Infinity Regenerative Clinic

PROTECTION OF PERSONAL DATA

IRC Logo

Law on the Protection of Personal Data
IRC

At Infinity Clinic Sağlık Hizmetleri Ticaret Anonim Şirketi (“IRC”), we place special emphasis on the protection of personal data. In this context, we, acting with the capacity of the data controller, are attentive to the processing and protection of personal data of IRC patients, persons receiving products or services, associates, authorities, employee candidates, visitors, suppliers, employees and executives of institutions/customers/suppliers with whom we collaborate, third parties and other persons (hereinafter, such persons will be collectively referred to as "Data Subject(s)") in accordance with the provisions of applicable laws and regulations, especially the Law on the Protection of Personal Data No. 6698 ("LPPD").

This Personal Data Protection and Data Privacy Policy (“Policy”) is drawn up to enlighten you about the sources from which we collect your personal data, the legal reasons for obtaining and processing personal data, the purposes of the processing of your personal data, whether we transfer your personal data and to whom we transfer them, and your legal rights as we carry out our operations at IRC. This Policy also aims to transform the lawful processing of personal data into a policy and ensure transparency by informing the Data Subjects about the personal data processed by the IRC.

Our Principles and Rules for Processing Personal Data:
As the data controller, IRC processes personal data as per the principles regulated in Article 4 of the LPPD.

a. Processing in compliance with the Law and the Rules of Integrity: IRC complies with the rules of integrity, LPPD and other relevant legislation in the processing of personal data. Personal data are not collected or processed without prior knowledge of the Data Subject. Personal data are processed in a proportionate manner for the purpose of collection and to the extent required.
b. Ensuring that Personal Data are Accurate and Up-to-date When Necessary: IRC ensures that the personal data to be processed are accurate and up-to-date, taking into account the fundamental rights of the Data Subjects and its own legitimate interests. Accordingly, our company takes the necessary measures.
c. Processing for Specific, Explicit and Legitimate Purposes: IRC processes personal data for legitimate purposes in accordance with the rules of integrity. Accordingly, the company is meticulous to observe the principle of specificity and clarity in its legal texts (explicit consents, etc.) prepared according to the Law on the Processing of Personal Data.
d. Adequate, Relevant and Limited for the Purpose of Processing: IRC processes personal data only for a specific and legitimate purpose and does not process personal data for purposes that are not valid during the processing of personal data but that are thought to arise in the future.
e. Retaining Personal Data for the Period Stipulated in the Relevant Legislation or as Required for the Purpose of Processing: IRC retains personal data only for the period stipulated in the relevant legislation or as required for the purpose of processing. If such a period has been defined, IRC complies with this period. However, if such a period has not been defined, it retains personal data for the period required for the purpose of processing. If the period expires or the purposes of processing are no longer applicable, IRC deletes, destroys or anonymizes the personal data.

Data Subjects:
IRC processes the personal data of the following Data Subjects and the scope is limited to Data Subjects. However, in cases where persons other than these groups submit their requests to IRC within the scope of LPPD, their requests will also be processed within the scope of this Policy.

a. Our patients, b. people who are met and contacted for diagnosis, treatment or a similar service, c. patient relatives, parents, guardians and companions, d. parties of all types of business operations or persons we cooperate/will cooperate with due to business operations or the executives or employees of companies (associates, suppliers, support, marketing, accommodation, transportation, references, etc.), e. shareholders or persons negotiated for shareholding, f. our Legal Counsels, Attorneys and Consultants or authorized personnel or employees of consulting companies, g. visitors, h. legal representatives, parents, representatives or guardians of all data subjects, i. persons who are parties to legal procedures and their legal representatives, j. third parties with whom we contact although they do not have any business or legal connection with IRC, k. our Employee Candidates (including the references shared by job applicants)

Personal Data Processed:
The following personal health data and general and sensitive personal data are processed in compliance with the principles of "lawfulness", "requirement", "fitness for purpose" and "limitation". The categories of personal data we collect from you may vary depending on the nature of your interaction with us or the services you use, and may include one or more of the following:

Identity Information: Information in documents such as Driver's License, Identity Card, Residence, Passport, Attorney ID.
Contact Information: Information such as phone number, address, e-mail, and social media account.
Patient Information: Health information acquired and generated about the data subject as a result of the operations carried out by our business departments within the framework of our treatment services.
Audio-Visual Data: Personal data recorded by the IRC security cameras equipped with a closed-circuit camera system, special written consent, informed consent, and photographic or video data of the person recorded for the purpose of confirming and proving that the promotion, research, medical or aesthetic/cosmetic procedure has been performed or convincing other patient candidates to a medical procedure.
Social Media Data: Data collected through social media features that allow you to share information with your social networks and interact with us on various social media sites.
Family Members and Relatives Information: Information about the family members and relatives of the data subject.
Customer Transaction Data: Data such as call center records, invoices, bills, checks, pay desk receipts, order and demand information, etc.
Legal Data: Data related to any person who has filed a lawsuit or initiated enforcement proceeding against/with IRC.
Financial Data: Data such as bank account number and IBAN of the data subjects. These data are requested and processed for patients receiving service from IRC. Health Data: All health data acquired during the execution of medical diagnosis, treatment, and health care services such as laboratory and imaging results, medical test results, blood type, examination data, prescription information, which must be followed up for legal reasons in medical files.
Transaction Security Information: Your personal data processed to ensure our technical, administrative, legal and commercial security as we conduct our business operations (We may collect your data such as IP address, website access information.)
Employee Candidate Information: Personal data (job and occupational data, training data) processed of individuals who have applied to become an IRC employee or evaluated as an employee candidate as per the needs of human resources in accordance with commercial practices and the rules of integrity.
Legal Transaction and Compliance Information: Your personal data processed for determining and following up our receivables and legal rights and satisfying our liabilities in compliance with our legal obligations and IRC policies.
Audit and Inspection Information: Your personal data processed within the scope of IRC legal obligations and compliance with the policies of headquarters.
Sensitive Personal Data: Medical information and genetic data of our patients; criminal records of employee candidates.
Request/Complaint Management Information: Personal data acquired from receiving and evaluating any request or complaint directed to IRC Incident Management Information: Information and assessments about incidents that IRC, its employees and shareholders have the potential to influence

Channels and Methods of Collecting Personal Data:
We collect your personal data during your visit to IRC, using physical forms, verbal communication, CCTV and the following methods:

a. As a result of face-to-face interviews with IRC doctors or staff via phone, WhatsApp or e-mail,
b. As a result of the communication over the phones used by IRC promotion & marketing personnel or through applications such as SMS or WhatsApp,
c. Through personal data of the person and company executive or employees with whom the business relationship exists as a requirement of the business operations that are available on contracts and other business documents and communication platforms,
d. Through personal data of our Legal Counsels, Attorneys and Consultants or executives or employees of consultancy companies that are available on contracts and other business documents and communication platforms,
e. As a result of the applications made through panels such as "contact us", "detailed information", "review" or "get information" through promotion, information and advertising on social media,
f. As a result of requesting personal data and mobile phone number from guests for encryption as required by the legislation to connect to the wireless network (Wi-Fi) within the scope of wireless Internet service,
g. From logins to the website and mobile application,
h. Through personal data of third parties available on communication platforms when we communicate with IRC without any commercial or legal connection or when they contact us,
i. Similarly, through other legal means of data collection.

Your personal data may be collected by IRC automatically or non-automatically through direct interactions with you, the communication channels you use to reach us (phone, e-mail, fax, social media, web, survey physical forms), automated technologies or interactions (see the Cookie Policy), third parties or public sources (various third parties that help providing services), government agencies, business partners from whom support services are procured and closed-circuit recording systems.

Legitimate Reasons & Purposes of Processing Personal Data
We collect/process your personal data for:

a- Fulfilling legal obligations and performing any work that falls in the scope of the field of activity as per the legal framework,
b- Fulfilling the provisions of the contract,
c- Providing Health Care Services (medical or cosmetic diagnosis, examination, treatment and all types of health care services)
d- The requirements of business operations and management,
e- Sectoral (health) requirements; e.1.Protecting public health (whether sick or not), preventive medicine, medical diagnosis, treatment and health care services, e.2.Sharing the information requested by the Ministry of Health and all other relevant official institutions and organizations in accordance with the health care legislation, e.3.Covering the financing, examination, diagnosis and treatment expenses of your health care services by patient services, financial affairs and marketing departments, e.4.Informing patients about the appointment through customer representatives, IRC employees and other channels, e.5.Identity check and authentication by patient services and other operation departments, e.6.Patient satisfaction measurement, increase and surveys related to IRC management, patient rights and experience, e.7.Invoicing by patient services, financial affairs and marketing departments, e.8.Responding to all questions and complaints about our services within the scope of IRC management, patient rights and patient relations,
f-Technical requirements;f.1.patient relations, planning and managing of the internal functioning by IRC management,f.2.Research, analysis and reporting to improve the quality of service delivery, patient experience and health care services, f.3.Monitoring and preventing abuse or unauthorized transactions by the internal audit and IT department, f.4.Performing risk management and quality improvement activities by quality & IT departments,
f.5.Taking all necessary technical and administrative measures within the scope of data security by IRC management and IT department, f.7.Providing the necessary communications by the officials in order to provide transportation, accommodation and arrival services within the scope of health tourism,
f.8.Providing information about patient relations, marketing and services; communicating announcements and warnings, participating in campaigns and providing campaign information, designing and communicating special content, tangible and intangible benefits on web and other mobile channels and social media, customer services, planning, statistics and satisfaction activities,
g- Fulfilling the obligations arising from the legislation, carrying out legal processes, fulfilling our legal obligations included in the Fundamental Law on Healthcare Services No. 3359, the Decree Law on the Organization and Duties of the Ministry of Health and its Affiliates No. 663, the Regulation on Private Healthcare Institutions Performing Outpatient Diagnosis and Treatment, the Regulation on the Processing of Personal Health Data and Providing Privacy and other relevant regulations;
h- Conducting all business operations such as communication activities, recruitment and evaluation processes, keeping visitor records, conducting and performing service activities, conducting supplier and business partners activities, conducting contract processes, organizing and conducting business operations, logistics operations, goods/service procurement processes and following up requests/complaints,
i- Ensuring the integrity and security of our website, IRC and services for security purposes, preventing security threats, fraudulent activities or other criminal or malicious activities that may jeopardize your data, and ensuring the security of physical space, provided that the processing is required for reasons specified in Article 5 of the Law on the Protection of Personal Data No. 6698 and stipulated in the laws and is directly related to total impossibility or the establishment or performance of a contract, the processing of personal data of the parties to the contract is necessary, the legal obligation of the data controller, the establishment and performance of the contract, the establishment, exercise and protection of the right and does not prejudice the fundamental rights and freedoms of the data subject, the processing of data is mandatory for the legitimate interests of the IRC and your explicit consent is obtained and processed based on legitimate reasons.

As stated in the third paragraph of Article 6 of Law No. 6698, personal data relating to health and sexual life may be processed without the express consent of the data subject by the persons or authorities and institutions with a privacy obligation and only for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, health care and financing planning and management. However, if the activities or processes carried out do not fall within this scope, the explicit consent of the Data Subject(s) is obtained.

Transfer of Personal Data:

Based on the legal grounds specified in Article 8 & 9 of LPPD, your personal data may be shared, to the extent necessary for transfer and storage technologies locally and for fulfilling the above-mentioned purposes internationally and fulfilling the obligations arising from the law and being limited to these purposes, with Ministry of Health, other departments and family medicine centers affiliated to the ministry, Private insurance companies (health, retirement, life insurance and similar), Social Security Institution, Ministry of Family Labor and Social Policies, General Directorate of Security and other law enforcement agencies, General Directorate of Population Citizenship Affairs, other authorized public institutions and organizations, Turkish Pharmacists' Association, Judicial authorities, enforcement offices, mediators, laboratories we cooperate with for medical diagnosis and treatment, medical centers, institutions providing ambulances, medical devices and healthcare services, the health institution to which the patient is referred or to which the patient applies, legal representatives, parents and guardians authorized in writing, all third parties (natural or legal) providing consultancy, including contracted counsels, tax consultants and auditors, Regulatory and supervisory authorities and public authorities, companies within the group of companies to which IRC is affiliated, banks where IRC, a patient and the persons associated with IRC under any contract have accounts, our suppliers, support service providers, business partners and business contacts, shareholders and real or legal persons with whom shareholding negotiations are made, outsourced service providers, cargo or courier companies with whom we collaborate or benefit from for services.

Our Measures and Commitments for the Protection of Personal Data:
We protect the above-mentioned personal and sensitive personal data with maximum care and in full compliance with the provisions of the legislation, taking the necessary administrative and technical measures for the security of all personal data collected. Technical and administrative measures are taken using various methods and security technologies to ensure the proper level of security to prevent unlawful processing and access of personal data and to protect personal data. IRC will not disclose the personal data acquired to any other third party in violation of the provisions of the Law on the Protection of Personal Data or use them for purposes other than processing. IRC has prepared and made sure that all warning or consent statements and commitments are signed for circumstances where personal data must be shared (transmitted) with outsourced service providers and suppliers, consultants or counsels and has implemented the necessary multi-faceted audit activities.

Processing of Personal Data Collected through Cookies:
During the use of our website, you can access detailed information about IP address information, website login and logout, browser information through our Cookie Policy.

Retention of Records Regarding Internet Access Provided to Our Visitors
For the purpose of ensuring company security and in line with the purposes of this Policy, our company provides Internet access to guests who request it during their visit to our buildings and premises. In this case, log records of your Internet access are saved in accordance with Law No. 5651 and the imperative provisions of the legislation regulated by this Law; and these records are processed only if requested by authorized public institutions and organizations or for the audit process in IRC to meet our legal obligation.

Only a limited number of IRC employees can access to log records obtained within this framework. Company employees with access to the mentioned records access to these records only when authorized public institutions and organizations request so, or for use in the audit processes, and share these records with legally authorized persons.

Your Rights Regarding the Protection of Personal Data:
Pursuant to Article 11 of the Law on the Protection of Personal Data, you can exercise your rights regarding the processing and protection of your personal data by applying to IRC in the following ways, provided that you prove your identity.

Your Rights:
1. Finding out whether your personal data is processed or not,
2. Requesting information if your personal data has been processed,
3. Finding out the purpose of processing your personal data and whether they are used in accordance with their purpose,
4. Knowing the third parties to whom your personal data is transferred locally or abroad,
5. Requesting correction of personal data in case of missing or inaccurate processing,
6. Requesting deletion or destruction of personal data,
7. Requesting the correction of your personal data in case of missing or inaccurate processing if your personal data has been transferred to third parties, and the notification of the third party to delete or destroy the personal data,
8. Objecting to any unfavorable consequence against the data subject if the processed data has been analyzed exclusively by automatic systems,
9. Requesting compensation for your damages due to unlawful processing of personal data.

You can request from IRC the destruction (deletion, destruction, or anonymization) of your personal data according to the circumstances stipulated in Article 7 of the Law on the Protection of Personal Data. However, IRC will evaluate and decide the proper method by evaluating your request for destruction, depending on the circumstances. In this context, you can always ask IRC for information about the reasons for choosing the method of destruction. In addition, the personal data collected about people under the age of 18 is limited to their name, surname, age and degree of affinity, and this data can only be given to us by the relevant adult (parent or guardian).

Pursuant to the first paragraph of Article 13 of the Law on the Protection of Personal Data, you can deliver your request regarding the exercise of your above-mentioned rights with the following methods and information in accordance with the "Communique on the Procedures and Principles of Application to the Data Controller No. 30356" published on March 10, 2018.
Information Required for Application:
1. Name and Surname of the applicant.
2. If the applicant is a citizen of the Republic of Turkey, the TR Identity Number or if not, the Nationality together with the Passport Number or, if applicable, the Identity Number.
3. The applicant's domicile or place of business address for notifications.
4. The applicant's electronic mail address, telephone, or fax for notifications.
5. The request of the applicant.
6. Information and documents regarding the applicant's request.

Application Methods:
1. The applicant may fill in the «Application Form» and personally deliver the sealed envelope with a note of «Request for Clarification Pursuant to the Law on the Protection of Personal Data» to the head office of Infinity Clinic Sağlık Hizmetleri Ticaret Anonim Şirketi against receipt.

2. The applicant may send a notification to Infinity Clinic Sağlık Hizmetleri Ticaret Anonim Şirketi through a notary public, but the note «Request for Clarification Pursuant to the Law on the Protection of Personal Data» must be added on the notification envelope.

3. With the "Secure Electronic Signature" defined in the Electronic Signature Law No. 5070, the applicant may personally apply to our company's Registered Electronic Mail infinityclinic@hs03.kep.tr with the note "Request for Clarification Pursuant to the Law on the Protection of Personal Data".

Please click here to access our application form regarding your rights outlined above.

Create Appointment Request

We will contact you as soon as possible.