KVKK

Excellent Smile Turkey

PERSONAL DATA PROTECTION, STORAGE DISPOSAL AND COMPLIANCE POLICY

1. INTRODUCTION;

As Excellent Smile Turkey, we attach great importance to the protection of personal data, which is among the most important priorities of our company. The most important pillar of this issue, the protection and processing of the personal data of our customers, clients, employees, employee candidates, visitors and third parties, is managed by this Policy. The activities we carry out regarding the protection of personal data of our employees are also managed in line with the principles in this Policy. According to the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. Regarding the protection of personal data, which is a constitutional right, our company, governed by this Policy, pays due attention to the protection of all personal data and makes this a policy. In this context, all necessary administrative and technical measures are taken by our company for the protection of personal data processed in accordance with the relevant legislation.

2. PURPOSE;

The purpose of this Personal Data Protection, Storage, Disposal and Compliance Policy (the Policy) is, in the protection and processing of personal data in accordance with the purpose of the Law, to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, and to arrange the obligations and principles to be followed by the real persons and Excellent Smile Turkey, who process such data, in accordance with the relevant Law and other legislation.

3. SCOPE;

This Policy applies to real persons whose data are processed in accordance with the provisions of the Law, and to natural and legal persons who process this data fully or partially automatically, or non-automatically provided that the data is part of any data recording system.

4. RESPONSIBILITIES;

Excellent Smile Turkey is responsible for the implementation of this policy.

5. DEFINITIONS AND ABBREVIATIONS;

Explicit consent: Consent on a specific subject, based on information and expressed with free will,

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,

Ministry: Ministry of Health

General Directorate: General Directorate of Health Information Systems

Relevant person: The real person whose personal data is processed,

Personal Health Record System: The system established in accordance with e-government applications, which provides access to the health data of the concerned persons themselves or the third parties they authorize,

Personal data: Any information relating to an identified or identifiable natural person,

Personal Health Data: All kinds of health information related to an identified or identifiable natural person,

Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as the classification or prevention of its use,

Processing of Personal Health Data: Obtaining personal health data fully or partially automatically or by non-automatic means provided that it is a part of any data recording system, and all kinds of operations performed on health data such as recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making it available, classifying or preventing its use,

Commission: Personal Health Data Commission established within the Ministry.

Board: Personal Data Protection Board,

Institution: Personal Data Protection Authority,

Central Health Data System: The data system created by the Ministry to collect personal health data,

Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,

Undersecretary: Undersecretary of the Ministry of Health,

Health service provider: Real persons who provide or produce health services and legal persons in public law and private law,

USVS: National Health Data Dictionary published by the Ministry,

Directive: Information Security Policies Directive published by the Ministry,

Data Controller: The natural or legal person who determines the purposes and means of processing Personal Data and is responsible for the establishment and management of the data recording system,

Law/KVKK: The Law on Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677.

KVK Board: Personal Data Protection Board

KVK Authority: Personal Data Protection Authority

Policy: Policy on the Processing and Protection of Personal Data

Recipient group: The natural or legal person category to which personal data is transferred by the data controller,

Relevant user: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,

Destruction: Deletion, destruction or anonymization of personal data,

Law: Law on Protection of Personal Data No. 6698, dated 24/3/2016,

Recording medium: Any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system,

Personal data processing inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data with the purposes of processing, the data category, the transferred recipient group and the data subject group, explaining the maximum time required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security,

Personal data retention and destruction policy: The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction, and anonymization,

Periodic destruction: The deletion, destruction, or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the law are eliminated,

Registry: The registry of data controllers kept by the Presidency of the Personal Data Protection Authority,

Data registration system: The registration system in which personal data is processed and structured according to certain criteria,

Data controller: The party that determines the purposes and means of processing personal data.

6. REFERENCE AND DOCUMENTS;

a. Constitution

b. Personal Data Protection Law No. 6698

c. Regulation on the Working Procedures and Principles of the Personal Data Protection Board

d. Regulation Amending the Regulation on the Processing and Privacy of Personal Health Data

e. Regulation on the Data Controllers Registry

7. PROTECTION OF PERSONAL DATA IN OUR LAWS;

A. Article 20 of the 1982 Constitution “Everyone has the right to demand the protection of their personal data”

B. Law No. 6698 on the Protection of Personal Data,

C. Turkish Civil Code Article 24 “Personal Rights”

D. Article 134 and the following articles of the Turkish Penal Code: “Privacy of Private Life, Collection and Protection of Personal Data”

E. Provisions of the Labor Law directly related to the Protection of the Employee’s Personal Data

F. Occupational Health and Safety Law Article 15/5 “Health information is kept confidential in order to protect the private life and reputation of the employee who has undergone a health examination”

G. Law No. 6705 regarding the approval of additional supervisory authorities and the protocol on cross-border data flow to the Agreement on the Protection of Individuals against Automatic Processing of Personal Data No. 181

8. BASIC PRINCIPLES OF PROCESSING PERSONAL DATA;

Personal data is processed by Excellent Smile Turkey and company employees within the scope of the following principles;

a. Compliance with the law and the rules of honesty,

b. Keeping accurate and, when necessary, up to date,

c. Processing for specific, explicit, and legitimate purposes,

d. Related, limited, and measured processing for the purpose for which they are processed,

e. To keep for the period required by the relevant legislation or for the purpose for which they are processed,

f. Enlightening and informing personal data owners,

g. Establishing the necessary system for personal data owners to exercise their rights,

h. To take the necessary measures in the protection of personal data,

i. To act in accordance with the regulations of the KVK Board,

j. Informing and training the employees of Excellent Smile Turkey about the law on the protection of personal data and the processing of personal data in accordance with the law,

k. To comply with the decisions of the KVK Board,

l. Putting the necessary clauses in the contracts and keeping them up to date.

9. SPECIAL PRINCIPLES IN THE PROCESSING OF PERSONAL DATA;

Excellent Smile Turkey and company employees act within the framework of the following principles in the storage and destruction of personal data;

a. In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law and the technical and administrative measures specified in the relevant articles of this Policy, which must be taken within the scope of Article 12, the provisions of the relevant legislation, Board decisions and this Policy are fully complied with.

b. All transactions regarding the deletion, destruction and anonymization of personal data are recorded by Excellent Smile Turkey, and these records are kept for at least 10 years + 6 months, excluding other legal obligations (taking into account the general statute of limitations of 10 years and delays that may occur in notifications). Exceptionally, this period is 7 days for security camera recordings.

c. Unless a contrary decision is taken by the Board, the appropriate method of deletion, destruction or anonymization of personal data ex officio is chosen by us. However, upon the request of the Relevant Person, the appropriate method will be chosen by explaining the reason. Personal data included in Articles 5 and 6 of the Law are deleted, destroyed, or anonymized by Excellent Smile Turkey ex officio or upon the request of the person concerned. In case of application by the person concerned in this regard;

c.1. Requests submitted are finalized within 30 (thirty) days at the latest and the relevant person is informed,

c.2. In case the data subject to the request has been transferred to third parties, this situation is notified to the third party to which the data is transferred, and necessary actions are taken before the third parties.

10. TERMS OF PROCESSING PERSONAL DATA;

A. PROCESSING CONDITIONS OF GENERAL PERSONAL DATA

Personal data will not be processed without the explicit consent of the person. Personal data is only processed without seeking explicit consent in the presence of the following conditions.

a. It is clearly stipulated in the laws,

b. It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to a physical impossibility, or whose consent is not given legal validity,

c. It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

d. It is mandatory for the data controller to fulfill its legal obligation,

e. It has been made public by the person concerned,

f. Data processing is mandatory for the establishment, use or protection of a right,

g. Data processing for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

B. PROCESSING CONDITIONS OF SPECIAL QUALITY PERSONAL DATA

Data regarding the race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data of the person are special quality personal data.

The issues in Article 8 of this policy are also valid for sensitive personal data. However, special quality personal data related to health can only be processed by Excellent Smile Turkey in accordance with the provisions of Article 6/3 of the KVKK or other legal regulations.

11. PROCESSING METHODS OF PERSONAL DATA

A. RECORDING ENVIRONMENTS

Personal data of data owners are safely stored by Excellent Smile Turkey in the form of physical files and digitally, in accordance with the relevant legislation, especially the provisions of the KVKK, and within the framework of international data security principles:

Electronic media: Customer data held digitally.

Physical environments: Lockers and Archive.

B. SAFETY PRECAUTIONS

Excellent Smile Turkey, as the data controller, must take adequate technical and administrative measures to ensure the protection of personal data being processed in accordance with Article 12 of the KVK Law.

Data Controller Excellent Smile Turkey is obliged to make or have had the necessary audits done for the implementation of the Law.

The data controller and the data processor cannot disclose the personal data they have learned in violation of the provisions of this law and cannot use them for purposes other than processing. This obligation continues after they leave their duties.

In the event that this data falls into the hands of others through illegal means, the data controller shall notify the relevant person and the Board as soon as possible.

All administrative and technical measures taken by Excellent Smile Turkey, within the framework of the principles in Article 12 of the KVKK, in order to keep personal data safe, to prevent unlawful processing and access, and to destroy data in accordance with the law, are listed below;

a. Administrative Measures

a.1. Internal access to the stored personal data is limited to the personnel required to access it as per the job description. In limiting access, whether the data is of special nature and its importance are also taken into account.

a.2. In case the processed personal data is obtained by others unlawfully, the person concerned and the Board are notified as soon as possible.

a.3. With regard to the sharing of personal data, a framework agreement regarding the protection of personal data and data security is signed with the persons with whom personal data is shared, or data security is ensured by provisions added to the existing agreement.

a.4. Personnel who are knowledgeable and experienced about the processing of personal data are employed and necessary training is given to the personnel within the scope of personal data protection legislation and data security. In this context, a confidentiality agreement is made with all employees.

a.5. In order to ensure the implementation of the provisions of the law within the company, the data controller carries out the necessary inspections or has them carried out. Confidentiality and security vulnerabilities revealed as a result of audits are promptly resolved.

b. Technical Measures

Excellent Smile Turkey, as data controller, will take the following technical measures:

b.1. It ensures that the physical files in which personal data are recorded are kept in locked cabinets and that the key is available only to the data controller and to the authorized personnel. It takes other physical measures to prevent unauthorized access to the files in question.

b.2. It ensures that the personal data stored digitally can be accessed only by itself as the data controller and by the personnel authorized in this regard: computers are password-protected, login requires a registered username and password, and the necessary cryptographic measures are taken. It backs up a copy of digital data on storage devices in case of fire, flood and loss, and encrypts the device in question so that only authorized personnel can access it. It takes other necessary measures to prevent unauthorized access.

b.3. Makes the necessary inspections to test the effectiveness of the technical measures taken.

b.4. It ensures that the processes of destruction of personal data stored in physical and digital media are non-recyclable and leave no audit trail.

C. STORAGE AND DISPOSAL

Personal data belonging to the data owners is stored in a secure manner in the physical or electronic media listed above, within the limits specified in KVKK and other relevant legislation, in order to maintain the health services provided by Excellent Smile Turkey, to fulfill legal obligations, to protect and fulfill the rights of customers and other persons, and to manage customer relations.

The reasons for keeping it are as follows:

a. Storing personal data as it is directly related to the establishment and performance of contracts,

b. For the establishment, use or protection of a right of personal data,

c. It is obligatory to keep personal data for the legitimate interests of Excellent Smile Turkey, provided that it does not harm the fundamental rights and freedoms of individuals,

d. In order for Excellent Smile Turkey to fulfill any of its legal obligations arising from the legal or contractual agreement with third parties,

e. The legislation clearly stipulates the storage of personal data,

f. Explicit consent of the data owners in terms of storage activities that require the explicit consent of the data owners.

In accordance with the Regulation, the personal data of the data owners in the cases listed below are deleted, destroyed or anonymized by Excellent Smile Turkey ex officio or upon request.

Information on personal use, personal data processing guide used by group tools and in compliance with the law 5. Personal data can be transferred manually to one or more of them and accurately, without preparing personal data.

b. Transfer of Special Quality Personal Data

While Excellent Smile Turkey is completed with due diligence, demonstration, march and being established; It is designed for personal data prepared with real or appropriate personal data processing method.

12. PERSONAL DATA INVENTORY

Personal data inventory will be created by Excellent Smile Turkey in accordance with business processes. Information is not included in the personal data inventory;

a. Personal data processing purpose

b. Data categories

c. Transferred recipient group

d. Data subject group

e. Maximum period for keeping personal data

f. Foreign government agency

g. Data security for children

13. ENTRY TO THE COMPANY HEADQUARTERS AND PERSONAL DATA PROCESSING ACTIVITIES AND WEBSITE VISITORS

In this regard, it will be work related to all personal regulations and within the scope of KVKK.

14. RIGHTS OF THE DATA SUBJECT AND THE USE OF THESE RIGHTS

A. RIGHTS OF THE PERSONAL DATA OWNER

Personal data owners have the following rights:

a. Learning whether personal data is processed or not,

b. If personal data has been processed, requesting information about it,

c. Learning the purpose of processing personal data and whether they are used in accordance with its purpose,

d. Knowing the third parties to whom personal data is transferred in the country or abroad,

e. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to third parties to whom the personal data has been transferred,

f. Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist despite the fact that it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,

g. Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,

h. To request the compensation of the damage in case of loss due to unlawful processing of personal data.

B. CASES IN WHICH THE PERSONAL DATA OWNER CANNOT ASSERT THEIR RIGHTS

Personal data owners cannot claim their rights in the following matters, since the following cases are excluded from the scope of KVKK in accordance with Article 28 of the KVKK;

a. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.

b. Processing personal data for art, history, literature, or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.

c. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that are authorized by law to ensure national defense, national security, public safety, public order, or economic security.

d. Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to article 28/2 of KVKK; In the cases listed below, personal data owners cannot claim their other rights, except for the right to demand the compensation of the damage;

a. The processing of personal data is necessary for the prevention of crime or for criminal investigation.

b. Processing of personal data made public by the personal data owner.

c. If personal data processing is required by the authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution, based on the authority given by the law.

d. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

C. ANSWER TO APPLICATIONS MADE BY THE PERSONAL DATA OWNER

If an application is made by the personal data owner to Excellent Smile Turkey to exercise their legal rights, Excellent Smile Turkey will conclude this request free of charge, as soon as possible and within 30 days at the latest, depending on its nature. The request will either be accepted or rejected on the condition that the reason is given. If the application requires cost, the fee in the tariff determined by the Board will be requested from the applicant.

a. Information that can be requested from the applicant

Excellent Smile Turkey may request information and documents from the relevant person in order to determine whether the applicant has personal data. Excellent Smile Turkey may ask questions about the personal data owner’s application in order to clarify the issues in the personal data owner’s application.

b. Refusal of the Application

Excellent Smile Turkey may reject the application of the applicant in the following cases by explaining the reason;

a. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.

b. Processing personal data for art, history, literature, or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.

c. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that are authorized by law to ensure national defense, national security, public safety, public order or economic security.

d. Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

e. The processing of personal data is necessary for the prevention of crime or for criminal investigation.

f. Processing of personal data made public by the personal data owner.

g. If personal data processing is required by the authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution, based on the authority given by the law.

h. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

i. The personal data owner’s request is likely to hinder the rights and freedoms of other persons.

j. Requests that require disproportionate effort have been made.

k. The requested information is publicly available information.

15. ENFORCEMENT

This policy enters into force as of the signature date specified below and remains in effect until a new one is made or the activity of Excellent Smile Turkey is terminated or the text of this policy is legally repealed.

16. AUDITING

The Excellent Smile Turkey official performs all kinds of audits, with or without prior notice to the personnel, in order to determine whether the principles determined by this policy are respected within the company. The official checks the documents and records, makes the necessary organization, takes the necessary measures for the related documents to be read, understood and signed by the person concerned, performs other inspections and controls deemed necessary, and provides the necessary training to the personnel or ensures that it is given by third parties.

ATTACHMENTS:

1-Personnel Title, Unit and Task List

2-Personal Data Retention and Disposal Periods Table

APPENDIX-1. PERSONNEL TITLE UNIT AND TASK LIST

STAFF RESPONSIBLE

Company Official: The principal person responsible for the implementation of this policy text. In this context, the Company Official takes all kinds of measures, gives the necessary instructions to the personnel, and performs audits to ensure that the company’s operation complies with the legal regulations on the protection of personal data and the principles set forth in this policy text.

Personnel: While performing their duties within the company, they are obliged to comply with the principles and procedures specified in all legal legislation on the subject, especially the KVKK Law No. 6698, as well as the principles set forth in this policy text. They are obliged to fulfill the instructions given to them during the processing, storage, and destruction of personal data.
APPENDIX-2. PERSONAL DATA STORAGE AND DISPOSAL TIMES TABLE

STAFF/PERSONAL FILE

It is deleted, destroyed or anonymized within 180 days following the end of the 10 years + 6 months storage period following the termination of the business relationship.

PAYROLL

It is deleted, destroyed or anonymized within 180 days following the end of the 10 years + 6 months storage period following the termination of the business relationship.

OCCUPATIONAL HEALTH AND SAFETY PRACTICES

It is deleted, destroyed or anonymized within 180 days following the end of the storage period of 10 years + 6 months following the end of the business relationship.

SECURITY CAMERA SYSTEMS

Security camera recordings are kept for 7 days and are automatically deleted at the end of this period.

STAFF FINANCE PROCESSES

It is deleted, destroyed, or anonymized within 180 days following the end of the storage period of 10 years + 6 months following the end of the business relationship.

FILE OF TRAINING RECORDS

It is deleted, destroyed, or anonymized within 180 days following the end of the 10-year storage period and within 30 days following the application of the data owner.

FILES AND INFORMATION RELATING TO CUSTOMER FILES AND OTHER SPECIAL LEGAL CONTRACTED PERSONS

It is deleted, destroyed, or anonymized within 180 days following the expiry of the 10 years + 6 months storage period following the expiry of the contract.

Provided that it is not contrary to the periods stipulated in other laws;

Excellent Smile Turkey