5.3 Purposes of Collection and Processing of Personal Data of Personal Data Owners in Personal Data Subject Groups

 The Health Store Turkey processes the personal data of its shareholders and officials in order to carry out the activities written in the Introduction section within the framework of the legal obligations arising from the Turkish Commercial Code, Tax Procedure Law, Labor Law and other relevant legislation. These personal data are obtained from the records kept in official institutions regarding The Health Store Turkey, the minutes of the company’s general assembly and board of directors, and the documents kept regarding the corporate and management processes of the company.

The Health Store Turkey, the data of tenants operating in the independent sections of the hospital within the framework of the lease agreement in the data category of authorized real persons; Ensuring the execution of the lease agreement between the parties, ensuring that all tenants act in accordance with the rules due to the obligation of the data controller in ensuring the general security and order of the hospital, and in case of breach of contractual obligations, notices can be drawn, enforcement and lawsuits can be applied and other measures can be taken saves in order.

The personal data of the tenants in the hospital are obtained through the lease agreement, addendums, additional contracts, protocols, mail correspondence, and the business cards given by the tenants themselves.

The Health Store Turkey records it in order to check whether the authorized real persons of the suppliers and subcontractors who assist in the performance of the hospital’s activities and the real person employees assigned by these suppliers and subcontractors fulfill their duties and to ensure the order of the activities of the company. Personal data of suppliers and subcontractors are obtained through e-mails sent and received as a result of communication with them, telephone calls and transfer of business card and website information.

The Health Store Turkey requests and processes the personal data of the personnel and interns working within its body in order to be able to register with the Social Security Institution, in order to complete the required documents to be included in the personnel file within the scope of the current Labor Law and Occupational Health and Safety Law. These personal data include the resume, job application forms, resume viewing methods offered by human resources software programs (such as Kariyer.net, LinkedIn) that provide candidate pool services, which are asked to them during the interview and answered with their consent. It is obtained through their answers to the questions.

The Health Store Turkey requests and processes personal data from real persons applying for a job in order to communicate with the person for interview purposes during the recruitment process and to determine whether the person’s qualifications and experiences are compatible with the vacant position to be recruited. This personal data is for applicants to send their CVs to the human resources department with their express consent, to answer questions of their own consent during the interview, or to publish advertisements and view resumes provided by human resources software programs (such as Kariyer.net, LinkedIn) that provide candidate pool services It is obtained by methods.

The Health Store Turkey records the data of the employees and authorized real persons of the business partners with which it cooperates, within the framework of the purposes of establishing the business partnership. It records the personal data of the suppliers of goods and services in order to ensure that the services required to fulfill the commercial activities of the shopping center are provided in The Health Store Turkey and to control this. These personal data are obtained from business cards through signed contracts, invoices sent, device delivery reports, mail correspondence, telephone and other communication.

The license plate information, information in the complaint and request form, and identity information of all visitors coming to the office where The Health Store Turkey operates are obtained in order to ensure the security of the office where the company operates. In case people call the Call Center or the relevant departments of the company to convey their requests and complaints, the voice records of the individuals are processed in order to ensure the service quality. The data provided by individuals at the counter, at the information desk or on the Wi-Fi login screen are processed for the purpose of ensuring service quality, performing activities and for security reasons. Images of people visiting The Health Store Turkey office for whatever reason are obtained by 24/7 security camera image methods.

5.4. Associating Data Subject Groups with Data Categories Belonging to These Persons

Personal data of The Health Store Turkey data owners are collected within the scope of personal data processing conditions specified in Articles 5 and 6 of KVK Law No.6698 and limited to the purposes specified in this Policy, in accordance with Articles 8 and 9 of the KVK Law. 3. Will be able to transfer to persons and institutions.

The scope of the persons to whom the transfer is made and the purposes of data transfer are stated below. These people and Institutions;

A) The Health Store Turkey affiliated institutions and organizations and business partners,

B) The Health Store Turkey suppliers / tenants / subcontractors

C) The Health Store Turkey Shareholders,

D) The Health Store Turkey officials,

E) Public institutions and organizations authorized to obtain information legally,

F) They are private law legal entities legally authorized to obtain information.

7. TRANSFER OF PERSONAL DATA ABROAD

The Health Store Turkey, KVK Board by adequate protection where it has been declared to foreign countries ( “Adequate Protection with Foreign Countries”) or in case of adequate protection of the absence of an adequate protection of those responsible for the data in and in the foreign countries, Turkey has pledged in writing and KVK Board can transfer personal data to foreign countries (“Foreign Country where Data Controller Committing Adequate Protection”) has the permission of.

In this direction, The Health Store Turkey acts in accordance with the regulations stipulated in Article 9 of the KVK Law.

7.1 Transferring Personal Data Abroad

The Health Store Turkey can transfer personal data to Foreign Countries with Sufficient Protection or Undertaking Sufficient Protection, if the personal data owner has given explicit consent for legitimate and legal personal data processing purposes, or if the personal data owner does not have express consent:

• If there is a clear regulation in the laws that personal data will be transferred,
• If it is mandatory for the protection of the life or body integrity of the personal data owner or someone else and if the personal data owner is unable to disclose his consent due to the actual impossibility or his consent is not legally valid;
• If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• If personal data transfer is mandatory for The Health Store Turkey to fulfill its legal obligation,
• If the personal data has been made public by the personal data owner,
• If the transfer of personal data is mandatory for the establishment, exercise or protection of a right,
• Personal data transfer is mandatory for the legitimate interests of The Health Store Turkey, provided that the fundamental rights and freedoms of the personal data owner are not damaged.

7.2. Transferring Special Quality Personal Data Abroad

The Health Store Turkey, with due care, taking necessary security measures and taking adequate precautions stipulated by the KVK Board; In line with legitimate and lawful personal data processing purposes, it can transfer the special quality data of the personal data owner to Foreign Countries with Sufficient Protection or Undertaking the Adequate Protection in the following cases.

• If the personal data owner has explicit consent, or
• If the personal data owner has no explicit consent;
  • Personal data of special nature other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, association, foundation or union membership, criminal conviction and security measures and biometric and genetic data), in cases stipulated by laws,

• Personal data of special quality regarding the health and sexual life of the personal data owner, only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, persons or authorized institutions and organizations under the obligation to keep confidentiality. under the processing by.

As a rule, personal data obtained by The Health Store Turkey is not shared abroad. Personal data of foreign nationals, Turkish nationals living abroad or coming to The Health Store Turkey through companies established in foreign countries can be shared with the relevant public institution, insurance company or intermediary institutions and organizations.

8. STORAGE OF PERSONAL DATA

The personal data we obtain is securely stored in physical or electronic environment for an appropriate period of time in order to enable The Health Store Turkey to perform its medical and commercial activities.

Within the scope of these activities, The Health Store Turkey acts in accordance with the obligations stipulated in all relevant legislation, especially the KVK Law, regarding the protection of personal data.

In accordance with the relevant legislation, with the exception of cases where the storage of personal data is permitted or required for a longer period, in the event of the termination of the purposes of processing personal data, personal data will be deleted, destroyed or anonymized by The Health Store Turkey or at the request of the relevant persons .

In case of deletion of personal data through the aforementioned methods, these data will be destroyed in a way that they cannot be used and retrieved in any way.

However, in cases where the data controller has a legitimate interest, personal data will be processed until the limitation period specified in the Law of Obligations or other legislation concerning The Health Store Turkey expires, provided that the purpose of processing and the periods specified in the relevant laws expire, provided that the fundamental rights and freedoms of the data subjects are not harmed can be stored. Personal data will be deleted, destroyed or anonymized after the aforementioned limitation period expires.

9. MEASURES ON THE PROTECTION OF PERSONAL DATA

The Health Store Turkey takes the necessary technical and administrative measures to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the appropriate level of security in accordance with the conditions set forth in the KVK Law. to make or have inspections.

Although all technical and administrative measures have been taken, The Health Store Turkey informs the relevant units as soon as possible in the event that the processed personal data are illegally seized by third parties.

9.1. Technical Measures:

• Technical measures are taken in accordance with the developments in technology, the measures taken are periodically updated and
• Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a business unit basis.
• Access rights are limited and authorities are regularly reviewed.
• The technical measures taken are periodically controlled, and the necessary technological solutions are produced by re-evaluating the issues that pose a risk.
• Software and hardware including virus protection systems and firewalls are installed.
• Knowledgeable personnel on technical issues are employed and system vulnerabilities are controlled.
• It is regularly subjected to security scans to detect security vulnerabilities in applications where personal data are collected. Closing the gaps found is provided.
• It is ensured that personal data is destroyed in such a way that it cannot be recycled and leave no audit trail. With penetration tests, the risks, threats, vulnerabilities and gaps, if any, of our Company’s information systems are revealed and necessary measures are taken.
• Necessary measures are taken for the physical security of our company’s information systems equipment, software and data.
• Procedures are established and implemented for the distribution of access authorizations and roles, authorization matrix is applied, access is recorded and inappropriate access is kept under control, disposal processes in accordance with the storage and disposal policy are defined and implemented. Backup programs are used that ensure the safe storage of personal data.
• Information systems are kept up to date and strong passwords are used in electronic environments where personal data are processed.
• As a result of real-time analysis with information security event management, risks and threats that will affect the continuity of information systems are constantly monitored.
• The session is recorded. Hardware and software (firewalls, network access control, systems that prevent malicious software, etc.) are taken to ensure the security of information systems against environmental threats.
• Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks and technical controls are carried out for the measures taken.
• By creating access procedures within the company, reporting and analysis studies regarding access to personal data are carried out.
• Accesses to storage areas where personal data are stored are recorded, and inappropriate access or access attempts are kept under control.
• The company takes the necessary measures to ensure that the deleted personal data cannot be accessed and reused for the relevant users.
• In case personal data is illegally obtained by others, a suitable system and infrastructure has been established by the Company to inform the relevant person and the Board.
• Passwords are used in electronic environments where personal data are processed. Data backup programs are used that ensure the safe storage of personal data.
• Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
• Users are enabled to use unique usernames and passwords while logging into the systems.
• A separate policy has been determined for the security of sensitive personal data. Special quality personal data security trainings have been provided for employees involved in special quality personal data processing processes, confidentiality agreements have been made, and the authorities of users with access to data have been defined.
• Adequate security measures are taken in the physical environments where personal data of special nature are processed, stored and / or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
• If personal data of special nature needs to be transferred via e-mail, they are transferred encrypted using a corporate e-mail address or a REP account. It is encrypted if required to be transferred via removable memory, CD, DVD, etc. If it is required to be transferred via paper environment, necessary measures are taken against risks such as theft, loss or being seen by unauthorized persons, and the document is sent in “confidential” format.

9.2. Administrative Measures:

• Employees , personal data are trained on technical measures will be taken to prevent unlawful access.
• Employees are trained by the Legal Advisor on the KVK Law.
• Personal data processing on a business unit basis is designed and implemented in The Health Store Turkey in accordance with the legal compliance requirements for access and authorization of personal data.
• The Health Store Turkey has to comply with the obligations stipulated by the KVK Law in order to process personal data in accordance with the law in all kinds of documents that regulate the relationship between its personnel and personal data, personal data should not be disclosed, personal data should not be used illegally and The non-compliance of the personnel with these obligations requires the implementation of sanctions that may terminate the employment contract and is specifically regulated in the The Health Store Turkey’s Group Code of Conduct.
• Employees are informed that they cannot disclose the personal data they have learned to anyone in violation of the provisions of the KVK Law and cannot use them for purposes other than processing, and this obligation will continue after they leave their job and in this direction, necessary commitments are taken from them.
• Contracts concluded by The Health Store Turkey with persons to whom personal data are legally transferred; The provisions stating that the persons to whom the personal data are transferred will take the necessary security measures in order to protect the personal data and ensure that these measures are followed in their own organizations.
• The Health Store Turkey notifies the relevant person and the Board as soon as possible in the event that the processed personal data are obtained by others illegally.
• The Health Store Turkey employs knowledgeable and experienced personnel about the processing of personal data and provides necessary training to its personnel within the scope of personal data protection legislation and data security.
• The Health Store Turkey carries out the necessary inspections and has them done in order to ensure the implementation of the provisions of the Law before its own legal entity. Confidentiality and security vulnerabilities arising as a result of the audits
• The Health Store Turkey is responsible for fulfilling the obligations of third parties to whom personal data is transferred, to process and preserve the data in accordance with the provisions of this Policy and KVK Law, and to access data in accordance with the law, pursuant to the article of the KVK Law. For this reason, The Health Store Turkey should take commitments that include the provision of these conditions and the authorization to perform inspections in the contracts to be made and all kinds of arrangements while transferring data to third parties. Again, The Health Store Turkey should specifically inform all of its staff in terms of responsibilities arising from the processes of transferring personal data to third parties.
• In order to improve the quality of employees, training is provided on the prevention of unlawful processing of personal data, prevention of unlawful access to personal data, protection of personal data, communication techniques, technical knowledge skills and other relevant legislation.
• Confidentiality agreements are made to the employees regarding the activities carried out by the company. A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
• Before starting to process personal data, the obligation to inform the relevant persons is fulfilled by the Authority.
• Personal data processing inventory has been prepared. Our employees are trained and informed about the legal processing of personal data.
• It is ensured that unneeded personal data are deleted, destroyed or anonymized.
• It is ensured that all reasonable precautions are taken in order to prevent the theft, loss or corruption of information.
• Disciplinary procedures to be applied to employees who do not comply with security policies and procedures are applied, and the obligation to inform the relevant persons is fulfilled.
• Periodic and random audits are conducted within the company and information security trainings are provided for employees.

9.3. Supervision of the Measures Taken for the Protection of Personal Data:

Within the scope of KVK Law, The Health Store Turkey will have the title of data controller and will be registered with VERBİS system.

In the 1st paragraph of the 11th article of the Regulation “is responsible for the data under the Law of legal persons residing obligations in Turkey, representing a legal entity in accordance with relevant legislation and bind mentioned in the official competent body or the applicable legislation or any person fulfilled with ingenuity. The body authorized to represent the legal entity may assign one or more persons in relation to the obligations to be fulfilled in terms of the implementation of the Law ”.

Persons who are given management and representation of the company by the Board of Directors in accordance with the relevant articles of the TCC are responsible for transactions and actions that take place within the limits of their authority within the scope of TCC, BK and TCK.

In particular, they have been elected authorized to represent and testify in law enforcement, prosecutors’ offices, public institutions and courts.

The Director of each department will be obliged to audit and report to the Board of Directors and the Executive Board whether the Related Users in the departments comply with this Policy and Destruction Policy prepared within the framework of the Law and Regulation. In cases requiring a decision, the decision taken will be put into effect following the Board of Directors’ decision after obtaining the opinion of the Legal Consultancy.

10. DATA CONTROLLER’S OBLIGATION

The Health Store Turkey informs the personal data subject’s rights in accordance with Article 10 of the Law on KVK and guides the personal data owner on how to exercise these rights.

The Health Store Turkey carries out the necessary channels, internal operation, administrative and technical regulations in accordance with Article 13 of the KVK Law in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.

Within the scope of Article 10 of the Law on KVK, data owners should be informed before or at the latest during the acquisition of personal data. The information to be conveyed to data owners within the framework of the mentioned disclosure obligation is as follows:

1. Identity of the data controller and, if any, its representative,

2. For what purpose personal data will be processed,

3. To whom and for what purpose the processed personal data can be transferred,

4. Method and legal reason for collecting personal data,

5. Other rights enumerated in Article 11 of the KVK Law.

In order to fulfill its obligation of illumination, The Health Store Turkey has prepared illumination statements on the basis of the process and the persons whose data are processed, to be submitted to the data owners within the scope of the above-mentioned KVK Law.

After the disclosure statements were submitted to the data owners, explicit consent statements were also prepared for data processing activities and data categories requiring the explicit consent of the data owner in order for The Health Store Turkey to carry out its activities.

On the other hand, The Health Store Turkey is not obliged to enlighten in cases listed within the framework of Article 28 (1) of the KVK Law.

11. THE HEALTH STORE TURKEY’S RESPONSE TO APPLICATIONS

11.1. The Procedure and Duration of The Health Store Turkey to Answer Applications

Personal data subject, 11.1 of this section. In the event that it transmits its request to The Health Store Turkey in accordance with the procedure in the section titled “The Health Store Turkey”, The Health Store Turkey will finalize the request free of charge within thirty days at the latest, depending on the nature of the request.

However, if a fee is stipulated by the KVK Board, the fee in the tariff determined by the KVK Board will be collected from the applicant by The Health Store Turkey.

11.2. Information that The Health Store Turkey may request from the Applicant Personal Data Owner

The Health Store Turkey may request information from the relevant person in order to determine whether the applicant is the owner of personal data. In order to clarify the matters included in the application of the personal data owner, it may ask a question to the personal data owner about his application.

11.3. The Health Store Turkey’s Right to Reject the Application of Personal Data Owner

• The Health Store Turkey The Health Store Turkey may reject the application of the applicant by explaining the reason in the following cases:
• Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
• Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
• Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
• Processing of personal data is necessary for the prevention of crime or for criminal investigation.
• Processing personal data made public by the personal data owner himself.
• The processing of personal data is necessary for the execution of supervision or regulation duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations that have the status of public institutions, based on the authority granted by the law
• Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues.
• The possibility of the personal data subject’s request to hinder the rights and freedoms of other persons
• Requests requiring disproportionate effort have been made
• The information requested is public information.

12. REVISION AND TERMINATION

If this Policy is revised or abolished, the revised version of the Policy or the new policy sample will be announced in the relevant places.

13. ENFORCEMENT

This Policy comes into force on 28.01.2018.

14. EXECUTION

All department Directors are responsible for the follow-up and coordination of all business and transactions within the scope of the KVK Law and the Data Protection Board regulations of the board of directors of The Health Store Turkey, which is responsible for fulfilling the obligations of the data controller and the data controller.

Click to download the KVKK Application Request Form.