Çalışma Saatlerimiz
Hafta içi: 09:30–20:00
Cumartesi: 09:30–20:00
Pazar: Kapalı
Working Hours
Weekdays: 09:30–20:00
Saturday: 09:30–20:00
Sunday: Closed
DENTADENT ORAL AND DENTAL HOSPITAL TRADE LTD. CO. POLICY ON THE PROTECTION AND PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
SECTION 1
1.1 INTRODUCTION
This Policy on Special Categories of Personal Data may be amended from time to time by DENTADENT ORAL AND DENTAL HOSPITAL TRADE LTD. CO. in order to adapt to changing conditions and legislation. In accordance with the Turkish Personal Data Protection Law No. 6698 (“Law”), utmost importance is attached to the lawful protection and processing of personal data, and all planning and activities are carried out with due diligence. The Company carefully takes all administrative and technical measures required for the protection of personal data. Since special categories of personal data may lead to discrimination or victimization of the data subject if disclosed, additional specific administrative and technical measures are taken for the processing, protection and security of special categories of personal data, in addition to the measures applied for general personal data, in line with the nature and sensitivity of such data.
1.2 PURPOSE
This Policy on the Processing and Protection of Special Categories of Personal Data (“Policy”) aims to take the necessary technical and administrative measures regarding the processing, protection and security of special categories of personal data within the framework of the Constitution, the Turkish Personal Data Protection Law No. 6698, relevant legislation, the Personal Data Protection Board’s decision dated 31/01/2018 and numbered 2018/10, and other relevant decisions, and to inform data subjects by ensuring that the Company fulfills its obligations concerning special categories of personal data under its control in its capacity as the Data Controller.
1.3 SCOPE
This Policy covers all natural persons whose special categories of personal data are processed by the Company for any reason, including company partners, shareholders, company officials, employees, job applicants, interns and intern candidates, customers, customer representatives and employees, potential purchasers of products or services, supplier employees and supplier representatives, visitors, consultants and third parties, and the activities carried out for the processing, protection and security of such special categories of personal data.
This Policy applies to all recording environments within the Company where special categories of personal data are processed, and to processing activities carried out fully or partially by automated means, or by non-automated means provided that they form part of a data recording system.
1.4 DEFINITIONS AND ABBREVIATIONS
COMPANY: DENTADENT ORAL AND DENTAL HOSPITAL TRADE LTD. CO.
EXPLICIT CONSENT: Consent that is related to a specific matter, based on being informed, and declared with free will.
ANONYMIZATION:
Rendering personal data incapable of being associated with an identified or identifiable natural person in any manner, even if matched with other data.
Example: Rendering personal data unrelatable to a natural person through techniques such as masking, aggregation, data distortion, etc.
DATA SUBJECT: The natural person whose personal data is processed (e.g., customers, visitors, employees and job applicants).
PERSONAL DATA: Any information relating to an identified or identifiable natural person. Therefore, processing information relating to legal entities is not within the scope of the Law.
Examples: name-surname, Turkish ID number, email, address, date of birth, credit card number, bank account number, etc.
SPECIAL CATEGORIES OF PERSONAL DATA: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association/foundation/union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
This Policy on Special Categories of Personal Data may be updated from time to time by DENTADENT ORAL AND DENTAL HOSPITAL TRADE LTD. CO. in order to adapt to changing conditions and legislation.
PROCESSING OF PERSONAL DATA:
Any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making accessible, classifying or preventing use of data, fully or partially by automated means, or non-automated means provided that it forms part of a data recording system.
DATA CONTROLLER: The natural or legal person who determines the purposes and means of processing personal data and manages the location where data is systematically stored (data recording system).
DATA SUBJECT APPLICATION FORM:
The application form to be used by the Data Subject when exercising their rights set forth in Article 11 of the Law.
CONSTITUTION: The Constitution of the Republic of Türkiye numbered 2709 dated 07 November 1982, published in the Official Gazette dated 09 November 1982 and numbered 17863.
PDPL (KVKK) LAW: The Turkish Personal Data Protection Law No. 6698 dated 24 March 2016, published in the Official Gazette dated 07 April 2016 and numbered 29677.
POLICY: Policy on the Processing and Protection of Special Categories of Personal Data.
COMMUNIQUÉ ON THE PROCEDURES AND PRINCIPLES TO BE FOLLOWED IN FULFILLING THE OBLIGATION TO INFORM:
The Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, published in the Official Gazette dated 10 March 2018 and numbered 30356, and entered into force.
PERSONAL DATA RETENTION AND DESTRUCTION POLICY:
The policy that serves as the basis for determining the maximum period required for personal data to be retained for the purpose of processing, and for deletion, destruction and anonymization procedures, pursuant to the Regulation on the Deletion, Destruction or Anonymization of Personal Data.
PERIODIC DESTRUCTION: Deletion, destruction or anonymization to be carried out at recurring intervals when all conditions for lawful processing of personal data set forth in the Law cease to exist.
REGISTERED ELECTRONIC MAIL (KEP):
A system that preserves your commercial and legal correspondence and document sharing in the form sent, definitively identifies the recipient, ensures that the content cannot be altered, and provides legally valid, secure and conclusive evidence.
DATA CONTROLLERS’ REGISTRY INFORMATION SYSTEM (VERBIS):
The information system created and managed by the Authority and accessible via the internet, to be used by data controllers in registry applications and other registry-related procedures.
SECTION 2
This Policy on Special Categories of Personal Data may be updated from time to time by DENTADENT ORAL AND DENTAL HOSPITAL TRADE LTD. CO. in order to adapt to changing conditions and legislation.
PROTECTION AND PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA, PURPOSES OF PROCESSING, AND FUNDAMENTAL PRINCIPLES REGARDING PROCESSING
2.1 Special Categories of Personal Data
Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association/foundation/union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data, are special categories of personal data.
2.2 Protection of Special Categories of Personal Data
Since special categories of personal data may lead to discrimination or victimization of the Data Subject if disclosed, the administrative and technical measures taken by the Company for the protection of personal data processed lawfully are implemented with particular care for special categories of personal data, and necessary audits are carried out within the Company. In addition, in processing special categories of personal data, the adequate measures determined by the Board are taken and required procedures are carried out.
2.3 Processing of Special Categories of Personal Data
The Company exercises special care in processing special categories of personal data which are considered more critical to protect for the Data Subject. Special categories of personal data are processed by the Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures (including the methods to be determined by the Board), and provided that the following conditions are met:
(i) Special categories of personal data other than data relating to health and sexual life may be processed without seeking explicit consent of the data subject if explicitly stipulated by law (i.e., where the applicable law governing the activity contains an explicit provision regarding processing). Otherwise, explicit consent of the data subject shall be obtained.
(ii) Special categories of personal data relating to health and sexual life may be processed without seeking explicit consent by persons under a duty of confidentiality or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and their financing. Otherwise, explicit consent of the data subject shall be obtained.
2.4 Purposes of Processing Special Categories of Personal Data
Special categories of personal data may be processed in line with the personal data processing principles set forth in Article 4 of the Law and the procedures and principles in relevant legislation, and in accordance with the conditions for processing personal data specified in Articles 5 and 6 of the Law. Special categories of personal data collected by the Company through lawful methods may be processed and retained, in a manner that is relevant, limited and proportionate, for the following purposes within the scope of employment relationships, products, services or commercial activities, or other relationships with Data Subjects. Purposes of processing include, but are not limited to:
– Conducting Emergency Management Processes
– Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees
This Policy on Special Categories of Personal Data may be updated from time to time by DENTADENT ORAL AND DENTAL HOSPITAL TRADE LTD. CO. in order to adapt to changing conditions and legislation.
– Managing Employee Fringe Benefits and Entitlements Processes
– Conducting Employee Work Activities
– Evaluating Employee Application Processes
– Conducting Activities in Compliance with Legislation
– Planning Human Resources Activities
– Conducting Occupational Health and Safety Activities
– Providing Information to Authorized Persons, Institutions and Organizations
– Notifying Authorized Persons, Institutions and Organizations
2.5 General Principles Regarding the Processing of Special Categories of Personal Data
One of the primary matters of importance for the Company is to act in compliance with the general principles stipulated in legislation when processing special categories of personal data. In this context, the Company shall act in accordance with the principles listed below in processing special categories of personal data, in line with the Constitution and the Law.
a. Processing Personal Data in Compliance with Law and Good Faith Principles
The Company processes special categories of personal data in compliance with Article 4 of the Law; lawfully and in good faith; accurately and, where necessary, up-to-date; for specific, explicit and legitimate purposes; and in a manner that is relevant, limited and proportionate. Accordingly, the Company takes proportionality requirements into consideration and does not use special categories of personal data beyond what is required by the purpose.
b. Ensuring Personal Data is Accurate and Up-to-date Where Necessary
The Company ensures that special categories of personal data it processes are accurate and up-to-date by taking the necessary measures and establishing systems for this purpose, taking into account the fundamental rights of the Data Subject and its own legitimate interests.
c. Processing for Specific, Explicit and Legitimate Purposes
The Company processes special categories of personal data for legitimate and lawful reasons, in connection with its activities and only to the extent necessary. The purpose of processing is determined before the processing activity begins.
d. Being Relevant, Limited and Proportionate to the Purpose
The Company processes special categories of personal data in a manner suitable for achieving the stated purposes and avoids processing data that is not relevant or needed. The Company does not conduct processing for potential future needs that may arise later.
e. Retaining for the Period Stipulated in Legislation or Required for the Purpose
This Policy on Special Categories of Personal Data may be updated from time to time by DENTADENT ORAL AND DENTAL HOSPITAL TRADE LTD. CO. in order to adapt to changing conditions and legislation.
In accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the Law, the Company retains special categories of personal data only for the period stipulated in relevant legislation and laws or required by the purpose of processing.
In this context, the Company first determines whether a retention period is stipulated in relevant legislation for special categories of personal data; if such a period is stipulated, it acts in compliance with that period. If no legal period exists, special categories of personal data are retained for the period necessary for the purpose of processing. At the end of the retention periods, special categories of personal data are destroyed in accordance with periodic destruction periods or Data Subject applications, using the specified destruction methods (deletion and/or destruction and/or anonymization). Details are set forth in the Personal Data Retention and Destruction Policy.
SECTION 3
TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA AND CONDITIONS:
3.1 Transfer of Special Categories of Personal Data
Since special categories of personal data may cause the Data Subject to suffer harm or discrimination if learned by others, the Company takes the necessary measures with great care during transfer processes. Within this scope, the Company may transfer special categories of personal data to third parties in line with the purposes of processing, by taking the necessary administrative and technical measures in accordance with legislation.
3.2 Conditions for Transfer of Special Categories of Personal Data
a. Conditions for Domestic Transfer:
The Company may transfer special categories of personal data to third parties within Türkiye, provided that the Data Subject has given explicit consent, and by taking the necessary administrative and technical measures in accordance with legislation. As a rule, special categories of personal data cannot be transferred to third parties within Türkiye without the Data Subject’s explicit consent.
However, special categories of personal data other than health and sexual life may be transferred without explicit consent where explicitly stipulated by law (i.e., where the applicable law includes an explicit provision regarding processing/transfer). Accordingly, special categories of personal data other than those related to health and sexual life may be transferred where:
– The Data Subject has explicit consent;
– There is an explicit legal provision regarding transfer of special categories of personal data;
– It is mandatory for the protection of the life or physical integrity of the Data Subject or another person, and the Data Subject is unable to declare consent due to de facto impossibility or where consent is not legally valid;
– Transfer is necessary provided that it is directly related to the establishment or performance of a contract and relates to the parties of the contract;
– Transfer is mandatory for the Company to fulfill its legal obligation;
– Special categories of personal data have been made public by the Data Subject;
This Policy on Special Categories of Personal Data may be updated from time to time by DENTADENT ORAL AND DENTAL HOSPITAL TRADE LTD. CO. in order to adapt to changing conditions and legislation.
– Transfer is necessary for the establishment, exercise or protection of a right;
– Provided that it does not harm the fundamental rights and freedoms of the Data Subject, transfer is mandatory for the legitimate interests of the Company.
Special categories of personal data relating to health and sexual life may be transferred without explicit consent only if adequate and necessary measures are taken and one of the following purposes exists: protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and their financing.
b. Conditions for International Transfer:
The Company may transfer special categories of personal data abroad in line with legitimate and lawful purposes, by showing due care and taking the administrative and technical measures stipulated by legislation and the measures deemed necessary by the Board. As a rule, special categories of personal data cannot be transferred abroad without the Data Subject’s explicit consent.
However, special categories of personal data other than health and sexual life may be transferred without explicit consent to countries announced by the Board as having adequate protection, where explicitly stipulated by law (i.e., where there is an explicit legal provision regarding processing/transfer). If adequate protection is not available, transfer abroad may be made only if data controllers undertake adequate protection and the Board’s permission is obtained.
Special categories of personal data relating to health and sexual life may be transferred without explicit consent to countries announced by the Board as having adequate protection only if one of the following purposes exists: protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and their financing. If adequate protection is not available, transfer abroad may be made only if data controllers undertake adequate protection and the Board’s permission is obtained.
SECTION 4
DELETION, DESTRUCTION OR ANONYMIZATION OF SPECIAL CATEGORIES OF PERSONAL DATA
Although processed in accordance with the Law and other applicable legislation, if the reasons requiring processing cease to exist, personal data shall be deleted, destroyed or anonymized by the Company ex officio or upon the request of the Data Subject.
In deletion, destruction or anonymization processes, the general principles in Article 4 of the Law, the technical and administrative measures required under Article 12, relevant legislation provisions, Board decisions, and the Personal Data Retention and Destruction Policy are complied with.
SECTION 5
In order to ensure that special categories of personal data are stored securely, to prevent unlawful processing and access, and to ensure lawful destruction of personal data, the Company takes the necessary technical and administrative measures within the framework of the obligations set forth in Article 12 of the Law and the adequate measures announced by the Board pursuant to the fourth paragraph of Article 6. In this context, the technical and administrative measures taken by the Company are defined in the Personal Data Processing and Protection Policy and the Personal Data Retention and Destruction Policy. In addition to those measures, the Company also takes the following precautions:
5.1 Measures for Employees Involved in Processing Activities of Special Categories of Personal Data:
– Employees are provided with training on data security matters such as processing, security, protection and storage of special categories of personal data in accordance with relevant legislation.
– Confidentiality agreements are executed with employees and disciplinary procedures are applied.
– The scope and duration of authorizations of employees who have access rights to special categories of personal data are defined.
– Authorization controls are carried out periodically.
– Access rights of employees who change roles or leave employment are immediately revoked, and any allocated inventory is recovered where applicable.
5.2 Measures for Electronic Environments Where Special Categories of Personal Data are Processed/Stored/Accessed:
– Data is stored using cryptographic methods.
– Cryptographic keys are kept securely and in different environments.
– Transaction logs of activities performed on data are securely recorded.
– Security updates for environments where data is stored are continuously monitored; security tests are regularly performed/commissioned and results are recorded.
– Where data is accessed via software, user authorizations are configured; security tests are regularly performed/commissioned and results are recorded.
– Where remote access is required, at least two-factor authentication is applied.
5.3 Measures for Physical Environments Where Special Categories of Personal Data are Processed/Stored/Accessed:
– Physical environments (cabinets, archives, etc.) containing special categories of personal data are locked.
– Adequate security measures are taken according to the nature of the environment (against electrical leakage, fire, flooding, theft, etc.).
– Physical security is ensured and unauthorized entry/exit is prevented.
5.4 Measures Regarding Transfer of Special Categories of Personal Data:
– Where transfer via email is required, data is transferred in encrypted form using a corporate email address or a Registered Electronic Mail (KEP) account. Password information is not included in the email body.
This Policy on Special Categories of Personal Data may be updated from time to time by DENTADENT ORAL AND DENTAL HOSPITAL TRADE LTD. CO. in order to adapt to changing conditions and legislation.
– Where transfer via portable media such as USB, CD, DVD is required, data is encrypted using cryptographic methods and cryptographic keys are stored in a separate environment.
– Where transfer occurs between servers in different physical environments, data transfer is carried out by establishing a VPN or using SFTP.
– Where transfer of paper documents is required, necessary measures are taken against risks such as theft, loss or unauthorized viewing, and documents are sent in the format of “confidential documents”.
SECTION 6
6.1 IMPLEMENTATION OF THE POLICY AND APPLICABLE LEGISLATION
Applicable legal regulations in force regarding the processing and protection of special categories of personal data shall primarily apply. In case of any inconsistency between applicable legislation and this Policy, the Company accepts that the applicable legislation shall prevail. This Policy concretizes and regulates the rules set forth by legislation within the scope of the Company’s practices. In the event of amendments to the Policy, the effective date and relevant provisions shall be updated accordingly.
6.2 EFFECTIVE DATE OF THE POLICY
The effective date of this Policy is 02/02/2024. This Policy is published on the Company’s website and is made available to data subjects upon request.
6.3 DISTRIBUTION
This Policy is announced to third parties and Company employees by being published on the Company’s website.