Company KVKK Policy

Levent Hospital Inc. Corporate Personal Data Protection Policy

Document Information

  • Document Name: Personal Data Protection Policy
  • Document Relevance: The purpose of the Personal Data Protection Policy is to outline the procedures for safeguarding personal data by Levent Hospital Inc. and to set forth the principles to be applied in this regard.
  • Publication Date: 07.04.2020
  • Version No.: 1
  • Reference / Justification: Law No. 6698 on the Protection of Personal Data and related regulations
  • Approval Authority: Board of Directors of Levent Hospital Inc.

1. PURPOSE

The right of every individual to demand the protection of their personal data is a fundamental right arising from the Constitution. At Levent Hospital Inc., we consider it one of our most valuable duties to fulfill the requirements of this right. Therefore, we prioritize the lawful processing and protection of your personal data.

This policy has been prepared to establish the principles and procedures we follow while processing and protecting personal data.

2. SCOPE

This policy applies to all personal data managed by Levent Hospital Inc. The scope includes any operation performed on data, such as obtaining, recording, storing, preserving, altering, organizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of data, whether by fully or partially automated means or non-automated means, as part of any data recording system.

It applies to the personal data of the shareholders, officials, customers, employees, suppliers, and third parties of Levent Hospital Inc.

Levent Hospital Inc. may amend the Policy for compliance with regulations and decisions of the Personal Data Protection Authority, aiming for better protection of personal data.

3. DEFINITIONS

Abbreviation: Definition

  • Recipient Group: Categories of natural or legal persons to whom personal data is transferred by the data controller.
  • Explicit Consent: Freely given, specific, informed, and unambiguous consent relating to the processing of personal data.
  • Anonymization: Rendering personal data no longer identifiable with a specific individual even if combined with other data.
  • Data Subject: The natural person whose personal data is processed.
  • Related User: Individuals who process personal data within the data controller organization, excluding those responsible for technical storage, protection, and backup of the data.
  • Destruction: The deletion, destruction, or anonymization of personal data.
  • Law/KVKK: Law No. 6698 on the Protection of Personal Data.
  • Recording Medium: Any environment where personal data is processed through fully or partially automated or non-automated means, provided it is part of a data recording system.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Data Inventory: The inventory that details the personal data processing activities carried out by data controllers, including the purpose, legal basis, category, and retention period, among other aspects.
  • Data Processing: Any operation carried out on personal data, including obtaining, recording, storing, altering, or disclosing.
  • Commission: The Personal Data Protection Commission established by Levent Hospital Inc. to manage and ensure compliance with this Policy.
  • Board: The Personal Data Protection Board.
  • Institution: The Personal Data Protection Authority.
  • Sensitive Personal Data: Data relating to a person’s race, ethnicity, political opinions, religious beliefs, or other sensitive areas such as health or criminal records.
  • Periodic Destruction: Routine deletion or anonymization of personal data according to the data retention and destruction policy when the legal grounds for data processing no longer exist.
  • Policy: The Personal Data Protection Policy.
  • Data Processor: A natural or legal person processing personal data on behalf of the data controller, based on authority granted.
  • Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for managing the data recording system.

4. GENERAL PRINCIPLES

Levent Hospital Inc. reviews the compliance of personal data with the following principles for every new data processing workflow. Workflows that are not compliant are not implemented.

Levent Hospital Inc. ensures that personal data is processed in accordance with:

  • (I) Lawfulness and fairness principles.
  • (II) Accuracy and updating when necessary.
  • (III) Clearly defined, lawful, and legitimate purposes.
  • (IV) Limited processing, ensuring the data is relevant to the purpose and processed to the extent necessary.
  • (V) Retaining data only for as long as necessary and destroying it once the purpose for processing is no longer valid.

5. ROLES AND RESPONSIBILITIES

Levent Hospital Inc. has established the Personal Data Protection Commission to manage this Policy and related procedures and to ensure compliance. The Commission comprises the General Manager, Human Resources Manager, Administrative and Financial Affairs Chief, and Quality Assurance Chief. Additionally, the hospital may obtain consultancy services for compliance with the KVKK.

The responsibilities of the Commission include:

  • (I) Meeting regularly every six months or more frequently when necessary (e.g., in case of a potential data breach).
  • (II) Reviewing aspects of the Policy that require updates or improvements.
  • (III) Identifying necessary actions to ensure the lawful processing and protection of personal data.
  • (IV) Raising KVKK awareness within the company and among business partners.
  • (V) Identifying risks related to personal data processing and implementing necessary measures.
  • (VI) Managing relations with the Authority.
  • (VII) Evaluating requests from data subjects.
  • (VIII) Monitoring periodic destruction processes.
  • (IX) Updating the Data Inventory.
  • (X) Assigning tasks for the above responsibilities.

6. SECURITY MEASURES FOR DATA PROTECTION

Levent Hospital Inc. implements necessary technical and administrative measures to ensure an appropriate level of security, including the prevention of unlawful processing and access to personal data and its secure retention.

6.1. Technical Measures

  • (I) Ensuring network and application security.
  • (II) Implementing security measures for IT systems used for procurement, development, and maintenance.
  • (III) Regularly keeping access logs.
  • (IV) Using up-to-date anti-virus systems.
  • (V) Implementing firewall protections.
  • (VI) Ensuring security measures for physical environments containing personal data.
  • (VII) Protecting environments against external risks (fire, flood, etc.).
  • (VIII) Securing personal data storage environments.
  • (IX) Backing up personal data and ensuring the security of backups.
  • (X) Managing user accounts and access controls and monitoring them.
  • (XI) Keeping log records in a way that prevents user interference.
  • (XII) Using attack detection and prevention systems.
  • (XIII) Encrypting data.

6. TRANSFER OF PERSONAL DATA

Levent Hospital A.Ş. may transfer personal data to third parties only within the framework specified by the relevant laws and with the explicit consent of the data subject. Personal data may be shared domestically and internationally with the following parties, when necessary for the continuation of hospital operations:

  • Business partners,
  • Service providers,
  • Legally authorized public institutions and organizations,
  • Insurance companies, and
  • Other relevant third parties.

When transferring personal data, the protection of the rights and freedoms of the individuals concerned is prioritized, and all necessary security measures are taken. Levent Hospital A.Ş. ensures that third parties receiving the data also comply with confidentiality and data protection principles.

7. PURPOSE OF PROCESSING PERSONAL DATA

Levent Hospital A.Ş. processes personal data based on the explicit consent of the data subject or in situations where the law allows such processing without consent. Personal data is processed for the following purposes:

  • Providing medical services in line with the hospital’s operations,
  • Managing patient relationships and keeping medical records,
  • Improving healthcare quality and efficiency,
  • Carrying out operational, financial, and administrative activities,
  • Meeting legal obligations and complying with regulatory requirements,
  • Ensuring patient satisfaction and enhancing the quality of care.

The processing of personal data is conducted in accordance with the principles of fairness, transparency, confidentiality, and security, aiming to safeguard the rights and freedoms of individuals.

8. STORAGE PERIOD OF PERSONAL DATA

Personal data collected by Levent Hospital A.Ş. is stored for the period necessary to fulfill the purposes for which it is processed. The retention period may vary depending on the type of data and the legal obligations associated with it. Once the relevant retention periods have expired, personal data will be deleted, destroyed, or anonymized in accordance with the regulations.

In cases where legal regulations require a longer retention period, personal data may be stored for the duration stipulated by the law.

9. RIGHTS OF DATA SUBJECTS

Data subjects whose personal data is processed by Levent Hospital A.Ş. have the following rights under applicable law:

  • To learn whether their personal data has been processed,
  • To request information about the processing of their personal data,
  • To learn the purpose of processing and whether the data has been used in accordance with that purpose,
  • To know the third parties to whom personal data has been transferred domestically or abroad,
  • To request correction of any inaccuracies in their personal data,
  • To request the deletion or destruction of personal data under the conditions set forth by law,
  • To request that third parties to whom personal data has been transferred are notified of such corrections, deletions, or destructions,
  • To object to the processing of personal data if it results in a negative outcome for the individual, and
  • To request compensation for damages arising from the unlawful processing of personal data.

Data subjects can exercise their rights by contacting Levent Hospital A.Ş. via written communication or through the designated contact points specified by the hospital.

10. AMENDMENTS TO THE PRIVACY POLICY

Levent Hospital A.Ş. reserves the right to update this Privacy Policy in line with legal regulations and institutional needs. Any changes made will be effective upon publication on the hospital’s official website. Data subjects are encouraged to regularly review the Privacy Policy to stay informed about how their personal data is processed and protected.
