Personal Data Processing and Protection Policy
As Medoffice Health Industry Inc., we attach utmost importance to safeguarding the personal data of every natural person we interact with—customers, employees, visitors, and business partners alike—and to complying with the provisions of Law No. 6698 on the Protection of Personal Data (KVKK), which recognises this protection as a constitutional right.
Accordingly, acting in the capacity of Data Controller, we take all necessary technical and organisational measures to prevent the unlawful processing of personal data, to block unauthorised access, and to ensure the secure preservation of such data.
Through this Personal Data Processing and Protection Policy, we aim to inform you about our principles regarding the processing, transfer, safeguarding, retention, and destruction of personal data, together with the systems we operate for these purposes.
This Policy covers every physical and electronic data-recording system used for processing personal data and special categories of personal data, whether processed automatically or by non-automated means that form part of any data filing system.
Definitions
- Explicit Consent: Consent regarding a specific matter, based on information and declared with free will.
- Constitution: The Constitution of the Republic of Türkiye No. 2709.
- Data Subject: The natural person whose personal data are processed.
- Destruction: The deletion or obliteration of personal data.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Personal Data Processing Inventory: An inventory that correlates processing activities with purposes, data categories, recipient groups, data-subject groups, maximum retention periods, international transfers, and security measures.
- Anonymisation of Personal Data: Rendering personal data incapable of being associated with an identified or identifiable person under any circumstance, even if matched with other data.
- Destruction of Personal Data: The deletion, anonymisation, or destruction of personal data.
- Deletion of Personal Data: Rendering personal data completely inaccessible and unusable for relevant users.
- Obliteration of Personal Data: Making personal data inaccessible, irretrievable, and unusable for anyone.
- DPA Board: The Personal Data Protection Board.
- KVKK: Law No. 6698 on the Protection of Personal Data.
- Medoffice: Medoffice Health Industry Inc.
- Special Categories of Personal Data: Data relating to a person’s race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, attire, association/foundation/union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
- Periodic Destruction: Deletion, destruction, or anonymisation carried out ex officio at recurring intervals once all processing conditions cease to exist, as set out in the retention and destruction policy.
- Policy: This Personal Data Processing and Protection Policy.
- Product or Service Recipient: Natural or legal persons who have a contractual relationship with Medoffice.
- Data Processor: The natural or legal person who processes personal data on behalf of the data controller by virtue of the authority granted.
- Data Filing System: A recording system in which personal data are processed by being structured according to specific criteria.
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system.
INTRODUCTION
Purpose and Scope
As Medoffice Health Industry Inc., we attach maximum importance to protecting the personal data of everyone we interact with—customers, employees, visitors, and business partners—and to complying with Law No. 6698 on the Protection of Personal Data (KVKK), which recognises this protection as a constitutional right.
Accordingly, in our capacity as Data Controller, we take every technical and organisational measure required to prevent the unlawful processing of personal data, to stop unauthorised access, and to ensure that personal data are stored securely.
Through this Personal Data Processing and Protection Policy, our goal is to inform you about our systems and core principles for processing, transferring, protecting, retaining, and destroying personal data.
This Policy encompasses all physical and electronic media and systems used to process personal data and special categories of personal data, whether processed automatically or by non-automated means that are part of a data filing system.
GENERAL PRINCIPLES FOR PROCESSING PERSONAL DATA
Medoffice processes personal data in accordance with Article 20 of the Constitution and Article 4 of KVKK: lawfully and in good faith; keeping data accurate and, where necessary, up to date; for specific, explicit, and legitimate purposes; in a manner that is relevant, limited, and proportionate to those purposes; and for as long as required by legislation or the purpose of processing. We also comply with the provisions governing the processing of special categories of data (Article 6 of KVKK), transfers (Articles 8 and 9), and the obligation to inform data subjects (Article 10).
Every personal data processing activity carried out by Medoffice adheres to the fundamental principles listed in Article 4 of KVKK.
- Processing personal data lawfully and in good faith: We act in accordance with laws, secondary legislation, and general principles of law, limiting processing strictly to the relevant purpose.
- Accuracy and up-to-dateness: We pay attention to ensuring that processed personal data remain accurate and current, and we allow data subjects to request correction or deletion of inaccurate data.
- Processing for specific, explicit, and legitimate purposes: Each processing activity begins with the identification of lawful purposes and adherence to those purposes.
- Relevance, limitation, and proportionality: We limit processing to the personal data necessary for the purpose, and we take the technical and organisational measures required to prevent processing of unrelated personal data.
- Retention for the period required by legislation or the purpose of processing: When the processing purpose ceases or a statutory period expires, personal data are deleted, destroyed, or anonymised.
CONDITIONS FOR PROCESSING PERSONAL DATA
Medoffice processes personal data only if at least one of the legal bases listed in Article 5 of KVKK exists. These conditions are:
- Presence of the data subject’s explicit consent: Personal data may be processed when the data subject provides informed, unambiguous consent limited to the specific transaction.
- Explicit provision in the laws: Where laws expressly allow processing, personal data may be processed without explicit consent.
- Impossibility of obtaining consent and necessity of processing: If the data subject is unable to express consent or the consent would be invalid, personal data may be processed without consent to protect the life or physical integrity of the data subject or another person.
- Direct relation to the establishment or performance of a contract: If processing is necessary to establish or perform a contract between the data subject and Medoffice, it may be carried out without consent.
- Necessity to fulfil a legal obligation of the data controller: Personal data may be processed without consent to comply with legal duties.
- Public exposure by the data subject: Personal data made public by the data subject may be processed without consent, limited to the purpose of disclosure.
- Necessity for the establishment, exercise, or protection of a right: Processing may be conducted without consent where required for legal claims.
- Legitimate interests of the data controller: Personal data may be processed without consent when necessary for Medoffice’s legitimate interests, provided the fundamental rights and freedoms of the data subject are not harmed and a fair balance is maintained.
CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
Article 6 of KVKK lists special categories of personal data on a numerus clausus basis. Medoffice processes such data only by implementing the additional safeguards determined by the Board and solely under the following conditions:
- Explicit consent of the data subject.
- Explicit provision in the laws.
- Necessity to protect the life or physical integrity of a person who cannot express consent or whose consent is invalid.
- Processing of data made public by the data subject, limited to the purpose of disclosure.
- Necessity for the establishment, exercise, or protection of a right.
- Processing by persons under a confidentiality obligation or by authorised institutions for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, or planning, managing, and financing healthcare services.
- Necessity to fulfil legal obligations in employment, occupational health and safety, social security, social services, or social assistance.
- Processing by foundations, associations, or other non-profit entities, in line with their legislation and purposes, limited to their activities and without disclosure to third parties, for their current or former members or those in regular contact with them.
PERSONAL DATA CATEGORIES PROCESSED BY MEDOFFICE
In line with KVKK and other applicable legislation, Medoffice may process personal data categories such as Identity, Contact, Criminal Conviction and Security Measures, Financial, Physical Space Security, Legal Transaction, HR/Personnel, Visual and Audio Records, Professional Experience, Customer Transaction, and Health Information. Detailed information is provided in the relevant privacy notices.
TRANSFER OF PERSONAL DATA
Medoffice may transfer personal data and special categories of personal data to natural persons, private-law legal persons, shareholders, suppliers, authorised public institutions, and other relevant parties by taking the necessary security measures and in compliance with Article 8 of KVKK.
Even without explicit consent, personal data may be transferred to third parties—subject to stringent care and adequate safeguards—if one or more of the following conditions exist:
- The transfer activity is explicitly stipulated in the laws.
- The data subject is unable to provide consent due to actual impossibility or lacks legal capacity, and the transfer is necessary to protect the life or physical integrity of the person or of another individual.
- The transfer is directly related to the establishment or performance of a contract.
- The transfer is necessary for the data controller to fulfil a legal obligation.
- The data have been made public by the data subject, provided the transfer remains limited to the purpose of disclosure.
- The transfer is necessary for the establishment, exercise, or protection of a right for Medoffice, the data subject, or third parties.
- The transfer is mandatory for the legitimate interests of Medoffice, provided the fundamental rights and freedoms of the data subject are not harmed.
Cross-Border Transfers
In addition to the above, Medoffice may transfer personal data abroad only when all required security measures are in place and one of the following conditions is met:
1. Existence of an Adequacy Decision
   If the Board has issued an adequacy decision for the destination country, sector, or international organisation, personal data may be transferred abroad provided that one of the processing conditions in Articles 5 or 6 (contract, legitimate interest, etc.) is satisfied.
2. Appropriate Safeguards in the Absence of Adequacy
   Where no adequacy decision exists, cross-border transfers require the presence of a processing condition under Articles 5 or 6, the assurance that data subjects can exercise their rights and obtain effective legal remedies abroad, and at least one of the following safeguards:
   - An agreement executed between public institutions in Türkiye and abroad (that is not an international treaty) with the Board’s approval.
   - Execution of the standard contractual clauses announced by the Board.
   - Binding Corporate Rules approved by the Board for corporate groups.
   - An undertaking submitted by the parties and approved by the Board, providing guarantees compatible with the fundamental principles of the Law.
3. Occasional Transfers (Where No Adequacy or Safeguard Exists)
   If the above conditions cannot be met, personal data may be transferred abroad on an occasional, non-repetitive basis by obtaining the explicit consent of the data subject and only when one of the following applies:
   - The transfer is necessary for the performance of a contract between the data subject and our Company, or for pre-contractual measures taken at the data subject’s request.
   - The transfer is necessary for the conclusion or performance of a contract between our Company and another natural or legal person for the benefit of the data subject.
   - The transfer is required due to important public interest.
   - The transfer is necessary for the establishment, exercise, or protection of a right.
   - The transfer is necessary to protect the life or physical integrity of a person who cannot provide consent due to actual impossibility.
   - The transfer is made from a public register or one open to certain persons by law, provided it is compatible with the purpose of the register.
UPDATED RULES FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
Article 6 of KVKK lists special categories of personal data exhaustively. Medoffice processes these data only by adopting the additional administrative and technical safeguards determined by the Board and, pursuant to the latest amendments to Article 6, solely when one of the following conditions exists:
- Explicit consent of the data subject.
- Explicit provision in the laws.
- Necessity to protect the life or physical integrity of a person who cannot express consent or whose consent is invalid.
- Processing of personal data made public by the data subject, consistent with the purpose of disclosure.
- Necessity for the establishment, exercise, or protection of a right.
- Processing by persons subject to confidentiality or by authorised institutions for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, or the planning, management, and financing of healthcare services.
- Necessity to meet legal obligations in employment, occupational health and safety, social security, social services, or social assistance.
- Processing by foundations, associations, or other non-profit entities, without disclosure to third parties, limited to their members or those in regular contact with them, in line with their legislation and purposes.
ISSUES RELATING TO THE PROTECTION OF PERSONAL DATA
Pursuant to Article 12 of KVKK, Medoffice takes the technical and organisational measures necessary to prevent the unlawful processing of personal data, to stop unauthorised access, and to ensure the safe storage of data, and conducts or commissions the required audits accordingly.
Our data protection principles include the following:
- Providing transparent information about who uses personal data and for what purpose.
- Processing only the minimum personal data necessary for the stated purposes and avoiding excessive collection.
- Maintaining an inventory of processed personal data categories.
- Ensuring personal data remain accurate and, where necessary, up to date.
- Processing personal data fairly and lawfully.
- Drafting and maintaining this Policy.
- Implementing all technical and organisational measures required by KVKK, secondary legislation, and the Board to guarantee an appropriate level of security.
- Processing only relevant and appropriate personal data.
RETENTION AND DESTRUCTION OF PERSONAL DATA
Medoffice retains personal data for the period required by the processing purpose and for no less than the minimum periods stipulated in applicable legislation. We first determine whether the legislation sets a retention period and, if so, comply with it; otherwise, we retain data only as long as necessary for the processing purpose.
Upon expiry of the retention period or termination of the processing purpose, personal data are destroyed in accordance with our Personal Data Retention and Destruction Policy by deletion, destruction, or anonymisation, either during periodic destruction cycles or upon the data subject’s request.
INFORMING AND NOTIFYING THE DATA SUBJECT
In line with Article 10 of KVKK, Medoffice fulfils its obligation to inform data subjects. Where personal data are obtained directly from the data subject, the required information is provided at the time of collection; where data are obtained from other sources, the information is provided within a reasonable time and, in all cases, without waiting for a request. The information provided covers the following:
- Identity of Medoffice.
- Purposes for which personal data will be processed.
- Parties to whom personal data may be transferred and the purposes of such transfers.
- The method of collecting personal data.
- The legal grounds for collecting personal data.
- Other rights of the data subject listed in Article 11 of KVKK.
RIGHTS OF THE DATA SUBJECT AND EXERCISING THESE RIGHTS
Data subjects may exercise the legal rights set out below:
- Learn whether personal data are processed.
- Request information if personal data have been processed.
- Learn the purpose of processing and whether data are used in accordance with that purpose.
- Know the third parties to whom personal data are transferred domestically or abroad.
- Request correction of incomplete or inaccurate data and notification of such corrections to third parties.
- Request deletion, destruction, or anonymisation of personal data when the reasons requiring processing cease to exist, and request that third parties be notified.
- Object to results arising against them through analysis of data solely by automated systems.
- Request compensation for damages arising from unlawful processing of personal data.
How to Exercise These Rights
Data subjects may submit their requests in Turkish pursuant to the Communiqué on the Principles and Procedures for Data Controller Applications by completing the application form in writing or by sending it via Registered Electronic Mail (KEP), secure electronic signature, mobile signature, or the e-mail address previously registered in our systems.
MEDOFFICE’S RESPONSE TO APPLICATIONS
Medoffice takes every technical and organisational measure necessary to conclude applications submitted by data subjects effectively, lawfully, and in good faith.
Applications may be accepted or rejected—with reasons—and responses are provided to the data subject in writing or electronically.
Provided that the statutory conditions are satisfied, Medoffice responds to data-subject requests regarding the rights listed in this Policy as soon as possible and no later than 30 (thirty) days, free of charge. However, if the response entails an additional cost, the fee set by the Board may be requested.
ENTRY INTO FORCE OF THE POLICY
This Policy enters into force on the date it is published on Medoffice’s corporate website. Any amendments shall likewise take effect upon publication of the updated text on the website.
Contact Information
Company Name: Medoffice Health Industry Inc.
MERSIS No: 0613089571800019
Address: Yazıbaşı Mah. Kuşçu Cad. No:9/1 Torbalı / İZMİR – Türkiye
Phone: +90 232 270 22 30
E-mail: [email protected]
Website: www.medoffice.com.tr