MLPH International Health Tourism Consultancy Services Ltd. Co. is a global health tourism consultancy company based in Turkey, operating under the brand name MEDPROPER. Hereinafter, in this document, we will refer to our company as MEDPROPER. Our company, along with its subsidiaries operating domestically and internationally, strives to comply with legal regulations with utmost care. We take necessary administrative and technical measures to ensure compliance with personal data protection legislation, establish the infrastructure, and undertake all necessary efforts to transform this matter into not only a legal requirement but also an organizational culture.
The main purpose of the Policy on Protection and Processing of Personal Data ("Policy") of MEDPROPER is to provide explanations regarding the lawful conduct of personal data processing activities and the systems adopted for the protection of personal data. Within this scope, the Policy aims to ensure transparency by informing individuals, including our employees, job applicants, former employees, company shareholders, company officials, visitors, employees, shareholders, and officials of collaborating institutions, customers, potential customers, and third parties, whose personal data is processed by our company. The Policy regulates the fundamental principles and data security principles that demonstrate the required practices of legal regulations in the company and its domestic and international subsidiaries. The objective of this Policy is to ensure compliance with legislation, establish and maintain an orderly system, and achieve sustainability.
This Policy has been developed and prepared based on the General Data Protection Regulation (GDPR) of the European Union, Regulation No. 2016/679, Law No. 6698 on the Protection of Personal Data, and other relevant legislation. The subsidiaries of MEDPROPER operating abroad are primarily responsible for adhering to the legislation of the countries in which they operate. In the absence of any specific legal regulations in the countries where MEDPROPER subsidiaries operate, the provisions of this Policy shall be applicable. The Policy is implemented in all activities related to the processing and protection of personal data carried out by MEDPROPER, whether it owns or manages the personal data. This Policy defines the fundamental control measures that are expected to be known and consistently followed by all employees of MEDPROPER and the employees of collaborating institutions.
International Processing: If personal data is processed and transferred, either partially or entirely, in compliance with relevant international legislation, such as in cases where GDPR applies within the European Union or in other foreign countries where specific national legislation exists, including the cloud access areas within these territories, it is considered processing carried out internationally.
MEDPROPER processes personal data in compliance with the relevant legislation, adhering to the principles of legality and fairness. The processing is carried out in a transparent, accurate, and, when necessary, up-to-date manner. It pursues specific, clear, legitimate purposes that are relevant and limited, and it does so in a proportionate manner, based on the principle of confidentiality, during its activities of processing and transferring personal data. MEDPROPER informs data subjects about these matters, and when data subjects request information, the necessary explanations are provided. It retains personal data for the duration prescribed by laws or as long as necessary to fulfill the purposes of personal data processing.
Personal data is processed if one of the following conditions, as prescribed by the legislation, is met. The basis for the processing of personal data can be one or more of the conditions listed below for a specific processing activity of personal data.
Personal data is processed when there is the informed and freely given explicit consent of the data subject. In order to process personal data based on the data subject's explicit consent, appropriate methods are employed to obtain their consent, which can be substantiated. The explicit consent of the data subject is a declaration of will that can be revoked at any time, as long as it is not deemed an abuse of rights and does not contravene the principle of fairness.
The processing of personal data of the data subject may be carried out in compliance with the law when it is explicitly provided for.
If it is necessary to process the personal data of an individual who is unable to express their consent due to factual impossibility or whose consent cannot be validly obtained, for the purpose of protecting their own or someone else's life or physical integrity, the processing of their personal data may be permissible.
The processing of personal data belonging to the parties of a contract may be permissible if it is directly related to the establishment or performance of the contract.
The processing of personal data of the data subject may be permissible if it is necessary for MEDPROPER, as the data controller, to fulfill its legal obligations.
Personal data may be processed when the data subject has voluntarily made their personal data public, provided that the relevant measures determined by the legislation are taken.
If data processing is necessary for the establishment, use, or protection of a right, the personal data of the data subject may be processed.
Personal data may be processed for MEDPROPER's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject, and subject to the necessary measures determined by the legislation.
When processing "Special Categories" of personal data, MEDPROPER strictly adheres to the regulations stipulated in the legislation.
Except for health information, special categories of personal data are processed only if there is no explicit consent from the data subject, and provided that adequate measures determined by the legislation are taken. Processing of special categories of personal data related to the data subject's health is subject to the condition of taking adequate measures determined by the legislation, and can only be carried out by individuals or authorized institutions and organizations bound by confidentiality obligations for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, and planning and managing the financing of healthcare.
MEDPROPER processes personal data for various purposes within the conditions and requirements of personal data processing specified in the legislation, including, but not limited to, the following:
MEDPROPER ensures compliance with the relevant legislation and regulations regarding the transfer of personal data, both within the country and/or abroad, in all its business processes. Personal data cannot be transferred without the explicit consent of the data subject, as stipulated by the relevant legislation. However, as an exception to this rule, the transfer of personal data without the explicit consent of the data subject may be possible if the processing of personal data falls under one of the following circumstances:
For the transfer of personal data abroad, the explicit consent of the data subject is also required. However, if one of the exceptional circumstances mentioned above exists, and in addition to the existence of such circumstances, if one of the following conditions is met in the foreign country to which the personal data will be transferred, the transfer of personal data abroad may be possible:
MEDPROPER places great importance on the security, confidentiality, integrity, and accessibility of personal data and sensitive personal data belonging to its customers, employees, and all parties with whom it collaborates. In order to ensure this, MEDPROPER utilizes advanced technology tools and works with state-of-the-art systems. All information is stored and backed up on secure servers located both domestically and internationally. MEDPROPER takes all necessary precautions to ensure that its employees and the organizations it collaborates with demonstrate the required level of sensitivity and awareness regarding information security. The implemented security measures are listed below:
In the event that all the conditions for the processing of personal data specified in the legislation cease to exist, it is necessary for the Data Controller to delete, destroy, or anonymize the personal data ex officio or upon the request of the data subject. Even if personal data has been processed in accordance with the provisions of the legislation, if the reasons requiring its processing no longer exist, the personal data shall be deleted, destroyed, or anonymized by the data controller ex officio or upon the request of the data subject.
In the deletion, destruction, or anonymization of personal data, the following must be adhered to:
➢ The general principles to be followed regarding the processing of personal data as specified in the legislation,
➢ The technical and administrative measures to be taken within the scope of data controllers' obligations regarding data security, as well as relevant legislation provisions,
➢ Decisions of the Board,
➢ Compliance with the personal data retention and disposal policy.
All operations related to the deletion, destruction, and anonymization of personal data are recorded, and these records are kept for a minimum period of three years, except for other legal obligations.
The Data Controller selects the appropriate method of ex officio deletion, destruction, or anonymization of personal data unless otherwise decided by the Board. In the event of a request from the data subject, the appropriate method is selected, and the justification is provided.
MEDPROPER takes into account the following criteria when determining the retention and disposal periods of personal data processed in accordance with the relevant legislation:
If the processing of the relevant personal data is legally necessary, and a specific retention period is specified, that period is adhered to. Upon the expiration of the specified period, other criteria are evaluated for the storage of the relevant personal data, and if there is no need for its retention, it is promptly deleted, anonymized, or destroyed using an appropriate method.
If there is no specific period prescribed in the relevant legislation for the retention of personal data, sensitive personal data is immediately and appropriately destroyed when it is no longer necessary to process the data. If there is no longer a need to process the personal data within the scope of the general principles and/or exceptional provisions of the relevant legislation or if there is a violation of these principles or a change or repeal of the legislation, the relevant data is deleted, anonymized, or destroyed using an appropriate method.
Reasonable periods for the processing of personal data are determined within the framework of the relevant legislation. Upon the expiration of these periods and/or when the period requiring the retention of data has passed, if there is no reasonable justification to retain the personal data for a longer period, the relevant data is deleted, anonymized, or destroyed using an appropriate method.
Personal data is deleted, anonymized, or destroyed on designated periodic disposal dates.
In cases where the processing of personal data occurs solely based on explicit consent, if the data subject withdraws their consent, the personal data is deleted, anonymized, or destroyed.
If the purpose requiring the processing or retention of personal data ceases to exist, the personal data is deleted, anonymized, or destroyed.
If the data subject asserts their rights over personal data within the scope of the legislation, and their requests are accepted by the data controller, the personal data is deleted, anonymized, or destroyed.
If the data controller rejects the application containing the request(s) for the deletion, destruction, or anonymization of personal data, provides an insufficient response, or fails to respond within the period prescribed by the legislation, and if the data subject files a complaint with the Board, and the request is found appropriate by the Board, the personal data is deleted, anonymized, or destroyed.
MEDPROPER, in accordance with the legislation and other regulations published by the Personal Data Protection Authority, informs and notifies the data subjects during the collection of personal data. In this regard, MEDPROPER informs data subjects of the identity of its representative, the purposes for which personal data will be processed, the individuals or entities to whom and for what purposes the processed personal data may be transferred, the method and legal basis of personal data collection, and the rights of the data subject.
Data subjects have the following rights:
To exercise the rights mentioned above, the data subject is required to submit their request, including the necessary information to verify their identity and explanations regarding the right they wish to exercise. This can be done by completing the form on the website http://medproper.com, delivering it in person to the address "Gürsel Mah. İmrahor Cad. No:29 A 101 Kağıthane/İSTANBUL," sending it through a notary, or sending a signed copy of the form via secure electronic signature to the email address firstname.lastname@example.org from their registered electronic mail address. When making the application, it is mandatory to provide the following information: name, surname, signature (if the application is in writing), Republic of Turkey ID number (for Turkish citizens), nationality (for foreigners), passport number, or any available identification number, residential or business address for notification, designated email address for notification (if available), telephone and fax numbers, and the subject of the request. Relevant information and documents should be attached to the application as indicated above.
It is required that the data subject personally makes the request, and it is not possible for a third party to make the request on their behalf. In the case of a third-party request, the data subject must authorize the third party through a special power of attorney specifically issued for this purpose, and the third party must include this power of attorney among the application documents.
If the data subject submits their request to MEDPROPER in accordance with the procedure, MEDPROPER will respond to the request, free of charge, within a maximum of thirty days, depending on the nature of the request. However, if a fee is prescribed by the Board or relevant legislation, MEDPROPER may charge the applicant the fee specified in the applicable tariff.
MEDPROPER may accept the application or reject it with an explanation, and will notify the data subject of its response in writing or electronically. MEDPROPER is not responsible for requests that are not submitted in accordance with the specified procedure and/or are not received by MEDPROPER, or for requests to which no response is given by MEDPROPER.
In order to determine whether the applicant is the data subject, MEDPROPER may request information from the individual in question. To clarify the matters stated in the data subject's application, MEDPROPER may ask the data subject questions related to their application. MEDPROPER may reject the application of the requesting individual with a justification in the following cases:
✓ Processing personal data for research, planning, and statistical purposes by rendering them anonymous through official statistics.
✓ Processing personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, or constitute a crime.
✓ Processing personal data as part of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order, or economic security.
✓ Processing personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial, or enforcement proceedings.
✓ Processing personal data when it is necessary for the prevention or investigation of a crime.
✓ Processing personal data that has been made public by the data subject.
✓ Processing personal data based on the authority granted by the law by competent public institutions and organizations, as well as professional organizations with public institution status, for the purpose of carrying out their supervisory or regulatory duties, or for disciplinary investigations or prosecutions.
✓ Processing personal data when it is necessary for the protection of the State's economic and financial interests in relation to budget, tax, and financial matters.
✓ Existence of a possibility that the data subject's request may obstruct the rights and freedoms of others.
✓ Making requests that require disproportionate effort.
✓ The requested information being public knowledge.
In the event of the rejection of the application, finding the response insufficient, or failure to respond within the specified timeframe, the data subject may file a complaint with the Board within thirty days from the date of learning about MEDPROPER's response, and in any case, within sixty days from the date of the application. Complaints cannot be lodged without exhausting the application process stipulated in Article 7.2.
Within the scope of this Policy, the principles and values that are protected are implemented and observed in compliance with the relevant legislation, guide documents, official institution decisions, and corporate documents such as global policies, procedures, and implementation instructions published by MEDPROPER within this framework, as well as all activities of the Personal Data Protection Board, in a harmonious and integrated manner. For this purpose, activities related to personal data within MEDPROPER are carried out by the Information Security Unit. MEDPROPER fulfills its legal obligations regarding the protection and processing of personal data and sensitive personal data through the Information Security Unit. The tasks and responsibilities to be carried out by the Information Security Unit are as follows:
This Policy, prepared by MEDPROPER and published on the website, comes into effect upon its publication on the MEDPROPER website (http://medproper.com/Kisisel-Verilerin-Korunması-Ve-İslenmesi-Aydinlatma-Metni) and is made accessible to relevant individuals upon request. This Policy shall remain in effect until it is removed from the website.