Storage and Disposal Policy

ESTER CLINIC PERSONAL DATA STORAGE AND DISPOSAL POLICY

I. INTRODUCTION

1.1. Purpose of the Policy

This Policy has been prepared to protect the fundamental rights and freedoms, especially the privacy of private life, of the persons (patients, their relatives, suppliers, trainees, visitors, and other relevant third parties) whose personal data are obtained by Ester Clinic in accordance with Article 20 of the Constitution titled “Privacy of Private Life”, the Law on Protection of Personal Data No. 6698 (“Law”), and the relevant legislation and communiqués; to carry out and safeguard the lawful data processing activities of the data controller that processes personal data; to store and protect the personal data obtained; and to set out the principles governing their destruction when necessary.

1.2. Scope of the Policy

Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of any information relating to an identified or identifiable natural person (personal data) by Ester Clinic, as data controller, whether by fully or partially automated means or by non-automated means that form part of a data recording system, are all considered data processing activities. Establishing the procedures and principles of the data processing activities carried out by Ester Clinic therefore defines the scope of this Policy.

1.3. Implementation of the Policy and Related Legislation

Your personal data and personal health data are processed for the purposes explained in this Policy and within the framework of Health Services Basic Law No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, the Regulation on Private Hospitals, the Regulation on the Processing of Personal Health Data and the Protection of Privacy, and related regulations. This Policy has been prepared in accordance with the rules set out in the regulations, communiqués, decisions, and guides published by the Board, in particular Law No. 6698. Ester Clinic follows all communiqués, decisions, and guidelines issued by the Board, and the arrangements stipulated by this Policy are kept up to date.

1.4. Enforcement of the Policy

The policy has been published on the Ester Clinic website https://www.esterclinic.com.tr and has entered into force on the date of its publication.

II. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data

According to Article 12 of Law No. 6698, the data controller is obligated:

To prevent the unlawful processing of personal data,

To prevent unlawful access to personal data,

To ensure the protection of personal data,

To take all necessary administrative and technical measures to ensure the appropriate level of security for these purposes.

For the reasons explained, Ester Clinic implements security measures to prevent unlawful processing of personal data, its transfer and disclosure to third parties, unauthorized access, and security deficiencies arising through other means. The administrative and technical measures taken are explained in Section VI, ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA.

2.2. Protection of Private Personal Data

Among the sensitive personal data, the health data of the persons concerned may be processed without seeking their explicit consent, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management, and financing of health services, by persons or authorized institutions and organizations. In addition, regardless of its type, sensitive personal data may only be processed in accordance with the law if the adequate measures determined by the PDPL are taken.

Your personal data that you share with us within the scope of our Clinic’s activities, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services provided by Ester Clinic, and the planning, management, and financing of health services, are obtained, recorded, stored, changed, collected, and rearranged by automatic or non-automatic methods through all channels, including our internet site, surveys, social responsibility activities, social media applications, verbal, written, visual, or electronic media, and our hotline/call center. Any operation performed on data within the scope of the PDPL is considered “processing of personal data.”

In addition, your personal data may be processed when you use our hotline or internet page for information, appointment, complaint, or other purposes for service provision, visit our Clinic or website and browse this site.

Data that is sensitive by its nature and may cause victimization or discrimination of the data owner if it falls into the hands of third parties is recognized as “Special Categories of Personal Data” within the scope of the Law. Sensitive personal data includes data relating to the person’s race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations, or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. Special categories of personal data cannot be processed without the explicit consent of the data subject. Ester Clinic takes all necessary steps to protect sensitive personal data and, to the extent possible, avoids obtaining and processing such data.

III. ISSUES REGARDING THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Compliance with the Principles Established in the Legislation

The principles to be applied in the processing of your data following Article 4 of the Law are as follows:

Compliance with the law and the rule of honesty,

Being accurate and up-to-date when necessary,

Processing for specific, explicit, and legitimate purposes,

Being relevant, limited, and proportionate to the purpose for which they are processed,

Being kept only for as long as required by the relevant legislation or by the purpose for which they are processed.

3.2. Personal Data Processing Conditions

Personal data obtained by Ester Clinic cannot be processed without the explicit consent of the person concerned, except for the exceptions stipulated in the Law. Your personal data may be processed without express consent in the following cases:

It is stipulated in the laws,

It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not given legal validity,

It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

It is mandatory for the data controller to fulfill its legal obligation,

The data has been made public by the person concerned himself,

Data processing is mandatory for the establishment, exercise, or protection of a right,

It is necessary to process data for the data controller’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Exceptions to Obligation to Obtain Explicit Consent

a) It is stipulated in the laws

One of the data processing conditions is that it is expressly specified in the law. The provisions in the regulations regarding the processing of personal data may create a data processing condition. In such a case, the explicit consent of the person concerned is not sought.

b) Actual impossibility

The personal data of the person concerned can be processed without his explicit consent in cases where it is necessary to protect the life or physical integrity of the person or another person who cannot express his consent due to actual impossibility or whose consent is not legally valid.

c) Being directly related to the establishment or performance of the contract

If the data processing is deemed necessary for the conclusion of a contract to which the data owner is a party or for the performance of that contract, personal data may be processed without obtaining explicit consent.

d) Ester Clinic fulfilling its legal obligations

Personal data can be processed without express consent to fulfill the legal obligations that Ester Clinic must satisfy as a data controller.

e) It has been made public by the person concerned

Personal data made public by the data subject, in other words, personal data disclosed to the public in any way can be processed without obtaining explicit consent. Even in this case, the publicized personal data cannot be used for purposes other than its intended use.

f) Being compulsory for the establishment, use, and protection of a right

In cases where it is necessary for the establishment, use, or protection of a right, it is possible to process the personal data of the person concerned without his explicit consent.

g) Obligatory for the data controller’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

If the processing of personal data is necessary for the data controller’s legitimate interests and will not harm the fundamental rights and freedoms of the data subject, personal data may be processed without obtaining explicit consent.

The data controller’s legitimate interest is the interest and benefit to be obtained as a result of the processing. That interest must be fair, sufficiently effective, specific, and already existing in order to be weighed against the fundamental rights and freedoms of the person concerned. It should relate to the data controller’s current activities and yield a benefit in the near term.

3.4. Processing of Private Personal Data

The processing of sensitive personal data is subject to Article 6 of the Law, and it is prohibited to be processed without the explicit consent of the person concerned.

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire and clothing, membership of associations, foundations, or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are special categories of personal data. The data included in this scope is exhaustively listed and cannot be expanded through interpretation.

By its nature, sensitive personal data is data that, if disclosed, may cause discrimination against or victimization of the person concerned. Therefore, it must be protected much more strictly than other personal data.

a) Special categories of personal data other than health and sexual life

Except for personal data related to health and sexual life, sensitive personal data can be processed without the person’s explicit consent in cases stipulated by the laws.

b) Special personal data regarding health and sexual life

Special categories of personal data related to health and sexual life can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality to protect public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services, and financing.

3.5. Clarifying and Informing the Personal Data Owner

When personal data is acquired, data owners are informed by Ester Clinic in its capacity as data controller or by persons authorized by it. The procedures and principles governing this information are specified in the Clarification Texts on the Protection of Personal Data published by Ester Clinic, and the information briefly includes the following elements:

Identity of the data controller and its representative, if any,

For what purpose will personal data be processed,

To whom and for what purpose can personal data be transferred,

Method and legal reason for collecting personal data,

Rights of the person concerned, as indicated in Article 11 of the Law.

a) Identity of the data controller and its representative

According to Article 10 of the Law, personal data obtained from data owners (employees, employee candidates, patients, patient relatives, suppliers, pharmacies, visitors, interns, and other relevant third parties) are processed by Ester Clinic in its capacity as data controller. Contact information for the relevant unit of Ester Clinic can be obtained via the e-mail address info@esterclinic.com.tr or https://www.esterclinic.com.tr.

b) Purposes of processing personal data

The processing of personal data is carried out for specific, explicit, and legitimate purposes and is based on informing the data owners. The purposes for which your data are processed are set out in Section V, CATEGORIZATION OF PERSONAL DATA PROCESSED BY ESTER CLINIC AND PURPOSE OF PROCESSING, of this Policy.

c) Persons to whom personal data are transferred and the purposes for which they are transferred

As part of the data controller’s obligation to inform the data owner, the persons with whom personal data are shared and the purposes of sharing must be clearly stated. Personal data cannot be transferred to third parties without the data owner’s explicit consent. The recipient groups to whom personal data are transferred by Ester Clinic and the purposes of transfer are shown in Section IV, TRANSFERRING PERSONAL DATA.

d) Method and legal reason for collecting personal data

Per Articles 5 and 6 of the Law, the data controller must indicate under which of the personal data processing conditions the data is processed. The data controller determines the method and means of data collection. The processing conditions of personal data, that is, the grounds of lawfulness, are listed exhaustively in the Law (Articles 5 and 6), and these conditions cannot be extended.

As data controller, Ester Clinic first evaluates whether the purpose of the personal data processing activity is based on one of the processing conditions other than explicit consent; if the purpose does not meet at least one of the conditions other than explicit consent specified in the Law, the explicit consent of the person is sought before the data processing activity continues.

IV. TRANSFERRING PERSONAL DATA

4.1. Domestic Transfer

Personal data cannot be transferred without the person’s explicit consent. However, personal data may be transferred without seeking the explicit consent of the person concerned where one of the conditions specified in the second paragraph of Article 5 is present, or where one of the conditions specified in the third paragraph of Article 6 is present and adequate measures are taken.

Accordingly, personal data of the data subject may be transferred to third parties without their explicit consent provided that the transfer is stipulated in the law (1); is compulsory for the protection of the life or bodily integrity of the person or of another person whose consent is not legally valid or who is unable to express consent due to actual impossibility (2); is directly related to the establishment or performance of a contract and necessary for processing the personal data of the parties (3); is essential for the data controller to fulfill its legal obligation (4); concerns data made public by the data subject himself (5); is mandatory for the establishment, exercise, or protection of a right (6); or is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject (7).

For the purposes explained in this Policy and within the framework of Health Services Basic Law No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, the Law on Protection of Personal Data No. 6698, the Regulation on Private Hospitals, the Regulation on the Processing of Personal Health Data and the Protection of Privacy, and related regulations, your personal data and personal health data may be transferred, in order to fulfill our contractual and legal obligations and to carry out the administrative, commercial, and economic activities of our Clinic, to the following recipients:

The Ministry of Health, the Social Security Institution, the General Directorate of Security and other law enforcement agencies, CIMER, SABİM, the Ministry of Labor, the General Directorate of Population, courts and enforcement offices, the Turkish Pharmacists Association, regulatory and supervisory institutions, insurance companies, representatives authorized by patients, cooperating laboratories and other centers, and Electronic Medical Records and Electronic Health Records systems.

Information on the recipient groups to which your personal data processed by Ester Clinic are transferred is included in Annex 4 – Third Parties to which Personal Data are Transferred and the Purposes of Transfer of this Policy.

4.2. International Transfer

Personal data cannot be transferred abroad without the explicit consent of the person concerned. However, personal data may be transferred abroad without seeking the explicit consent of the person concerned if one of the conditions specified in the second paragraph of Article 5 or the third paragraph of Article 6 of the Law exists and either there is adequate protection in the foreign country to which the personal data will be transferred or, where adequate protection is lacking, the data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and the Board grants its permission.

V. CATEGORIZATION OF PERSONAL DATA PROCESSED BY ESTER CLINIC AND PURPOSE OF PROCESSING

The data subjects, the categories of data obtained by Ester Clinic, and the purposes pursued in processing personal data are shown in the relevant sections of the clarification texts on our website for each category of data subject.

VI. ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA

Administrative and technical measures are taken by Ester Clinic to keep personal data safe and to prevent illegal processing and access to personal data.

To ensure personal data security, all personal data processed by Ester Clinic are identified, and the risks that may arise regarding the protection of this data, together with their probability, are determined. In determining these risks, whether the personal data is sensitive personal data (1), what degree of confidentiality it requires due to its nature (2), and the nature and extent of the damage that may arise in the case of a security breach (3) are taken into account.

After defining and prioritizing these risks, control and solution alternatives to reduce or eliminate the threats are evaluated in line with the principles of cost, applicability, and usefulness, and the necessary technical and administrative measures are planned and put into practice.

6.1. Administrative Measures

Even though employees may have limited knowledge about attacks that threaten personal data and cyber security, ensuring personal data security is essential. For this reason, awareness and training activities are carried out within our organization as data controller.

Necessary training is provided on issues such as not disclosing or sharing personal data unlawfully, awareness activities are conducted for employees, and an environment is created in which security risks can be identified. Everyone working with the data controller, regardless of position, has their roles and responsibilities regarding personal data security defined in their job descriptions, and employees are made aware of these roles and responsibilities.

On the other hand, confidentiality agreements are signed as part of the recruitment processes of the employees, and a disciplinary process is carried out if the employees do not comply with the security policies and procedures.

In case of any change in the policies and procedures regarding personal data security, trainings are provided to inform and explain the transition to the employees, and the information about the threats to data security and security is kept up-to-date.

In accordance with Article 4(b) and (d) of the Law, personal data must be accurate and up-to-date and must be kept only for as long as required by the relevant legislation or by the purpose for which they are processed. In this context, the data processed are handled according to the principles and rules that must be observed in data processing activities and are kept for the period necessary for the purpose for which they are processed. The retention periods are set out in Section VIII, STORAGE AND DISPOSAL OF PERSONAL DATA.

The table below provides a summary of the administrative measures taken to ensure data security:

Administrative Measures

Preparation of Personal Data Processing Inventory

Corporate Policies (Access, Information Security, Use, Storage and Disposal, etc.)

Contracts (Between Data Controller-Data Controller, Data Controller-Data Processor)

Privacy Commitments

In-house Periodic and/or Random Audits

Risk Analysis

Employment Contract, Disciplinary Regulation (Adding Legal Provisions)

Corporate Communication (Crisis Management, Informing the Board and Relevant Person, Reputation Management, etc.)

Education and Awareness Activities (Information Security and Law)

Notification to Data Controllers Registry Information System (DCRIS)

Personal Data Security Policies and Procedures

Rapid Reporting of Personal Data Security Issues

Monitoring Personal Data Security

Establishing Disciplinary Arrangements Containing Data Security Provisions for Employees

Reducing Personal Data As Much As Possible

Preparation and Implementation of Institutional Policies on Access, Information Security, Use, Storage, and Disposal

Removal of Authorities in this Area of Employees with a Change in Job or Quitting the Job

Including Data Security Provisions in Signed Contracts

Identification of Current Risks and Threats

Conducting In-house Periodic and/or Random Inspections

Determination and Implementation of Protocols and Procedures for the Security of Sensitive Personal Data

Raising Awareness of Data Processing Service Providers on Data Security

6.2. Technical Measures

Firewalls and gateways are among the measures taken to protect the information technology systems containing personal data against unauthorized access and threats from third parties over the internet. The firewall stops intrusions into the information network, and the gateway restricts employees’ access to websites or online platforms that threaten personal data security.

In addition, regular checks are made on the proper functioning of the software and hardware and on whether the security measures taken for the systems are sufficient. Access to systems containing personal data is restricted; within this scope, employees are granted access only to the extent necessary for their jobs, duties, authorities, and responsibilities, and access to the relevant systems is provided by means of a username and password. When creating passwords, number or letter sequences associated with personal information that can be easily guessed are avoided as much as possible.

Access authorization and control matrices are created within the data controller organization, and products such as antivirus and antispam, which regularly scan the information system network and detect dangers, are used to protect against malicious software.

To ensure data security, necessary measures are taken to ensure that documents in paper media containing personal data and servers, backup devices, CDs, DVDs, USB, and other similar storage devices are only accessible to authorized personnel and to increase physical security in this regard.

The table below provides a summary of the technical measures taken to ensure data security:

Technical Measures

Authority Matrix

Authority Control

Access Logs

User Account Management

Network Security

Application Security

Encryption

Intrusion Detection and Prevention Systems

Data Loss Prevention Software

Backup

Firewalls

Current Anti-Virus Systems

Deletion, Destruction, or Anonymization

Key Management

VII. BUILDING, FACILITY ENTRANCES, AND PERSONAL DATA PROCESSING IN THE BUILDING AND FACILITY

7.1. Camera Monitoring Activity at Building, Facility Entrances, and Inside

Within the scope of the Law on Private Security Services, camera monitoring is carried out to ensure security in the Ester Clinic building, working areas, common areas, parking lot, and their surroundings, and to protect the interests of Ester Clinic and other persons. The camera monitoring activity is carried out in accordance with the Law and within the scope of the data processing conditions listed in the Law and in this Policy.

7.2. Monitoring of Guest Entrance and Exit Carried out at Building, Facility Entrances, and Inside

Identity information of guests visiting Ester Clinic is processed as personal data in order to control and monitor entrances to and exits from the Ester Clinic building and to ensure security. The personal data processed within the scope of this activity is limited to the guests’ entry and exit, and the relevant personal data is recorded in the data recording system in electronic or physical form.

VIII. STORAGE AND DISPOSAL OF PERSONAL DATA

8.1. Retention Periods of Personal Data

Your personal data held at Ester Clinic are kept for as long as the data processing activity requires. If an obligation to delete, destroy, or anonymize personal data arises, the data is deleted, destroyed, or anonymized within the first periodic destruction period following the date on which this obligation arises.

In deleting, destroying, or anonymizing your data, Ester Clinic acts in accordance with the general principles outlined in Article 4 of the Law and the technical and administrative measures outlined in Article 12.

All transactions regarding the deletion, destruction, or anonymization of personal data are recorded by us and, as required by legal obligation, are kept for at least 30 years.

The personal data specialist personnel assigned by Ester Clinic for the storage and destruction of data are responsible for the execution and supervision of the personal data storage and destruction policy.

8.2. Obligation to Delete, Destroy and Anonymize Personal Data

Personal data processed by Ester Clinic are deleted, destroyed, or anonymized, ex officio or at the request of the data owner, when the reasons requiring their processing cease to exist, in accordance with the provisions of the “Regulation on the Deletion, Destruction or Anonymization of Personal Data” published in the Official Gazette dated October 28, 2017, and numbered 30224.

a) Deletion of personal data

Deletion of personal data is the process of making personal data inaccessible and non-reusable for relevant users.

All necessary technical and administrative measures are taken to ensure that the deleted personal data cannot be accessed and reused for the relevant users.

b) Destruction of personal data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable, and unusable by anyone. The data controller must take all necessary technical and administrative measures to destroy personal data.

c) Anonymization of personal data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

Ester Clinic takes all necessary technical and administrative measures to anonymize your personal data, and the data are anonymized by applying the methods set out in our personal data retention and destruction policy.

8.3. Deletion, Destruction, and Anonymization Techniques of Personal Data

The techniques for deleting, destroying, or anonymizing the personal data processed by Ester Clinic are shown below, and which of the methods will be applied may vary depending on the nature of the personal data processed.

For this, it is first necessary to determine the personal data that is the subject of deletion, destruction, or anonymization (1); to identify the relevant users for each item of personal data using the access authorization and control matrix or a similar system (2); to determine the access, retrieval, and reuse authorizations and methods of the relevant users (3); and to close and eliminate the relevant users’ access, retrieval, and reuse authorizations and methods with respect to that personal data (4).

The methods for deleting personal data are as follows:

Deletion command in cloud or application type solutions,

Blackening, cutting, or making invisible data on paper media,

Deletion of data on removable media using appropriate software.

The methods for destroying personal data are as follows:

Physical destruction of optical media and magnetic media by melting, burning, or pulverizing,

Other destruction methods for paper or electronic media.

IX. RIGHTS OF THE PERSONAL DATA OWNER AND THE USE OF THESE RIGHTS

9.1. Rights of Personal Data Owner

Per Law No. 6698, in your capacity as data owner you have the right to:

Learn whether your personal data is processed,

Request information if your personal data has been processed,

Learn the purpose of processing your personal data and whether it is used for that purpose,

Know the third parties to whom personal data is transferred domestically or abroad,

Request correction of personal data in case of incomplete or incorrect processing,

Request the deletion or destruction of your personal data within the framework of the conditions stipulated in Article 7,

Request notification of the third parties to whom personal data has been transferred regarding the correction, deletion, or destruction of data in case of incomplete or incorrect processing,

Object to the emergence of a result against you by analyzing your processed data exclusively through automated systems,

Demand compensation for the damage in case of damage due to the unlawful processing of your personal data.

9.2. Exercise of Personal Data Owner’s Rights

Requests by the data subject regarding the implementation of the Law should be sent to Ester Clinic in written form to the contact e-mail address info@esterclinic.com.tr or to the address Merkez Mahallesi, Marmara Caddesi, Marmara İş Hanı No: 12, İç Kapı No: 76, Avcılar – İstanbul. For application requests, the “Data Owner Application Form” published by Ester Clinic on its website must be used.

9.3. Responding to Applications by Ester Clinic

The application is finalized by Ester Clinic as soon as possible, depending on the nature of the request. This period cannot exceed 30 days after the request is duly served. However, if the transaction involves any cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board.

APPENDIX – 1: Definitions

Explicit consent: Consent on a specific subject, based on the information and expressed with free will,

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,

Recipient group: The natural or legal person category to which the data controller transfers personal data,

Direct identifiers: Identifiers that, by themselves, directly reveal, disclose and distinguish the person with whom they are in a relationship,

Indirect identifiers: Identifiers that come together with other identifiers, revealing, disclosing, and making the person they are in a relationship distinguishable,

Relevant person: The natural person whose personal data is processed,

Relevant user: Natural or legal persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data,

Destruction: Deletion, destruction, or anonymization of personal data,

Law: Law on Protection of Personal Data No. 6698, dated 24/3/2016,

Blackening: Processes such as crossing out, painting over, and blurring all of the personal data so that it cannot be associated with an identified or identifiable natural person,

Recording medium: Any medium containing personal data that are fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system,

Personal data: Any information relating to an identified or identifiable natural person,

Processing of personal data: Any operation performed on personal data by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data,

Board: Personal Data Protection Board,

Institution: Personal Data Protection Authority,

Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,

Data registration system: The registration system in which personal data is processed and structured according to specific criteria,

Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Identity Information: Your name, surname, Turkish identity number, passport number or temporary Turkish identification number, place and date of birth, marital status, gender, insurance or patient protocol number, and other identification data by which we can identify you;

Contact Information: Your address, telephone number, e-mail address, and other communication data; your voice call records kept by customer representatives or patient services in accordance with call center standards; and the personal data obtained when you contact us via e-mail, letter or other means;

Accounting Information: Your financial data such as your bank account number, IBAN, credit card information, and billing information; your private health insurance data and your Social Security Institution data, used for financing and planning health services; and, if you visit our Clinic, the camera footage kept for security and inspection purposes;

Health Information: Your personal data regarding all kinds of health and sexual life obtained during or as a result of medical diagnosis, treatment, and care services, including but not limited to your laboratory results, test results, examination data, appointment information and prescription information; if you apply to Ester Clinic for a job, your other personal data, including the CV you provide; and, if you are an Ester Clinic employee or a related employee, all kinds of personal data related to your service contract.

Data Owner Categories and Explanations

Employee: Persons working at the Clinic.

Employee Candidate: Natural persons who apply for a job at the Clinic by sending a CV or by other means.

Intern: Persons who practise the profession they are being trained for at the Clinic in order to improve their professional knowledge.

Patient: Natural persons who benefit from the services the Clinic offers.

Relatives of the Patient: Companions or relatives of patients who use the services offered by the Clinic.

Supplier: Natural persons, and employees of legal entities, from whom the Clinic procures services.

Visitor: Third parties who visit the Clinic.

Other Related Third Parties: Persons who apply to or communicate with the Clinic and do not fall within any of the categories above.

APPENDIX – 3: Third Parties to whom Personal Data is Transferred

Transferred Person/Unit and Purpose of Transfer

Ministry of Health: Transfer of information required to be shared under public health rules and the applicable legislation.

Social Security Institution: Transfer of information needed to carry out the social security transactions of Employees, Employee Candidates, and Patients.

Authorized Public Institutions and Organizations: Limited sharing/transfer of the information and documents requested from the Clinic by the relevant public institutions and organizations.

Suppliers: Transfer of personal data limited to the provision of the services received from suppliers.

APPENDIX – 4: Purposes of Transfer of Personal Data

Personal data obtained by Ester Clinic may be processed and transferred for the following purposes: confirming your identity; protection of public health, preventive medicine, medical diagnosis, and the execution and development of treatment and care services; planning, management and financing of health services; planning and management of the operation of our Clinic and its daily operations; supply of medicines; informing you about your appointment if you make one; risk management and quality improvement activities; evaluations for the development of health services and the conduct of research; fulfilling legal and regulatory requirements; confirming your relationship with the institutions contracted with the Clinic; invoicing for our health services; sharing the information requested by private insurance companies within the scope of financing health services; sharing the information requested by the Ministry of Health and the relevant public institutions and organizations in accordance with the applicable legislation; answering all your questions and complaints about our health services; taking all necessary technical and administrative measures for the data security of our systems and applications; analyzing your use of health services and storing your health data in order to develop and improve the health services we provide; obtaining the information required by regulatory and supervisory institutions and official authorities in line with their requests and inspections; training and development of our employees; monitoring, preventing and reversing abusive and unauthorized transactions; preserving the health data that must be kept under the relevant legislation; concluding financial agreements with the institutions we have contracted with regarding the health services offered to you; measuring and increasing patient satisfaction; and similar purposes.

APPENDIX – 5: Durations

Each entry below lists the personal data category, its storage time, and the legal basis for that storage time.

Health Data (biometric and genetic data, examination data, laboratory, test, analysis and examination results, check-up and prescription information, patient records and health data, including but not limited to patient relatives' information when necessary)
Storage time: 30 years from the end of the personal data processing activity
Legal basis: Regulation on Private Hospitals, Turkish Penal Code

All Records Related to Accounting and Financial Transactions
Storage time: 10 years
Legal basis: Law No. 6102, Law No. 213

Cookies and Logs
Storage time: 6 months, maximum 2 years
Legal basis: Internet Law No. 5651

Traffic Information on Online Visitors
Storage time: 2 years
Legal basis: Law No. 5651

Personal Data Regarding Suppliers
Storage time: 10 years after the legal relationship ends
Legal basis: Law No. 6102, Law No. 6098 and Law No. 213

Personal Data Protection Board Transactions
Storage time: 10 years
Legal basis: Personal Data Retention and Destruction Policy published by the Personal Data Protection Authority

Contracts
Storage time: 10 years from the termination of the agreement
Legal basis: Law No. 6102 and Law No. 6098

Human Resources Processes
Storage time: 10 years from the end of the activity
Legal basis: Labor Law No. 4857 and related legislation

Visitor Registration
Storage time: 2 years from the end of the event
Legal basis: Personal Data Retention and Destruction Policy published by the Personal Data Protection Authority

Data in Personal Files Stored under the Labor Law
Storage time: 10 years from the end of the employment relationship
Legal basis: Labor Law No. 4857 and related legislation, and Turkish Code of Obligations No. 6098

Data Collected under OHS Legislation (health reports, OHS training, occupational health and safety records, etc.)
Storage time: 15 years from the end of the employment relationship
Legal basis: Occupational Health and Safety Law No. 6331 and related legislation

Data Kept within the Scope of SGK Legislation (recruitment declarations, premium/service documents, etc.)
Storage time: 10 years from the end of the employment relationship
Legal basis: Social Insurance and General Health Insurance Law No. 5510 and related legislation

Job Applications Not Accepted: Data Regarding Candidate Applications (CV, cover letter, application form, etc.)
Storage time: 1 year
Legal basis: Sectoral custom

Personal Data Processed in Contractual Relationships
Storage time: 10 years after contract termination
Legal basis: Turkish Code of Obligations No. 6098

Personal Data Regarding Tax Records
Storage time: 5 years
Legal basis: Tax Procedure Law No. 213

Personal Data Processed for Security Purposes by CCTV Cameras (camera records)
Storage time: 90 days
Legal basis: Sectoral custom

Traffic Information Processed during Use of the Office Internet Network, Internet Login, and Remote Connection (IP address, start and end time of the service provided, type of service used, amount of data transferred, and subscriber identity information, if any, etc.)
Storage time: 2 years
Legal basis: Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts

Personal Data of a Deceased Person
Storage time: At least 20 years
Legal basis: Regulation on Personal Health Data published in the Official Gazette dated 21.06.2018 and numbered 30808