Türkçe
English
Български1. INTRODUCTION
The protection of personal data is among the top corporate responsibilities of ÇAVUŞDENT ORAL AND DENTAL HEALTH POLYCLINIC ("Çavuşdent" or "Polyclinic"). In this direction, our Polyclinic takes all necessary technical and administrative measures to ensure full compliance with all applicable legislation.
Within the framework of this Çavuşdent Personal Data Protection and Processing Policy ("Policy"), the principles adopted regarding the personal data processing activities carried out by our Polyclinic and the basic principles aimed at ensuring the compliance of these activities with the Personal Data Protection Law No. 6698 ("Law" or "KVKK") are explained.
1.2. Purpose
This Policy; has been prepared to guide the management of compliance activities to be carried out by Çavuşdent in order to ensure full compliance with KVKK regarding the protection of personal data.
In line with the principles set out in this Policy, Çavuşdent will make the necessary arrangements for the protection and processing of personal data in accordance with the law; and will establish the necessary infrastructure and systems to create awareness among its employees and business partners on this issue.
1.3. Scope
This Policy; relates to all natural persons whose personal data are processed by our Polyclinic, including our employees, employee candidates, polyclinic managers, shareholders, patients/customers, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties; and covers all personal data processed wholly or partly by automated means or by non-automated means provided that they form part of a data filing system.
1.4. Application and Enforcement of the Policy
Applicable legal regulations regarding the processing and protection of personal data will primarily find an area of application. In the event of any incompatibility between the applicable legislation and the Policy, our Polyclinic accepts that the provisions of the applicable legislation will be based on.
The effective date of this Policy is 02.05.2025.
2. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA
This Policy serves as a guide on how Çavuşdent will apply the rules set out in KVKK and the relevant legislation.
In accordance with Article 20 of the Constitution and Article 4 of KVKK, our Polyclinic; engages in personal data processing activities in a lawful and fair manner, accurate and up-to-date, for specific, explicit and legitimate purposes, relevant, limited and proportionate to the purpose.
3. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE LEGISLATION
3.1. Processing in Accordance with Law and Fairness
Çavuşdent acts in accordance with the principles introduced by legal regulations and the general rule of trust and fairness in the processing of personal data. In this context, personal data is processed to the extent required by the activities of our Polyclinic and limited to them.
3.2. Ensuring Personal Data is Accurate and Up-to-Date
Taking into account the fundamental rights and legitimate interests of all relevant persons, especially patients and employees, Çavuşdent ensures that the personal data it processes is accurate and up-to-date; and takes the necessary technical and administrative measures in this direction.
3.3. Processing for Specific, Explicit and Legitimate Purposes
Our Polyclinic explicitly and definitively determines legitimate and lawful personal data processing purposes; and processes personal data as much as is necessary for and related to the health services provided.
3.4. Being Relevant, Limited and Proportionate to the Purpose
Our Polyclinic processes personal data in a way that is suitable for achieving the determined purposes; and avoids processing personal data that is not related to achieving the purpose or is not needed.
3.5. Storing for the Necessary Duration
Our Polyclinic stores personal data only for the duration specified in the relevant legislation or necessary for the purpose for which they are processed. In the event that the storage period expires or the reasons requiring its processing disappear, personal data is deleted, destroyed or anonymized. Personal data is not stored by our Polyclinic with the justification of the possibility of future use.
4. CONDITIONS FOR PROCESSING PERSONAL DATA
Personal data can be processed based on one or more of the processing conditions specified in Article 5 of KVKK. In this context, our Polyclinic evaluates whether each personal data processing activity is based on one of these conditions; processing activities that are not based on any condition are stopped.
In addition to the explicit consent of the personal data owner, in the presence of one of the following conditions, personal data may be processed without seeking explicit consent:
a) Explicit Consent of the Personal Data Owner
The explicit consent of the personal data owner, given regarding a specific subject, based on being informed and with free will, constitutes one of the main legal bases for personal data processing.
b) Being Explicitly Stipulated in Laws
In case there is an explicit regulation regarding the processing of personal data in the relevant legal provision, the transaction may be carried out without the explicit consent of the data owner.
c) Actual Impossibility
Transactions may be carried out in cases where it is mandatory to process personal data to protect the life or physical integrity of the person or someone else, who is unable to express their consent due to actual impossibility.
d) Direct Relation to the Establishment or Performance of a Contract
Transactions may be carried out in cases where the processing of personal data is mandatory, provided that it is directly related to the establishment or performance of a contract to which the data owner is a party.
e) Fulfilling a Legal Obligation
Transactions may be carried out in cases where the processing of personal data is mandatory in order for our Polyclinic to fulfill its legal obligations.
f) Data Being Made Public
In case the data owner has made their personal data public, the data in question may be processed limited to the purpose of making it public.
g) Necessity for the Establishment or Protection of a Right
Transactions may be carried out in cases where data processing is mandatory for the establishment, exercise or protection of a right.
h) Legitimate Interest
Transactions may be carried out in cases where data processing is mandatory for the legitimate interests of our Polyclinic, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
4.2. Processing of Special Categories of Personal Data
In accordance with Article 6 of KVKK; data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are classified as "special category" personal data.
Due to the nature of health services, Çavuşdent also processes the health data of its patients, and in the processing of these data, full compliance is provided with the special regulations stipulated in the Law and the methods determined by the Personal Data Protection Board.
- Special categories of personal data other than health and sexual life: May be processed without seeking explicit consent in cases expressly permitted by law; otherwise, it will be processed by obtaining explicit consent.
- Special categories of personal data relating to health and sexual life: May be processed without seeking explicit consent by persons or authorized public institutions and organizations who are under the obligation of confidentiality for the purpose of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing; otherwise, it will be processed by obtaining explicit consent.
5. INFORMING THE PERSONAL DATA OWNER
In accordance with Article 10 of KVKK, Çavuşdent fully fulfills its obligation to inform the relevant persons during the collection of personal data. In this context, data owners are informed about the following issues:
- The identity of Çavuşdent as the data controller,
- For what purposes their personal data will be processed,
- To whom and for what purposes the personal data may be transferred,
- The method and legal reason for collecting personal data,
- Their rights within the scope of Article 11 of KVKK.
6. TRANSFER OF PERSONAL DATA
Even without the explicit consent of the personal data owner, in the presence of one of the conditions specified below, personal data may be transferred to third parties by Çavuşdent, showing the necessary care and taking all necessary security measures, including the methods stipulated by the Board:
- Activities regarding the transfer of personal data are explicitly stipulated in laws,
- The transfer is directly related and necessary for the establishment or performance of a contract,
- It is mandatory for our Polyclinic to fulfill its legal obligation,
- The personal data has been made public by the data owner and it is limited to the purpose of making it public,
- It is mandatory for the establishment, exercise or protection of the rights of the Polyclinic, the data owner or third parties,
- It is mandatory for our legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data owner,
- It is mandatory for the protection of the life or physical integrity of the person who is unable to express their consent due to actual impossibility or someone else.
6.2. Transfer of Special Categories of Personal Data
Special categories of personal data may be transferred in accordance with the principles set out in this Policy and by taking all kinds of administrative and technical measures required, including the methods determined by the Board. In the event that such data is transferred abroad, the transfer will be made to countries with adequate protection or to foreign countries where data controllers who commit to adequate protection are located.
6.3. Parties to Whom Personal Data is Transferred and Purposes of Transfer
| Party to Whom Data May Be Transferred | Definition | Purpose of Transfer |
| Business Partner | Natural or legal persons with whom we establish business partnerships while carrying out our commercial activities. | Limited to fulfilling the purposes of establishing the business partnership. |
| Supplier | Parties that provide contract-based services in line with the instructions of our Polyclinic. | Limited to the purpose of providing outsourced services. |
| Legally Authorized Public Institutions and Organizations | Public institutions authorized to receive information and documents from our Polyclinic according to the legislation. | Limited to responding to requests within the legal authority of relevant institutions. |
| Legally Authorized Private Law Persons | Private law persons authorized to receive information and documents from our Polyclinic according to the legislation. | Limited to responding to requests within the legal authority of relevant persons. |
7. CATEGORIZATION OF PROCESSED PERSONAL DATA AND PURPOSES OF PROCESSING
In our Polyclinic, within the framework of Articles 4, 5, and 6 of KVKK and secondary legislation, personal data is processed by informing the relevant persons and based on at least one of the legal processing conditions. The categories of processed personal data are listed below:
| Personal Data Category | Description |
| Identity Information | Name-surname, TR identity number, nationality, place and date of birth, gender, title, and identity documents. |
| Contact Information | Phone number, address, email address, fax number. |
| Transaction Security Information | Log records, IP information, authentication information. |
| Health Information (Special Category) | All health records and images relating to examination, diagnosis, treatment, and dental health. |
| Physical Space Security Information | Security camera recordings, entry-exit records. |
| Financial Information | Payment information, invoice records, IBAN number. |
| Visual / Audio Information | Before-after treatment photos (provided patient consent is obtained). |
| Legal Action and Compliance Information | Data processed within the scope of determining legal receivables and rights. |
| Request / Complaint Management Information | Data relating to any requests and complaints received from patients and visitors. |
| Biometric Data | Fingerprint information (within the scope of access control systems). |
These data are processed for the purposes of providing health services, ensuring patient safety, fulfilling legal obligations, managing accounting and finance processes, and maintaining administrative and operational activities.
8. MEASURES REGARDING THE PROTECTION OF PERSONAL DATA
8.1. General Security Measures
Çavuşdent, in accordance with Article 12 of KVKK, takes technical and administrative measures appropriate to the nature of the data to be protected in order to prevent the unlawful disclosure, access, transfer of personal data or security breaches that may occur in other ways.
8.2. Technical Measures
- System security infrastructure is continuously updated and developed.
- Access to information systems is limited within the framework of the authorization matrix.
- Firewalls, intrusion prevention systems, and antivirus software are actively used.
- Personal data is protected by encrypted and cryptographic methods.
- The necessary infrastructure is provided to destroy deleted personal data in an irrecoverable manner.
- Security vulnerabilities are regularly monitored and patched.
- Data backup systems are used effectively.
8.3. Administrative Measures
- A Personal Data Protection Committee has been established and the distribution of tasks has been determined.
- Employees are periodically trained on KVKK compliance.
- Only necessary data is processed by adopting the data minimization principle.
- Provisions regarding the protection of personal data are included in the contracts concluded with employees and third parties.
- Confidentiality agreements are arranged for personnel processing special categories of data.
- KVKK compliance is periodically audited by the internal audit unit.
9. STORAGE AND DESTRUCTION OF PERSONAL DATA
Çavuşdent stores personal data for the periods stipulated in the relevant legislation and for the time required for the purpose for which they are processed. Data whose storage period has expired or the reasons requiring its processing have disappeared are destroyed by appropriate methods of deletion, destruction, or anonymization.
9.1. Storage Periods
| Process / Data Type | Storage Period |
| Patient Health Records | Minimum 10 years from the date of the last transaction (as required by legislation) |
| Employee Personnel Files | 10 years from the termination of the employment relationship |
| Recruitment Documents | 10 years from the termination of the employment relationship |
| Contracts | 10 years from the termination of the contractual relationship |
| Accounting and Payment Records | 10 years from the date of the last transaction |
| Occupational Health and Safety Records | 10 years from the termination of the employment relationship |
| Security Camera Recordings | 3 months from the recording date |
| Business Partner / Supplier Data | 10 years from the termination of the commercial relationship |
| Patient Request and Complaint Records | 10 years from the conclusion of the request |
9.2. Periodic Destruction
Çavuşdent destroys personal data whose storage period has expired within a maximum of 180 days. Periodic destruction processes are carried out in May and November every year.
10. RIGHTS OF PERSONAL DATA OWNERS
10.1. Rights of Data Owners
In accordance with Article 11 of KVKK, personal data owners have the following rights:
- To learn whether their personal data is processed or not,
- To request information if their personal data has been processed,
- To learn the purpose of processing their personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom their data is transferred at home or abroad,
- To request the correction of their data if it is processed incompletely or incorrectly and to request the notification of this to third parties,
- To request the deletion or destruction of their data in the event that the reasons requiring its processing disappear and to request the notification of this to third parties,
- To object to the occurrence of a result against them by analyzing the processed data exclusively through automated systems,
- To request compensation for the damage arising from the unlawful processing of their data.
10.2. Exercising the Rights
You can submit your requests regarding your rights stated above to Çavuşdent by one of the following methods, along with documents proving your identity:
- Written application (via notary public or by hand): Muhittin Mah. Salih Omurtak Cad. Mühendis Kamil İnan Apt, No:63 İç Kapı No:1 Çorlu/Tekirdağ
- Phone: 0 531 849 56 59 | 0 282 673 48 96
- Via E-mail: info@cavusdent.com
For applications to be made through third parties, a special power of attorney issued by the personal data owner must be submitted.
10.3. Conclusion of Applications
Çavuşdent will conclude the submitted applications free of charge within a maximum of thirty (30) days depending on the nature of the request. In the event that a fee is foreseen by the Personal Data Protection Board, the tariff determined by the Board will be based on.
10.4. Right to Complain to the Board
In the event that the application is rejected, the response given is found insufficient or the response is not given in time; the personal data owner has the right to file a complaint with the Personal Data Protection Board within thirty (30) days from the date of learning the response of our Polyclinic and in any case within sixty (60) days from the date of application.
