HRS HEALTHCARE SYSTEMS INVESTMENTS AND OPERATIONS INC.
PERSONAL DATA PROTECTION AND PROCESSING POLICY
INFORMATION FORM
- Document Name: HRS HEALTHCARE SYSTEMS INVESTMENTS AND OPERATIONS INC. Personal Data Protection and Processing Policy
- Target Audience: All natural persons whose personal data is processed by HRS HEALTHCARE SYSTEMS INVESTMENTS AND OPERATIONS INC., excluding employees.
- Prepared by: HRS HEALTHCARE SYSTEMS INVESTMENTS AND OPERATIONS INC. Personal Data Protection Committee
- Effective Date: 03/09/2024
- Language Discrepancy Clause: In the event of any discrepancies between the Turkish version of this policy and any translated versions, the Turkish text shall prevail.
© HRS HEALTHCARE SYSTEMS INVESTMENTS AND OPERATIONS INC.
This document may not be reproduced or distributed without the written permission of HRS HEALTHCARE SYSTEMS INVESTMENTS AND OPERATIONS INC.
TABLE OF CONTENTS
- SECTION 1 – INTRODUCTION
  1.1. Introduction
  1.2. Scope
  1.3. Implementation of the Policy and Relevant Legislation
  1.4. Enforcement of the Policy
- SECTION 2 – PERSONAL DATA PROTECTION PRINCIPLES
  2.1. Ensuring the Security of Personal Data
  2.2. Protection of Special Category Personal Data
  2.3. Raising Awareness and Supervision of Business Units on Personal Data Protection and Processing
- SECTION 3 – PRINCIPLES OF PERSONAL DATA PROCESSING
  3.1. Processing Personal Data in Compliance with Legal Principles
  3.2. Conditions for Processing Personal Data
  3.3. Processing of Special Category Personal Data
  3.4. Informing the Data Subject
  3.5. Transfer of Personal Data
- SECTION 4 – CATEGORIZATION AND PURPOSES OF PERSONAL DATA PROCESSED BY THE COMPANY
- SECTION 5 – STORAGE AND DELETION OF PERSONAL DATA
- SECTION 6 – RIGHTS OF DATA SUBJECTS AND EXERCISING THESE RIGHTS
  6.1. Rights of the Data Subject
  6.2. Exercising the Rights of the Data Subject
  6.3. Company’s Response to Applications
APPENDICES
- Appendix 1 – Purposes of Personal Data Processing
- Appendix 2 – Data Subject Categories
- Appendix 3 – Personal Data Categories
- Appendix 4 – Third Parties to Whom Personal Data is Transferred and Purposes of Transfer
SECTION 1 – INTRODUCTION
1.1. Introduction
As HRS HEALTHCARE SYSTEMS INVESTMENTS AND OPERATIONS INC. (“HRS” or the “Company”), one of our top priorities is the protection of personal data within the scope of our business activities. This Personal Data Protection and Processing Policy (“Policy”) sets out the principles adopted by our Company for personal data processing activities and explains our commitment to compliance with the provisions of the Law No. 6698 on the Protection of Personal Data (“Law”). The Policy provides detailed information on all personal data processing activities conducted by our Company, ensuring transparency and informing the data subjects accordingly. In full awareness of our responsibility, we process and protect your personal data within the framework of this Policy.
The protection of employee personal data is managed under the HRS HEALTHCARE SYSTEMS INVESTMENTS AND OPERATIONS INC. Employee Personal Data Protection and Processing Policy, which aligns with this Policy.
1.2. Scope
This Policy covers all personal data processed by our Company through automated means or non-automated means as part of any data recording system, excluding employee data. Details regarding the data subjects whose personal data is processed are provided in Appendix 2 (Data Subject Categories).
1.3. Implementation of the Policy and Relevant Legislation
The applicable legal regulations on personal data protection and processing shall take precedence. In case of any inconsistency between the applicable legal regulations and this Policy, the provisions of the legislation in force shall prevail. This Policy concretizes the rules set forth by the applicable legislation in the context of the Company’s practices.
1.4. Enforcement of the Policy
This Policy, issued by our Company, is effective as of 03/09/2024.
If the Policy is fully or partially updated, the effective date will be revised accordingly.
SECTION 2 – PERSONAL DATA PROTECTION PRINCIPLES
2.1. Ensuring the Security of Personal Data
Our Company takes necessary measures in compliance with Article 12 of the Law to prevent the unlawful processing, access, transfer, or any other security risks related to personal data. These measures are implemented considering the nature of the personal data processed. Accordingly, our Company adopts administrative and technical measures to ensure an adequate level of security in accordance with guidelines issued by the Personal Data Protection Board (“Board”) and conducts necessary audits.
2.2. PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA
Personal data that carries a high risk of causing harm or discrimination if processed unlawfully is given special importance under the Law. According to Article 6 of the Law, “special categories” of personal data include data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, membership in associations, foundations, or trade unions, criminal convictions and security measures, as well as biometric and genetic data (“Special categories of personal data other than health and sexual life”). Additionally, data related to health and sexual life are classified as “special categories of personal data related to health and sexual life.”
Our company takes technical and administrative measures to protect personal data within the scope of the adequate precautions stipulated by the Board’s Decision No. 2018/10 dated 31/01/2018. These measures are implemented within the framework of our Policy on the Processing and Security of Special Categories of Personal Data and are monitored and audited through internal company inspections.
Further details regarding the processing of special categories of personal data can be found in Section 3.3 of this Policy.
2.3. RAISING AWARENESS AND AUDITING BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Our company ensures that necessary training sessions are conducted for business units to increase awareness of preventing the unlawful processing of personal data, unauthorized access to data, and ensuring the safe retention of data. The training and awareness programs organized by the company are developed in accordance with the “Personal Data Security Guide” published on the official website of the Board.
Through these training sessions and awareness initiatives, our company aims to ensure that personal data processing activities conducted by employees in the course of their duties comply with the Law and secondary legislation.
To foster awareness of personal data protection among both existing and newly recruited employees, our company establishes the necessary systems and consults with external experts when needed. Accordingly, participation in related training sessions, seminars, and information meetings is evaluated, and new training programs are organized in parallel with updates in the relevant legislation.
SECTION 3 – MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA
3.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES SET FORTH IN LEGISLATION
3.1.1. Lawful and Fair Processing
Personal data is processed in compliance with general trust and good faith principles, ensuring that individuals’ fundamental rights and freedoms are not harmed. Within this framework, personal data is processed only to the extent necessary for our company’s business activities.
3.1.2. Ensuring Accuracy and Updating When Necessary
Our company takes necessary measures to ensure that personal data remains accurate and up to date throughout the processing period. Periodic mechanisms are established to verify and maintain the accuracy and currency of personal data.
3.1.3. Processing for Specific, Explicit, and Legitimate Purposes
Our company explicitly defines the purposes for processing personal data and ensures that data is processed in connection with and for purposes aligned with business operations.
3.1.4. Processing in a Manner That Is Relevant, Limited, and Proportionate to the Purpose
Our company collects personal data only to the extent required for business activities and processes it within the scope of clearly defined purposes.
3.1.5. Retention for the Period Required by Relevant Legislation or the Purpose of Processing
Our company retains personal data for the necessary duration in accordance with the purposes for which it was processed and in line with the minimum retention periods prescribed by applicable laws and regulations. In this regard, our company first determines whether a retention period is stipulated by the relevant legislation. If a retention period is specified, the company complies with that timeframe. If no legal retention period is defined, the data is kept for as long as necessary for the purpose of processing.
At the end of the specified retention periods, personal data is deleted, destroyed, or anonymized in accordance with periodic destruction schedules or upon the data subject’s request, using appropriate deletion, destruction, and/or anonymization methods.
3.2. CONDITIONS FOR PROCESSING PERSONAL DATA
Apart from obtaining the explicit consent of the data subject, the basis for personal data processing activities may be one or more of the conditions listed below. If the processed data is considered sensitive personal data, the conditions outlined in Section 3.3 of this Policy (“Processing of Sensitive Personal Data”) shall apply.
(i) Presence of Explicit Consent of the Data Subject
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be given for a specific matter, based on information, and voluntarily.
In cases where one of the personal data processing conditions below is met, personal data may be processed without the need for the explicit consent of the data subject.
(ii) Explicitly Stipulated in Laws
If the processing of personal data is explicitly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, this condition shall be deemed to exist.
(iii) Inability to Obtain the Data Subject’s Consent Due to Physical Impossibility
If the data subject is unable to provide consent due to physical impossibility or if their consent cannot be deemed legally valid, personal data may be processed if it is necessary to protect the life or physical integrity of the data subject or another person.
(iv) Direct Relevance to the Establishment or Performance of a Contract
If the processing of personal data is necessary for the establishment or performance of a contract to which the data subject is a party, this condition shall be deemed fulfilled.
(v) Compliance with the Company’s Legal Obligations
If processing is necessary for the Company to fulfill its legal obligations, personal data may be processed.
(vi) The Data Subject Has Made the Data Public
If the data subject has made their personal data public, the relevant personal data may be processed limited to the purpose of disclosure.
(vii) Necessity of Data Processing for the Establishment or Protection of a Right
If processing is necessary for the establishment, exercise, or protection of a legal right, personal data may be processed.
(viii) Necessity of Data Processing for the Legitimate Interests of the Company
Personal data may be processed if it is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.
3.3. PROCESSING OF SENSITIVE PERSONAL DATA
Sensitive personal data is processed by our Company in accordance with the principles stated in this Policy and by taking administrative and technical measures as outlined in the “Sensitive Personal Data Processing and Security Policy,” provided that the following conditions are met:
(i) Sensitive personal data, except for those related to health and sexual life, may be processed without obtaining explicit consent if it is explicitly stipulated in the law. Otherwise, explicit consent of the data subject shall be obtained.
(ii) Sensitive personal data related to health and sexual life may be processed without explicit consent for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and healthcare services, as well as planning and managing healthcare services and their financing, provided that such data is processed by individuals or authorized institutions and organizations that are under a confidentiality obligation. Otherwise, explicit consent of the data subject shall be obtained.
3.4. INFORMATION OF THE DATA SUBJECT
Our Company, in compliance with Article 10 of the Law and secondary legislation, informs data subjects about who processes their personal data as the data controller, for what purposes, with whom it is shared, the methods of collection, the legal basis, and the rights of the data subject concerning the processing of their personal data.
3.5. TRANSFER OF PERSONAL DATA
Our Company, in line with the lawful purposes of personal data processing, may transfer the personal data and sensitive personal data of the data subject to third parties (third-party companies, group companies, or third natural persons) by taking the necessary security measures. In this regard, our Company complies with the provisions set forth in Article 8 of the Law. Detailed information on this matter can be found in Appendix 4 of this Policy (“Appendix 4 – Third Parties to Whom Personal Data is Transferred and the Purposes of Transfer”).
3.5.1. Transfer of Personal Data to Third Parties Residing in the Country
Even if the data subject does not give consent, personal data may be transferred to third parties by our Company with due diligence and necessary security measures, provided that one or more of the following processing conditions (“Data Processing Conditions”) are met:
- The data transfer activity is explicitly stipulated in laws.
- The transfer of personal data is directly related to and necessary for the establishment or performance of a contract.
- The transfer of personal data is mandatory for the Company to fulfill its legal obligations.
- The transfer of personal data is limited to the purpose of disclosure if the data subject has made their data public.
- The transfer of personal data is necessary for the establishment, exercise, or protection of the legal rights of the Company, the data subject, or third parties.
- Personal data may be transferred if it is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.
- If the data subject is unable to give consent due to physical impossibility, or if their consent is not legally valid, and it is necessary to process personal data to protect the life or physical integrity of the data subject or another person.
3.5.2. Transfer of Personal Data to Third Parties Residing Abroad
The transfer of personal data abroad by our Company shall be carried out in accordance with the following rules, depending on whether the recipient country is considered a secure country by the Authority:
- If the recipient country is among the secure countries announced by the Authority, personal data may be transferred provided that at least one of the Data Processing Conditions is met.
- If the recipient country is not among the secure countries, personal data may be transferred under at least one of the Data Processing Conditions and in compliance with the fundamental principles outlined in Article 4 of the Law, provided that:
  - The explicit consent of the data subject is obtained, or
  - The Company and the recipient data controller in the respective country undertake adequate protection in writing and obtain permission from the Authority for such transfer.
3.5.3. Transfer of Sensitive Personal Data
Sensitive personal data is processed by our Company in accordance with the principles stated in this Policy and by taking administrative and technical measures as outlined in the “Sensitive Personal Data Processing and Security Policy,” provided that the following conditions are met:
- Sensitive personal data, except for those related to health and sexual life, may be processed without obtaining explicit consent if it is explicitly stipulated in the law. Otherwise, explicit consent of the data subject shall be obtained.
- Sensitive personal data related to health and sexual life may be processed without explicit consent for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and healthcare services, as well as planning and managing healthcare services and their financing, provided that such data is processed by individuals or authorized institutions and organizations that are under a confidentiality obligation. Otherwise, explicit consent of the data subject shall be obtained.
SECTION 4 – CATEGORIZATION AND PURPOSES OF PROCESSING PERSONAL DATA BY OUR COMPANY
Our Company processes personal data in compliance with the general principles stated in Article 4 of the Law and at least one of the Data Processing Conditions, in a limited manner, and within the framework of business operations. Detailed information regarding personal data processing purposes can be found in Appendix 1 of this Policy (“Appendix 1 – Personal Data Processing Purposes”).
Detailed information regarding the categories of personal data processed by our Company and their descriptions can be found in Appendix 3 of this Policy (“Appendix 3 – Personal Data Categories”).
SECTION 5 – RETENTION AND DESTRUCTION OF PERSONAL DATA
Our company retains personal data for the period necessary for the purpose for which they are processed and for the minimum duration stipulated by the relevant legal regulations. Our company first determines whether a retention period for personal data is prescribed by the relevant legislation. If such a period is specified, it complies with this duration. If no legal period is set, personal data is retained for the duration necessary for the purpose of processing.
The personal data processed by our company are categorized, and the maximum retention periods for each category are determined in accordance with the relevant data processing process. These periods are set forth in the table included in our company’s Personal Data Retention and Destruction Policy. At the end of the determined maximum retention periods, personal data is destroyed in accordance with periodic destruction periods or upon request from the relevant person, using specified destruction methods (deletion, destruction, and/or anonymization).
SECTION 6 – RIGHTS OF DATA SUBJECTS AND EXERCISE OF THESE RIGHTS
6.1. RIGHTS OF THE DATA SUBJECT
Data subjects have the following rights:
- To learn whether their personal data is being processed,
- To request information if their personal data has been processed,
- To learn the purpose of processing personal data and whether they are used in accordance with their intended purpose,
- To know the third parties to whom their personal data is transferred, whether domestically or abroad,
- To request the correction of their personal data if it is incomplete or incorrectly processed and to request that third parties to whom the data has been transferred be informed of this correction,
- To request the deletion or destruction of their personal data if the reasons for processing no longer exist, even if they have been processed lawfully, and to request that third parties to whom the data has been transferred be informed of this deletion or destruction,
- To object to the occurrence of an unfavorable result concerning them by means of the exclusive processing of data through automated systems,
- To demand compensation for damages in case they suffer harm due to the unlawful processing of their personal data.
6.2. EXERCISE OF DATA SUBJECT RIGHTS
Data subjects may submit their requests regarding the rights specified in Section 6.1 (“Rights of the Data Subject”) to our company through the methods determined by the Board. Accordingly, they can utilize the “Data Subject Application Form”, available at https://hrsankara.com.
6.3. COMPANY’S RESPONSE TO APPLICATIONS
Our company takes the necessary administrative and technical measures to ensure that applications submitted by data subjects are processed in accordance with the law and secondary regulations.
If the data subject submits a request regarding their rights as specified in Section 6.1 (“Rights of the Data Subject”) in compliance with the proper procedure, our company will process the request as soon as possible and at the latest within 30 (thirty) days, free of charge. However, if the requested transaction incurs additional costs, a fee may be charged in accordance with the tariff determined by the Board.
ANNEX 1 – Purposes of Personal Data Processing
| PRIMARY PURPOSES | SECONDARY PURPOSES |
|---|---|
| Planning and execution of our company’s human resources policies and processes | Planning of human resources processes |
| Execution of personnel recruitment processes | |
| Planning and execution of benefits and perks for employees | |
| Salary management | |
| Planning and monitoring employee performance evaluation processes | |
| Fulfilling employment contract and legal obligations for employees | |
| Execution of wage policy | |
| Conducting employee satisfaction and engagement processes | |
| Managing application processes of job candidates | |
| Planning and/or execution of in-house training activities | |
| Conducting necessary work by our relevant business units for the execution of the commercial activities carried out by our company and managing related business processes | Planning and execution of corporate communication activities |
| Tracking finance and accounting affairs | |
| Planning and/or execution of business continuity activities | |
| Planning and execution of business activities | |
| Establishing and managing IT infrastructure | |
| Planning and executing the company’s commercial and/or business strategies | |
| Planning and execution of external training activities | |
| Ensuring the legal, technical, and commercial-business security of the company and relevant persons who have a business relationship with the company | Planning and execution of necessary operational activities to ensure that company activities comply with company procedures and relevant legislation |
| Providing information to authorized institutions as required by legislation | |
| Ensuring the security of company premises and facilities | |
ANNEX 2 – Data Subjects
| DATA SUBJECT CATEGORIES | DESCRIPTION |
|---|---|
| Corporate Customer | Natural persons who use or have used the services provided by our company, regardless of whether they have a contractual relationship with our company |
| Inventor/Entrepreneur | Natural persons who share their projects or technological initiatives with our company within the scope of the services offered |
| Visitor | Natural persons who enter our company’s physical premises for various purposes or visit our websites |
| Third Party | Third-party individuals related to the above-mentioned parties to ensure commercial transaction security or to protect and benefit the rights and interests of such persons (e.g., family members and relatives) or other natural persons who do not fall under the scope of this policy and Inventram Intellectual Property Rights Management Trade and Investment Inc. Personal Data Protection and Processing Policy |
| Job Candidate | Natural persons who have applied for a job at our company through any means or have made their resumes and related information available for the company’s review (including intern candidates) |
| Company Shareholder | Natural persons who are shareholders of our company |
| Company Executive | Natural persons who are members of the company’s board of directors and other authorized persons |
| Employees, Shareholders, and Executives of Business Partners | Natural persons working in institutions with which our company has any business relationship (such as business partners and suppliers, but not limited to these), including the shareholders and executives of these institutions |
ANNEX 3 – Categories of Personal Data
| CATEGORIES OF PERSONAL DATA | DESCRIPTION |
|---|---|
| Identity Information | Data containing information about an individual’s identity, including name, surname, Turkish ID number, nationality, place of birth, date of birth, gender, workplace information, registration number, tax number, title, biography, etc., as well as documents such as driver’s licenses, professional IDs, national ID cards, and passports |
| Contact Information | Phone number, address, email, fax number |
| Family and Relatives Information | Information regarding an individual’s family members and relatives, processed within the scope of our company’s operations and the products and services we offer, or for the purpose of protecting the legal and other interests of the company and the data subject |
| Physical Space Security Information | Personal data related to records and documents obtained at physical space entry and while remaining in the physical space, including camera recordings, vehicle information records, and records obtained at security checkpoints |
| Transaction Security Information | Personal data processed to ensure our technical, administrative, legal, and commercial security during the execution of our activities (e.g., log records, IP information, authentication details) |
| Financial Information | Personal data processed regarding financial results based on the type of legal relationship our company has with the data subject, including documents and records related to financial outcomes, bank account numbers, IBAN numbers, income details, debt/credit information, etc. |
| Job Candidate Information | Information about job and/or intern candidates who have applied to our company through any means or have shared their resumes |
| Sensitive Personal Data | Data regarding an individual’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance and dress, association, foundation, or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data |
| Request/Complaint Management Information | Personal data related to the receipt and evaluation of any requests or complaints submitted to our company |
| Visual and Audio Data | Photographs, camera recordings (excluding those processed under Physical Space Security Information), and audio recordings |
| Audit and Inspection Information | Personal data processed for conducting operational, financial, fraud, and compliance audits of our company |
| Legal Procedure and Compliance Information | Personal data processed for identifying and tracking our legal claims and rights, fulfilling our obligations, and ensuring compliance with laws and company policies |
| Transaction Information | Personal data processed within the scope of our company’s activities, related to products or services provided, or to protect the legal and other interests of the company and the data subject, such as survey data, statements, purchase records, call center records, membership details, and cookie records |
