
| Data Category | Purpose of Processing Personal Data | Data Subject | Legal Basis |
|---|---|---|---|
| Identity Data (name, surname, Turkish ID number, gender, date of birth, passport number, etc.) | Conducting activities in compliance with legislation; managing communication activities; evaluating and responding to all written, verbal, or electronic inquiries, requests, suggestions, complaints, and applications, including those related to personal data; providing healthcare services to patients; managing appointment scheduling and related processes; identifying emergency contacts and, if the patient is under 18, collecting parental or guardian information | Patient; patient's relative; shareholder/partner; supplier employee; supplier representative; parent/guardian/legal representative | Processing is necessary for the performance of a contract to which the data subject is party; data made public by the data subject; processing is necessary for compliance with a legal obligation to which the data controller is subject |
| Contact Data (address, email address, phone number) | Conducting activities in compliance with legislation; managing legal affairs; managing communication activities; handling requests and complaints; providing information to authorized persons, institutions, and organizations; evaluating and responding to written, verbal, or electronic inquiries, requests, suggestions, complaints, and applications, including those related to personal data; providing healthcare services; managing appointment scheduling and related processes; identifying emergency contacts and, if the patient is under 18, collecting parental or guardian information | Job applicant; employee; patient; patient's relative; shareholder/partner; supplier employee; supplier representative; parent/guardian/legal representative | Processing is necessary for the performance of a contract; processing is necessary for compliance with a legal obligation; data made public by the data subject |
| Marketing Data (website records, cookie data, occupation information) | Announcing new or existing products, services, and campaigns; conducting sales and marketing activities; performing market research; creating statistics and analyzing usage; customizing products and services according to demand | Website users | Processing is necessary for the legitimate interests pursued by the data controller, provided that such interests do not override the fundamental rights and freedoms of the data subject; explicit consent of the data subject |
| Health Data (medical reports, blood group, medication information, test results) | Providing healthcare services in accordance with medical standards; managing diagnosis, treatment, and prescription processes; maintaining personnel files and ensuring compliance with legal obligations for employees; providing information to competent authorities | Patients; employees | Processing is explicitly required by law; explicit consent of the data subject; processing is necessary for the performance of a contract; processing is necessary for compliance with a legal obligation |
| Sexual Life Data (pregnancy status, use of medication related to sexual health, use of birth control pills) | Processing required for the provision of healthcare services (e.g., diagnosing oral lesions, prescribing medication that requires information about contraceptive use) | Patients | Explicit consent of the data subject; processing is necessary for the establishment, exercise, or defense of legal claims |
| COVID-19 Health Data (HES code, vaccination status, COVID test results) | Protecting the health of individuals within the Company; complying with government-imposed COVID-19 measures; ensuring the Company's legitimate interests | Patients; employees; patients' relatives; job applicants; visitors | Processing is necessary for legitimate interests, provided fundamental rights are not infringed; explicit consent of the data subject |
| Financial Data (information, documents, and records reflecting financial transactions, such as bank account number, IBAN, credit card details) | Processing patient and third-party payments; making payments required under Company contracts; paying employee salaries and benefits | Patients; parents/guardians; shareholders/partners; employees; suppliers | Processing is necessary for the performance of a contract; processing is necessary for the establishment, exercise, or defense of legal claims |
| Physical Security Data (CCTV recordings) | Managing emergency response procedures; ensuring the physical security of premises | Patients; visitors; patients' relatives; employees; job applicants; shareholders/partners | Processing is necessary for legitimate interests, provided fundamental rights are not infringed |
| Identity Data (Employees) (name, surname, mother's/father's name, date/place of birth, marital status, gender, national ID serial no., etc.) | Conducting activities in compliance with legislation; managing retention and archiving; managing contractual processes; tracking requests and complaints; providing information to competent authorities; managing administrative operations | Employees; job applicants | Processing is explicitly required by law; processing is necessary for the establishment, exercise, or defense of legal claims |
| Personnel Data (HR) (payroll information, disciplinary records, employment documentation, declarations of assets, CVs, performance reports, etc.) | Managing recruitment and placement processes; managing job application processes; fulfilling employment contract and legal obligations; managing employee benefits and entitlements; managing training activities; ensuring compliance with legislation; managing assignment processes; managing legal affairs; planning HR processes; managing business operations and audits; managing occupational health and safety; collecting and evaluating process improvement suggestions; managing retention and archiving; managing contractual processes; providing information to authorized bodies | Employees; job applicants; shareholders/partners | Processing is explicitly required by law; processing is necessary for legitimate interests, provided fundamental rights are not infringed |
| Professional Experience Data (diploma, course attendance, vocational training, certificates, transcripts, etc.) | Managing recruitment and placement processes; managing job application processes; fulfilling employment contract and legal obligations; managing employee benefits and entitlements; conducting training activities; ensuring compliance with legislation; managing assignments; collecting and evaluating process improvement suggestions | Employees; job applicants; shareholders/partners | Processing is necessary for legitimate interests, provided fundamental rights are not infringed |
The Company is bound by a duty of confidentiality and is committed to protecting and maintaining the privacy of personal data. Personal data shall not be shared with any third parties, institutions, or organizations, unless required by law or a legitimate legal basis exists.
Personal data may be disclosed to competent public authorities only where there is a legal obligation, such as the duty to report contagious diseases to the relevant authorities or the duty to report criminal acts, and always in a limited, proportionate, and purpose-specific manner.
Furthermore, in order to fulfill the Company’s legal obligations under tax and other applicable laws, identity, contact, and financial transaction data may be shared with our certified public accountant/accounting firm, legal advisors, electronic invoicing service providers, and the Ministry of Finance.
Employees working within the Company are also bound by a confidentiality undertaking in accordance with the Turkish Labor Law No. 4857, which imposes an explicit duty of confidentiality.
If you have a private insurance agreement, or if the service provided is covered by the Social Security Institution (SGK), your identity, contact, and health data may be shared with the relevant institution exclusively for this purpose and only upon your explicit request.
Pursuant to the Turkish Dental Association’s Code of Professional Ethics, in cases where medical consultation is required for diagnosis or treatment, your consent will be obtained before sharing the relevant information for consultation purposes.
Your personal data will be transferred only for the purposes specified in the Information Notice and in this Data Policy, in accordance with the principles set out in the Law on the Protection of Personal Data (Law No. 6698) and, where applicable, with your explicit consent, under the conditions stipulated in Articles 8 and 9 of the Law.
The Company implements technical and organizational measures to ensure the lawful processing and secure storage of personal data, taking into account the technological possibilities, implementation costs, and nature of the processing activities.
The Company monitors personal data processing activities through established technical systems and performs regular internal audits.
To maintain network and application security, the Company employs a range of protective measures, including firewalls, antivirus software, and data loss prevention (DLP) systems.
Personal data stored in digital environments are secured against unauthorized access, alteration, disclosure, or destruction by implementing:
- Access control and authentication mechanisms
- Data encryption at rest and secure communication protocols in transit (e.g., TLS)
- Regular vulnerability scanning and security patch management
- Data backup and disaster recovery procedures
- Intrusion detection and prevention systems (IDS/IPS)
All employees receive periodic training and awareness programs on data protection legislation, confidentiality obligations, and the lawful processing of personal data.
Each business unit’s data processing activities are mapped and reviewed in detail to minimize the amount of personal data processed and ensure compliance with data minimization and purpose limitation principles.
In cases of unauthorized access to personal data or other security incidents, the Company immediately performs an internal assessment and, where a breach is confirmed, prepares a data breach report in accordance with the procedures and notification deadlines required by law.
Contracts signed with third parties contain data protection and confidentiality clauses, obligating all parties to ensure compliance with personal data security standards.
Specific data protection procedures, internal policies, and disciplinary measures are enforced to maintain continuous compliance.
The Company implements up-to-date technical safeguards in line with technological advancements.
These measures are periodically updated and improved.
Access and authorization mechanisms are established according to the principle of least privilege, and physical access to archives is strictly controlled.
When employees change roles or leave the organization, their access rights are immediately revoked.
A user account management and access control system is maintained and monitored.
Security measures include:
- Antivirus protection and firewall systems
- Regular security vulnerability assessments and remediation
- System logging of all access to personal data storage areas
- Real-time monitoring and alerts for unauthorized access attempts
Employees are informed and trained on the importance of preventing unauthorized access to personal data.
They are expressly prohibited from disclosing or using personal data for any purpose other than their assigned duties, and this obligation continues even after employment termination.
Contracts with third parties receiving personal data include explicit clauses requiring them to:
- Implement appropriate technical and organizational measures to protect personal data; and
- Ensure compliance with these measures within their own organization.
Personal data storage systems are protected by firewalls, antivirus solutions, and other security software, with all protective systems periodically reviewed and updated.
Potential risks are continuously assessed, and remedial measures are implemented promptly.
Data are securely backed up using lawful and encrypted backup systems, and attack detection/prevention systems are utilized to identify and block unauthorized attempts.
All access to personal data within storage or archiving environments is logged, and unauthorized access attempts are automatically reported.
Employees are trained on secure data storage practices.
Corporate policies covering data access, information security, retention, and destruction are in place and regularly reviewed.
Where personal data storage services are outsourced to third-party providers, the Company ensures that such providers are contractually obligated to implement GDPR-compliant data protection measures, and to maintain equivalent levels of security within their own systems.
The Company determines the retention and destruction periods for personal data in accordance with the Law on the Protection of Personal Data (Law No. 6698), the General Data Protection Regulation (GDPR), and other applicable legislation.
Personal data are retained only for as long as necessary for the purposes for which they were collected or as required by relevant legislation. When the retention period expires or the purpose of processing no longer applies, the data are deleted, destroyed, or anonymized.
Retention Periods Prescribed by Law:
If a statutory retention period exists for a specific category of data, the Company retains such data for the duration prescribed by the relevant law or regulation. Once the statutory period expires, the data are securely destroyed.
No Statutory Period Specified:
Where the legislation does not define a specific retention period, the Company determines the period by considering:
- The purpose of processing and whether it still applies,
- The Company's legitimate interests,
- The principles of necessity, proportionality, data minimization, and storage limitation as set out under Article 5(1)(c) and (e) of the GDPR and Article 4 of Law No. 6698.
Classification of Data:
Personal data are classified as personal data or special categories of personal data (sensitive data) pursuant to Article 9 of the GDPR and Article 6 of Law No. 6698.
Once the purpose of processing sensitive data ceases, such data are immediately and securely destroyed.
Assessment of Lawfulness of Retention:
The Company regularly evaluates whether continued storage of each data category is compatible with:
- The original purpose of collection,
- The data subject's rights and freedoms, and
- The principles of accuracy, storage limitation, and integrity.
Data that fail to meet these criteria are deleted, destroyed, or anonymized.
Legal Exceptions:
Retention may continue if necessary for:
- The establishment, exercise, or defense of legal claims,
- Compliance with legal obligations, or
- The protection of the vital interests of the data subject or others.
The Company applies the following secure data destruction methods, selected according to the medium and sensitivity of the data:
Personal data processed by non-automated means or stored on physical media (e.g., paper, microfiche) are destroyed in such a way that they cannot be recovered, reconstructed, or read.
Examples include shredding, burning, or secure disposal by certified destruction services.
For data stored on magnetic media, an overwriting method is used: the existing data are overwritten at least seven times with random binary values (0s and 1s) using specialized data destruction software, rendering the original data irretrievable.
Overwriting is not a reliable method for optical or flash-based media (e.g., CDs/DVDs, SSDs, USB sticks), since write-once discs cannot be rewritten and wear-levelling on flash media can leave copies outside the overwritten area; such media are destroyed physically as described above.
Anonymization refers to the process by which personal data are irreversibly altered so that the individual can no longer be identified, either directly or indirectly, even when combined with other data.
For data to be considered truly anonymized:
It must not be possible for any party (including the data controller or third parties) to re-identify the individual by combining it with other available information.
Techniques such as masking, generalization, aggregation, randomization, or pseudonymization may be used, though only full anonymization permanently removes the data from the scope of GDPR.
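The distinction drawn above matters in practice: pseudonymized records remain personal data as long as the key or mapping table exists, whereas generalization and aggregation remove the link only when no quasi-identifier combination still points to a single person. The following Python script is an added illustration, not part of this Policy or the Company's tooling; it runs on a small set of constructed, non-real patient records and uses a made-up HMAC key. It pseudonymizes direct identifiers with a keyed HMAC and shows they can be reversed via the mapping, then generalizes the quasi-identifiers (birth year to a decade band, postcode to a prefix) and suppresses any group smaller than k, the usual minimum check before a dataset is treated as anonymized.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records: synthetic identifiers, not real patients or ID numbers.
RECORDS = [
    {"tc_no": "00000000001", "name": "Ayse Yilmaz", "birth_year": 1984, "postcode": "34394", "diagnosis": "K02"},
    {"tc_no": "00000000002", "name": "Mehmet Kaya", "birth_year": 1987, "postcode": "34010", "diagnosis": "K04"},
    {"tc_no": "00000000003", "name": "Elif Demir", "birth_year": 1991, "postcode": "34750", "diagnosis": "K02"},
    {"tc_no": "00000000004", "name": "Can Arslan", "birth_year": 1995, "postcode": "34200", "diagnosis": "K05"},
    {"tc_no": "00000000005", "name": "Zeynep Celik", "birth_year": 1962, "postcode": "06100", "diagnosis": "K04"},
]

# Hypothetical secret; in a real deployment this would live in a key store, not in source.
KEY = b"example-pseudonymization-key-not-for-production"

DIRECT_IDENTIFIERS = ("tc_no", "name")
QUASI_IDENTIFIERS = ("birth_band", "postcode_prefix")


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed token and keep the mapping needed to reverse it.

    The returned mapping is the 'additional information' that keeps this data personal data.
    """
    mapping = {}
    out = []
    for r in records:
        token = hmac.new(key, r["tc_no"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[token] = r["tc_no"]
        out.append({"subject": token, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return out, mapping


def reidentify(pseudo_records, mapping):
    """Anyone holding the mapping (or the key) recovers the original identifiers."""
    return [mapping[r["subject"]] for r in pseudo_records]


def generalize(records, band=10, postcode_digits=2):
    """Drop direct identifiers and coarsen quasi-identifiers; no key, so no reversal."""
    out = []
    for r in records:
        lo = r["birth_year"] // band * band
        out.append({
            "birth_band": f"{lo}-{lo + band - 1}",
            "postcode_prefix": r["postcode"][:postcode_digits],
            "diagnosis": r["diagnosis"],
        })
    return out


def min_group_size(rows, quasi=QUASI_IDENTIFIERS):
    """Smallest number of rows sharing one quasi-identifier combination (1 means someone is unique)."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(counts.values()) if counts else 0


def k_anonymize(rows, k=2, quasi=QUASI_IDENTIFIERS):
    """Suppress rows whose quasi-identifier combination occurs fewer than k times."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return [r for r in rows if counts[tuple(r[q] for q in quasi)] >= k]


if __name__ == "__main__":
    pseudo, mapping = pseudonymize(RECORDS, KEY)
    print("pseudonymized sample:", pseudo[0])
    print("reversible with mapping:", reidentify(pseudo, mapping) == [r["tc_no"] for r in RECORDS])
    gen = generalize(RECORDS)
    print("smallest group after generalization:", min_group_size(gen))
    anon = k_anonymize(gen, k=2)
    print("rows kept after k=2 suppression:", len(anon), "smallest group:", min_group_size(anon))
```

Generalization alone leaves the 1962/06 record as a group of one, so it is still singled out even without a name; only after suppression does every remaining row share its quasi-identifiers with at least one other person. The pseudonymized set, by contrast, is fully reversible for whoever holds the mapping, which is why it stays inside the scope of Law No. 6698 and the GDPR.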
Personal data reaching the end of their retention period are reviewed at regular intervals and are subject to secure deletion, destruction, or anonymization in accordance with this Policy and the guidelines issued by the Turkish Personal Data Protection Authority (KVKK) or the European Data Protection Board (EDPB).
All deletion or destruction actions are documented in internal logs or data destruction reports to demonstrate accountability and compliance with Article 5(2) of the GDPR (“the controller shall be responsible for, and be able to demonstrate compliance with, the principles”).
Below are the Company’s defined data retention and destruction periods:
| Data Category | Retention Period | Destruction Period |
|---|---|---|
| Identity Data | Employees, company representatives, business partners, and patients' relatives: 10 years; job applicants not hired: 6 months; patients: 20 years | During the first scheduled destruction period following the expiration of the retention period |
| Contact Data | Employees, company representatives, business partners, patients' relatives, and patients: 10 years; job applicants not hired: 6 months | During the first scheduled destruction period following the expiration of the retention period |
| Personnel Data | Employees and company representatives: 10 years; job applicants not hired: 6 months | During the first scheduled destruction period following the expiration of the retention period |
| Marketing Data | Maximum 2 years | Immediately upon expiration |
| Physical Security Data (e.g., CCTV footage) | The legally prescribed period (typically 30–90 days, depending on the system) | During the first scheduled destruction period following the expiration of the retention period |
| Financial Data | 10 years | During the first scheduled destruction period following the expiration of the retention period |
| Health Data | Employees: 10 years following termination of employment (statutory requirement); COVID-19 test results, temperature measurements, and HES codes: destroyed immediately once the purpose of processing ceases; patients: 20 years | During the first scheduled destruction period following the expiration of the retention period |
| Sexual Health Data | Patients: 20 years | During the first scheduled destruction period following the expiration of the retention period |