall not apply.

1.3 DEFINITIONS

The concepts used in the implementation of this Policy shall have the following meanings:

Explicit Consent Consent given on a specific issue, based on information and expressed with free will.
Obligation to Inform The obligation of the data controller to inform individuals whose data it processes about who is processing their data, for what purposes, based on which legal grounds, and to whom and for what purposes the data may be transferred.
Relevant User Persons who process personal data within the data controller’s organization or with the authority and instructions received from the data controller, excluding those responsible for technical data storage, protection, and backup.
Destruction Refers to the deletion, destruction, or anonymization of personal data.
Processing of Personal Data Any operation performed on personal data, whether by fully or partially automatic means or by non-automatic means forming part of a data recording system, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use.
KVK Board The Personal Data Protection Board.
Data Subject Refers to Patients, Clients, Employees, Employee Candidates, and Visitors whose personal data (including special categories of personal data) is processed.
Personal Data Any information relating to an identified or identifiable natural person.
Authority / Supervisory Body The Personal Data Protection Authority composed of the Board and the Presidency.
Automated Data Processing Processing activities performed automatically by devices with processors (e.g., computers, phones, smartwatches) via predefined algorithms without human intervention.
Special Categories of Personal Data Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations, or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
Registry The Data Controllers Registry.
KARAKUCAK CLINIC Refers to PRIVATE KARAKUCAK CLINIC SULTAN KARAKUCAK.
Data Processor A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the controller.
Data Recording System A recording system in which personal data is processed and structured according to specific criteria.
Data Category A classification of personal data grouped according to common characteristics belonging to a particular data subject group or groups.
Data Subject Group The relevant group of individuals whose personal data is processed by the data controller.
Data Controller A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

 

1.4 ENFORCEMENT OF THE POLICY

The Policy, which was prepared by KARAKUCAK CLINIC and entered into force on 01.07.2021, is published on KARAKUCAK CLINIC’s corporate websites and made available to Data Subjects.

  • PROTECTION OF PERSONAL DATA

  • SECURITY OF PERSONAL DATA

KARAKUCAK CLINIC takes all necessary administrative and technical measures to ensure an appropriate level of security to store personal data securely, prevent unlawful processing and access in accordance with KVKK and GDPR. The administrative and technical measures taken regarding the security of personal data are detailed in KARAKUCAK CLINIC’s Personal Data Retention and Destruction Policy.

  • AUDIT

KARAKUCAK CLINIC conducts and ensures necessary audits to ensure the implementation and continuity of the data security measures described above. Technical measures are audited by authorized personnel every six months, and administrative measures are audited by persons authorized by KARAKUCAK CLINIC.

  • CONFIDENTIALITY

KARAKUCAK CLINIC takes all necessary administrative and technical measures to ensure that personal data learned by Data Processors during their duties are not disclosed or used for purposes other than processing, in violation of KVKK, GDPR, and this Policy. In this context, staff are informed and trained on KVKK, GDPR, and the Policy, and confidentiality agreements are signed as part of the recruitment process. Suppliers and Data Processors are also informed about the policies, and confidentiality commitments are obtained.

  • UNAUTHORIZED DISCLOSURE OF PERSONAL DATA

If personal data processed by KARAKUCAK CLINIC is unlawfully obtained by others, KARAKUCAK CLINIC shall take the necessary actions to notify the Data Subject and the KVK Board within the timeframes specified by the Board. If deemed necessary, this situation will be announced by the KVK Board via its website or another method deemed appropriate.

  • OBSERVANCE OF LEGAL RIGHTS OF DATA SUBJECTS

KARAKUCAK CLINIC observes all legal rights of the Data Subjects related to the implementation of the Policy and the Law, and takes all necessary measures to ensure the protection of these rights.

  • PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are considered special categories of personal data. KARAKUCAK CLINIC is aware that such data may lead to victimization or discrimination of the Data Subject if disclosed, and therefore takes the necessary measures determined by the Board with great care to protect these types of personal data lawfully processed. Accordingly, KARAKUCAK CLINIC has a separate policy (Special Categories of Personal Data Security Policy) that is systematic, clearly defined, manageable, and sustainable.

  • PROCESSING AND TRANSFER OF PERSONAL DATA

  • GENERAL PRINCIPLES ON PROCESSING AND TRANSFER OF PERSONAL DATA

KARAKUCAK CLINIC processes Personal Data in accordance with the procedures and principles stipulated by the KVKK, GDPR, and this Policy. While processing personal data, KARAKUCAK CLINIC adheres to the following principles:

 

  • Compliance with the Law, Principles of Honesty and Transparency

KARAKUCAK CLINIC processes personal data in accordance with the relevant legislation and the principles of honesty and uses it within these limits. Under the principle of acting in good faith, KARAKUCAK CLINIC considers the interests and reasonable expectations of the data subjects while pursuing its data processing goals. It acts to prevent outcomes that the data subject does not expect and is not required to expect. Furthermore, it ensures transparency in the data processing activity for the data subject and fulfills its obligation to inform and notify.

  • Being Accurate and Up-to-Date When Necessary

KARAKUCAK CLINIC ensures that the personal data it processes is accurate and up to date, taking into account the fundamental rights and legitimate interests of the Data Subjects. In this context, it pays careful attention to issues such as identifying the sources of data, verifying its accuracy, and evaluating the need for updates. KARAKUCAK CLINIC always keeps the channels open for the data subject to update and correct their data. Ensuring data accuracy and currency is essential both to protect KARAKUCAK CLINIC’s interests and the fundamental rights and freedoms of the Data Subject.

  • Processing for Specific, Explicit, and Legitimate Purposes

KARAKUCAK CLINIC clearly and explicitly defines its purpose for data processing and ensures that this purpose is lawful. A lawful purpose means that the personal data processed by KARAKUCAK CLINIC must be related to and necessary for the healthcare services it provides. It does not process personal data for purposes other than those stated. Therefore, in legal documents and texts where data processing purposes are disclosed, it is sensitive to ensuring clarity and specificity.

  • Being Relevant, Limited, Proportionate, and Necessary for the Processing Purposes

KARAKUCAK CLINIC ensures that processed personal data is suitable for achieving the stated purposes and avoids processing data that is not relevant or necessary for these purposes. It does not collect or process personal data for non-existent or potential future purposes. The processed data is limited to what is necessary for achieving the goal. Under the principle of proportionality, it maintains a reasonable balance between the data processing and the intended purpose.

  • Storage for the Duration Stipulated in Relevant Legislation or Necessary for Processing Purpose

If there is a specified period in the applicable legislation for the retention of personal data, KARAKUCAK CLINIC complies with it; otherwise, it retains personal data only for the period necessary to fulfill the purpose of processing. If there is no valid reason for longer retention, the data is deleted, destroyed, or anonymized. The procedures for storage and destruction are detailed in KARAKUCAK CLINIC’s Personal Data Retention and Destruction Policy.

  • Compliance with Principles of Integrity and Confidentiality

KARAKUCAK CLINIC processes personal data by taking the necessary technical and administrative measures to ensure adequate security and protect against loss, destruction, damage, or unauthorized access.

  • Compliance with the Principle of Accountability

KARAKUCAK CLINIC fulfills its obligation to comply with personal data protection rules in its processing activities and, in case of any complaint or ex officio investigation, is able to provide documentation proving that such measures have been implemented to supervisory authorities.

  • CONDITIONS FOR PROCESSING PERSONAL DATA

KARAKUCAK CLINIC does not process personal data without the explicit consent of the Data Subject. However, personal data may be processed without explicit consent under the following conditions:

  • Clearly Stipulated in the Law

KARAKUCAK CLINIC may process personal data without the explicit consent of the Data Subject in cases clearly stipulated by law.

  • Necessity to Protect the Life or Physical Integrity of a Person Who Cannot Disclose Consent Due to Actual Impossibility or Whose Consent Is Not Legally Valid

In cases where consent cannot be obtained or is not legally valid, KARAKUCAK CLINIC may process personal data without explicit consent in order to protect the life or physical integrity of the individual or another person.

  • Necessity of Processing Personal Data of the Parties to a Contract, Provided That It Is Directly Related to the Conclusion or Performance of the Contract

In cases where processing personal data of the parties to a contract is necessary for the conclusion or performance of the contract, KARAKUCAK CLINIC may process such data without the explicit consent of the Data Subject, limited to that purpose.

  • Necessity for the Data Controller to Fulfill Its Legal Obligation

KARAKUCAK CLINIC may process the personal data of the Data Subject without explicit consent when necessary to fulfill its legal obligations as the Data Controller.

  • Personal Data Made Public by the Data Subject

KARAKUCAK CLINIC may process personal data made public by the Data Subject—i.e., disclosed to the public in any way—limited to the purpose of such disclosure, as the legal interest requiring protection is deemed to have ceased.

  • Necessity of Data Processing for the Establishment, Exercise, or Protection of a Right

KARAKUCAK CLINIC may process personal data without explicit consent where it is necessary for the establishment, exercise, or protection of a legal right.

  • Processing Data for the Legitimate Interests of Our Clinic Without Harming the Fundamental Rights and Freedoms of Data Subjects

KARAKUCAK CLINIC may process personal data when it is necessary for its legitimate interests, provided that it does not harm the fundamental rights and freedoms of the Data Subject protected under KVKK, GDPR, and this Policy. KARAKUCAK CLINIC shows the necessary sensitivity to compliance with the fundamental principles of personal data protection and maintaining the balance of interest between itself and the Data Subject. Legitimate interest refers to a lawful, specific, and existing benefit that can be as significant as the fundamental rights and freedoms of the Data Subject. KARAKUCAK CLINIC implements additional safeguards to ensure no harm comes to the rights of the Data Subject. A reasonable balance is maintained between the interests of the clinic and the fundamental rights and freedoms of the data subject.

  • Conditions for Processing Special Categories of Personal Data

KARAKUCAK CLINIC does not process special categories of personal data without the explicit consent of the Data Subject. Such data may only be processed without consent under the following conditions:

  • Clearly Stipulated in the Law

Special categories of personal data, excluding those related to health and sexual life, may be processed without explicit consent if clearly stipulated in the law.

  • For the Purposes of Public Health Protection, Preventive Medicine, Medical Diagnosis, Treatment and Care Services, and the Planning and Management of Health Services and Their Financing

Special categories of personal data related to the Data Subject’s health and sexual life may be processed by individuals or authorized institutions and organizations under the obligation of confidentiality, for the purposes of public health protection, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.

  • Conditions for Transfer of Personal Data

KARAKUCAK CLINIC may transfer personal data to third parties by taking the necessary security measures and in accordance with Articles 8 and 9 of the KVKK and Articles 45 and 49 of the GDPR, based on one or more of the following conditions:

  • Data Subject’s explicit consent,
  • A clear regulation in the law regarding the transfer of personal data,
  • Transfer is necessary to protect the life or physical integrity of the Data Subject or another person and the Data Subject is unable to give consent due to actual impossibility or lacks legal capacity,
  • Transfer is necessary for the conclusion or performance of a contract to which the Data Subject is a party,
  • Transfer is mandatory for KARAKUCAK CLINIC to fulfill its legal obligations,
  • The personal data has been made public by the Data Subject,
  • Transfer is necessary for the establishment, exercise, or protection of a legal right,
  • Transfer is necessary for the legitimate interests of KARAKUCAK CLINIC provided that it does not harm the fundamental rights and freedoms of the Data Subject.

Special categories of personal data may also be transferred under the following conditions, provided that adequate measures are taken and the transfer is limited to these conditions:

  • The Data Subject has given explicit consent,
  • If the data concerns special categories of personal data excluding health and sexual life, the law must explicitly allow such transfer,
  • If the data concerns health and sexual life, it may be transferred for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing by individuals or institutions under confidentiality obligations.

 

  • CATEGORIES OF PERSONAL DATA AND DATA SUBJECT GROUPS

  • Personal Data Categories

Personal data is processed by KARAKUCAK CLINIC under the following categories:

Identity Name-surname, Turkish ID Number and/or Passport Number and/or Temporary Turkish ID Number, place and date of birth, marital status, gender, profession, signature, and other identity data identifying individuals
Contact Address (residential, workplace), phone number (provided home/work landline and/or mobile), email address, social media accounts, IP address, and other contact data
Employment Resume, title information; employment entry/exit documentation; social security/retirement data, payroll information, and other employment-related data
Physical Space Security Security camera recordings and other data related to physical space security
Financial Data related to any financial relationship established with KARAKUCAK CLINIC, including bank account and credit card information, and other financial data
Visual and Audio Records Photo/video data of data subjects taken outside of physical space security purposes
Communication Records Communication data obtained via KARAKUCAK CLINIC’s communication and IT systems: corporate phone call records, postal and email records and content, etc.
Customer Transactions Patient satisfaction information, invoice and receipt details, etc., related to clinic services
SPECIAL CATEGORIES OF PERSONAL DATA
Health Information Blood type, allergies, chronic illnesses, past procedures/surgeries, medications, test and imaging results, prescription details, body analysis and measurements, medical history, skin analysis, hormone tests, venereal disease information, anesthesia data, COVID-19 status, medical treatments, and other health-related data
Biometric Data Image, voice, and video data

Data Subject Groups

Only natural persons can benefit from the protections provided under this Policy and the Law. The relevant personal data owners are grouped as follows:

Job Applicant Individuals who have applied for a job at our clinic through any channel or have shared their resumes and related information for our review.
Customer Patients or clients visiting our clinic.
Employee Individuals employed by KARAKUCAK CLINIC.
Visitor All natural persons who enter the physical premises of our clinic for various purposes or who visit our websites for any reason.

  • METHOD AND LEGAL BASIS FOR COLLECTING PERSONAL DATA

  • METHOD OF COLLECTING PERSONAL DATA

Your Personal Data is processed by natural or legal persons authorized by KARAKUCAK CLINIC as “DATA PROCESSOR”; recorded verbally, in writing, via camera and photo recordings, in both physical and electronic environments, with your explicit consent obtained where required by the KVKK and GDPR.

  • Job application forms,
  • Personnel information forms,
  • Various documents presented to KARAKUCAK CLINIC,
  • Letters and emails sent to KARAKUCAK CLINIC,
  • Corporate telephone calls,
  • Photo/Video recordings,
  • Websites,
  • Log Recording Devices (Firewall),
  • Patient Information and Consent Forms,
  • Test Results,
  • Health Information Forms, and messages via service providers hosted abroad (WhatsApp/Instagram/Facebook/Messenger/LinkedIn/YouTube/Zoom.us/Google/Hotmail/Yahoo, etc.).

  • LEGAL BASIS FOR COLLECTING PERSONAL DATA

KARAKUCAK CLINIC collects personal data based on one of the following legal grounds in accordance with Articles 5 and 6 of the KVKK and Articles 6 and 9 of the GDPR:

  • The Data Subject’s explicit consent,
  • Clear legal provision in the laws,
  • The personal data has been made public by the Data Subject,
  • Necessity of processing for the conclusion or performance of a contract directly related to the data of the contract parties,
  • If the data concerns special categories related to health and sexual life, processing for public health protection, preventive medicine, medical diagnosis, treatment, operations and care services, and planning and management of health services and financing,
  • Necessity for KARAKUCAK CLINIC to fulfill its legal obligations,
  • Necessity of processing for the establishment, exercise, or protection of a right,
  • Processing for KARAKUCAK CLINIC’s legitimate interests, without harming the Data Subject’s fundamental rights and freedoms.

  • PURPOSES OF PROCESSING PERSONAL DATA

6.1 Mapping of Data Subject Groups to Purposes for Processing Their Personal Data Categories

The mapping of the purposes for processing personal data categories for the Data Subject groups defined above is presented below:

  • Job Applicant

Data Categories: Identity, Contact, Employment Records, Work Experience, Physical Space Security

Processing Purposes: Emergency Management Processes, Information Security Processes, Candidate Selection and Placement Processes, Candidate Application Processes, Ensuring Physical Space Security, Conducting Communication Activities

  • Patient/Client

Data Categories: Identity, Contact, Financial, Customer Transactions, Physical Space Security, Health Data, Biometric Data

Processing Purposes: Creating patient files; conducting examinations, preventive medicine, medical diagnosis, treatment, operations, and care services; conducting health checks after procedures; direct communication with patients; managing appointment processes; managing patient satisfaction and requests; fulfilling legal and contractual obligations; retaining required health data for legally mandated periods; ensuring clinic security; obtaining consultations from other specialists when necessary; fulfilling obligations under health tourism legislation; planning transfer and accommodation for health tourists; announcing innovations in medical treatments; informing third parties medically; conducting marketing and promotion under international health tourism incentives; planning and managing healthcare financing; fulfilling legal responsibilities between doctor and patient; fulfilling financial and administrative obligations; ensuring technical and commercial security; and fulfilling public obligations.

  • Employee

Data Categories: Identity, Contact, Employment Records, Finance, Visual and Audio Records, Physical Space Security,

Processing Purposes: Emergency Management Processes, Information Security Processes, Fulfilling Employment and Legal Obligations, Managing Employee Benefits, Ensuring Regulatory Compliance, Ensuring Physical Space Security, Conducting and Auditing Business Activities, Organizational and Event Management

  • Visitor

Data Categories: Physical Space Security

Processing Purposes: Emergency Management Processes, Information Security Processes, Ensuring Physical Space Security

6.2 Personal Data Processing Activities in Physical Premises

To ensure the security of our clinic, entry and exit logs are recorded and an appointment tracking system is used. Employees’ data processing activities are performed according to an authority matrix established by KARAKUCAK CLINIC, and confidentiality agreements are signed with staff.

  • Personal Data Processing Activities on the Website

Traffic information of online visitors to our website is processed automatically for information security purposes. Additionally, under Law No. 5651 and related legislation, hosting providers are obliged to record and retain website traffic data.

6.4 Personal Data Processing Activities via Communication Channels

Communications via telephone, email, etc., are recorded and monitored by KARAKUCAK CLINIC for the purpose of conducting/auditing business activities and tracking requests/complaints.

Data Subjects should use these channels solely for business purposes.

  • PURPOSES AND RECIPIENTS OF PERSONAL DATA TRANSFER

  • Purposes of Transferring Personal Data

KARAKUCAK CLINIC transfers personal data within the limits set by Articles 8 and 9 of the KVKK and Articles 45 and 49 of the GDPR, for the following purposes:

  • To conduct examinations, preventive medicine, medical diagnosis, treatment, operations, and care services,
  • To manage complication processes,
  • To obtain consultations,
  • To fulfill obligations under Ministry of Health regulations,
  • To fulfill obligations under international health tourism regulations,
  • To arrange transportation, accommodation, and interpreter services for health tourists,
  • To fulfill administrative obligations before Provincial and District Health Directorates,
  • To inform third parties medically about services provided,
  • To conduct candidate selection and placement processes,
  • To conduct candidate application processes,
  • To fulfill employment and regulatory obligations for employees,
  • To manage employee benefits,
  • To ensure regulatory compliance of operations,
  • To conduct finance and accounting activities,
  • To conduct and audit business activities,
  • To ensure business continuity,
  • To conduct risk management processes,
  • To ensure and audit data security,
  • To execute contract processes,
  • To inform authorized persons, institutions, and organizations.

 

  • Recipients of Transferred Personal Data

KARAKUCAK CLINIC may transfer personal data, limited to the necessary data subject groups and data for the transfer purpose, applying all administrative and technical security measures required by law, to the following persons and organizations:

  • Other specialist physicians for consultation,
  • Insured employees,
  • Affiliates,
  • Suppliers,
  • Financial advisors, tax and finance consultants, and auditors,
  • Legal counsel,
  • Database (Server) Providers,
  • “Clinic Management Software” Service Providers,
  • Translators,
  • Data Protection Officer,
  • IT Consultant,
  • Web Consultant,
  • Tourism Agencies,
  • Authorized Public Institutions and Organizations under the law,
  • Judicial Authorities.

  • DESTRUCTION AND RETENTION PERIODS OF PERSONAL DATA

  • Destruction of Personal Data

  • Without prejudice to other destruction provisions in laws, KARAKUCAK CLINIC deletes, destroys, or anonymizes personal data it has processed, ex officio or upon request, in accordance with the Personal Data Retention and Destruction Policy when the reasons for processing cease to exist under the KVKK and other laws.
  • “Deletion” refers to making personal data completely inaccessible and unusable for relevant users.
  • “Destruction” refers to making personal data irretrievable and permanently unusable by anyone.
  • “Anonymization” refers to masking, removing variables, generalizing, or using other techniques so that personal data cannot be associated with an identified or identifiable natural person.

  • Retention Periods of Personal Data

KARAKUCAK CLINIC retains personal data according to the periods stipulated by law and other regulations. If no retention period is specified, personal data is retained only for the time necessary to achieve the processing purpose, and thereafter is deleted, destroyed, or anonymized according to periodic destruction schedules in the Personal Data Retention and Destruction Policy.

  • DATA SUBJECT RIGHTS UNDER KVKK AND GDPR

  • DATA SUBJECT RIGHTS UNDER GDPR

As a Data Subject, your Personal Data is also protected under the GDPR. In cases within the scope of the GDPR (EU citizens or residents), the Data Subject’s rights are as follows:

  • Right of Access (GDPR Article 15): The Data Subject has the right to confirm whether their personal data is being processed by KARAKUCAK CLINIC and, if so, to obtain the details specified in Article 15 of the GDPR.
  • Right to Rectification (GDPR Article 16): The Data Subject has the right to request correction of their personal data held by KARAKUCAK CLINIC.
  • Right to Erasure (GDPR Article 17): The Data Subject has the right to request deletion of their personal data held by KARAKUCAK CLINIC. If the conditions of Article 17 are met, KARAKUCAK CLINIC will delete the data without undue delay.
  • Right to Restriction of Processing (GDPR Article 18):
  • If the Data Subject contests data accuracy, they may request restriction until accuracy is verified.
  • If data processing is unlawful and the Data Subject requests deletion, they may request restriction until deletion.
  • If KARAKUCAK CLINIC no longer needs the data but the Data Subject needs it for legal claims, they may request restriction.
  • If the Data Subject objects under Article 21(1), they may request restriction until the controller’s legitimate grounds override the Data Subject’s grounds.
  • Right to Data Portability (GDPR Article 20): The Data Subject may request transfer of their personal data to another controller if technically feasible, applicable when processing is based on consent or contract.
  • Right to Object (GDPR Article 21):
  • The Data Subject may object to processing, including profiling, under Article 6(1)(e) or (f). KARAKUCAK CLINIC cannot process data unless it demonstrates compelling legitimate grounds.
  • The Data Subject may object at any time to processing for direct marketing, including profiling related to such marketing.
  • If the Data Subject objects to direct marketing processing, their data will no longer be processed for those purposes.

  • DATA SUBJECT RIGHTS UNDER KVKK

Under Article 11 of the KVKK, natural persons whose data is processed have the following rights:

  • To learn whether their personal data is processed,
  • To request information if their data has been processed,
  • To learn the purpose of processing and whether data is used accordingly,
  • To know third parties to whom data is transferred domestically or abroad,
  • To request correction of incomplete or incorrect data and notification to third parties,
  • To request deletion or destruction if reasons for processing cease to exist and notification to third parties,
  • To object to results against them produced solely by automated processing,
  • To request compensation for damage from unlawful processing.

If Data Subjects wish to exercise any of these rights or submit requests, they may deliver a signed written request specifying the right(s) under KVKK Article 11, along with identity documents, in person, via notary, or by secure e-signature to KARAKUCAK CLINIC’s address, or email to info@karakucakklinik.com, or by other methods specified in the KVKK. Requests must include name-surname, signature, Turkish ID/passport/temporary ID number, residence or workplace address, email address, phone and fax numbers, and subject matter as per the “Communiqué on Application Procedures.”

KARAKUCAK CLINIC will conclude requests free of charge within thirty (30) days at the latest, depending on request complexity. However, if additional costs are required, fees per the Personal Data Protection Board’s tariff will apply.

EFFECTIVE DATE: 01.07.2021

LAST UPDATED: 01.07.2021