PERSONAL DATA PROCESSING AND PROTECTION POLICY

ARTICLE 1 - INTRODUCTION

1.1. Introduction

Law No. 6698 on the Protection of Personal Data ("Law") imposes important obligations on personal data processors regarding the processing of personal data, in order to protect the fundamental rights and freedoms of individuals, in particular the privacy of private life. Doktorumsun Health and Technology Services Medical Organization Foreign Trade Limited Company ("Company"), registered in the Istanbul Trade Registry with its central address at Merkez Mah. Halitpaşa Cad. Sinan Business Center Apt. No. 40/5 Gaziosmanpaşa Istanbul, takes a meticulous and sensitive approach to fulfilling its obligations and making all of its data processing processes compliant with the legislation. For this purpose, the Company's personal data processing and protection processes have been determined in this Personal Data Processing and Protection Policy ("Policy"), taking into account all aspects of the Law and related legislation.

1.2. Purpose and Scope

1.2.1. Purpose

This Policy has been prepared in order to inform the persons and employees in the data categories specified below within the scope of the Company's personal data processing and protection activities, to create a detailed guide on the processes and principles adopted by the Company, and to present to the relevant parties the practices that the Company has developed and implemented in order to fulfill its obligations arising from the Law and related legislation.

1.2.2. Scope

The data subject groups that are subject to the Policy are detailed below. The personal data of real persons in the data subject categories such as employee, employee candidate, employee relative, supplier representative, customer and visitor, whose personal data is processed by the Company, are processed and protected within the framework of the provisions of this Policy, automatically or as part of a data recording system by non-automatic means.

Data Subject Group  

“Employee”

It refers to the persons who have a service contract with the Company.

“Employee Candidate”

It refers to the persons who are taken into the evaluation process by the Company to make a service contract.

“Employee Relative”

It refers to the family members of the Company employees such as spouse, child, etc.

“Customer” (Expert Member, User Member)

It refers to the real persons whose data is processed by being evaluated as a customer or a potential customer through verbal or written contracts that the Company offers its products and/or services or in line with the transactions of the Company departments.

“Visitors”

It refers to the persons who visit the locations where the Company operates and the Company's e-commerce site.

“Third Parties”

It refers to the persons whose personal data is processed in accordance with the provisions of the Policy and who are not defined under a separate title in the Policy. 

1.3. Policy and Applicable Law

This Policy aims to ensure that the obligations regarding personal data processing brought by the Law and related legislation are systematically fulfilled. Since our Company's priority and sensitivity is "to act in accordance with the legislation in order to protect the right of individuals to protect their personal data arising from the Constitution of Turkey", our Company will work to apply the Applicable Law in case of a contradiction between this Policy and Applicable Law.

1.4. Enforcement and Amendment of the Policy

This Policy has been prepared under the meticulous work and leadership of the Company's Personal Data Protection Commission and has come into force after being approved by the authorized body.

It will be audited by the Personal Data Protection Commission every 6 months and the necessary changes will be made to ensure compliance with the relevant current legislation. These changes will be published on the Website with the approval of the Company's authorized body. Upon request, they may also be presented to the Relevant Persons through different channels within the limits of the legislation and at the discretion of the Company.

ARTICLE 2 - DEFINITIONS

“Recipient Group”

It means the category of real or legal persons to whom personal data are transferred by the data controller.

“Relevant Person”

It means the real person whose personal data are processed.

“Personal Data”

It means any information relating to an identified or identifiable natural person.

“Processing of Personal Data”

It means any operation performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing their use, wholly or partly by automatic means or by non-automatic means provided that they are part of any data recording system.

"Special Qualified Personal Data"

It refers to data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership of association, foundation or union, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

"Data Category"

It refers to the personal data class belonging to the data subject group or groups grouped according to the common characteristics of personal data.

"Data Subject Group"

It refers to the category of relevant persons whose personal data are processed by data controllers.

"User Member"

It refers to users who are members of the website in order to benefit from the contents and services of Expert Members on the website.

"Board"

It refers to the Personal Data Protection Board.

"Request Management Procedure"

It refers to the guide procedure that determines the details of the right of application to the Data Controller recognized by Article 11 of the Law and the Company's response process to the application.

"Expert Member"

It refers to persons who are members of the website with the title of expert in the field of "health" such as aesthetician, doctor and similar.

“Data Controller”

It refers to the Company that determines the purposes and means of processing personal data, and is responsible for establishing and managing the data recording system.

“Website”

It refers to the doktorumsun.com site where the Company conducts its online activities.


ARTICLE 3 - PROCESSING OF PERSONAL DATA

The Company complies with the provisions stipulated in the Law from the first moment of contact with personal data of each data subject group until the final moment of destruction of personal data while designing the personal data processing processes of each data subject group. One of the main purposes of this Policy is to inform the relevant persons transparently about our Company's principles of processing and protecting personal data. The methodology adopted in the Policy is based on the goal of "Following the personal data's journey within the Company from beginning to end". For this reason, the Relevant Person will find the answers to the following questions in this article.

i. In which data categories does the Company process personal data?

ii. Which Special Qualified Personal Data does the Company process?

iii. How has the Company structured its processes of informing the Relevant Person and obtaining the Explicit Consent of the Relevant Person? What are the situations where the Company processes data without Explicit Consent?

iv. What principles does the Company adopt when processing personal data?

v. For what purposes does the Company process personal data?

vi. In which environments does the Company record and store personal data?

vii. To which recipient groups does the Company transfer personal data domestically and abroad?

viii. What is the Company's retention and deletion policy for the personal data it processes?


3.1. Data Categories Processed by the Company

The Company processes data in the following data categories within the scope of the purposes specified in Article 3.5 of the Protocol, in accordance with the principles in Article 4 of the Law and limited by the conditions in Articles 5 and 6 of the Law.

Data Category

Identity 

It refers to the information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable natural person, such as name-surname, T.C. identity number, nationality information, name of mother and father, place of birth, date of birth, gender, workplace information, blood group, registration number, tax number, title, biography, etc. contained in documents such as identity card, residence certificate, driver's license, passport, lawyer's identity card, marriage certificate and similar documents.

Communication 

It refers to the information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable natural person, such as phone number, email address, fax number, social media accounts, etc.

Personal Data 

It refers to the information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable natural person, such as education level, certificate and diploma information, foreign language information, education and skills, CV, courses taken, leave, seniority base date, leave seniority additional day, leave group, exit/return date, day, reason for leave, address/phone where he/she will be on leave, position name, department and unit title, last entry date, entry and exit dates, insurance entry/retirement, social security number, flexible working hours status, travel status, number of working days, projects worked on, monthly total overtime information, severance pay base date, severance pay additional day, strike days, any personal data processed for obtaining internet access logs of the employee, entry and exit logs and performance, education and skills required for the employee to advance in his/her position, information on which training he/she received on which date, e-mail, signed attendance form, customer meeting quality evaluation form, monthly performance evaluation and target realization status, activity information, etc.

Legal Transaction 

It refers to the information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable natural person, such as foreclosure notices and similar court/enforcement office documents, etc.

Customer Transaction 

It refers to information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable natural person, such as delivery note, invoice information and order information.

Transaction Security 

It refers to information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable natural person, such as internet traffic data, network activities, IP address, visit data, time and date information.

Finance 

It refers to information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable natural person, such as bank account number, bank account information (IBAN no, account holder etc.), credit card information, financial and salary details of employees, payrolls, premium entitlements, premium amounts, file and debt information related to enforcement follow-up files, bank account wallet, minimum subsistence allowance information, private health insurance amount, etc.

Professional Experience 

It refers to information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable natural person, such as the places where employees and Expert Members worked before and the professional certificates they obtained.

Marketing 

It means information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable real person, such as user behaviors obtained with cookie technology.

Visual and Auditory Records 

It means information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable real person, such as photographs, audio and video recordings.

Other Information 

It means information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable real person, such as identity and contact information of family members, performance evaluation, movable information allocated to the employee, information required for customized products.

3.2. Special Qualified Personal Data Processed by the Company

In Article 6 of the Law, Data Categories that are subject to special treatment due to the risk of causing discrimination in society have been determined and these Data Categories are called Special Qualified Personal Data. The Company strives to process Special Qualified Personal Data only in mandatory cases and as narrowly as possible.  

The Company takes all administrative and technical measures necessary for the protection of Special Qualified Personal Data it processes. It ensures the effective and reliable execution of the administrative and technical measures taken with regular audits conducted under the management of the Personal Data Protection Commission.

Special Qualified Personal Data related to health and sexual life can be processed without the explicit consent of the Relevant Person if:

i. it is clearly stipulated in the laws; or

ii. it is processed by persons or authorized institutions and organizations under the obligation of secrecy, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

The Special Qualified Personal Data processed by the Company are subject to a more sensitive treatment in terms of storage conditions. In this context, the obtained data are stored in separate files and locked cabinets and are accessible to a limited number of authorized employees.

The Special Qualified Personal Data categories processed by the Company are as follows.

Special Qualified Personal Data Categories

Association Membership 

It means information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable real person, indicating the associations of which the person is a member.

Foundation Membership 

It means information processed by automatic or non-automatic means as part of a data recording system, belonging to an identified or identifiable real person, indicating the foundations of which the person is a member.

Trade Union Membership 

It refers to the information processed by automatic or non-automatic means as part of a data recording system, provided that it belongs to a real person whose identity is certain or identifiable, indicating the trade union to which the person is a member.

Health Information 

It refers to the information processed by automatic or non-automatic means as part of a data recording system, provided that it belongs to a real person whose identity is certain or identifiable, indicating the health status of the person in documents such as health report, disability report.

For User Members, it means the examination appointments they receive through the Website.

3.3. Informing the Relevant Person and Obtaining Explicit Consent

3.3.1. Methods of Obtaining Personal Data

The Company obtains personal data through the following methods.

3.3.2. Disclosure 

The Company fulfills its obligation to inform in accordance with Article 10 of the Law while obtaining personal data. The Company informs the Relevant Persons at least about its identity, the purpose for which personal data are processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and other rights of the Relevant Person within the scope of Article 11 of the Law. 

Depending on how the personal data is obtained, the Company may fulfill its obligation to inform verbally, in writing, by sound recording, through the call center, or in a physical or electronic environment.

When the Company obtains the personal data of the Relevant Person, in cases where it carries out the personal data processing activity based on the Explicit Consent condition, it fulfills its obligation to inform and obtains Explicit Consent separately.

3.3.3. Explicit Consent

The Company starts processing personal data after obtaining the consent of the Relevant Person, given of his/her completely free will, except in the exceptional cases where there is no obligation to obtain explicit consent. Explicit consent is limited to the personal data processing purposes and personal data processing principles specified, for the relevant data categories, in the disclosure made under Article 3.3.2. The Company is aware that its personal data processing activity is limited by the approval given in this explicit consent. If it wants to change or expand its personal data processing purposes for the relevant data categories, it declares and undertakes that it will inform the Relevant Person and obtain a separate explicit consent.

3.3.4. Situations Where Personal Data Can Be Processed Without Explicit Consent

In the following cases, personal data may be processed by the Company without the explicit consent of the Relevant Person.

i) Being clearly stipulated in laws: In case there is a provision regarding personal data processing in the legislation and personal data is processed based on this provision, explicit consent is not required. Keeping personal information of employees in accordance with the Labor Law, including name and surname information on invoices in accordance with the Tax Procedure Law are examples of this situation.

ii) Processing personal data of a person who is unable to express his/her consent due to actual impossibility or whose consent is not legally valid, provided that it is necessary for the protection of the life or physical integrity of himself/herself or of another person: The Company has the right to process the data of a Relevant Person who is unable to express his/her consent due to actual impossibility, or whose consent is not legally valid, in order to protect his/her or someone else's life and physical integrity. Processing personal data such as the name, surname, blood group and phone number of a person who loses consciousness, in order to protect his/her life, is an example of this situation.

iii) Processing personal data of the parties of a contract, provided that it is directly related to the establishment or performance of the contract: The Company has the right to process personal data of the other party without obtaining explicit consent in order to establish and perform the contracts it is a party to. Processing personal data such as address and account information of a real person counterparty in a contract that has payment and delivery obligations is an example of this situation.

iv) It is mandatory for the data controller to fulfill its legal obligation: The Company has the right to process personal data without explicit consent in order to fulfill its legal obligations. The Company's processing of employee account information in order to pay their salaries is an example of this situation.

v) Disclosure by the Relevant Person himself: The Company has the right to process personal data within the scope of the purpose of disclosure of the information disclosed by the Relevant Person. An example of this situation is that the Company processes the contact information of its customer who left his contact information for promotion and advertising purposes only for this purpose.

vi) Data processing being mandatory for the establishment, use or protection of a right: The Company has the right to process personal data without the explicit consent of the Relevant Person for the establishment, use or protection of a right. An example of this situation is that the Company informs the person whose service contract has ended with the Company about the garnishment notice sent to him.

vii) Data processing being mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the Relevant Person: The Company has the right to process data without harming the fundamental rights and freedoms of the Relevant Person when it is mandatory for its legitimate interests. An example of this situation is that it is mandatory for the Company to process the personal data of its employees to ensure workplace security.

viii) Special Qualified Personal Data: The provisions adopted regarding the processing of Special Qualified Personal Data without explicit consent are included in Article 3.2.

3.4. Principles Regarding Personal Data Processing

The Company acts in accordance with the provisions of the Law and other legislation while processing personal data of each data subject group from the first moment of contact with personal data to the last moment when personal data is destroyed. It takes the necessary measures to ensure the accuracy and currency of personal data. It processes personal data based on specific, clear and legitimate purposes without ambiguity. It keeps personal data limited to the period stipulated in the relevant legislation or required for the purpose for which they are processed. The Company evaluates each data category in line with these principles while designing processes in accordance with the Law and related legislation. Detailed explanations of these principles are given below.

3.4.1. Compliance of Personal Data Processing Activity with Law and Rules of Honesty

The Company acts in accordance with the Law and other legislation while processing personal data. In addition, it stays within the limits of honesty rules while processing personal data and does not engage in processing activities that exceed the purpose of processing personal data. It always acts in a manner that will avoid harming the Relevant Person by staying within the limits of legitimate purposes.

3.4.2. Ensuring that Obtained Personal Data is Accurate and Up-to-Date When Necessary

The Company takes measures to ensure that the personal data it processes in accordance with this Policy provides reliable, accurate and up-to-date information on the subject it expresses. These measures are evaluated by the Company specifically for each data subject group and data category, and systems are established to ensure information accuracy and currency when necessary. 

3.4.3. Processing of Personal Data Obtained for Specific, Explicit and Legitimate Purposes

The Company determines, without any ambiguity, the purposes for which it processes personal data and obtains explicit consent from the Data Subject within the scope of these purposes. These clear and specific purposes are related to the products and services of the Company and are limited to what these products and services require. These purposes are determined before the data processing activity begins and the Data Subject is informed about the purposes.

3.4.4. Personal Data Being Relevant, Limited and Proportionate to the Purposes for Which They Are Processed

The Company processes data only for the specific, explicit and legitimate purposes it has determined and limited to this. It is aware that a personal data processing activity that does not serve these purposes would be contrary to the Law and acts with this awareness and sensitivity and pays attention to proportionate data processing.

3.4.5. Being Retained for the Period Foreseen in the Relevant Legislation or Required for the Purpose for Which They Are Processed

The Company keeps the personal data it processes in accordance with the periods specified in the relevant legislation. If no such period is specified in the relevant legislation, it will be kept for as long as necessary for the purpose. The Company destroys personal data whose purpose has been achieved and whose periods required for the purpose have expired in accordance with its Personal Data Retention and Destruction Policy.


3.5. The Company's Personal Data Processing Purposes

The Company processes data within the limits of the conditions in Articles 5 and 6 of the Law and in light of the principles in Article 4 of the Law for the following purposes;

Conducting emergency management processes,

Conducting information security processes,

Conducting employee candidate, intern and student selection and placement processes,

Conducting application processes for employee candidates,

Conducting employee satisfaction and loyalty processes,

Fulfilling contractual and legal obligations for employees,

Conducting side benefits and interests processes for employees,

Conducting audit and ethics activities,

Conducting training activities,

Conducting access authorization processes,

Conducting activities in compliance with the legislation,

Conducting finance and accounting works,

Conducting loyalty processes to the company, products and services,

Conducting assignment processes,

Following up and conducting legal affairs,

Conducting internal audit, investigation and intelligence activities,

Conducting communication activities,

Planning human resources processes,

Conducting business activities and control,

Conducting improvement proposals for business processes and evaluation,

Conducting activities to ensure occupational health and safety,

Conducting activities to ensure business continuity,

Conducting sales of products and services,

Conducting customer relationship management processes,

Conducting activities for customer satisfaction,

Organizing and managing events,

Conducting marketing analysis studies,

Conducting advertising, campaign and promotion processes,

Conducting risk management processes,

Conducting storage and archive activities,

Conducting contract processes,

Conducting strategic planning activities,

Monitoring and tracking demands and complaints,

Conducting salary policy,

Conducting product and service marketing processes,

Providing data controller operations security,

Conducting operations for foreign personnel work and residence permits,

Conducting investment processes,

Conducting talent/career development activities,

Providing information to authorized persons, institutions and organizations,

Conducting management activities,

Creating and tracking visitor records.

3.6. Environments Where Personal Data is Recorded and Stored

Any medium containing personal data that is processed by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system, is within the scope of the recording medium.

Personal data collected by the Company can be recorded in various media depending on considerations such as the nature of the data, the purposes of processing and the frequency of use. The Company stores personal data securely in electronic and physical environments in accordance with the relevant legislation and within the framework of international data security principles.

Electronic media:

Environments such as software, cloud, central server, portable media, database

Physical environments:

Peripheral systems such as locked or unlocked cabinets, archive, paper, network device, flash-based media, magnetic tape, magnetic disk, mobile phone, optical disc, printer, door access/security system

The Company processes and stores personal data for specific and legitimate purposes, in the light of the principles detailed in the Law and the Policy, and in accordance with the retention period stipulated in the Law.

3.7. Transfer of Personal Data

Within the purposes adopted by the Company and limited to the provisions of the Law, the Company may transfer personal data to certain recipient groups for certain purposes, both domestically and abroad.

3.7.1. Domestic Personal Data Transfer

When transferring personal data domestically, the Company acts in accordance with the following conditions.

i. If the Relevant Person has given explicit consent, personal data can be transferred domestically.

ii. Personal data can be transferred without the explicit consent of the Data Subject if there is a clear regulation in the legislation regarding the transfer of personal data.

iii. Personal data can be transferred to third parties without the explicit consent of the Data Subject if it is necessary to protect the life or physical integrity of the data subject or another person and the data subject is unable to express his/her consent due to actual impossibility or his/her consent is not legally valid.

iv. Personal data can be transferred to third parties without the explicit consent of the Data Subject if it is necessary for the establishment or performance of a contract, provided that it is directly related to the parties of the contract.

v. Personal data can be transferred to third parties without the explicit consent of the Relevant Person if the transfer is mandatory for the Company to fulfill its legal obligation.

vi. Personal data that has been made public by the personal data owner can be transferred to third parties without the explicit consent of the Relevant Person, limited to the purpose of disclosure.

vii. Personal data can be transferred to third parties without the explicit consent of the Relevant Person if the transfer is mandatory for the establishment, use or protection of a right.

viii. Personal data can be transferred to third parties without the explicit consent of the Relevant Person if the transfer is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the Relevant Person.

3.7.2. Transfer of Personal Data Abroad

The Company transfers the personal data it processes abroad only if there is Explicit Consent of the Relevant Person.

a) The personal data of the Relevant Persons may be transferred abroad without obtaining explicit consent in cases where one or more of the following conditions exist, provided that the country or countries to which the personal data will be transferred (a) are declared by the Board to have adequate protection or (b) if they are not among the countries announced by the Board, a written commitment to provide adequate protection is obtained from the data controllers in the relevant foreign country and permission is obtained from the Board.

i. Personal data can be transferred abroad if there is a clear regulation in the legislation regarding the transfer of personal data.

ii. If it is mandatory to protect the life or physical integrity of the personal data subject or someone else and the personal data subject is unable to express his/her consent due to actual impossibility or his/her consent is not legally valid, personal data can be transferred abroad.

iii. Personal data can be transferred abroad without the explicit consent of the Data Subject, provided that it is directly related to the establishment or performance of a contract and that the transfer of personal data belonging to the parties of the contract is necessary.

iv. If personal data transfer is mandatory for the Company to fulfill its legal obligation, personal data can be transferred abroad.

v. If the personal data has been made public by the personal data subject, it can be transferred abroad limited to the purpose of making it public.

vi. If personal data transfer is mandatory for the establishment, use or protection of a right, personal data can be transferred abroad.

vii. Personal data can be transferred to third parties without the explicit consent of the Data Subject, provided that it is necessary for the legitimate interests of the Company and that it does not harm the fundamental rights and freedoms of the Data Subject.

b) Special Category Personal Data: The Company may transfer Special Category Personal Data abroad, in accordance with the principles and purposes set forth in this Policy, by taking administrative and technical measures, complying with the special measures taken by the Board and obtaining the Explicit Consent of the Data Subject. In order for the Company to be able to transfer Special Category Personal Data abroad without obtaining the Explicit Consent of the Data Subject, (a) the country or countries to which the personal data will be transferred must be one of the countries declared by the Board to have adequate protection or (b) if it is not one of the countries declared by the Board, a written commitment to provide adequate protection must be obtained from the data controllers in the relevant foreign country and permission must be obtained from the Board, and (c) one or more of the following conditions must exist.

i. Special Category Personal Data other than health and sexual life: The Company may process Special Category Personal Data other than health and sexual life without obtaining the explicit consent of the data subject if it is explicitly stipulated in the legislation.

ii. Special Category Personal Data related to health and sexual life: It may be processed without seeking explicit consent by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

3.8. Personal Data Storage and Destruction Policy

The Company stores personal data for a limited period of time as stipulated in the relevant legislation. In case there is no storage period stipulated in the legislation regarding the stored personal data, the Company determines reasonable storage periods according to the personal data processing purpose and commercial customs and stores personal data for these periods. When the storage periods mentioned in this article expire, personal data are deleted, destroyed or anonymized by the Company.

4. RIGHTS OF THE RELATED PERSON

4.1. Rights of the Related Person

The Related Person has the right to apply to the Company about personal data issues, using the application form in Annex 1:

i. To learn whether personal data is processed or not,

ii. To request information if personal data has been processed,

iii. To learn the purpose of processing personal data and whether they are used appropriately for their purpose,

iv. To know the third parties to whom personal data are transferred domestically or abroad,

v. To request the correction of personal data that has been processed incompletely or inaccurately,

vi. To request the deletion or destruction of personal data,

vii. To request that the processes related to the correction and/or deletion or destruction of personal data be notified to third parties to whom personal data have been transferred,

viii. To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,

ix. To request compensation for the damage arising from the unlawful processing of personal data.

4.2. The Company's Request Management

The Company has prepared the Procedure to protect the rights of the Relevant Person regulated by the Law and related legislation and to fulfill its own obligations in this regard. In accordance with this Procedure, the Company makes every effort to provide the information that the Relevant Person requests by applying to the Company regarding his/her personal data, free of charge, as soon as possible and within thirty days at the latest. In case the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged to the Relevant Person. The Company examines the request, accepts or rejects it, and notifies the Relevant Person of its answer in writing or electronically. If the request in the application is accepted, the Company fulfills what the request requires. If the application arises from a mistake of the Company, the fee received is returned to the Relevant Person.

Related Persons can use their rights by filling out the application form in ANNEX 1 and sending it with a wet signature via notary, KEP or e-mail to the address Muratpaşa Mah. Uluyol Cad. İstanbul Tower Plaza No: 19 Office:23 Bayrampasa Istanbul, by delivering it personally or through a proxy to the same address, or by sending it to the e-mail address iletisim@doktorumsun.com.

Documents proving identity, documents supporting the request if any, and a copy of a power of attorney containing special authorization for this matter in case the Related Person wants to use this right through a proxy must be submitted along with the form.