INTRODUCTION
This policy regulates the rules to be followed when processing non-employee personal data of almi Health Agency in accordance with the KVKK No. 6698. Protection of personal data is one of our company’s top priorities. While processing personal data, our company carries out its processing activities by paying maximum attention to the rules of compliance with the law and honesty.
The term “non-employee” in this Policy will include, to the extent appropriate, service areas from our company and persons related to our company within its subject matter.
Updateability
This policy may be changed and updated in accordance with legislative changes. Updates will take place both online and in the document archive without delay.
1- PROCESSING OF NON-EMPLOYEE PERSONAL DATA
1.1 General Approach in Processing Non-Employee Personal Data
With the lighting texts provided by our company, non-employee people; informs them about which personal data are processed about them, for what purposes and reasons personal data will be processed, from which sources the personal data is collected, with whom this personal data will be shared and how it will be used.
Our company evaluates the personal data it processes and processes this data based on at least one of the conditions in the KVKK.
These conditions are;
· Having the explicit consent of the person,
The data processing is clearly stipulated in the relevant laws,
Failure to obtain the explicit consent of the person due to actual impossibility,
· Data processing is directly related to the establishment or performance of a contract,
Data processing is mandatory for our company to fulfill its legal obligations,
· The personal data has been made public by the personal data owner himself,
Data processing is mandatory for the establishment or protection of a right,
· Processing of data based on legitimate interest.
In the presence of at least one of the conditions written above, personal data processing can be carried out. Data processing may be carried out based on one or more of the conditions.
In cases where explicit consent is required, the said explicit consent process is completed before the processing of personal data. Our company never takes blanket consent.
1.2 Collection of Personal Data as and as Necessary for the Required Period
Our company collects personal data from employees and non-employees based on a clear and foreseeable need. Our company ensures that the collected data is suitable for meeting the aforementioned needs. In addition, our company is sensitive about processing the received data only for the period stipulated by the law or specified in the express consent text. Data whose processing period has expired; destruction, anonymization and deletion.
In order to ensure compliance with the above-mentioned principle, all forms and input methods in which employees enter personal data are audited. This control, as soon as possible for existing forms and input methods; It is completed before starting to use them for newly created forms and input methods.
As a result of the audit, the parts that provide unnecessary data collection are removed from the relevant form and input method. In addition, the personal data obtained through these parts are immediately deleted, destroyed or anonymized.
1.3 Ensuring Update of Personal Data
Our company takes the necessary measures to keep the personal data of non-employees up-to-date.
In this context, particular attention is paid to the following:
1.4 Processing of Data of Non-Special Qualified Persons
Some of the personal data is regulated separately as “special quality personal data” within the scope of KVKK and is subject to special protection.
Data as described in special personal law; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction, and biometric and genetic data.
Our company may process health data in the following cases, provided that adequate measures to be determined by the Personal Data Protection Board are taken in cases where the non-employee does not have the express consent:
2.1 General Approach to the Processing of Health Data of Non-Employees
Health data is among the special categories of personal data. Health data of non-employee persons are stored separately from other personal data.
2.2 Identification of Persons to Process Health Data
It is ensured that the employees of the company who will process or authorize the health data of non-employees are informed about the relevant legislation and the privacy policy created. Health data of non-employees are analyzed by people who are qualified to do this job. Our company takes care to inform the employees in an understandable manner for what purposes health data is used and who accesses this data and for what purpose.
In periodic trainings, the importance of this data for our company and the principles to be followed in processing activities are explained to the relevant personnel. In this regard, measurement and evaluation tests are carried out on the personnel for the periods to be determined by our COMPANY. The data processing activities of the employees who fail these tests are terminated immediately. Until the next test gets a passing grade, the relevant personnel are kept away from special data processing activities.
3. EASY LIFE GROUP SAGLIK EMLAK DAN. PROCESSING BY A LIMITED COMPANY
almi Health Agency provides and processes personal data in the following cases:
4. LEGAL RIGHTS OF NON-EMPLOYEE PERSONS REGARDING THE PERSONAL DATA COLLECTED ABOUT THEM
Persons whose personal data are processed by our company have all legal rights set forth in Article 11 of the KVKK and included in the disclosure text of our company. Our company determines the necessary methods in order to ensure access to these rights and includes these methods in the clarification text.
4.1 Principles Regarding the Exercise of Legal Rights by Non-Employee Persons
Our company takes all kinds of administrative, legal and technical measures to ensure that non-employees can exercise their legal rights, make the necessary applications and respond to their applications within 30 days at the latest, and design the relevant processes and inform the employees on this subject. Our company develops methods that will ensure that the person concerned is fully satisfied with the application to be made by the person concerned.
In the answers to be given by our company to employees exercising their legal rights,
all necessary care is taken not to disclose the personal data of third parties.
5. SHARING THE PERSONAL DATA OF NON-EMPLOYEE PERSONS WITH THIRD PARTIES
5.1 General Rules Regarding Personal Data Sharing
Our company determines the internal procedures regarding the sharing of personal data of non-employees. It is ensured that data sharing requests are answered by competent employees.
Necessary measures are taken to confirm the reality and accuracy of data sharing requests from outside the company (such as judicial authorities, administrative authorities, insurance claims).
It is essential that data sharing requests from outside the company are made in writing.
In case the personal data of non-employee persons is sent abroad upon the incoming request, all kinds of administrative, legal and technical measures are taken regarding the transfer of personal data abroad.
If the sharing of personal data of non-employees constitutes a legal obligation, personal data may be shared only in accordance with the scope of this legal obligation.
Without prejudice to the legal conditions regarding international data transfer and the transfer of sensitive personal data; personal data of employees: Explicit consent of the data owner, If there is a clear regulation in the laws regarding the transfer of personal data, If it is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and if the personal data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid; If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the conclusion or performance of a contract, If personal data transfer is mandatory for the fulfillment of a legal obligation, If the personal data is made public by the personal data owner, Personal data transfer is a right, It may be transferred to third parties if it is necessary for the legitimate interests of the relevant company, provided that the fundamental rights and freedoms of the personal data owner are not harmed. The company cannot transfer personal data without fulfilling the conditions written here.
5.2 Information and Record Keeping on Personal Data Sharing
In case the personal data of non-employee persons is shared with third parties, it is required that the data sharing be based on one of the conditions in the KVKK before the data is shared.
“If non-employee persons have not been informed before, it is ensured that they are informed about this sharing at the latest at the time of sharing. However, if this information is against the law or if it is a warning beforehand about an investigation by the competent authorities, the non-employee person is not informed about the subject.”
6. PERSONAL DATA STORAGE OF NON-EMPLOYEE PERSONS
Our company preserves the personal data of non-employees for the period required for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legal legislation to which the relevant activity is subject.
In this context, our company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the data owner and with the determined destruction methods (deletion and / or destruction and / or anonymization).
7. USE OF EXTERNAL SERVICE PROVIDERS FOR THE PROCESSING OF PERSONAL DATA
Our company may use external service providers for the processing of non-employee personal data. However, our company has to take the following precautions regarding outsourcing service providers:
8. SECURITY OF PERSONAL DATA
Our company takes all necessary administrative and technical measures to ensure the security of the data of non-employees. The measures taken are designed to prevent unauthorized access risks, accidental data loss, deliberate deletion of data or damage to data. The number of employees who will be authorized to access the personal data obtained as a result of this is kept as limited as possible. In this context, if there are employees whose access to this data is unnecessary in the current situation, our company removes or limits the access authorizations of these employees. Necessary physical security measures are taken to ensure that only authorized persons can access the personal data of non-employees. In this context, it is also prevented that the authorized persons have extensive authority unnecessarily. Measures such as audit trails are taken to determine who has access to the personal data of the employees on the information systems. Access records to be created in this context are checked regularly and investigation mechanisms are established for unauthorized access. It is essential that other employees who have access to the personal data of non-employees are subject to the necessary security checks. In addition, it is ensured that these persons sign a confidentiality agreement/commitment that provides the necessary protections, or that provisions in this context are included in their employment contracts and that these persons are continuously trained about their responsibilities.
INFORMATION ABOUT THE DATA PROCESSING POLICY IS PROVIDED BY THE PERSONS WHO PROCESS THE DATA AND THE REAL PERSONS (RELATED PERSON), whose data is processed, THROUGH THIS POLICY IS PUBLISHED WHERE THE COMPANY deems appropriate.
