“Dear visitor; One of the basic principles of our company is to work by respecting individual rights and freedoms. Ensuring that personal data, which is of great importance today, is processed in accordance with the law and ensuring information security is among our priorities in our company policies. In this direction, you can get information by reading the Privacy and Personal Data Protection Policy below and by contacting us at any time.”

1. Purpose and Scope

Within the scope of the Personal Data Protection Law No. 6698 (“Law”), this Privacy and Personal Data Protection Policy (“Policy”) of Mayamed Eğitim Sağlık Estetik Hiz. Tur. and Tic. Ltd. Şti. (“Mayamed” or “Company”), which has the title of data controller, specifies in detail the methods of obtaining personal data and the legal grounds for obtaining personal data, the categories of persons and categories of personal data subject to personal data processing, the Company’s personal data processing purposes, to whom and for what purposes it is transferred, the technical and administrative measures taken to ensure the security of personal data, the storage periods of personal data, the rights of the person concerned and how to exercise these rights.

2. Methods of Obtaining Personal Data and Legal Grounds

The Company obtains your personal data, adhering to the general principles set out in Article 4 of the Law and considering data minimization, by the following methods:

  • Verbal (e.g. face-to-face communication, telephone calls, etc.),
  • Written (e.g. forms and other documents prepared or filled in by you, e-mails sent, notifications from judicial authorities, etc.),
  • Visual (e.g. camera recordings), or
  • Electronic (e.g. website usage, etc.),

in any case by fulfilling the disclosure obligation and, in addition, by obtaining the explicit consent of the person concerned where necessary.

The Company processes personal data on the following legal grounds: the explicit consent of the data subject; processing being explicitly stipulated in the laws; processing being mandatory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid; processing being directly related to the establishment and performance of the contract; processing being mandatory for the data controller to fulfill its legal obligation; the data having been made public by the data subject himself; processing being mandatory for the establishment, exercise or protection of a right; and processing being mandatory for the legitimate interests of the data controller.

Within the framework of its activities, the Company, as a rule, does not process special categories of personal data unless the explicit consent of the data subject is obtained. Except for personal data relating to health and sexual life, special categories of personal data are processed without the explicit consent of the data subject only if expressly stipulated by law. Personal data relating to health and sexual life may be processed by persons under the obligation of confidentiality (our physicians and other healthcare personnel) without the explicit consent of the data subject only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing; in other cases, it is processed only with the explicit consent of the data subject.

3. Data Subject and Personal Data Categories

Within the scope of its activities, the Company processes the personal data of the following groups of persons in the specified categories:

| Data Subject | Personal Data Categories |
|---|---|
| Patient, Customer | Identity, Communication, Financial, Legal Transaction, Health, Genetic or Sexual Life Data, Audiovisual Recordings, Other |
| Prospective Employee, Employee, Former Employee, Intern | Identity, Contact, Financial, Employment Information, Personal and Occupational Information, Legal Transaction, Sensitive Personal Data (Health and Criminal Conviction), Ancillary Rights and Benefits, Family Members and Relatives Information, Audiovisual Records, Other |
| Employee Relative | Identity, Communication, Finance, Personnel and Occupational Information |
| Business Partner | Identity, Communication, Legal Action |
| Supplier and Customer Company Employee | Identity, Communication |
| Supplier and Customer Company Signature Authorized | Identity, Communication, Legal Action |
| Reference | Identity, Communication, Personnel (and/or Professional Experience) |
| Visitor | Identity, Transaction Security, Physical Space Security |
| Website Visitor | Process Security |

4. Purposes of Processing Personal Data

Personal data are used by the Company for the following purposes:

  • Execution of Activities in accordance with the Legislation, Follow-up and Execution of Legal Affairs, Providing Information to Authorized Persons, Institutions and Organizations, Execution of Storage and Archive Activities
  • Protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing
  • Follow-up of Requests / Complaints, Execution of Communication Activities, Execution of Promotion Activities, Execution of Customer Relationship Management Processes
  • Execution of Access Authorizations, Execution of Risk Management Processes, Execution of Information Security Processes, Ensuring the Security of Data Controller Operations
  • Execution of Emergency Management Processes, Ensuring Physical Space Security, Ensuring the Security of Movable Goods and Resources
  • Execution of Appointment Processes, Execution of Audit / Ethics Activities, Execution of Internal Audit / Investigation / Intelligence Activities, Execution of Business Continuity Activities
  • Execution of Management Activities, Execution of Strategic Planning Activities, Execution of Contract Processes
  • Organization and Event Management, Social Responsibility and Civil Society Activities
  • Execution of Training Activities, Execution / Supervision of Business Activities, Execution of Employee Candidate / Intern / Student Selection and Placement Processes, Execution of Employee Satisfaction and Loyalty Processes, Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees, Execution of Benefits and Benefits Processes for Employees, Planning of Human Resources Processes, Execution of Occupational Health / Safety Activities, Execution of Performance Evaluation Processes, Foreign Personnel Work and Residence Permit Procedures, Execution of Wage Policy, Execution of Talent / Career Development Activities
  • Receiving and Evaluating Suggestions for Improvement of Business Processes, Execution of Goods / Services Procurement Processes, Execution of Goods / Services Production and Operation Processes
  • Execution of Finance and Accounting Affairs, Execution of Supply Chain Management Processes, Execution of Logistics Activities
  • Creating and Tracking Visitor Records

5. Transfer of Personal Data and Purposes of Transfer

Your personal data must be shared with third parties outside the Company for the purposes stated above within the scope of the activities carried out by the Company and limited to the realization of these purposes. In all these transfer processes, the Company acts in accordance with Articles 8 and 9 of the Law, fulfills the necessary technical and administrative measures, complies with the principles of need to know and need to use, and adheres to the principle of data minimization. In addition, the transferred personal data are also legally protected by signing additional protocols with the third parties to whom the data is transferred.

In this context, personal data transfers are carried out as specified in the table below:

| Contact Person | Purpose of Transfer and Transferee |
|---|---|
| Customer | With our contracted companies that provide laboratory services, with your explicit consent, in order to perform your tests if necessary for your treatment; with our relevant business partners, consultants and service providers, banks and financial advisors for the management of financial and accounting processes, identification and evaluation of risks, and prevention of fraud; with the e-invoice business partner to send e-invoices to the customer electronically; with cargo and courier companies for the delivery of physical contracts or invoices; with tax offices for the fulfillment of tax obligations; with representatives of the Ministry of Finance for invoices and collection receipts during tax audits; with our business partners and service providers who provide, operate or provide services to our IT infrastructure; with our business partners who provide financial advisor / accounting services, legally authorized public institutions and private persons or organizations and third parties; with lawyers, auditors, forensic IT experts, cyber security consultants, tax consultants and other third parties and business partners from whom we receive consultancy and services within the scope of fulfilling legal obligations; with regulatory and supervisory institutions and other official institutions such as courts and enforcement offices; with our shareholders in all processes; with other public institutions or organizations authorized to request your personal data |
| Employee, Former Employee, Intern | To SSI and/or İŞKUR within the scope of employment and exit notifications, which are our legal obligations; to SSI and the Ministry of Health when it comes to auditing; to the Ministry of Family, Labor and Social Services when necessary; personal data to the tax office for the purpose of making mandatory tax declarations arising from the law, and to other public institutions or organizations authorized to request your personal data, including but not limited to these public institutions; to banks, for financial information, in order to make salary payments to employees; to service providers in order to fulfill automated private pension transactions; to our business partners and service providers who provide, operate or provide services to our IT infrastructure, and to our business partners and service providers who provide services in the field of quality control, complaint management and risk analysis of services; to our business partners who provide independent audit, customs, financial advisor / accounting services; to lawyers, auditors, forensic informatics experts, cyber security consultants, tax consultants and other third parties from whom we receive consultancy and services within the scope of fulfilling legal obligations, and to regulatory and supervisory institutions and other official institutions such as courts and enforcement offices; to occupational health and safety companies, hospitals and health institutions in order to fulfill emergency medical interventions and occupational health and safety obligations; to travel agencies and hotels in Turkey and abroad, for communication data, in order to carry out transportation and accommodation transactions within the scope of planning and execution of events, organizations and business trips; to infrastructure providers for the storage of physical and electronic employee data; to security companies, for data such as camera recordings, in order to ensure the security of company premises; to service providers for training and performance evaluation; to relevant service providers for the provision of fringe benefits such as discounted transportation cards, meal cards and clothing; to cargo companies in order to make deliveries when necessary; to customers to whom services are provided, in order to ensure the necessary communication and coordination within the scope of on-site technical support, installation and similar consultancy services; to business partners providing services in this field in order to ensure information security and fulfill legal and technical obligations; to private insurance companies and related service providers for the purposes of preparing disability reports, conducting periodic health screenings, and performing insurance transactions such as private health insurance and personal accident insurance |
| Employee Relative | With authorized public institutions within the scope of LAGI notifications |
| Business Partner, Supplier and Customer Company Signature Authorized | With the relevant public institutions and notaries in order to carry out the legal notifications required to be made by the accounting; with the representatives of the Ministry of Finance for invoices and collection receipts during tax audits; with other authorized public institutions and organizations in order to fulfill our legal obligations; with banks for this purpose, in case we have a payment obligation arising from the existing relationship |
| Visitor, Website Visitor | With public institutions and organizations legally authorized to request this information within the scope of legal obligations (in cases where the Company has a legal or administrative obligation to notify or provide information, such as, but not limited to, the fight against crime and threats to state and public security); with the site management where our practice is located, the name and appointment time information of the visitors, in order to ensure the security of the physical space; with official institutions such as prosecutor’s offices and courts upon request (for example, log records and camera records) |

6. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

The Company takes the necessary care and takes the necessary technical and administrative measures to ensure the confidentiality, integrity and security of your personal data. In this context, it takes the following measures to prevent misuse of personal data, unlawful processing, unauthorized access to personal data, disclosure, alteration or destruction of data.

Anti-Virus: All computers and servers in the Company’s information technology infrastructure are installed with periodically updated anti-virus applications.

Firewall: The Data Center, which hosts the company servers, is protected by Firewall with periodically updated software. New generation firewalls control the internet connections of all personnel and provide protection against viruses and similar threats during this control.

User Definitions and Authorization Matrix: The authorizations of the Company employees in the Company systems are limited only to the extent required by their job descriptions, and in case of any change of authority and duty, the authorizations are immediately terminated or changed within the framework of the new duty.

Information Security Threat and Incident Management: Any breaches or risks detected in the Company’s servers and firewalls are immediately reported to the information technology officer. This responsible person responds to the threat immediately when a security threat occurs and ensures the security of personal data.

Penetration Test: Periodically, a manual penetration test of the servers and computers in the Company system is performed by a supplier company. The security gaps resulting from this test are closed and a verification test is performed to verify that the relevant security gaps have been closed.

Training Employees and Raising Awareness: In order to raise the awareness of Company employees against various information security breaches and to minimize the impact of the human factor in information breach incidents, employees are regularly reminded and trained on information security. Users are reminded and warned again when necessary.

Clean Desk Principle: In accordance with the Company’s internal rules, employees are obliged to comply with the clean desk principle.

Physical Security: We ensure that personal data in paper media are kept in locked cabinets and accessed only by authorized persons.

Cookies: Personal data processed through cookies belonging to third parties from which services are received are deleted from the systems of third parties if the membership is terminated.

Breach Notification: Despite the Company taking the necessary technical and administrative information security measures, in the event that personal data is damaged as a result of attacks on the online platforms operated by the Company or the Company system, or if it is accessed by unauthorized third parties, the Company shall immediately notify you and the Personal Data Protection Board and take the necessary measures to minimize the consequences of the breach.

7. Retention Periods and Destruction Conditions of Personal Data

The Company retains the personal data it processes in accordance with the Law for the periods stipulated in the relevant legislation or required by the purpose of processing. These periods are specified in the table below:

| Personal Data | Storage Time |
|---|---|
| Personal Data of Customers | 10 years from the termination of the legal relationship (Laboratory and Blood Transfusion Data of Customers are stored for 30 years in physical media and indefinitely in electronic media in accordance with the Regulation on Medical Laboratories and the Regulation on Blood and Blood Products) |
| Personal Data Regarding Business Solution Partners / Suppliers | 10 years from the termination of the legal relationship |
| CV and Personal Information Received During Job Application | 2 years from the date of job application |
| Personal Data of Personnel (Identity, Contact, Personal Information, Legal Action Data, Professional Experience, Audio and Visual Records, Physical Space Security) | Personal data for the lifetime of the personnel, other data for 10 years from the end of the legal relationship, camera recordings for 6 months |
| Sensitive Personal Data of Personnel (Criminal Conviction and Health Data) | Health Data 15 years, Criminal Conviction 10 years from the termination of the legal relationship |
| Personal Data on Visitors (Camera Recordings) | 1 week |
| Personal Data of Online Visitors | 2 years |
| All Records of Accounting and Financial Transactions | 10 years |


The Company stores the personal data that it collects and processes through channels such as physical, electronic, website, e-mail within the scope of business processes for the periods stipulated by the relevant laws or secondary legislation and/or for the periods required by the purpose of processing in accordance with Articles 7 and 17 of the Law and Article 138 of the Turkish Penal Code. In the event that these periods expire, it deletes, destroys or anonymizes personal data in accordance with the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data and the Guidelines on Deletion, Destruction or Anonymization of Personal Data. The periodic destruction period has been determined by the Company as 6 months.

Deletion of personal data by the Company refers to the process of making personal data inaccessible and non-reusable for the relevant users in any way; destruction of personal data refers to the process of making personal data inaccessible, non-retrievable and non-reusable by anyone in any way. Anonymization of personal data, on the other hand, refers to the process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if these data are matched with other data.

The Company explains in detail the methods of deletion, destruction and anonymization and the technical and administrative measures taken within the scope of the Personal Data Storage and Destruction Policy prepared in accordance with the Regulation on Deletion, Destruction or Anonymization of Personal Data.

8. Rights of Data Subjects and Exercise of These Rights

Pursuant to Article 11 of the Law, personal data subjects have the following rights:

  • To learn whether their personal data is being processed,
  • To request information if their personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  • To know the third parties to whom personal data are transferred domestically or abroad,
  • To request correction of personal data in case of incomplete or incorrect processing,
  • To request deletion or destruction of personal data,
  • In case of correction, deletion or destruction of personal data, to request notification of this situation to third parties to whom personal data is transferred,
  • To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed personal data exclusively through automated systems,
  • In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

In order to exercise your rights on your personal data, fill out the “Application Form”, which you can access at http://www.dryaseminsavas.com/kvkk, and submit it in one of the following ways:

  • Deliver it in person to the address Küçükbakkalköy Mah. Şenlik Sokak No:14/A Ataşehir/ISTANBUL,
  • Send it to the specified address with wet signature through a notary public,
  • Send it to kvkk@dryaseminsavas.com with secure electronic or mobile signature, via registered e-mail address or your electronic e-mail address registered in our system.

Privacy and Personal Data Protection Policy