Personal Data Protection Law

PROTECTION OF PERSONAL DATA

T.C. BAHÇEŞEHİR UNIVERSITY FACULTY OF DENTISTRY

BAU DENTAL HOSPITAL

INFORMATION TEXT UNDER THE PERSONAL DATA PROTECTION LAW

Bahçeşehir University Dental Hospital (“Bahçeşehir University”) has formulated this information document (“Information Document”) to apprise you of the collection, processing, and transfer of your personal data, including health data, within the framework of the Law on the Protection of Personal Data No. 6698 (“KVKK”) as the Data Controller.

Your personal data, encompassing health data and other special and general personal data, may be processed, and transferred by Bahçeşehir University Dental Hospital in accordance with the conditions and purposes of personal data processing stipulated in Articles 5 and 6 of Law No. 6698.

For detailed information about your collected, processed, and transferred personal data, you can refer to the Personal Data Protection Board’s Data Controllers Registry Information System (“VERBIS”).

You can access the VERBIS records of Bahçeşehir University Dental Hospital by searching for the phrase “Bahçeşehir University” on the “Registry Inquiry” section at https://verbis.kvkk.gov.tr.

1. Method and Legal Basis for Personal Data Collection:

Our hospital collects personal data through direct acquisition during diagnosis and treatment, or through manual, digital, automatic, partially automatic, or integrated methods, and via hand delivery, mail, or courier. These personal data are collected to provide health services and fulfill legal obligations specified in the “Purpose of Personal Data Processing” clause. In addition to these purposes, personal data may be processed and transferred within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of Law No. 6698.

2. Purposes of Processing Personal Data:

The processing of personal data adheres to the principles regulated under the title “General Principles” in Article 4 of the law, including compliance with legality and fairness, accuracy and being up-to-date when necessary, processing for specific, clear, and legitimate purposes, being related to the purpose of processing, being limited and proportionate, and being kept for the period stipulated by the relevant legislation or required for the purpose of processing. Your personal data is collected based on the personal data processing conditions specified in Articles 5 and 6 of the Law No. 6698 on the Protection of Personal Data, within the scope of carrying out and improving the medical, technical, and administrative processes of our hospital/university for the purpose of providing health services. Your personal data, depending on your relationship with our hospital/university, may be collected by our hospital/university through automatic or non-automatic methods, verbally, in writing, or electronically. Your data will be updated as long as your relationship with our hospital/university continues, and the mandatory data will be processed by our hospital/university as the Data Controller in accordance with the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698 on the Protection of Personal Data to fulfill our legal responsibilities.

Your personal data is processed in a proportionate manner for the following purposes:

1- Fulfilling legal and regulatory requirements arising from all relevant laws and secondary regulations related to Law No. 2547 on Higher Education, Turkish Labor Law No. 4857, Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Law on Consumer Protection No. 6502, Act No. 3308 on Apprenticeship and Occupational Training, Law on Occupational Health and Safety No. 6331, Law on the Protection of Personal Data No. 6698, Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed by Means Of Such Publication, Tax Procedure Law No. 213, Social Insurance and General Health Insurance Law No. 5510, Fundamental Law on Healthcare Services No. 3359, Statutory Decree Concerning the Organization and Duties of the Ministry of Health and Affiliated Organizations No. 663, Private Hospitals Regulation, Regulation on the Processing and Privacy of Personal Health Data, etc.,

2- Conducting necessary work by our relevant units for patients to benefit from the products and services of our hospital or units affiliated with our hospital,

3- Ensuring the life and property security, as well as legal, commercial, and occupational health and safety of patients benefiting from the services of our hospital or units affiliated with our hospital,

4- Protection of public health, execution of preventive medicine, medical diagnosis, treatment, and care services,

5- Sharing of information requested by the Ministry of Health (E-Nabız) and other public institutions and organizations in accordance with relevant legislation,

6- Sharing of requested medical information with private insurance companies within the scope of financing health services, covering examination, diagnosis, and treatment expenses,

7- Invoicing for the services received,

8- Planning and managing the internal functioning of the institution,

9- Monitoring and preventing misuse and unauthorized transactions,

10- Responding to all kinds of questions and complaints related to the services you receive, measuring, increasing, and investigating patient satisfaction,

11- Providing information about the services received, complementary services, and new services,

12- Provision of specialized medicines, medical supplies or devices,

13- Informing about appointments through the Call Center and Digital Channels,

14- Information about the degree of proximity of the person bringing the patient in case of emergency incidents,

15- Witness information during the obtaining of the legal representative’s approval if needed,

16- Interpreter information if needed,

17- Name, surname, and signature information of the patient’s consultant,

18- Determining and sharing your location with the relevant authorities in accordance with the legislation in case of emergency calls.These purposes include but are not limited to the execution, improvement, planning, and management of medical diagnosis, treatment, and care services, the planning and management of health services and their financing, the increase and research of patient satisfaction, and related reasons.

3. Personal Data Collected Regarding Patients:

– Identity data such as name, surname, Republic of Turkey (“T.R.”) identification number, passport number, or temporary T.R. identification number for non-T.R. citizens, place, and date of birth, marital status, gender.

– Photocopy of T.R. Identity Card or Driver’s License.

– Height-weight, blood type information.

– Health insurance, private health insurance, payer institution information, and Social Security Institution data,

– Occupation, workplace registry, and/or patient identification card number, and other identity data that can identify the patient,

– Contact data such as address, phone number, email address,

– Personal data obtained upon contact, such as call records kept in accordance with call center standards, and any and all personal data obtained upon contact through means such as e-mail, letter, etc.,

– Financial data such as bank account number, IBAN, credit card information, billing, and invoice information,

– Medical diagnosis, examination data, test, laboratory, and imaging results, prescription information, patient medical reports, diagnosis data, biometric and genetic data, doctor analysis, and comments obtained during the execution of medical diagnosis, treatment, and care services,

– Treatment planning data, intraoral measurements taken in traditional or digital ways, intraoral (panoramic), intraoral X-ray reports, cephalometric X-ray reports, dental volumetric tomography report,

– Data related to previous examinations, diagnoses, and tests transmitted with the patient’s consent, medical laboratory and imaging results, test results, prescription information,

– Shared responses and comments for evaluating the services received

– Closed-circuit camera system images and voice recordings taken during hospital visits,

– Vehicle plate information in case of using parking and valet services,

– Location information, IP address, browser information, form information obtained during website and mobile application use,

– Identification number/passport number and date of birth required for creating e-appointments through the website and mobile application, navigation information, IP address, browser information, and medical documents transmitted with the patient’s consent,

– Name-Surname, Email, Phone Number, and location data required for the request or complaint form created on the website and mobile application,

– Representative information for communication with the legal representative if the patient is not of legal age,

– Emergency contact information for reaching in case of emergency, including Name-Surname and Phone Number,

4. To Whom and For What Purpose Personal Data May be Transferred

The patient’s personal data may be transferred to relevant institutions under the conditions specified in Article 5, paragraph 2, and Article 6, paragraph 3 of Law No. 6698, provided that sufficient measures are taken when the personal data processing conditions and purposes are limited.
Ensuring the appropriate security level in accordance with the Law on Protection of Personal Data, and related health legislation, the patient’s personal data may be transferred, with the necessary technical and administrative measures, to institutions or organizations allowed by the following laws and regulations:

  • Law No. 2547 on Higher Education
  • Fundamental Law on Healthcare Services No. 3359
  • Social Insurance and General Health Insurance Law No. 5510
  • Statutory Decree Concerning the Organization and Duties of the Ministry of Health and Affiliated Organizations No. 663
  • The Law on Practice of Medicine and Medical Sciences no. 1219,
  • Regulation on the Operation of Inpatient Treatment Facilities,
  • Regulation on the Processing and Privacy of Personal Health Data, and other relevant legislation.
  • Ministry of Health, affiliated units, and family health centers,
  • Private insurance companies for financing health services, covering examination, diagnosis, and treatment expenses,
  • Social Security Institution,
  • General Directorate of Security and other law enforcement forces,
  • Population and Citizenship Directorate,
  • Turkish Pharmacists Association,
  • Judicial authorities,
  • Laboratories, medical centers, ambulances, medical device manufacturers, and institutions providing health services with which you are in collaboration for medical diagnosis and treatment,
  • Referral or self-applied healthcare institutions,
  • Legal representatives authorized by the patient,
  • In case of possible legal disputes, legal representatives, tax consultants, auditors of Bahçeşehir University who are legally or contractually obligated to maintain confidentiality,
  • Regulatory and supervisory authorities, and official authorities,
  • If billing is to be made to the employer, workplace physician,
  • Bahçeşehir University affiliates and subsidiaries within the legal limits for the continuity of the services received,
  • Within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law No. 6698, to business partners providing bulk SMS and email sending services for informing about services received, complementary services, new services, etc.

5. Rights of the Personal Data Owner as Stated in Article 11 of Law No. 6698:

As personal data owners, if you wish to exercise your rights, you can submit your requests to our hospital/university using the methods outlined below. Our hospital/university will process your request free of charge as promptly as possible, and within a maximum of thirty days, depending on the nature of the request. However, if the transaction requires an additional cost, our hospital/university will charge the fee specified by the Personal Data Protection Board.
In this context, personal data owners have the right to:

  • Learn whether their personal data is being processed,
  • Request information about the processing of their personal data,
  • Understand the purpose of processing their personal data and whether it is used in accordance with that purpose,
  • Know the third parties to whom personal data is transferred domestically or abroad,
  • Request the correction of personal data if it is incomplete or inaccurately processed, and request notification of this correction to third parties to whom the personal data has been transferred,
  • Request the deletion or destruction of personal data if the reasons requiring its processing cease to exist, despite being processed in accordance with Law No. 6698 and other relevant laws, and request notification of this to third parties to whom the personal data has been transferred,
  • Object to the emergence of a result against the person through the analysis of processed data exclusively through automated systems,
  • Request compensation for damages in case personal data is processed unlawfully and causes harm.

As per the first paragraph of Article 13 of Law No. 6698, you can submit your request to exercise the aforementioned rights in writing or with an electronically signed document to our Healthcare Institution. The channels and methods for submitting your application to our Healthcare Institution under the scope of Article 11 of Law No. 6698 are explained below:

In accordance with Article 5 titled “Application Procedure” in the Regulation on the Procedures and Principles Regarding Application to the Data Controller, you can personally deliver a signed copy of your request to Çırağan Cad. Osmanpaşa Mektebi Sok. No: 4 – 6, 34353, Beşiktaş/Istanbul. Alternatively, you can send it through a notary or other methods specified in Law No. 6698. You can also securely send an electronically signed request to the email address bahcesehiruniversitesi@hs01.kep.tr / kvkk@bau.edu.tr.