KVKK Information Notice (Turkish Personal Data Protection Law Disclosure Statement)

1. Data Controller

As Furkan CERTEL, we process your personal data in accordance with Law No. 6698 on the Protection of Personal Data (“KVKK”), the Regulation on Personal Health Data, other relevant legislation, and the regulations of the Republic of Turkey Ministry of Health and related authorities, within the scope of this Information Notice.

The corporate identity information of Furkan CERTEL, as the “Data Controller,” is as follows:

Head Office Address: Atatürk Mah. Ertuğrul Gazi Sk. No:2E / 353 Ataşehir / ISTANBUL
Phone: +90 501 134 83 00
Website: www.furkancertel.com
Email: info@furkancertel.com

As Furkan CERTEL, we adopt the principle of ‘protecting patient confidentiality’ while delivering healthcare services and respect the rights of our patients, prospective patients, and their relatives regarding privacy and the protection of personal data. In this regard, your personal data are processed in accordance with the KVKK and all relevant legislation, stored securely, and all necessary administrative and technical measures are taken against possible unlawful access. Through this Information Notice, we explain what personal data we collect, how we collect it, the legal basis for its collection, the purposes of processing, with whom it is shared, and your rights related to this data.

2. Method of Collecting Your Personal Data and Legal Grounds for Processing

Your personal data may be collected by Furkan CERTEL either wholly or partially by automated means, or non-automated means provided that it is part of a data recording system. Collection methods include communication via our website or social media platforms, physical forms and surveys completed during patient registration at our clinic, medical examinations and tests conducted by the doctor, and other interactions with our personnel.

This data may also be collected through the doctor’s and clinic’s information management systems, website, communication channels (email, phone, fax, WhatsApp, other online and/or offline platforms), cargo/postal services, our social media accounts, partner healthcare institutions, laboratories we collaborate with, their integrated systems, authorized public and private institutions, and other future communication methods.

The purposes for processing include:

Protection of public health

Preventive medicine

Medical diagnosis, treatment, and care services

Planning and management of healthcare services and their financing

Your data may be processed and collected under the legal grounds listed in Article 5 and 6 of the KVKK, such as:

Where processing is explicitly permitted by law

Where processing is necessary for the establishment or performance of a contract

Where processing is necessary to fulfill a legal obligation

For the protection of vital interests where the data subject is incapable of giving consent

When personal data has been made public by the data subject

Where processing is necessary for the establishment, exercise or defense of a legal claim

Based on your explicit consent, when required

For legitimate interests

3. Categories of Personal Data Processed and Purposes of Processing

Below are the categories of personal data that may be processed and the purposes for their processing:

Identity Data:
Includes full name, nationality, Turkish ID number (or passport number and information or temporary ID number for non-citizens), place and date of birth, marital status, gender, and other identifying information.

Contact Data:
Includes residential address, mailing address, mobile phone number, email address, and all contact-related information.

Visual and Audio Data:
Includes images and audio recordings captured by clinic CCTV systems, audio recordings of calls with our call center, and – with written consent – photos and videos taken for promotional, research, medical, cosmetic purposes, or to confirm the performance of a procedure, or to inform other potential patients.

Comment and Complaint Data:
Includes feedback and complaints submitted via our website, social media platforms, or other channels with consent.

Location Data:
Includes address or location information voluntarily provided by individuals.

Transaction Security Data (IP Data and Cookies):
Includes IP address, browser details, login/logout details on our website, and password information (e.g., Mac ID, IP address).

Financial Data:
Includes bank account and IBAN numbers. This applies to both employees and patients receiving services from the clinic.

Health Data:
Includes lab and imaging results, test outcomes, blood type, examination details, prescriptions, and other medical records required for diagnosis, treatment, and care.

Vehicle License Plate Data:
Includes plate numbers collected when using clinic-owned parking or valet services.

Customer Transaction Data:
Includes call center logs, invoices, promissory notes, checks, payment receipts, order details, and similar information.

Physical Security Data:
Includes visitor and employee entry/exit logs, and CCTV footage from clinic premises.

Your above-mentioned personal and special category personal data will be processed for the following purposes:

Fulfillment of legal obligations and conducting activities within legal boundaries

Performance of contractual obligations

Provision of healthcare services (including medical, aesthetic/cosmetic diagnosis, examination, treatment, and care)

Business and operational requirements

Sector-specific (healthcare) needs:

5.1. Protection of public health, preventive medicine, medical diagnosis, treatment, and care
5.2. Sharing required information with the Ministry of Health and other authorized entities per health regulations
5.3. Financial planning of healthcare services by relevant departments
5.4. Patient appointment notifications via call center and other channels
5.5. Identity verification by operations staff
5.6. Measurement and enhancement of patient satisfaction
5.7. Invoicing by financial and operational departments
5.8. Responding to inquiries and complaints regarding healthcare services

Technical Requirements:

6.1. Internal planning and management by relevant departments
6.2. Research and analysis to improve service quality and patient experience
6.3. Staff training by HR and quality teams
6.4. Monitoring and preventing misuse by audit and IT teams
6.5. Risk management and quality improvement efforts
6.6. Ensuring data security through administrative and technical measures
6.7. Arranging communication for transportation, accommodation, and protocol services within medical tourism
6.8. Providing campaign and promotional content through digital platforms
6.9. Coordination with educational institutions for training and other activities

Your personal data obtained and processed in accordance with the relevant legislation may be stored both digitally and physically in Furkan CERTEL’s archives and IT systems.

4. Transfer of Your Personal Data to Domestic and Foreign Third Parties

Within the clinic/practice of the doctor, your personal data can only be accessed by employees with limited authority for the specific purposes outlined above and only to the extent necessary to fulfill their job duties.

In accordance with Articles 8 and 9 of the KVKK, and based on the legal grounds such as explicit provision by law, legitimate interest, legal obligation, establishment, use, or protection of a right, protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of healthcare services and financing—your personal data may be processed and transferred under the following conditions, and where required, with your explicit consent:

Authorized persons/institutions/organizations as permitted by the Basic Law on Health Services No. 3359, the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, the KVKK No. 6698, the Regulation on the Processing and Protection of Personal Health Data, and other relevant legislation;

Our suppliers, potential suppliers, and their employees (e.g., social security consultants, sworn financial advisors, legal consultants, IT and data hosting providers, scheduling and appointment platforms), for the purpose of procuring products and/or services necessary for clinical operations;

Patient’s relatives, companions, proxies or legal representatives, and other authorized third parties, in line with applicable health regulations (KVKK, Patient Rights Regulation, Regulation on Personal Health Data), court orders, or with patient/legal heir approval—for sharing the patient’s health status, accompanying the patient, receiving and delivering personal belongings or medications, and processing payment transactions;

Business partners and potential business partners, and their employees (e.g., affiliated laboratories and pharmaceutical depots), for the purpose of ensuring business continuity and establishing potential collaborations within the scope of services provided at the clinic;

With your explicit consent, on our social media platforms;

Banks, private health or supplementary insurance companies, and affiliated institutions/organizations, for the purpose of planning or conducting financial and accounting operations and insurance transactions related to healthcare services;

Referring institutions, other healthcare institutions, doctors, and healthcare personnel, as well as domestic/foreign laboratories, to ensure accurate medical diagnosis and treatment and for consultations;

Authorized institutions and private individuals, for fulfilling legal obligations and legal procedures (e.g., Republic of Turkey Ministry of Health, Provincial Health Directorates, other units affiliated with the Ministry of Health, Social Security Institution of Turkey, courts);

Domestic/foreign organizations and other third parties and legal representatives, with whom we have contractual service agreements or partnerships, for conducting our operations;

Attorneys, consultants, auditors, and other authorized legal representatives providing consultancy or representing us;

Shareholders and legal representatives authorized by you.

5. Duration of Personal Data Processing

Your personal data are stored and destroyed in accordance with the general principles and procedures specified in the relevant legislation, including the KVKK, the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and our internal data retention and destruction policies and procedures.

In this context, your personal data will be destroyed once all conditions for processing personal data under Articles 5 and 6 of the KVKK cease to exist. Accordingly, your data will continue to be processed for the duration of your relationship with our clinic/practice and for the applicable statutory limitation periods thereafter.

Personal data processed based on your explicit consent will be destroyed during the first destruction period following your withdrawal of consent. For requests concerning the destruction of your personal data, please refer to Section 6 of this Information Notice.

6. Your Rights Under the KVKK

As the data subject, you have the following rights under Article 11 of the Law on the Protection of Personal Data (KVKK):

To learn whether your personal data is being processed,

To request information if your personal data has been processed,

To learn the purpose of the processing and whether your data is being used in accordance with that purpose,

To know the third parties to whom your personal data is transferred within the country or abroad,

To request the correction of your personal data if it is incomplete or incorrectly processed and to request notification of these corrections to third parties to whom your data has been transferred,

To request the deletion or destruction of your personal data in the event the reasons for processing cease to exist, even if it has been processed in accordance with the law and other relevant legislation, and to request notification of this deletion or destruction to third parties to whom your data has been transferred,

To object to any unfavorable outcome resulting from the analysis of your personal data exclusively by automated systems,

To request compensation for any damages incurred due to the unlawful processing of your personal data.

To exercise your rights mentioned above, you may send your request (application letter) including your explanations regarding the right(s) you wish to exercise under Article 11 of the KVKK, along with the necessary documents to verify your identity, via one of the following methods:

By sending it via notary to our address: Atatürk Mah. Ertuğrul Gazi Sok. No: 2E/353 Ataşehir/İSTANBUL,

By delivering it in person with ID-verifying documents to the same address,

Or by sending it via email with a secure electronic signature to: info@furkancertel.com.

7. Cases Where Personal Data May Be Processed Without Explicit Consent Under the KVKK

According to Article 5 of the KVKK and Article 7 of the Regulation, your personal data may be processed without your explicit consent in the following cases:

When explicitly provided for by law,

When it is impossible to obtain your consent due to actual impossibility or legal invalidity and it is necessary to process your personal data to protect the life or physical integrity of yourself or another person,

When processing is directly related to the establishment or performance of a contract, and your personal data must be processed as a party to that contract,

When processing is necessary to comply with a legal obligation,

When the data has been made public by you,

When processing is necessary for the establishment, exercise, or defense of a legal right,

In the case of personal health data, without your explicit consent, it may be processed by persons or authorized institutions and organizations under a duty of confidentiality, for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and financing, and may be transferred to the relevant institutions and organizations in accordance with the law and applicable regulations.