- LOGIN
- Purpose of the Policy
Processing of personal data obtained by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ pursuant to Article 20 of the Constitution titled “Privacy of Private Life” and the Law on the Protection of Personal Data No. 6698 (“ Law ”) and applicable regulations and communiqués, data owners ( employee, employee candidates, patients, relatives, suppliers, interns, visitors and other relevant third parties ) protection of fundamental rights and freedoms, especially the privacy of private life, and the data processing of the personal data in accordance with the law, the protection, storage and, when necessary, of the personal data obtained. The determination of the principles regarding the destruction of these constitutes the purpose of this Policy.
- Scope of the Policy
Obtaining and saving all kinds of information related to an identified or identifiable natural person as personal data by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ fully or partially automatically or non-automatically provided that it is a part of any data recording system, Data processed by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ since all kinds of transactions such as storing, keeping, changing, rearranging, explaining, transferring, taking over, making it available, classifying or preventing its use are considered as data processing activities. establishing the procedures and principles of the processing activity determines the scope of this Policy.
- Implementation of the Policy and Related Legislation
Your personal data and personal health data are for the purposes explained in this policy text and Health Services Basic Law No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Affiliates, Regulation on Private Hospitals, Regulation on the Processing of Personal Health Data and Protection of Privacy, related regulations and It has been prepared in accordance with the rules shown in the regulations, communiqués, decisions and guides published by the Board, especially the Law No. 6698. In case the subject becomes incompatible with the amendment, the amended provisions and rules will apply. All communiqués, decisions and guidelines published by the Board are followed by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ, and the rules stipulated by the Policy are kept up to date.
- Enforcement of the Policy
https://www.eternahealthgroup.com website of ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ and entered into force on the date of its publication.
- MATTERS REGARDING THE PROTECTION OF PERSONAL DATA
2.1. Ensuring the Security of Personal Data
According to Article 12 of the Law No. 6698, the data controller;
- To prevent the unlawful processing of personal data,
- To prevent unlawful access to personal data,
- To ensure the protection of personal data
It is obliged to take all necessary administrative and technical measures to ensure the appropriate level of security for the purpose.
For the reasons explained, ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ implements security measures to prevent unlawful processing of personal data, transferring and disclosure of personal data to third parties, unauthorized access and security deficiencies caused by other means. Explanations on the administrative and technical measures taken VI. It is included in the ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA .
2.2. Protection of Private Personal Data
Among the sensitive personal data, the health data of the persons concerned, without seeking the explicit consent of the relevant person, but for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning health services and financing and management purposes, persons or authorized institutions and can be processed by organizations. In addition, regardless of the type, all sensitive personal data can be processed only if adequate measures determined by KVKK are taken as per the law.
Your personal data that you share with us within the scope of our Travel Agency activities; For the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, provided by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ by automatic or non-automatic methods; Obtaining, recording, storing, changing through all channels, including social media applications such as website, survey, social responsibility, and verbal, written, visual or electronic media, via hotline/call center, website, verbal, written and similar channels, reorganized and collected. All kinds of operations performed on data within the scope of KVKK are considered as “processing of personal data”.
In addition, your personal data may be processed when you use our hotline or internet page for information, appointment, complaint or other purposes for service provision, visit our Travel Agency or website and browse this site.
The data that is sensitive due to its nature and may cause victimization or discrimination of the data owner if it is in the hands of third parties is accepted as “Special “Qualified Personal Data” within the scope of the Law. Sensitive personal data includes data related to the person’s race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data. and genetic data. Special categories of personal data cannot be processed without the explicit consent of the data subject. ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ takes all necessary measures to protect sensitive personal data, and it is essential that such data are not obtained and processed as much as possible.
III. MATTERS REGARDING THE PROCESSING OF PERSONAL DATA
3.1. Processing of Personal Data in Compliance with the Principles Established in the Legislation
The principles to be applied in the processing of your personal data in accordance with Article 4 of the Law are as follows:
- Compliance with the law and the rule of honesty,
- Being accurate and up-to-date when necessary,
- Processing for specific, explicit and legitimate purposes,
- Being connected, limited and restrained with the purpose for which they are processed,
- To be kept for the period required by the relevant legislation or for the purpose for which they are processed.
3.2. Personal Data Processing Conditions
Personal data obtained by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ cannot be processed without the explicit consent of the person concerned, with the exception of the exceptions stipulated in the Law. Your personal data may be processed without express consent in the following cases:
- clearly stipulated in the law,
- It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid,
- It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
- It is mandatory for the data controller to fulfill its legal obligation,
- The person concerned has been made public by himself,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
3.3. Exceptions to Obligation to Obtain Explicit Consent
- expressly stipulated in the law
One of the data processing conditions is that it is expressly stipulated in the law. The provisions in the laws regarding the processing of personal data may create a data processing condition. In such a case, the explicit consent of the person concerned is not sought.
- actual impossibility
The personal data of the person concerned can be processed without his explicit consent in cases where it is necessary for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid.
- Being directly related to the establishment or performance of the contract
In the event that data processing is deemed necessary during the conclusion of a contract to which the data owner is a party or during the performance of the contract, the processing of personal data may come to the fore without obtaining explicit consent.
- Fulfilling the legal obligation of ETERNA SAGLIK TOURISM AND TRAVEL AGENCY SANAYİ TİCARET LİMİTED ŞİRKETİ
ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ, as the data controller, can process personal data without express consent for the purpose of fulfilling the legal obligations.
- Being made public by the person concerned
Personal data made public by the data subject, in other words, personal data disclosed to the public in any way, can be processed without express consent. Even in this case, the publicized personal data cannot be used for purposes other than its intended use.
- Obligatory for the establishment, use and protection of a right
In cases where it is necessary for the establishment, exercise or protection of a right, it is possible to process the personal data of the person concerned without his explicit consent.
- Obligatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject
If the processing of personal data is obligatory for the data controller and the data processing activity will not harm the fundamental rights and freedoms of the data subject, personal data may be processed without obtaining explicit consent.
The legitimate interest of the data controller is the interest and benefit to be obtained as a result of the processing to be carried out. Benefit of the data controller; It must relate to a legitimate, sufficiently effective, specific and already existing interest to compete with the fundamental rights and freedoms of the person concerned. It should be a process that is related to the current activities of the data controller and will benefit him in the near future.
3.4. Processing of Private Personal Data
The processing of sensitive personal data is subject to Article 6 of the Law and it is prohibited to be processed without the explicit consent of the person concerned.
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are of special nature. is personal data. The data included in this scope are limited in number and cannot be expanded through interpretation.
Due to its nature, special quality personal data is data that, if learned, may cause discrimination and victimization of the person concerned. Therefore, they need to be protected much more strictly than other personal data.
- Special categories of personal data other than health and sexual life
Except for personal data related to health and sexual life, sensitive personal data can be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws.
- Special categories of personal data regarding health and sexual life
Special categories of personal data regarding health and sexual life can only be processed by persons or authorized institutions and organizations that are under the obligation of confidentiality, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
3.5. Clarifying and Informing the Personal Data Owner
During the collection of personal data, data owners are informed in the capacity of data controller or authorized persons of ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ. Procedures and principles regarding the notification made About the Protection of Personal Data published by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ It is stated in the Illumination Texts and the information includes the following elements in summary:
- Identity of the data controller and its representative, if any,
- For what purpose personal data will be processed,
- To whom and for what purpose personal data can be transferred,
- Method and legal reason for collecting personal data,
- Rights of the person concerned, as indicated in Article 11 of the Law.
- Identity of data controller and representative
According to Article 10 of the Law, data owners ( employees, employee candidates, The personal data obtained (patients, relatives, suppliers, pharmacies, visitors, interns and other relevant third parties ) are processed by ETERNA SAĞLIK TOURISM VE TRAVEL AGENCY SANAYİ TİCARET LİMİTED ŞİRKETİ as the data controller, and the contact of the relevant unit is contact@www.eternahealthgroup.com e-mail address or https://www.eternahealthgroup.com .
- Purposes of processing personal data
The processing of personal data is carried out for specific, clear and legitimate purposes and is based on informing the data owners. V. ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ for the purposes for which your obtained data is processed . CATEGORIZATION OF PERSONAL DATA PROCESSED BY AND PURPOSE OF PROCESSING .
- Persons to whom personal data are transferred and the purposes for which they are transferred
Within the framework of the data controller’s obligation to inform the data owner, the persons to whom personal data are transferred and the purposes for which they are transferred should be clearly stated. Personal data cannot be transferred to third parties without the explicit consent of the data owner. Recipient groups to whom personal data are transferred by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ and the purpose of transfer IV. It is shown in the section TRANSFERRING PERSONAL DATA .
- Method and legal reason for collecting personal data
In accordance with Articles 5 and 6 of the Law, the data controller must clearly state on which basis the personal data processing conditions are based. Data collection method and mediation are determined by the data controller. The processing conditions of personal data, that is, the conditions of compliance with the law, are listed in a limited number in the Law (art. 5-6) and these conditions cannot be extended.
Data controller ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ evaluates whether the purpose of the personal data processing activity is primarily based on one of the processing conditions other than express consent, if this purpose does not meet at least one of the conditions other than the express consent specified in the Law, in this case the continuation of the data processing activity. For this purpose, the express consent of the person is obtained.
- TRANSFERRING PERSONAL DATA
4.1. Domestic Transfer
Personal data cannot be transferred without the explicit consent of the person concerned. However:
- In the second paragraph of Article 5,
- Provided that adequate measures are taken, the third paragraph of Article 6
If one of the conditions specified is present, it can be transferred without seeking the explicit consent of the person concerned.
Accordingly, provided that it is clearly stipulated in the law (1), is compulsory for the protection of the life or bodily integrity of the person or another person whose consent is not legally valid or who is unable to express his consent due to actual impossibility (2), and is directly related to the establishment or performance of a contract. It is necessary to process the personal data of the parties (3), it is necessary for the data controller to fulfill its legal obligation (4), the data subject has been made public by himself (5), the data processing is mandatory for the establishment, exercise or protection of a right (6), Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data of the data subject may be transferred to third parties without obtaining their explicit consent, if data processing is necessary for the legitimate interests of the data controller.
Your personal data and personal health data are for the purposes explained in this policy text and Health Services Basic Law No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Affiliates, Law on Protection of Personal Data No. 6698, Regulation on Private Hospitals, Processing of Personal Health Data and Within the framework of the Privacy Protection Regulation and related regulations;
Ministry of Health, Social Security Institution, General Directorate of Security and other law enforcement agencies, CIMER, SABİM, Ministry of Labor, General Directorate of Population, courts and enforcement offices, Turkey Pharmacists, in order to fulfill our contractual and legal obligations and to carry out administrative, commercial and economic activities of our Travel Agency. Union, regulatory and supervisory institutions, insurance companies, representatives authorized by patients, cooperated laboratories and other centers and Electronic Medical Records and Electronic Health Records systems.
Information on the recipient groups to which your personal data is transferred, processed by ETERNA SAĞLIK TURİZM VE SEYAHAT AGENTES SANAYİ TİCARET LİMİTED ŞİRKETİ, is included in ANNEX 4 – Third Parties and Purposes of Transfer of Personal Data of this Policy.
4.2. International Transfer
Personal data cannot be transferred abroad without the explicit consent of the person concerned. In so far, the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law and in the foreign country to which the personal data will be transferred;
- Availability of adequate protection
- In the absence of adequate protection, data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and have the permission of the Board,
can be transferred abroad without seeking the explicit consent of the person concerned, provided that the
- CATEGORIZATION OF PERSONAL DATA PROCESSED BY ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ AND THE PURPOSE OF PROCESSING
Data subject persons, data categorization obtained by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ and the purposes observed in the processing of personal data are shown in the relevant sections of the clarification texts on our website for each category of data subject.
- ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA
Administrative and technical measures are taken by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ to keep personal data safe, to process it illegally and to prevent access to personal data.
In order to ensure personal data security, all personal data processed by ETERNA SAĞLIK TURİZM VE SEYAHAT AGENESİ SANAYİ TİCARET LİMİTED ŞİRKETİ are determined and the probability of the risks that may arise regarding the protection of this data are determined; While determining these risks, whether the personal data is sensitive personal data (1), what degree of confidentiality it requires due to its nature (2), and the nature and quantity of the damage that may arise in the case of a security breach (3) are taken into consideration.
After defining and prioritizing these risks; control and solution alternatives to reduce or eliminate the said risks; cost, applicability and usefulness should be evaluated in line with the principles, necessary technical and administrative measures are planned and put into practice.
6.1. Administrative Measures
It is of great importance to ensure personal data security that the attacks that will harm personal data security and cyber security, even if employees have limited information, make the first response. For this reason, awareness and information activities are carried out in our internal organization as a data controller.
Providing necessary training to employees on issues such as not unlawfully disclosing and sharing personal data, conducting awareness activities for employees and creating an environment where security risks can be determined; Regardless of the position of the data controller, it is ensured that the roles and responsibilities regarding personal data security are determined in their job descriptions and that the employees are aware of their roles and responsibilities in this regard.
On the other hand, confidentiality agreements are signed as part of the recruitment processes of the employees, and a disciplinary process is carried out if the employees do not comply with the security policies and procedures.
In case of any change in the policies and procedures regarding personal data security, trainings are provided to inform and explain the change to the employees, and the information about the threats to data security and security is kept up-to-date.
Personal data must be accurate and up-to-date when necessary in accordance with Article 4(b) and (d) of the Law, and must be kept for the period required by the relevant legislation or for the purpose for which they are processed. In this context, the data processed are processed in accordance with the principles and rules that must be observed in data processing activities and are kept for the period required for the purpose for which they are processed . It is shown in the STORAGE AND DISPOSAL OF PERSONAL DATA .
The table below gives a summary of the administrative measures taken to ensure data security:
| Administrative Measures |
| Preparation of Personal Data Processing Inventory |
| Corporate Policies (Access, Information Security, Use, Storage and Disposal etc.) |
| Contracts (Between Data Controller-Data Controller, Data Controller-Data Processor) |
| Privacy Commitments |
| In-house Periodic and/or Random Audits |
| Risk Analysis |
| Employment Contract, Disciplinary Regulation (Adding Legal Provisions) |
| Corporate Communication (Crisis Management, Informing the Board and Relevant Person, Reputation Management, etc.) |
| Education and Awareness Activities (Information Security and Law) |
| Notification to Data Controllers Registry Information System (VERBIS) |
| Personal Data Security Policies and Procedures |
| Rapid Reporting of Personal Data Security Issues |
| Monitoring Personal Data Security |
| Establishing Disciplinary Arrangements Containing Data Security Provisions for Employees |
| Reducing Personal Data As Much As Possible |
| Preparation and Implementation of Institutional Policies on Access, Information Security, Use, Storage and Disposal |
| Removal of Authorities in this Area of Employees with a Change in Job or Leaving the Job |
| Including Data Security Provisions in Signed Contracts |
| Identification of Current Risks and Threats |
| Conducting In-house Periodic and/or Random Inspections |
| Protocols and Procedures for Special Quality Personal Data Security have been determined and their implementation |
| Raising Awareness of Data Processing Service Providers on Data Security |
6.2. Technical Measures
Firewalls and gateways are used among the measures taken to protect my information technology systems containing personal data against unauthorized access and threats by third parties over the internet. With the firewall used, violations of the information network are stopped, and with the gateway, employees’ access to websites or online platforms that pose a threat to personal data security is restricted.
In addition, regular checks are made regarding the proper functioning of software and hardware and whether the security measures taken for the systems are sufficient. Access to systems containing personal data is restricted, and within this scope, employees are granted access to the extent necessary for their jobs, duties, and authorities and responsibilities, and access to related systems is provided by using a user name and password. While creating the aforementioned passwords, numbers or letter sequences associated with personal information that can be easily guessed are avoided as much as possible.
Access authorization and control matrices are created within the data controller organization, and products such as antivirus and antispam, which regularly scan the information system network and detect dangers, are used to protect against malicious software.
In order to ensure data security, necessary measures are taken to ensure that documents in paper media containing personal data and servers, backup devices, CD, DVD, USB and other similar storage devices are only accessible to authorized personnel and to increase physical security in this regard.
The table below gives a summary of the administrative measures taken to ensure data security:
| Technical Measures |
| Authority Matrix |
| Authority Control |
| Access Logs |
| User Account Management |
| Network Security |
| Application Security |
| Encryption |
| Intrusion Detection and Prevention Systems |
| Data Loss Prevention Software |
| Backup |
| Firewalls |
| Current Anti-Virus Systems |
| Deletion, Destruction, or Anonymization |
| Key Management |
VII. BUILDING, FACILITY ENTRANCES AND PERSONAL DATA PROCESSING IN THE BUILDING AND FACILITY
7.1. Camera Monitoring Activity at Building, Facility Entrances and Inside
Within the scope of the Law on Private Security Services, ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ building, working areas, common areas, parking lot and its surroundings are provided with security, ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ building, protection of interests and other people’s security. For this purpose, monitoring activities are carried out with a camera. The camera monitoring activity is carried out in accordance with the Law and is carried out within the scope of the data processing conditions listed both in the Law and in this Policy.
7.2. Follow-up of Guest Entrance and Exit Carried out at Building, Facility Entrances and Inside
Identity information of the guests visiting ETERNA SAGLIK TOURISM AND TRAVEL AGENCY SANAYİ TİCARET LİMİTED ŞİRKETİ building is subject to personal data processing in order to control and monitor the entrances and exits, and to ensure security. The personal data processed within the scope of this activity are only limited to the entry and exit of the guests, and the relevant personal data is recorded in the data recording system in electronic or physical environment.
VIII. STORAGE AND DISPOSAL OF PERSONAL DATA
8.1. Retention Periods of Personal Data
Your personal data held by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ are kept for as long as the data processing activity is necessary; In the event that the obligation to delete, destroy or anonymize personal data arises, it is deleted, destroyed or anonymized within the first periodic destruction period following the date of emergence of this obligation.
ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ acts in accordance with the general principles shown in Article 4 of the Law and the technical and administrative measures indicated in Article 12 in deleting, destroying or anonymizing your personal data.
All transactions regarding the deletion, destruction or anonymization of personal data are recorded by us and are kept during the processing of personal data for at least 30 years in accordance with the legal obligation.
Personal data specialist personnel assigned by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ regarding the storage and destruction of data is the person responsible for the execution and supervision of the personal data storage and destruction policy.
8.2. Obligation to Delete, Destroy and Anonymize Personal Data
Personal data processed by ETERNA SAĞLIK TURİZM VE SEYAHAT AGENESİ SANAYİ TİCARET LİMİTED ŞİRKETİ are subject to the “Deletion, Destruction or Anonymization of Personal Data” published in the Official Gazette dated 28 October 2017 and numbered 30224, prepared by the Personal Data Protection Board with Article 7 of the Law. It is deleted, destroyed or anonymized ex officio or upon the request of the relevant data owner, in the event that the reasons requiring it to be processed in accordance with the provisions of the “Regulation on
- Deletion of personal data
Deletion of personal data is the process of making personal data inaccessible and non-reusable for the relevant users.
All necessary technical and administrative measures are taken to ensure that the deleted personal data cannot be accessed and reused for the relevant users.
- Destruction of personal data
Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.
- Anonymization of personal data
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.
ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ takes all necessary technical and administrative measures to make your personal data anonymous, and it is anonymized by applying methods in accordance with our personal data storage and destruction policy.
8.3. Deletion, Destruction and Anonymization Techniques of Personal Data
Techniques for deletion, destruction or anonymization of personal data processed by ETERNA SAĞLIK TURİZM VE SEYAHAT AGENTES SANAYİ TİCARET LİMİTED ŞİRKETİ are shown below, and which of the techniques will be applied may vary depending on the nature of the personal data processed.
For this purpose, first of all, determining the personal data that is the subject of deletion, destruction or anonymization (1), identifying the relevant users for each personal data using an access authorization and control matrix or a similar system (2), accessing the relevant users, It is necessary to determine the authorizations and methods such as retrieval and reuse (3), to close and eliminate the access, retrieval, reuse authorization and methods of the relevant users within the scope of personal data (4).
delete personal data is as follows:
- Issuing a delete command in cloud or application-type solutions,
- Blackening, cutting or making invisible data in paper media,
- Deletion of data on removable media using appropriate software.
destroy personal data is as follows:
- Physical destruction by melting, burning or pulverizing optical media and magnetic media,
- Other destruction in paper or electronic form.
- RIGHTS OF THE PERSONAL DATA OWNER AND THE USE OF THESE RIGHTS
9.1. Rights of Personal Data Owner
In accordance with the Law No. 6698, in the capacity of data owner:
- Learning whether your personal data is processed or not,
- If your personal data has been processed, requesting information about it,
- Learning the purpose of processing your personal data and whether they are used in accordance with the purpose,
- Knowing the third parties to whom personal data is transferred at home or abroad,
- Requesting correction of personal data if it is incomplete or incorrectly processed,
- To request the deletion or destruction of your personal data within the framework of the conditions stipulated in the article,
- In case of incomplete or incorrect processing, requesting notification of the third parties to whom personal data has been transferred, regarding the correction of these and the deletion or destruction of data,
- Objecting to the emergence of a result against you by analyzing your processed data exclusively through automated systems,
- You have the right to demand the compensation of the damage in case of any damage due to the unlawful processing of your personal data.
9.2. Exercise of Personal Data Owner’s Rights
Requests regarding the implementation of the Law by the data subject of the data subject, contact@www.eternahealthgroup.com contact e-mail address or Kazım Özalp Mh. Maiden’s Tower St. No: 32/6 Çankaya/ANKARA in written form to ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ. In the application requests, the ” Data Owner ” published on the website by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ Application Form “must be used.
9.3. ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ’s Response to Applications
Depending on the nature of the application request, it is finalized by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ as soon as possible. This period cannot exceed 30 days after the request is properly served to us. In so far, if the transaction requires any cost, a fee may be charged according to the tariff determined by the Personal Data Protection Board.
APPENDIX – 1: Definitions
Explicit consent: Consent on a specific subject, based on information and expressed with free will,
Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,
Recipient group: The natural or legal person category to which personal data is transferred by the data controller,
Direct identifiers: identifiers that , by themselves, directly reveal, disclose and distinguish the person with whom they are in a relationship,
Indirect identifiers : Identifiers that come together with other identifiers, revealing, disclosing and making the person they are in a relationship distinguishable,
Relevant person: The real person whose personal data is processed,
Relevant user: Real or legal persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
Destruction: Deletion, destruction or anonymization of personal data,
Law: Law on Protection of Personal Data No. 6698, dated 24/3/2016,
Blackening: Processes such as scratching, painting and icing all of the personal data in a way that cannot be associated with an identified or identifiable natural person,
Recording medium: Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system,
Personal data: Any information relating to an identified or identifiable natural person,
Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as the classification or prevention of its use,
Board : Personal Data Protection Board,
Institution : Personal Data Protection Authority,
Data processor : The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
Data registration system: The registration system in which personal data is processed and structured according to certain criteria,
Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Identity Information : Your name, surname, TC identity number, passport number or temporary TC identity number, place and date of birth, marital status, gender, insurance or patient protocol number and other identification data by which we can identify you;
Contact Information : Your address, telephone number, e-mail address and other communication data, your voice call records kept by customer representatives or patient services in accordance with call center standards, and your personal data obtained when you contact us via e-mail, letter or other means;
Accounting Information : Your financial data such as your bank account number, IBAN number, credit card information, billing information; your data on private health insurance and your Social Security Institution data for the purpose of financing and planning health services; If you visit our clinic, your footage of camera recordings kept for security and inspection purposes,
Health Information: Your personal data regarding all kinds of health and sexual life obtained during or as a result of medical diagnosis, treatment and care services, including but not limited to your laboratory results, test results, Travel Agency data, appointment information, prescription information ETERNA SAĞLIK If you apply for a job at TURİZM VE TRAVEL AGENCY SANAYİ TİCARET LİMİTED ŞİRKETİ, your other personal data including the CV provided in this regard, and all your personal data if you are an employee of ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ or any related employee.
APPENDIX – 2: Personal Data Owners (Relevant Persons)
| Data Subject Categories | Explanation |
| Worker | ETERNA SAGLIK TOURISM AND TRAVEL AGENCY SANAYİ TİCARET LİMİTED ŞİRKETİ means the people working within the body. |
| Employee Candidate | ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ means real persons who apply for a job by sending a CV or by other methods. |
| Intern | ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ refers to people who use the profession they have been trained in practically to increase their professional knowledge. |
| Patient | ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ means the real persons who benefit from the services offered. |
| The relatives of the patient | ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ means the companions or relatives of patients who use the services provided. |
| supplier | It refers to natural persons and legal entity employees from whom services are provided. |
| Visitor | ETERNA SAĞLIK TOURISM AND TRAVEL AGENCY SANAYİ TİCARET LİMİTED ŞİRKETİ is the 3rd person visiting. |
| Other Related Third Parties | Refers to those who apply to ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ, other than those who communicate. |
APPENDIX – 3: Third Parties to whom Personal Data is Transferred
| Transferred Person/Unit | Purpose of Transfer |
| Ministry of Health | Transfer of information that needs to be transferred in accordance with public health and legislation. |
| Social Security Institution | Transferring information for the purpose of carrying out the procedures of the Employees, Employee Candidates and Patients within the scope of Social Security. |
| Authorized Public Institutions and Organizations | Limited sharing/transfer of information and documents requested by relevant public institutions and organizations from ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ. |
| suppliers | Transfer of personal data limited to the provision of services received from suppliers. |
APPENDIX- 4: Purposes of Transfer of Personal Data
All kinds of personal data obtained by ETERNA SAĞLIK TURİZM VE SEYAHAT ACENTESİ SANAYİ TİCARET LİMİTED ŞİRKETİ can be processed for the purposes listed; confirming your identity, protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and financing, planning and management of the operation of our clinic and daily operations, supply of medicines, informing you about the appointment if you make an appointment, risk management and quality improvement activities, making evaluations for the improvement of health services, conducting research, fulfilling legal and regulatory requirements, confirming your relationship with the institutions contracted with the clinic, invoicing in return for our health services, information requested with private insurance companies within the scope of financing health services. sharing the information requested with the Ministry of Health and relevant public institutions and organizations in accordance with the relevant legislation, answering all your questions and complaints about our health services, Taking all necessary technical and administrative measures within the scope of data security of our systems and applications, analyzing your use of health services and storing your health data in order to develop and improve the health services we provide, obtaining necessary information in line with the requests and inspections of regulatory and supervisory institutions and official authorities, training of our employees and development, monitoring of abuse and unauthorized transactions, preventing and reversing transactions, preserving the information about your health data that must be kept as per the relevant legislation, providing financial agreement with the institutions we have contracted with regarding the health services offered to you, measuring patient satisfaction and medical diagnosis, execution and development of treatment and care services, planning and management of health services and financing, increasing patient satisfaction, research and similar purposes.
ANNEX-5: Periods
| Personal Data Category | Storage Time | Legal Basis |
| Health Data (Biometric and genetic and Travel Agency data, laboratory, test, analysis and examination results, check-up and prescription information, patient records and health data including but not limited to, and patient relatives information when necessary) | 30 Years from the end of the personal data processing activity | Private Hospitals Regulation, Turkish Penal Code |
| All Records Related to Accounting and Financial Transactions | 10 years | Law No. 6102, Law No. 213 |
| Cookies and Logs | 6 Months – Maximum 2 Years | Internet Law No. 5651 |
| Traffic Information on Online Visitors | 2 years | Law No. 5651 |
| Personal Data Regarding Suppliers | 10 Years after the legal relationship ends | Law No. 6102, Law No. 6098 and Law No. 213 |
| Personal Data Protection Board Transactions | 10 years | Personal Data Protection Authority Personal Data Retention and Destruction Policy Published by KVKK |
| Contracts | 10 Years From The Termination Of The Agreement | Law No. 6102 and Law No. 6098 |
| Human Resources Processes | 10 Years Since End of Operation | Labor Law No. 4857 and Related Legislation |
| Visitor Registration | 2 Years From Event Ending | Personal Data Protection Authority Personal Data Retention and Destruction Policy Published by KVKK |
| Data on Personal Files Stored under the Labor Law | 10 Years from the end of the Business Relationship | Labor Law No. 4857 and Related Legislation and Turkish Code of Obligations No. 6098 |
| Data Collected under OHS Legislation (Health reports, OHS Trainings, Occupational Health and Safety records, etc.) | 15 Years from the end of the Business Relationship | Occupational Health and Safety Law No. 6331 and Related Legislation |
| Data kept within the scope of SSI Legislation (Recruitment declarations, bonus/service documents, etc.) | 10 Years from the end of the Business Relationship | Social Insurance and General Health Insurance Law No. 5510 and Related Legislation |
| Job Application If Application Is Not Accepted, Data Regarding Candidate Applications (CV, Curriculum Vitae, Cover Letter, Application Form etc.) | 1 year | Industry practices apply. |
| Personal Data Processed in Contractual Relationships | 10 Years After Contract Termination | Turkish Code of Obligations No. 6098 |
| Personal Data Regarding Tax Records | 5 years | Tax Procedure Law No. 213 |
| Personal Data Processed for Security Purposes in Accordance with CCTV Cameras (Camera Records) | 90 Days | Industry Custom |
| Traffic Information Processed during Use of Travel Agency Internet Network, Internet Login and Remote Connection (IP address, start and end time of the service provided, type of service used, amount of data transferred and subscriber identity information, if any, etc.) | 2 years | Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts |
| Personal Data of a Dead Person | At least 20 Years | Regulation on Personal Health Data published in the Official Gazette dated 21.06.2018 and numbered 30808 |
