Protection of Personal Data



This Policy, named Personal Data Protection and Privacy Policy, covers all departments and employees within Baran Kul (referred to as "The Institution" or "Baran Kul"). This Policy; It was prepared in order to explain the whole of the rules for the processing of personal data and to provide the necessary information, and entered into force on 26.08.2021 after being approved by the Baran Kul management.


Personal data: It is all kinds of information that can be identified or identifiable and includes all situations that enable the identification of the person as a result of carrying a tangible content expressing the physical, economic, cultural, social or psychological identity of the person or associating it with any record such as identity, tax, insurance number.

Special categories of personal data: Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Explicit consent: Consent about a specific subject, based on information and expressed with free will.

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Processing personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, It is all kinds of operations performed on data such as classification or prevention of use. This includes all types of operations performed on the data, starting from the first time the data is obtained.

Personal data owner: Natural person whose personal data is processed

Data registration system: The registration system in which personal data is processed and structured according to certain criteria.

Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

PDPL: Law on Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677

Board: Personal Data Protection Board

Institution: Personal Data Protection Authority

Policy: Baran Kul Personal Data Protection and Privacy Policy


Law on Protection of Personal Data ('PDPL'): Although it is the subject of this Policy, it is the Law No. 6698 of 24 March 2016 published in the Official Gazette dated 7 April 2016 and numbered 29677.


Changes to be made in this Policy with the entry into force of additional legislation within the scope of PDPL or at various times can be followed on the Institution's corporate website, and the current version of this Policy can also be accessed from this corporate site.


It legally processes the personal data of its suppliers, employees, customers, visitors and other real persons who establish a relationship through job applications or any other purpose or channel, in order to carry out health and aesthetic operation activities.

The purpose of this policy is to inform the relevant persons by making an explanation about these processing activities and personal related systems carried out by the Institution and thus to provide transparency regarding personal data.

In this context, the Authority has explained the processing of personal data within the scope of PDPL, the data owners subject to this processing and their rights, together with the use of cookies and similar technologies in this Policy in detail.


2.1 General Principles Regarding Personal Data Processing

The Institution processes personal data in accordance with the following principles, within the scope of the purposes exemplified in the second paragraph of Article 4 of the PDPL and the "Purposes of Processing Personal Data" section of this Policy:

• Compliance with the law and honesty rules

• Being accurate and up-to-date when necessary

• Processing for specific, explicit and legitimate purposes

• Being connected, limited and restrained for the purpose for which they are processed.

• Preservation for the period required by the relevant legislation or for the purpose for which they are processed.

2.2. Personal Data Processed by the Institution

Personal data is processed within the scope of the activities that can be carried out within the Institution through the express consent of the data owners or without being subject to the express consent in accordance with Articles 5 and 6 of the PDPL, and these data are processed only within the framework of the purposes exemplified in the 'Purposes of Processing Personal Data' section of this Policy. These types of personal data, which vary and differ depending on the type and nature of the relationship between the institution and the data owner, the communication channels used and the purpose information mentioned, and which are processed in accordance with the principles in this Policy, are as follows:

• Information identifying the data owner such as your name, surname, citizenship number, citizenship status, passport number or temporary citizenship number, place and date of birth, marital status, employment information, education status, gender, marital status, military service information, criminal record information,

• Data such as date of birth, place of birth, identity number, blood group, religion and photo found in identification documents such as a photocopy of identity card, photocopy of identity card, passport and driver's license,

• Contact information such as address, e-mail, telephone and fax number, as well as communication records within the scope of e-mail correspondence, other voice data,

• Before/After photos, video recordings taken for pre-operative illumination and informative purposes, videos taken during the surgery, photos for monitoring the recovery phase

• Your in-office camera records in order to ensure the physical security of the clinic,

• All kinds of health information and data obtained during or as a result of medical diagnosis, treatment and care services, including but not limited to patient medical reports, diagnostic data, laboratory results, test results, examination data, appointment information,

• Your health data, including but not limited to your external institution laboratory and imaging results, test results, examination data, that you submit for inclusion in your file

• Your financial data such as your bank account number, IBAN number, credit card information only on the slip, billing and billing information,

• Real person information in documents for legal persons such as tax plate, trade newspaper, authorization certificate, certificate of qualification, circular of signature and activity certificate,

• Detailed financial data on pricing, settlement, collection and payment activities.

2.3. Purposes of Processing Personal Data

Personal data can be processed by the Institution within the scope of the following purposes and can be stored as long as these purposes and the relevant legal periods stipulate:

• Confirming your identity,

• Planning and management of medical diagnosis, health services and financing,

• Planning and managing the internal functioning of the clinic and daily operations,

• Analyzing for the purpose of improving health services,

• Informing you about the appointment if you make an appointment,

• Fulfilling legal and regulatory requirements,

• Invoicing for our services,

• Sharing the requested information with the Ministry of Health and relevant public institutions and organizations in accordance with the relevant legislation,

• Taking all necessary technical and administrative measures within the scope of data security of our clinic's systems and applications,

• Analyzing your use of health services and storing your health data in order to develop and improve the health services we offer you,

• Providing the necessary information in line with the requests and inspections of regulatory and supervisory institutions and official authorities,

• Sharing the images of the person on the social media accounts of the clinic, if the data owner gives permission,

• Preserving the information about your health data, which must be kept as per the relevant legislation, and without being limited to these, the execution, development, planning and management of health services and financing, increasing patient satisfaction, Execution of Information Security Processes

• Planning of Human Resources Processes

• Fulfilling Employee Contract and Legislative Obligations

• Execution of Assignment Processes such as appointment, promotion, transfer, internal transfer

• Execution of Wage Policy

• Execution of Performance Evaluation Processes

• Execution of Training Activities

• Execution of Activities in Compliance with the Legislation

• Execution of Finance and Accounting Affairs

• Ensuring Physical Space Security

• Follow-up and Execution of Legal Affairs

• Carrying out Internal Audit / Investigation / Intelligence Activities

• Execution of Communication Activities

• Execution / Supervision of Business Activities by Receiving Necessary Forms and Minutes

• Organization and Event Management

• Providing Information to Authorized Persons, Institutions and Organizations

• Execution of Management Activities

• Execution of Contract Processes

• Evaluation of trial period performance,

2.4. Transfer of Personal Data

The Institution transfers domestic and international data within the framework of the purposes exemplified in the 'Purposes of Processing Personal Data' section of this Policy and in accordance with Articles 8 and 9 of the PDPL, and personal data can be processed and stored in the servers and electronic media used in this context. The nature of these transfers and the parties to which they are shared vary depending on the type and nature of the relationship between the data owner and the Institution, the purpose of the transfer and the relevant legal basis, and these parties are generally as follows:

• Third parties in the country and abroad from whom service is received,

• Direct and indirect shareholders, affiliates, subsidiaries,

• Persons and institutions from whom services and/or consultancy are received,

• Contracted business partners,

• To parties that receive services abroad through software, programs and web-based applications used within the company,

2.5. Collection of Personal Data

In order to meet the purposes exemplified in the 'Purposes of Processing Personal Data' section of this Policy by the Institution, personal data can be obtained directly from employees and customers, suppliers, business partners, official institutions and other physical environments within the framework of the conditions stipulated in Articles 5 and 6 of the PDPL. It can also collect personal data through websites, mobile applications, social media and other public channels or organized trainings, organizations and similar events.

2.6. Retention Period of Personal Data

Personal data are kept within the scope of the relevant legal storage periods within the Institution and are kept for the period necessary for the realization of the activities related to this data and the purposes specified in this Policy. Personal data whose purpose of use is terminated and whose legal storage period has expired is deleted or destroyed by the Institution in accordance with Article 7 of the PDPL.

2.7. Data Owner's Rights within the Framework of PDPL

Within the scope of Article 11 of PDPL, the rights of natural persons whose personal data are processed are regulated and in accordance with this article, data owners have the following rights over the Institution:

• Learning whether personal data is processed or not,

• If personal data has been processed, requesting information about it,

• To learn the purpose of processing personal data and whether they are used in accordance with the purpose,

• Knowing the third parties to whom personal data is transferred in the country or abroad,

• Requesting correction of personal data if it is incomplete or incorrectly processed,

• Requesting the deletion or destruction of personal data, in case the reasons for processing disappear,

• Requesting notification of correction and deletion processes to third parties to whom personal data has been transferred,

• Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,

• Requesting the compensation of the damage in case of loss due to unlawful processing of personal data.

Requests from data owners for the use of one of the above rights will be met by the Authority within 30 days at the latest. These requests can be delivered to the address “Bahçelievler Mahallesi D-100 Yanyol Sokak No 14/809 Bahçelievler/Istanbul” by hand with identification documents, sent to the same address through a notary public or sent to with secure electronic signature. . In case the requests require additional costs, the Institution may charge a fee in the amounts determined within the scope of the relevant legislation.


2.8. Data Transfer Abroad

Personal data is transferred abroad (via software, programs, web-based applications used within the Company) in accordance with the legislation in order to meet the purposes exemplified in the "Purposes of Processing Personal Data" section of this Policy for the purposes of processing, storage, administration or any other use specified in this Policy. In these transfers, necessary measures are taken to protect personal data as required.

2.9. Security of Personal Data

The institution attaches importance to protecting the confidentiality and security of personal data. Accordingly, necessary technical and administrative security measures are taken to protect personal data against unauthorized access, damage, loss or disclosure. Accordingly, necessary systemic access controls, data access controls, secure transfer controls, business continuity controls and other necessary corporate controls are implemented.




This Policy will enter into force on the date it is approved by the Institution Management. Changes to be made in the Policy will enter into force after the approval of the Institution Management. The policy is normally reviewed and updated once a year. However, in line with legislative changes, changes in a referenced technical standard, the actions and/or decisions of the Personal Data Protection Board, and court decisions, the Institution reserves the right to revise this Policy and, when necessary, update, change or abolish the policy and create a new policy. amount. The authority to decide on the repeal of the Policy belongs to the Institution Management.

Copyright © 2021 Baran Kul, MD. All rights reserved.