MNT SAĞLIK HİZMETLERİ VE TİCARET A.Ş.
POLICY ON PROCESSING AND STORAGE OF PERSONAL DATA
PART I
OBJECTIVE AND FUNDAMENTAL PRINCIPLES


1- OBJECTIVE
The objective of this Policy is to stipulate principles on the processing and storage of personal data by MNT Sağlık Hizmetleri ve Ticaret A.Ş. (“MNT Sağlık”/“Data Controller”/“Company”) and to set forth principles that shall be implemented within the scope of its obligations, including but not limited to those specified under the Law No. 6698 on Protection of Personal Data.
2- DEFINITIONS
Express Consent: Consent that is given about a certain matter with free will upon being informed;
Constitution: Republic of Turkey Constitution No. 2709 dated 7 November 1982, promulgated in Official Gazette No. 17863 dated 9 November 1982;
Anonymization: Converting personal data into a format that prevents association with an identifiable or known real person through matching them with other data;
President: President of the Personal Data Protection Authority;
Data Subject: Real person whose personal data are processed;
Personal Data: All kinds of information related with a known or identifiable real person;
Processing of Personal Data: All kinds of processes such as obtaining, recording, storing, protecting, modifying, recomposing, disclosure, transfer, taking the transfer of personal data, converting them into accessible format, classification or prevention of the use of personal data through partially or fully automatic means or non-automatic means provided that they are a part of any data recording system.
Board: Personal Data Protection Board that has been formed in accordance with the Law No. 6698 on Protection of Personal Data upon appointment of five members by the Grand National Assembly of Turkey, two members by the President and two members by the Council of Ministers;
Authority: Personal Data Protection Authority with headquarters in Ankara that has administrative and financial autonomy and public legal personality in accordance with the Law No. 6698 on Protection of Personal Data;
PDPA: Act No. 6698 on Protection of Personal Data;
Data Processor: Real or legal person processing personal data for and on behalf of data subject with the authority granted by the data controller;
Data Recording System: Recording system where personal data are configured and processed based on certain criteria;
Data Controller: Real or legal person who determines objectives and means of processing personal data, and assumes responsibility for establishing and managing the data recording system.

3- SCOPE

This policy applies to all activities managed by the Company regarding the processing and protection of personal data.

This policy concerns all processed personal data of our shareholders, officials and employees; of the employees, shareholders and officials of institutions with which we cooperate; and of third parties.

This policy applies to all activities regarding processing and protection of personal data by the Company in addition to relevant detailed data procedures.

4- POLICY REGARDING THE PROCESSING OF PERSONAL DATA

4.1. Principles for processing personal data

Company shall process the Personal Data in accordance with PDPA and applicable legislation.

The relevant legislation terms in effect during processing and protection of personal data will be applied first. If there is a conflict between legislation terms and policy terms, the Company accepts that up-to-date legislation terms prevail.

The Company shall implement the following principles during the processing of personal data in accordance with article 4 of PDPA.

i. Compliance with the law and the principle of good faith

The Company shall process the Personal Data in accordance with the law, principles of good faith and good will.

ii. Accuracy and, where necessary, being up to date

The Company shall process the Personal Data accurately and shall update records in accordance with any change that may arise in connection with the Personal Data. For this purpose, the Company shall establish the organization that is necessary for actively responding to revision requests.

iii. Processing for defined, express and legitimate purposes

The Company shall process the Personal Data in accordance with the law and legitimate purposes and within the framework of pre-defined purposes.

iv. Relevance to the purpose of processing, limited and moderate level of processing

The Company shall process the Personal Data in connection with, and in a manner limited to, the defined, express and legitimate purpose. Accordingly, the principle of proportionality shall be observed while processing personal data, and personal data which are thought to be irrelevant to or not serving the purpose of processing shall not be requested.

v. Storage for a period that is specified under the applicable law or required for the purpose of processing.

The Company shall process and store personal data for periods that are specified under the applicable legislation that constitutes the reason of processing the Personal Data. If the applicable legislation does not set forth such a period, the data shall be either deleted, destroyed or anonymized when the reason of processing is no longer in place.

4.2. Company’s purposes for processing personal data

As per PDPA Article 10, the Company informs the relevant persons when collecting personal data. In this scope, the Company discloses the identity of the Company and its representatives (if applicable), the purpose for processing the personal data, to whom and why the processed personal data might be transferred, the method for collecting personal data and the lawful reason for collection, and the rights of the relevant persons as per Article 11 of PDPA.

4.2.1. Terms

· Processing of personal data may be directly related to and necessary to signing or carrying out a contract. Personal data may be processed to prepare a proposal during the beginning phase of a contract, to prepare a purchasing form or to fulfil relevant persons' requests related to the results of a contract. During contract preparation, relevant persons may be contacted in light of the information they have provided,

· Company is allowed to process data if it is required to fulfil a legal obligation or if law requires the personal data or allows these transactions. Data transactions must be necessary for the legally-allowed data processing activity and must conform to the relevant legal terms in terms of type and scope,

· Company may process personal data provided that the data is made public,

· Company is obliged to process the data to establish, use or protect the rights of the Company, the persons whose data is being processed or unrelated persons,

· Company is obliged to process the data for its own legitimate interests (provided the basic rights and freedoms of the persons whose data is processed are not violated).

· Company can process the personal data of its employees, provided their basic rights and freedoms are not damaged, for use when deciding upon promotions, raises or benefits, or distributing tasks and roles during the restructuring of the company. Basic principles regarding protecting personal data will be abided by and the balance of the interests of the data personnel and the relevant person will be considered.

· Company is obliged to process personal data to protect the data owner’s or someone else’s life or bodily integrity when it is impossible or not legally valid for the personal data owner to express consent.

4.2.2. Purposes

· Carrying out the application processes for the employee candidates who file an application to the Company,

· Fulfilling the obligations arising from contract of employment and regulations with respect to the employees of the Company,

· Carrying out the processes for the benefits and interests of the employees of the Company,

· Planning and performing the training activities of the employees,

· Planning and performing the employees’ authorization for access to information,

· Monitoring and supervising the business activities of the employees,

· Recruiting any personnel appropriate for the vacant positions in compliance with the human resources policies of the Company in order to ensure execution of the human resources policies, and executing the human resources operations,

· Fulfilling the obligations under the Occupational Health and Safety, and taking the necessary measures for such purpose,

· Planning and performing information security processes, and setting up and managing IT infrastructure,

· Monitoring the finance and/or accounting and legal affairs,

· Planning and performing the business partners’ and/or suppliers' authorization for access to information, and managing the relations with the business partners and/or suppliers,

· Planning and performing the necessary operational activities required to ensure that the activities of the Company are carried out in compliance with the Company procedures and/or the relevant regulations,

· Providing the physical space security,

· Monitoring the medical inspection, medical treatment and relevant processes,

· Fulfilling the legal and regulatory requirements,

· Providing any information to the competent persons and/or authorities due to the regulations.

PART II
PROCEDURES AND PRINCIPLES OF PROCESSING



1- ESSENTIAL CONDITION FOR PROCESSING PERSONAL DATA

Essential condition for the processing of Personal Data is to obtain Express Consent of the Data Subject. The Company shall not process the Personal Data unless Express Consent of the Data Subject is obtained.

Pursuant to Paragraph 2, Article 5 of PDPA, the Company is not obliged to obtain Express Consent for processing the Personal Data in case:

· It is expressly set forth under the law;

· It is compulsory for protecting the life or physical integrity of a person who is subject to physical conditions that make it impossible to provide consent or a person whose consent is not legally valid, or another person;

· It becomes necessary to process Personal Data of parties to an agreement to the extent it is directly related with execution or performance of an agreement;

· It is compulsory for Data Controller to fulfil a legal obligation;

· Data are disclosed by the Data Subject in public;

· Processing is compulsory for establishing, exercising or protecting a certain right;

· Processing is compulsory for legitimate interests of the Data Controller to the extent fundamental rights and freedoms of the Data Subject are not jeopardized.

2- THE PROCESSING OF SENSITIVE PERSONAL DATA

Sensitive personal data refer to the data that are related with Data Subject’s race, ethnic origin, political view, philosophical inclination, religion, sect or other beliefs, clothing style, membership of associations, foundations or unions, health, sexual life, criminal conviction or security measures, as well as biometric and genetic data.

Sensitive Personal Data cannot be processed without Express Consent of the Data Subject.

Pursuant to PDPA, sensitive personal data except for personal data related with health and sexual life may be processed without obtaining Express Consent of the Data Subject in events specified under the law.

As a requirement of the sensitivity level, Personal Data related with health and sexual life may be processed without obtaining Express Consent of the Data Subject, by persons or competent authorities and organizations that are subject to confidentiality obligation for the purpose of:

· Protecting public health;

· Preventive medicine;

· Performing medical diagnosis, treatment and care services;

· Planning and managing healthcare services and funding.

The Company shall take all additional measures about Sensitive Personal Data, as specified by the Board.

3- DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA

The Company shall delete, destroy or anonymize Personal Data ex officio or upon request of the Data Subject when the purpose of processing Personal Data of the Data Subject is no longer in place and provided that the storage period specified under the law expires.

4- TRANSFER OF PERSONAL DATA



4.1. Transfer in the Country

The Company shall obtain Express Consent of the Data Subject for the transfer of Personal Data.

Express consent of the Data Subject shall not be sought for transfer of Personal Data in the country in case:

· It is expressly specified under the Law;

· It is compulsory for protecting the life or physical integrity of a person who is subject to physical conditions that make it impossible to provide consent or a person whose consent is not legally valid, or another person;

· It becomes necessary to process Personal Data of parties to an agreement to the extent it is directly related with execution or performance of an agreement;

· It is compulsory for Data Controller to fulfil a legal obligation;

· Data are disclosed by the Data Subject in public;

· Processing is compulsory for establishing, exercising or protecting a certain right;

· Processing is compulsory for legitimate interests of the Data Subject to the extent fundamental rights and freedoms of the Data Subject are not jeopardized.

Express consent of the Data Subject shall not be sought for transfer of Sensitive Personal Data in the country in case:

· There is a legal provision permitting the processing of personal data without obtaining express consent of the data subject, except for those related with the health and sexual life;

· Personal data related with health and sexual life are processed by persons or competent authorities and organizations that are subject to confidentiality obligation, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of healthcare services and funding.

4.2. Transfer to Foreign Countries

The Company shall obtain express consent of the Data Subject for the transfer of Personal Data.

Transfer of the Data Subject’s Personal Data and Sensitive Personal Data to foreign countries without obtaining express consent of the Data Subject shall be possible only when conditions set forth under article 4.1 above are in place and in case:

· There is an adequate level of protection in the country where Personal Data and/or Sensitive Personal Data are transferred.

· Data controllers in Turkey and in the relevant foreign country provide a written guarantee for ensuring an adequate level of protection and the Board grants permission, if an adequate level of protection is not in place.

PART III
RIGHTS AND OBLIGATIONS



1- RIGHTS OF DATA SUBJECT

Pursuant to Article 11 of PDPA, the Data Subject has the right to:

· Learn whether Personal Data are processed or not;

· Request information about the processing if the Personal Data are processed;

· Learn the purpose of processing Personal Data and whether they are processed in accordance with the intended purpose or not;

· Get information about the third persons to whom Personal Data are transferred in the country or abroad;

· Request correction in case Personal Data are processed in an incomplete or incorrect manner;

· Request deletion or destruction of Personal Data in accordance with the conditions specified under article three in part two of this Policy;

· Request notification to third persons to whom Personal Data were transferred in case Personal Data are corrected or deleted and destroyed;

· File an objection to a result that goes against the data subject and is obtained by analyzing processed data solely by automatic systems;

· Request compensation of losses in case Personal Data are processed in breach of PDPA and applicable legislation.

2- DATA SUBJECT’S RIGHT TO APPLICATION

Applications related with exercising the aforementioned rights should be submitted in accordance with the following procedure:

1- Application should be submitted in Turkish language;

2- Application should be made in writing or by using registered electronic mail (KEP) address, secure electronic signature, mobile signature or electronic mail address that was previously notified to the Data Controller by the data subject and is registered in the system of the Data Controller, or via a software or application that is developed for application purposes;

3- In the application, it is compulsory to specify:

a) Name, surname, and signature if the application is made in writing;

b) T.R. Identification Number for citizens of the Republic of Turkey; nationality, passport number or if any, identification number for foreign nationals;

c) Residential or work address for notification;

d) If any, electronic mail address, telephone and fax number for notification;

e) Subject matter of the application.

4- The relevant information and documents should be enclosed with the application.

Upon receipt of the application, Data Controller shall respond to requests in the application in the shortest time possible and in any case, at the latest within 30 (Thirty) days.

Data Controller shall either accept the application, or reject it by explaining the rationale.

In case application of the Data Subject is accepted, Data Controller shall process the request in the shortest time possible and provide information to the Data Subject.

Data Controller shall respond to the Data Subject in writing or electronically.

3- OBLIGATIONS OF THE COMPANY AS DATA CONTROLLER



3.1- Obligation to Provide Information

As Data Controller, the Company is obliged to inform the Data Subjects by providing the following information during collection of the Personal Data:

· Identification details of the Data Controller and if any, representative thereof;

· The purpose of processing the Personal Data;

· Persons to whom the Personal Data may be transferred and the purpose of such transfer;

· Method and legal rationale of collecting the Personal Data;

· Information about rights stipulated under article one in part three of this Policy.

3.2- Obligation About Data Security

The Company is obliged to take technical and administrative measures aimed at preventing illegal processing of the Personal Data and illegal access to Personal Data, and ensuring the optimal security level for storage of the Personal Data.

The Company configures systems aimed at conducting and procuring the inspections required for verification of the functioning of technical and administrative measures taken. Results of such inspections are reviewed and necessary actions are taken by the Personal Data Protection Committee. The Company is obliged to notify the Data Subject and the Board (if the applicable legislation so requires) immediately in case processed Personal Data are accessed by others through illegal ways. The required organizational structure has been established for this purpose.

3.2.1. Technical and Administrative Measures Aimed At Ensuring Legal Compliance of Processing Activities

The Company takes the following measures for the processing of Personal Data in accordance with the law:

· All processes conducted within the Company in connection with data processing activities are analyzed for each business unit and a “Personal Data Processing Inventory” is created for this purpose;

· Actions to be taken for ensuring legal compliance are determined for each unit in accordance with the Personal Data processing inventory;

· Employees of the Company are informed and trained about the processing of Personal Data in accordance with the law and sanctions imposed in case of processing in breach of the law;

· Regular inspections are conducted for ensuring awareness among employees, and necessary administrative actions are taken through internal policies and trainings of the Company;

· Provisions about confidentiality of disclosed Personal Data, and about mode of processing and storage, are included in agreements and documents that govern the legal relationship between the Company and its employees, subsidiaries, business partners, suppliers and customers;

· Access to Personal Data is limited to employees on a “need to know” basis in accordance with the purpose of processing. Access of employees to certain Personal Data that are not used within the scope of their jobs is limited.

3.2.2. Technical and Administrative Measures for Preventing Unauthorized Access to Personal Data

The Company takes the following measures for preventing unauthorized access to Personal Data:

· Technical measures are taken in accordance with the technology and measures are revised regularly for preventing access to systems and locations where Personal Data are stored;

· The Company designs and commissions technical processes for access and authorization in accordance with legal compliance requirements applicable to each business unit;

· Technical measures are reported to the relevant persons as and when required, and technological solutions are generated in case of security vulnerabilities;

· The relevant software and systems including software and hardware with anti-virus systems and firewalls are installed;

· Provisions on taking security measures required for protecting Personal Data are included in agreements that are executed with persons to whom the Company transfers Personal Data.

3.3. Obligation to Register with the Data Controllers Registry

The Company shall register with the Data Controllers Registry upon submitting application information and documents stipulated under PDPA, within the period that shall be determined and announced by the Board.


© 2019 MNT is a company of Group. All rights reserved.
