GET A QUICK QUOTE

MEDIOCEAN CLINIC
CLOSE

What can we do?For you

After selecting the service(s) you are interested in, please fill out the form, and we will provide you with detailed information and our offer regarding the requested service(s) as soon as possible.

To reach us, just one more step.

We will provide you with detailed information about the relevant service you have chosen.
Continue to Step 2 SUBMIT THE FORM

+90 545 520 8 777 Our 24/7 Working Hours Istanbul / Turkey
EN
A A

Cookie Policy

1. DATA PRIVACY COMMITMENT

1.1 This Personal Data Protection Policy (“Policy”) MedoCEAN ESTETİK VE SAĞLIK HİZMETLERİ TİCARET LİMİTED ŞİRKETİ by the provisions of the relevant legislation, in particular the Law on the Protection of Personal Data No. 6698, while fulfilling its obligations to protect Personal Data and processing Personal Data within the Company and/or It determines the principles to be followed by the company.

1.2 The Company undertakes to act by this Policy and the procedures to be applied by the Policy in terms of Personal Data within its own body.

2. PURPOSE OF THE POLICY

The main purpose of this Policy is to determine the principles regarding the methods and processes for the processing and protection of Personal Data by the Company.

3. SCOPE OF THE POLICY

3.1 This Policy covers all activities regarding the Personal Data that the Company processes and is applied to such activities.

3.2 This Policy does not apply to data that does not qualify as Personal Data.

3.3 This Policy may be amended from time to time with the approval of the Board of Directors, if required by the KVK Regulations or when deemed necessary by the Company or the Committee. In case of inconsistency between the KVK regulations and this Policy, the KVK Regulations are taken as the basis.

4. DEFINITIONS

The definitions in this Policy have the following meanings;

Explicit Consent: It refers to the consent that is based on being informed about a certain subject and that is declared with free will.

Anonymization: It means making Personal Data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Obligation to Disclose: Denotes the obligation of the Data Controller or the person authorized by him/her to inform the Data Owner within the scope of Article 10 of the KVKK during the acquisition of Personal Data.

Personal Data: Denotes any information relating to an identified or identifiable natural person (within the scope of this procedure, the term “Personal Data” will also include “Special Personal Data” defined below as appropriate)

Personal Data Processing: Acquiring, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, and making available Personal Data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, It refers to all kinds of operations performed on data such as classification or prevention of use.

Committee: Represents the Company's Personal Data Protection Committee.

Board: Represents the Personal Data Protection Board.

Institution: Represents the Personal Data Protection Authority.

KVKK: Refers to the Law on Protection of Personal Data No. 6698.

KVK Regulations: Law No. 6698 on the Protection of Personal Data and other relevant legislation on the protection of Personal Data, binding decisions, policy decisions, provisions, instructions, and applicable international agreements on data protection and all other types of legislation issued by regulatory and supervisory authorities, courts and other official authorities. means legislation.

KVK Policies: Refers to the policies of the Company on the protection of Personal Data.

KVK Procedures: Denotes the procedures that determine the obligations of the Company, employees, and the Committee's KVK Policies.

Special Qualified Personal Data: "The data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions, and security measures, as well as biometric data and genetic data.

Deletion and Destruction: Refers to the irreversible destruction or destruction of Personal Data.

Data Inventory: "Personal Data Processing processes and methods for the Company's Personal Data processing activities, Personal Data Processing purposes, data category, third parties to whom Personal Data are transferred, etc. means the inventory containing the information.

Data Processor: Refers to the natural or legal person who processes Personal Data on behalf of the Data Controller, upon authorization by the Data Controller.

Data Owner: Refers to all natural persons whose Personal Data are processed by or on behalf of the Company.

Data Controller: Refers to the natural and legal person who processes Personal Data by specifying the purposes and ways of Processing, and who is responsible for establishing and managing the data recording system.

Data Controller Contact Person: Refers to the real person who makes a registration notification by the data controller for the communication to be established with the Authority regarding the KVK Regulations.

5. PRINCIPLES OF PERSONAL DATA PROCESSING

5.1 Processing Personal Data in Compliance with the Law and the Rules of Integrity

The Company processes Personal Data by the law and the rules of honesty and based on proportionality.

5.2

Taking Necessary Precautions to Keep Personal Data Accurate and Up-to-Date When Necessary

The Company takes all necessary measures to ensure that the Personal Data is complete, accurate, and up-to-date and updates the relevant Personal Data in case the Data owner requests a change in Personal Data within the scope of KVKK Regulations.

5.3 Processing of Personal Data for Specific, Clear, and Legitimate Purposes

Before the Personal Data is processed, the Company determines the purpose for which the Personal Data will be processed. In this context, the Data Owner is informed within the scope of KVK Regulations, and their Express Consent is obtained when necessary.

5.4 The Personal Data Are Related to the Purpose for which they are Processed, Limited, and Measured 

The Company processes Personal Data only in exceptional cases within the scope of KVK Regulations (Article 5.2 and Article 6.3 of the KVKK) or for the purpose within the scope of the Explicit Consent from the Data Owner (Article 5.1 and Article 6.2 of the KVKK) and by the principle of proportionality. The Data Controller processes the Personal Data in a way that is suitable for the realization of the determined purposes and refrains from processing in cases that are not related to the realization of the purpose or are not needed.

5.5 Retention of Personal Data for the Period Necessary for Processing or Envisioned in the Relevant Legislation

5.5.1 The Company retains Personal Data for as long as necessary by the purpose. In case the Company wishes to retain Personal Data for a longer period than required by the KVK Regulations or required by the Personal Data Processing purpose, the Company acts by the obligations specified in the KVK Regulations.

5.5.2 Personal Data is Deleted, Destroyed, or Anonymized after the period required by the Personal Data processing purpose expires. In this case, the third parties to whom the Company transfers Personal Data are also provided to Delete, Destroy, or Anonymize Personal Data.

5.5.3 The Committee is responsible for the operation of the processes of Deletion, Destruction, and Anonymization. In this context, the necessary procedure is established by the Committee.

6. PROCESSING OF PERSONAL DATA

Personal Data can only be processed by the Company within the scope of the procedures and principles set forth below.

6.1 Explicit Consent

6.1.1 Personal Data is processed after the notification to be made within the framework of the fulfillment of the obligation to inform the Data Owners and if the Data Owners give their Explicit Consent.

6.1.2 Data Owners are informed of their rights before Explicit Consent is obtained within the framework of the Clarification Obligation.

6.1.3 The Explicit Consent of the Data Owner is obtained through methods by the KVK Regulations. Explicit Consent is provably retained by the Company for the required period within the scope of KVK Regulations.

6.1.4 The Committee is obliged to ensure that the Obligation of Disclosure is fulfilled in terms of all Personal Data Processing processes and that the Explicit Consent is obtained when necessary and that the Explicit Consent is retained. All department employees who process Personal Data are obliged to comply with the instructions of the Contact Person and the Committee, this Policy, and the KVK Procedures annexed to this Policy.

6.2 Processing of Personal Data without Obtaining Explicit Consent

In cases where the Processing of Personal Data is foreseen without Explicit Consent within the scope of the KVKK Regulations (Article 5.2) of the KVKK, the Company may process the Personal Data without the Explicit Consent of the Data Owner. In case the Personal Data is processed in this way, the Company Processes the Personal Data within the limits drawn by the KVK Regulations. In this context;

6.2.1 Personal Data may be processed by the Company without Explicit Consent if it is expressly stipulated in the Laws.

6.2.2 Personal Data may be processed by the Company without Explicit Consent if it is necessary for the protection of the life or physical integrity of the Data Owner himself or someone other than the Data Owner, who is unable to express his/her consent due to actual impossibility or whose consent is not legally valid.

6.2.3 Provided that it is directly related to the establishment or performance of a contract, Personal Data may be processed by the Company without the Explicit Consent of the Data Owners, if it is necessary to process the Personal Data of the parties to the contract.

6.2.4 If the Processing of Data is necessary for the Company to fulfill its legal obligations, Personal Data may be processed by the Company without the Explicit Consent of the Data Owners.

6.2.5 Personal Data made public by the data owner may be processed by the Company without express consent.

6.2.6 If the Processing of Personal Data is necessary for the establishment, exercise, or protection of a right, Personal Data may be processed by the Company without obtaining Explicit Consent.

6.2.7 Provided that it does not harm the fundamental rights and freedoms of the Data Owner, Personal Data may be processed by the Company without Explicit Consent, if data processing is necessary for the Company's legitimate interests.

7. PROCESSING OF SPECIAL QUALITY PERSONAL DATA

7.1 Private Personal Data can only be obtained if the Data Owner has Explicit Consent or if it is sexual life and personal data.

It can be processed in cases expressly required by law in terms of Special Quality Personal Data other than provincial health data.

7.2 Personal data related to health and sexual life can only be used by persons (eg: Company Physician) or authorized institutions and organizations, who are under the obligation of confidentiality, to protect public health, perform preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and financing. maybe processed by organizations without express consent.

7.3 While Processing Special Quality Personal Data, the measures determined by the Board are taken.

7.4 The Company, for employees who are involved in the processing of Sensitive Personal Data;

7.4.1. The Company will regularly provide training on KVK Regulations and the security of Special Quality Personal Data.

7.4.2. Confidentiality agreements will be made.

7.4.3. It will clearly define the scope and duration of authorization of users who have access to Special Quality Personal Data.

7.4.4. It will periodically perform authorization checks.

7.4.5. Employees who have a change in duty or quit the job will immediately remove their authority in this field and will immediately take back the inventory allocated to the relevant employee.

7.5 In case of the transfer of Special Quality Personal Data to electronic media, the Company shall;

7.5.1. It will constantly follow the security updates of the environments where the Special Quality Personal Data are located.

7.5.2. If Private Personal Data is accessed through software, the user of this software will authorize it.

7.5.3. In case of remote access to Special Qualified Personal Data, a two-stage authentication system will be provided.

7.6. In case Special Quality Personal Data is processed in the physical environment, the Company shall;

7.6.1. It will ensure that adequate security measures (against electric leakage, fire, flood, theft, etc.)

7.6.2. It will prevent unauthorized entry and exit by ensuring the physical security of these environments.

7. In case of transfer of Special Qualified Personal data, the Company;

7.1 If it is necessary to transfer Sensitive Personal Data via e-mail, an encrypted corporate e-mail address or a Registered Electronic Mail (“KEP”) account shall be used.

7.2 If it is necessary to physically transfer the Private Personal Data in paper form, it will take the necessary precautions against the risks such as theft, loss, or viewing of the documents by unauthorized persons and will send the documents in the form of "confidential documents".

7.3 In addition to the regulations above, the Committee and the Contact Person will act by the KVK Regulations, especially the Personal Data Security Guide, published by the Board regarding the security of Personal Data, including Private Data.

7.4 In any situation that requires the Processing of Special Quality Personal Data, the Committee is informed by the relevant employee.

7.5 If it is not clear whether a data is Special Quality Personal Data or not, the opinion of the Committee is taken by the relevant department.

8. PERSONAL DATA STORAGE PERIOD

Personal Data are kept within the scope of the relevant legal retention periods within the Company and are kept for the period necessary for the realization of the activities related to this data and the purposes specified in this Policy. Personal Data whose purpose of use has expired and whose legal storage period has expired is deleted, destroyed, or anonymized by the Company by Article 7 of the KVKK.

9. DELETING, DESTROYING, AND MAKING PERSONAL DATA ANONYMOUS

9.1 When the legitimate purpose for the processing of Personal Data ceases, the relevant Personal Data is Deleted, Destroyed, or Anonymized. Situations where Personal Data should be Deleted, Destroyed, or Anonymized are followed up by the Committee and departments.

9.2 The Committee is responsible for the operation of the Deletion, Destruction, and Anonymization processes. In this context, the necessary procedure is established by the Committee.

9.3 The Company cannot store Personal Data considering the possibility of its use in the future.

9.4 All Deletion, Destruction, and Anonymization Activities that the Company will implement on Personal Data will be carried out by the principles outlined in the Personal Data Retention, Destruction Policy.

10. TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PARTIES

The Company may transfer Personal Data to a third natural or legal person in Turkey and/or abroad in accordance with KVK regulations, provided that it takes the necessary measures for Personal Data Processing. In this case, the Company, Person 

It ensures that the third parties to which it transfers data also comply with this Policy. In this context, necessary protective regulations are added to the contracts concluded with the third party. Each employee is obliged to comply with the processes in this Policy in case of Personal Data transfer.

10.1 Transfer of Personal Data to Third Parties in Turkey

10.1.1 Personal Data shall be transferred to third parties in Turkey, without explicit consent or in other cases, provided that the explicit consent of the data owner is obtained (Article 5.1 and Article 6.2 of the KVKK) in exceptional cases specified in Article 5.2 of the KVKK and in Article 6.3 provided that adequate measures are taken. It can be transferred by the company.

10.1.2 The Company employees and the Committee are jointly responsible for ensuring that the transfer of Personal Data to third parties in Turkey complies with the KVK Regulations.

10.2 Transfer of Personal Data to Third Parties Located Abroad

10.2.1 Personal Data may be transferred by the Company to third parties abroad, provided that the Explicit Consent of the Data Owner is obtained (Article 5.1 and Article 6.2 of the KVKK).

10.2.2 If Personal Data is transferred by the KVK Regulations without obtaining Express Consent, one of the following conditions must be present in terms of the foreign country to which it will be transferred separately;

10.2.3 The foreign country to which the Personal Data will be transferred has the status of a country where adequate protection is provided by the Board,

10.2.4 If the foreign country where the transfer will take place is not included in the safe countries list of the Board, the Company and the Data Controllers in the relevant country make a written commitment to ensure adequate protection and obtain permission from the Board.

10.2.5 Company employees, Committee and Representative are jointly responsible for ensuring that the transfer of Personal Data to third parties abroad complies with the KVK Regulations.

11. THE COMPANY'S LIGHTING OBLIGATION

The Company informs the Data Owners before the Processing of Personal Data in accordance with Article 10 of the KVKK. In this context, the Company fulfills its Disclosure Obligation during the acquisition of Personal Data. The notification to be made to the Data Owners within the scope of the Disclosure Obligation includes the following elements, respectively;

11.1 Identity of the Data Controller (and his representative, if any),

11.2. The purpose for which Personal Data will be processed,

11.3 To whom and for what purpose the Processed Personal Data can be transferred,

11.4 The method and legal reason for collecting Personal Data,

11.5 Rights of Data Owners listed in Article 11 of KVKK.

11.6 The Company shall provide the necessary information if the Data Owner requests information by Article 20 of the Constitution of the Republic of Turkey and Article 11 of the KVKK.

11.7 If requested by the Data Owners by the KVKK Regulations, the Company informs the Data Owner about the personal data it processes.

11.8 The employee following the relevant process and the Committee are jointly responsible for ensuring that the required Disclosure Obligation is fulfilled before the processing of Personal Data.

11.9 Third parties in the status of data processor undertake with a written contract that they will act by the above-mentioned obligations before starting data processing.

12. RIGHTS OF DATA SUBJECTS (RELATED PERSONS)

12.1 The Company responds to the below-mentioned requests of the Data owners, whose Personal Data it processes, by the KVK Regulations;

12.1.1 Learning Whether Personal Data is Processed by the Company,

12.1.2 In the case of Processing Personal Data, requesting information about it

12.1.3 Learning the purpose of processing Personal Data and whether they are used for its purpose,

12.1.4. To know the third parties to whom Personal Data is transferred, in the country or abroad,

12.1.5. Requesting correction of Personal Data in case of incomplete or incorrect processing by the Company,

12.1.6. To request the deletion or destruction of Personal Data by the Company in case the reasons requiring the Processing of Personal Data disappear, to be evaluated within the principles of purpose and legitimacy,

12.1.7. In case of correction, deletion, or destruction of Personal Data by the Company, requesting that these transactions be notified to the third parties to whom the Personal Data has been transferred,

12.1.8. Objecting to this result if a result against the Data Owner arises if the processed Personal Data is analyzed exclusively through automated systems,

12.1.9.Demanding the removal of the damage in case the Personal Data is processed unlawfully and the Data Owner suffers damage due to this reason.

In cases where Data Owners want to exercise their rights and/or think that the Company does not act within the scope of this Policy while processing Personal Data, they can submit their requests by filling out the form on the company website or by creating their requests in a way that will meet the conditions determined by the Authority. address, the e-mail address previously notified to the Company and registered in the Company system. 

They can be sent via e-mail (the e-mail address registered in the system should be checked) or with a secure electronic signature or mobile signature to the Company KEP address or to the postal address below, which may change from time to time, together with the documents proving their identities and a petition with a wet signature. or through a notary public and send them by other methods determined by the Institution, which may be added to them in the future. Current application methods and application content must be confirmed by the legislation before the application.

Data Controller: MEDOCEAN ESTHETIC AND HEALTH SERVICES TİCARET LİMİTED ŞİRKETİ

Registered E-mail (KEP): uroakademisaglik@hs01.kep.tr

Postal : MERKEZ MAHALLESİ İSTİKLAL STREET NO: 9/75 SISLI ISTANBUL

In case the Data Owners submit their requests regarding their rights listed above to the Company in writing, the Company concludes the request free of charge within (30) thirty days at the latest, depending on the nature of the request. If a separate cost arises for the conclusion of the requests by the Data Controller, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller.

13. DATA MANAGEMENT AND SECURITY

13.1 The Company establishes a Committee to fulfill its obligations under the KVK Regulations, to ensure and supervise the implementation of the KVK Procedures required for the implementation of this Policy, and to make recommendations regarding their operation.

13.2 All employees involved in the relevant process are jointly and severally responsible for the protection of Personal Data by this Policy and KVK Procedures.

13.3 Personal Data processing activities by the Company are controlled by technical systems according to technological possibilities and implementation costs.

13.4 Personal Data Processing activities are staffed with knowledgeable personnel on technical issues.

13.5 Company employees are informed and trained regarding the protection of Personal Data and its legal processing.

13.6 Company employees can access Personal Data only within the authorization defined for them and by the relevant KVK Procedure. Any access and processing done by the employee more than his/her authority is against the law and is a reason for termination of the employment contract with just cause.

13.7 If the company employee suspects that the security of the Personal Data is not adequately provided or identifies such a security gap, he/she informs the Committee of this situation.

13.8 A detailed KVK Procedure is created by the Committee for the security of Personal Data.

13.9 Every person assigned a Company device is responsible for the security of the devices allocated for his/her use.

13.10 Every Company employee or person working within the Company is responsible for the security of the physical files within their area of responsibility.

13.11 If there are security measures requested or to be additionally requested for the security of Personal Data within the scope of KVK Regulations, all employees are obliged to comply with additional security measures and to ensure the continuity of these security measures.

13.12 Software and hardware including virus protection systems and firewalls are installed by technological developments to store Personal Data in secure environments.

13.13 The Company uses backup programs and takes adequate security measures to prevent the loss or damage of Personal Data.

13.14 Necessary measures will be taken for the Company to protect the documents containing Personal Data with encrypted (encrypted) systems. In this context, Personal Data will not be stored in common areas and on the desktop. Files and folders containing Personal Data, etc. The documents will not be moved to the desktop or the common folder, and the information on the Company computer will not be transferred to USB, etc. without the prior written approval of the Committee. It will not be transferred to another device or taken out of the Company.

13.15 The Committee, together with the Board of Directors, is obliged to take technical and administrative measures for the Protection of all Personal Data within the Company, to constantly monitor the developments and administrative activities, to prepare the necessary KVK Procedures and to announce them within the Company, to ensure and supervise their compliance. In this context, the Committee organizes the necessary training to increase the awareness of the employees.

13.16 If a department within the company is Processing Sensitive Personal Data, this department will be informed by the Committee about the importance, security, and confidentiality of the Personal Data they process and the relevant department will act by the Committee's instructions. Only limited employees will be authorized to access Sensitive Personal Data and their list and follow-up will be done by the Committee.

13.17 All Personal Data processed within the Company is considered as “Confidential Information” by the Company.

13.18 Company employees are responsible for their obligations regarding the security and confidentiality of Personal Data, 

The Company has been informed that it will continue after the end of the period and a commitment has been taken from the employees of the Company to comply with these rules.

14 DATA BREACH RESPONSE PLAN

14.1 The situation of the employee who notices the attitude and behavior contrary to the law on the protection of personal data and the relevant legislation, immediately notifies the COMPANY Personal Data Protection Committee.

14.2 In case the processed personal data is obtained by others illegally, the institution is notified within 72 hours.

14.3 Following the identification of the persons affected by the said data breach, the relevant persons shall be notified as soon as possible, directly if the contact address of the data subject can be reached, or through appropriate methods such as publishing on the data controller's website if it cannot be reached.

14.4 In case the data controller fails to notify the Board within 72 hours with a justified reason, the reasons for the delay are also disclosed to the Board with the notification to be made.

14.5 In the notification to be made to the Board, the “Personal Data Violation Notification Form” published at the institution https://ihlalbildirim.kvkk.gov.tr is used.

14.6 In cases where it is not possible to provide the information in the form at the same time, this information is provided in stages without any delay.

14.7 The data controller ensures that the information regarding data breaches, their effects, and the measures taken are recorded and made available for the examination of the Board.

14.8 If the personal data held by the data processor is obtained by others unlawfully, the data processor shall be notified to the committee without any delay in this regard.

The relevant plan is periodically reviewed by the committee.

15. EDUCATION

15.1 The Company provides its employees with the necessary training on the protection of Personal Data within the scope of the Policy and the KVK Procedures and KVKK Regulations in its annex. They can offer this training in person or online.

15.2 Applications for the definition and protection of Sensitive Personal Data are particularly mentioned in the training.

15.3 If the Company employee accesses Personal Data physically or on a computer, the Company provides training to the relevant employee for these accesses (for example, the accessed computer program).

16. AUDIT

The Company has the right to regularly and ex officio audit that all employees, departments, and contractors of the Company act in compliance with this Policy and KVK Regulations, without any prior notice, and perform the necessary routine audits in this context. The Committee creates a KVK Procedure regarding these audits. It submits it to the approval of the management and ensures the implementation of the aforementioned procedure.

17. VIOLATIONS

17.1 Each employee of the Company reports to the Committee any business, transaction, or action that he or she considers to be contrary to the procedures and principles outlined in the KVK Regulations and within the scope of this Policy. In this context, the Committee for the relevant violation creates an action plan by this Policy and KVK Procedures.

17.2 As a result of the notifications, the Committee prepares the notification to be made to the Data Owner or the Institution regarding the violation, taking into account the provisions of the applicable legislation on the subject, especially the KVK Regulations. Contact Person Conducts correspondence and communication with the Institution.

18. RESPONSIBILITIES

Responsibilities within the company are respectively employee, department, and Committee. In this context; The Committee responsible for the implementation of the Policy is appointed by the Company Management by the management decision or by the bodies authorized to sign and bind, and changes are made in this context, again in the aforementioned way.

19. CHANGES TO THE POLICY

19.1 This Policy may be changed by the Company from time to time with the approval of the Management.

19.2 The Company shares the updated Policy text with its employees via e-mail so that the changes it has made to the Policy can be reviewed, or makes it available to the employees and Data Owners via the following web address.

20. EFFECTIVE DATE OF THE POLICY

This version of the policy was approved by the Company Management on 01/01/2023 and entered into force.

Instagram
Facebook
Twitter
Linkedin
Youtube

Bizimle İletişime Geçin

Make an appointment