Personal Data Protection Law

PERSONAL DATA PROTECTION AND PRIVACY POLICY

1. DATA CONFIDENTIALITY COMMITMENT

1.1 This Personal Data Protection Policy (“Policy”) determines the principles to be followed within and by the Company, DOKU AESTHETIC AND HEALTHCARE SERVICES TRADE LIMITED COMPANY, while processing Personal Data and performing its obligations to protect Personal Data in accordance with the provisions of the relevant legislation, in particular the Law on the Protection of Personal Data No. 6698.
1.2 The Company undertakes to act in accordance with this Policy, and with the procedures to be applied under it, in respect of the Personal Data within its own body.

2. PURPOSE OF THE POLICY
The main purpose of this Policy is to determine the principles regarding the methods and processes for the processing and protection of Personal Data by the Company.

3. SCOPE OF THE POLICY
3.1 This Policy covers all activities related to Personal Data processed by the Company and is applied to such activities.
3.2 This Policy does not apply to data that does not qualify as Personal Data.
3.3 This Policy may be amended from time to time with the approval of the Board of Directors, if required by the KVK Regulations or when deemed necessary by the Company or the Committee. In case of inconsistency between the KVK Regulations and this Policy, the KVK Regulations prevail.

4. DEFINITIONS
The terms expressed in this Policy are defined as follows:
Explicit Consent: Refers to consent that is based on being informed about a specific subject and is expressed with free will.
Anonymization: Refers to rendering Personal Data impossible to associate with an identified or identifiable natural person in any way, even by matching with other data.
Obligation to Disclose: Refers to the obligation of the Data Controller, or of the person authorized by the Data Controller, to inform the Data Owner within the scope of Article 10 of the KVKK during the acquisition of Personal Data.
Personal Data: Refers to any information relating to an identified or identifiable natural person (within the scope of this Policy, the term “Personal Data” also includes the “Special Qualified Personal Data” defined below, to the extent appropriate).
Personal Data Processing: Refers to any operation performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, classifying, preventing the use of, or accessing Personal Data, by fully or partially automatic means, or by non-automatic means provided that the processing is part of a data recording system.
Committee: Refers to the Company’s Personal Data Protection Committee.
Board: Refers to the Personal Data Protection Board.
Institution: Refers to the Personal Data Protection Authority.
KVKK: Refers to the Law on the Protection of Personal Data No. 6698.
KVK Regulations: Refers to Law No. 6698 on the Protection of Personal Data and other relevant legislation on the protection of Personal Data, binding decisions, policy decisions, provisions, instructions and applicable international agreements on data protection, and all other types of legislation issued by regulatory and supervisory authorities, courts and other official authorities.
KVK Policies: Refers to the policies of the Company on the protection of Personal Data.
KVK Procedures: Refers to the procedures that determine the obligations of the Company, its employees and the Committee within the scope of the KVK Policies.
Special Qualified Personal Data: Refers to data of individuals regarding their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, including biometric and genetic data.
Deletion and Destruction: Refers to the irreversible deletion or destruction of Personal Data.
Data Inventory: Refers to the inventory containing information on the Company’s Personal Data processing activities, including the Personal Data Processing processes and methods, the purposes of Personal Data Processing, the data categories, the third parties to whom Personal Data are transferred, etc.
Data Processor: Refers to the natural or legal person that processes Personal Data on behalf of the Data Controller, with the authorization of the Data Controller.
Data Owner: Refers to all natural persons whose Personal Data are processed by or on behalf of the Company.
Data Controller: Refers to the natural or legal person who determines the purposes and means of Processing Personal Data and is responsible for establishing and managing the data recording system.
Data Controller Contact Person: Refers to the natural person notified by the Data Controller at registration, for the communication to be established with the Authority regarding the KVK Regulations.

5. THE PRINCIPLES OF PERSONAL DATA PROCESSING

5.1 Processing of Personal Data in Compliance with the Law and the Rules of Integrity
The Company processes Personal Data in accordance with the law and the rules of integrity, and on the basis of proportionality.
5.2 Taking Necessary Precautions to Keep Personal Data Accurate and Up-to-Date Where Necessary
The Company takes all necessary measures to ensure that Personal Data is complete, accurate and up-to-date, and updates the relevant Personal Data when the Data Owner requests a change to it within the scope of the KVK Regulations.
5.3 Processing of Personal Data for Specific, Explicit and Legitimate Purposes
Before Personal Data is processed, the Company determines the purpose for which it will be processed. In this context, the Data Owner is informed within the scope of the KVK Regulations and, where needed, their Explicit Consent is obtained.
5.4 Personal Data Being Relevant, Limited and Proportionate to the Purpose for which They Are Processed
The Company processes Personal Data only in the exceptional cases provided for in the KVK Regulations (Articles 5.2 and 6.3 of the KVKK), or for the purpose covered by the Explicit Consent obtained from the Data Owner (Articles 5.1 and 6.2 of the KVKK), and in accordance with the principle of proportionality. The Data Controller processes Personal Data in a manner suited to achieving the determined purposes and refrains from processing where it is unrelated to, or not needed for, achieving that purpose.
5.5 Retention of Personal Data for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose of Processing
5.5.1 The Company retains Personal Data only as long as necessary for the purpose. Should the Company wish to retain Personal Data for longer than required by the KVK Regulations or by the Personal Data Processing purpose, it acts in accordance with the obligations specified in the KVK Regulations.
5.5.2 Personal Data is Deleted, Destroyed or Anonymized once the period required for the purpose of processing has expired. In that case, the third parties to whom the Company has transferred the Personal Data are also required to Delete, Destroy or Anonymize it.
5.5.3 The Committee is responsible for operating the Deletion, Destruction and Anonymization processes. In this context, the necessary procedure is established by the Committee.

6. PROCESSING PERSONAL DATA

Personal Data may only be processed by the Company within the scope of the procedures and principles set forth below.
6.1 Explicit Consent
6.1.1 Personal Data is processed only after the Data Owners have been notified in fulfilment of the Obligation to Disclose, and only if the Data Owners give their Explicit Consent.
6.1.2 Data Owners are informed of their rights, within the framework of the Obligation to Disclose, before Explicit Consent is obtained.
6.1.3 The Explicit Consent of the Data Owner is obtained through methods compliant with the KVK Regulations. Explicit Consent is retained by the Company, in a provable form, for the period required under the KVK Regulations.
6.1.4 The Committee is obliged to ensure that the Obligation to Disclose is fulfilled for all Personal Data Processing processes and that Explicit Consent is obtained and, where necessary, retained. All department employees who process Personal Data are obliged to comply with the instructions of the Contact Person and the Committee, with this Policy and with the KVK Procedures annexed to this Policy.
6.2 Processing Personal Data without Explicit Consent
Where the Processing of Personal Data without Explicit Consent is provided for in the KVK Regulations (Article 5.2 of the KVKK), the Company may process Personal Data without the Explicit Consent of the Data Owner. When Personal Data is processed in this way, the Company Processes it within the limits drawn by the KVK Regulations. In this context:
6.2.1 Personal Data may be processed by the Company without Explicit Consent if this is expressly stipulated in the laws.
6.2.2 Personal Data may be processed by the Company without Explicit Consent if it is necessary for the protection of the life or bodily integrity of the Data Owner, or of someone other than the Data Owner, who is unable to express consent due to actual impossibility or whose consent is not legally valid.
6.2.3 Provided that it is directly related to the establishment or performance of a contract, the Personal Data of the parties to the contract may be processed by the Company without the Explicit Consent of the Data Owners, where processing the Personal Data is necessary.
6.2.4 Where the Processing of Data is necessary for the Company to fulfil its legal obligations, Personal Data may be processed by the Company without the Explicit Consent of the Data Owners.
6.2.5 Personal Data made public by the Data Owner may be processed by the Company without obtaining the Explicit Consent of the Data Owner.
6.2.6 Where the Processing of Personal Data is necessary for the establishment, exercise or protection of a right, Personal Data may be processed by the Company without obtaining Explicit Consent.
6.2.7 Provided that it does not harm the fundamental rights and freedoms of the Data Owner, Personal Data may be processed by the Company without obtaining Explicit Consent if data processing is necessary for the Company’s legitimate interests.

7. PROCESSING OF SPECIAL QUALITY PERSONAL DATA

7.1 Special Quality Personal Data, other than data on sexual life and personal health, may only be processed if the Data Owner has given his/her Explicit Consent or if processing is expressly required by law.
7.2 Personal Data relating to health and sexual life may be processed without Explicit Consent only by persons (e.g. the Company Physician) or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.
7.3 While Processing Special Quality Personal Data, the measures determined by the Board are taken.
7.4 In respect of the employees involved in the processing of Special Quality Personal Data, the Company:
7.4.1 Will regularly provide trainings on the KVK Regulations and the security of Special Quality Personal Data.
7.4.2 Will conclude confidentiality agreements.
7.4.3 Will clearly define the scope and duration of the authorization of users who have access to Special Quality Personal Data.
7.4.4 Will periodically perform authorization checks.
7.4.5 Will immediately revoke the authorizations, within their field of activity, of employees whose duties change or who leave the job, and will promptly take back the inventory allocated to the relevant employee.
7.5 Where Special Quality Personal Data is processed, retained and/or accessed in electronic media, the Company:
7.5.1 Shall constantly follow the security updates of the environments where the Special Quality Personal Data are located.
7.5.2 Will, where Special Quality Personal Data is accessed through software, authorize the relevant person for the use of that software.
7.5.3 Will, in case of remote access to Special Qualified Personal Data, provide a two-stage (two-factor) authentication system.
7.6 Where Special Quality Personal Data is processed in a physical environment, the Company shall take the necessary precautions regarding the physical environments where the data is processed, retained and/or accessed. It:
7.6.1 Will ensure that adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken, having regard to the setting where Special Qualified data is stored.
7.6.2 Will prevent unauthorized entry and exit by ensuring the physical security of these environments.
7.7 In case of transfer of Special Qualified Personal Data:
7.7.1 The Company will use an encrypted corporate e-mail address or a Registered Electronic Mail (“KEP”) account if it is necessary to transfer Sensitive Personal Data via e-mail.
7.7.2 If it is necessary to physically transfer Private Personal Data in paper form, the Company will take the necessary precautions against risks such as theft, loss or viewing of the documents by unauthorized persons, and will send the documents marked as “confidential documents”.
7.9 In addition to the above, the Committee and the Contact Person will act in accordance with the KVK Regulations, in particular the Personal Data Security Guide published by the Board regarding the security of Personal Data, including Special Quality Data.
7.10 In all cases requiring the Processing of Special Quality Personal Data, the relevant employee informs the Committee.
7.11 If it is unclear whether data is Special Quality Personal Data, the relevant department obtains the opinion of the Committee.

8. PERSONAL DATA RETENTION PERIOD

Personal Data are kept within the Company for the relevant legal retention periods and for the period necessary to carry out the activities related to the data and the purposes specified in this Policy. Personal Data whose purpose of use and legal retention period have expired is deleted, destroyed or anonymized by the Company in accordance with Article 7 of the KVKK.

9. DELETING, DESTROYING AND ANONYMIZATION OF PERSONAL DATA

9.1 When the legitimate purpose for processing Personal Data ceases, the relevant Personal Data is Deleted, Destroyed or Anonymized. Situations in which Personal Data should be Deleted, Destroyed or Anonymized are followed up by the Committee and the departments.
9.2 The Committee is responsible for the Deletion, Destruction and Anonymization processes. In this context, the necessary procedure is established by the Committee.
9.3 The Company does not retain Personal Data on the grounds that it may be of use in the future.
9.4 All Deletion, Destruction and Anonymization activities carried out by the Company on Personal Data will be performed in accordance with the principles set out in the Personal Data Storage and Destruction Policy.

10. TRANSFERRING AND PROCESSING PERSONAL DATA BY THIRD PARTIES

The Company may transfer Personal Data to a third natural or legal person in Turkey and/or abroad in accordance with the KVK Regulations, provided that it takes the measures necessary for the purposes of Personal Data Processing. In this case, the Company ensures that the third parties to which it transfers Personal Data also comply with this Policy. To that end, the necessary protective provisions are added to the contracts concluded with the third party. Each employee is obliged to comply with the processes in this Policy when transferring Personal Data.
10.1 Transfer of Personal Data to Third Parties in Turkey
10.1.1 Personal Data may be transferred to third parties in Turkey without obtaining Explicit Consent in the cases set out in Article 5.2 of the KVKK and, provided that adequate measures are taken, in the exceptional cases specified in Article 6.3 of the KVKK; in the other cases stipulated in Articles 5.1 and 6.2 of the KVKK, the Company may transfer Personal Data on condition that the Explicit Consent of the Data Owner is obtained.
10.1.2 The Company employees and the Committee are jointly responsible for ensuring that the transfer of Personal Data to third parties in Turkey complies with the KVK Regulations.
10.2 Transfer of Personal Data to Third Parties Located Abroad
10.2.1 Personal Data may be transferred by the Company to third parties abroad provided that the Explicit Consent of the Data Owner is obtained (Articles 5.1 and 6.2 of the KVKK).
10.2.2 Where Personal Data is transferred without Explicit Consent in accordance with the KVK Regulations, one of the following conditions must in addition currently be met in the foreign country to which it will be transferred:
10.2.3 The foreign country to which the Personal Data will be transferred has the status of a country with adequate protection, as determined by the Board;
10.2.4 If the foreign country to which the transfer will take place is not included in the Board’s list of safe countries, the Company and the Data Controllers in the relevant country give a written commitment to ensure adequate protection and obtain permission from the Board.
10.2.5 Company employees, the Committee and its Representative are jointly responsible for ensuring that the transfer of Personal Data to third parties abroad complies with the KVK Regulations.

11. COMPANY’S DISCLOSURE OBLIGATION

The Company informs the Data Owners before the Processing of Personal Data in accordance with Article 10 of the KVKK. In this context, the Company fulfils its Disclosure Obligation during the acquisition of Personal Data. The notification made to the Data Owners within the scope of the Disclosure Obligation includes the following elements, in this order:
11.1 The identity of the Data Controller (and of his/her representative, if any),
11.2 The purpose for which the Personal Data will be processed,
11.3 To whom, and for what purpose, the Processed Personal Data may be transferred,
11.4 The method and legal basis for collecting Personal Data,
11.5 The rights of Data Owners listed in Article 11 of the KVKK.
11.6 In accordance with Article 20 of the Constitution of the Republic of Turkey and Article 11 of the KVKK, the Company provides the necessary information when the Data Owner requests information.
11.7 If requested by the Data Owners in accordance with the KVK Regulations, the Company informs the Data Owner about the personal data it processes.
11.8 The employee following the relevant process and the Committee are jointly responsible for ensuring that the required Disclosure Obligation is fulfilled prior to the processing of Personal Data.
11.9 Third parties with Data Processor status undertake, by written contract, that they will act in accordance with the above obligations before starting data processing.

12. RIGHTS OF DATA SUBJECTS (RELEVANT PERSONS)

12.1 The Company responds to the following requests of the Data Owners whose Personal Data it processes, in accordance with the KVK Regulations:
12.1.1 Requests to learn whether Personal Data is Processed by the Company,
12.1.2 Requests for information about the Processing of Personal Data,
12.1.3 Requests to learn the purpose of processing Personal Data and whether it is used in accordance with that purpose,
12.1.4 Requests to know the third parties, in the country or abroad, to whom Personal Data is transferred,
12.1.5 Requests for the correction of Personal Data processed incompletely or incorrectly by the Company,
12.1.6 Requests for the deletion or destruction of Personal Data by the Company where the reasons requiring its Processing cease to exist, to be evaluated within the principles of purpose and legitimacy,
12.1.7 Requests that the correction, deletion or destruction of Personal Data by the Company be notified to the third parties to whom the Personal Data has been transferred,
12.1.8 Objections to a result that violates the rights of the Data Owner due to the processing of Personal Data exclusively through automated systems,
12.1.9 Requests for compensation of damage where the Data Owner has been adversely affected by the unlawful processing of Personal Data.
Data Owners who wish to exercise their rights, and/or who consider that the Company has not acted within the scope of this Policy while processing Personal Data, may submit their requests, together with documents certifying their identity, in one of the following ways: by filling out the form on the Company website together with a wet-signed petition; by e-mail, prepared in a manner meeting the conditions determined by the Institution, sent from an e-mail address previously notified to the Company and registered in the Company system (the address registered in the system should be checked) to the Company e-mail address given below, which may change from time to time; to the Company KEP address with a secure electronic signature or mobile signature; by hand delivery; through a notary public; or by other methods that the Authority may determine in the future. The current application methods and the required content of the application must be confirmed against the legislation before applying.

Data Controller: DOKU AESTHETICS AND HEALTH SERVICES TRADE LIMITED COMPANY

Registered E-mail (KEP) : [email protected]
Postal address : MERKEZ MAHALLESİ İSTİKLAL STREET NO: 9/75 SISLI ISTANBUL
In case the Data Owners submit their requests regarding their rights listed above to the Company in writing, the Company concludes the request free of charge within (30) thirty days at the latest, depending on the nature of the request. In the event that a separate cost arises for the conclusion of the requests by the Data Controller, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller.

13. DATA MANAGEMENT AND SECURITY

13.1 The Company establishes a Committee in order to fulfil its obligations under the KVK Regulations, to ensure and supervise the implementation of the KVK Procedures required for the implementation of this Policy, and to make suggestions for their operation.
13.2 All employees involved in the relevant process are jointly responsible for the protection of Personal Data in accordance with this Policy and the KVK Procedures.
13.3 The Company’s Personal Data processing activities are controlled through the available technological means and technical systems, taking their implementation costs into account.
13.4 Personnel knowledgeable in technical matters relating to Personal Data Processing activities are employed.
13.5 Company employees are informed and trained regarding the protection and lawful processing of Personal Data.
13.6 Company employees may access Personal Data only within the authorization defined for them and in accordance with the relevant KVK Procedure. Any access or processing by an employee in excess of his/her authority is unlawful and constitutes just cause for termination of the employment contract.
13.7 If a Company employee suspects that the security of Personal Data is not adequately ensured, or identifies such a security gap, he/she notifies the Committee.
13.8 A detailed KVK Procedure for the security of Personal Data is created by the Committee.
13.9 Each person assigned a Company device is responsible for the security of the devices allocated to his/her use.
13.10 Each Company employee or person working within the Company is responsible for the security of the physical files within their area of responsibility.
13.11 Where additional security measures are, or will be, required for the security of Personal Data within the scope of the KVK Regulations, all employees are obliged to comply with those additional measures and to ensure their continuity.
13.12 Software and hardware, including virus protection systems and firewalls, are installed in line with technological developments so that Personal Data is stored in secure environments.
13.13 The Company uses backup programs and takes adequate security measures to prevent the loss or damage of Personal Data.
13.14 The necessary measures will be taken to protect documents containing Personal Data by means of encrypted systems. In this context, Personal Data will not be stored in shared areas or on the desktop. Files, folders and documents containing Personal Data will not be moved to the desktop or to a shared folder, and information on Company computers will not be transferred to USB or similar media, transferred to another device, or taken out of the Company without the prior written approval of the Committee.
13.15 The Committee, together with the Board of Directors, is obliged to take technical and administrative measures for the protection of all Personal Data within the Company, to constantly monitor developments and administrative activities, to prepare the necessary KVK Procedures, to announce them within the Company, and to ensure and supervise compliance with them. In this context, the Committee organizes the necessary trainings to raise the awareness of employees.
13.16 If a department within the Company processes Sensitive Personal Data, the Committee informs that department about the importance, security and confidentiality of the Personal Data it processes, and the department acts in accordance with the Committee’s instructions. Only a limited number of employees will be authorized to access Sensitive Personal Data, and their list and follow-up will be maintained by the Committee.
13.17 All Personal Data processed within the Company are treated by the Company as “Confidential Information”.
13.18 Company employees have been informed that their obligations regarding the security and confidentiality of Personal Data continue after the termination of the business relationship, and a commitment to comply with these rules has been obtained from them.

14 DATA BREACH RESPONSE PLAN

14.1 An employee who notices attitudes or behavior contrary to the personal data protection law and the relevant legislation immediately notifies the Company Personal Data Protection Committee.
14.2 Where processed personal data is obtained by others unlawfully, the Institution is notified within 72 hours.
14.3 Once the persons affected by the data breach in question have been identified, they are notified as soon as possible: directly, if the contact address of the data subject can be reached, or otherwise through appropriate methods such as publishing the matter on the data controller’s own website.
14.4 If the data controller is unable to notify the Board within 72 hours for a justified reason, the reasons for the delay are also disclosed to the Board together with the notification.
14.5 For the notification to be made to the Board, the “Personal Data Violation Notification Form” published by the Institution at https://ihlalbildirim.kvkk.gov… is used.
14.6 Where it is not possible to provide all the information required in the form at the same time, the information is provided in stages without undue delay.
14.7 The data controller ensures that information regarding data breaches, their effects and the measures taken is recorded and made available to the Board for review.
14.8 Where personal data held by the Data Processor is obtained by others unlawfully, the Data Processor shall notify the Committee without delay.
The relevant plan is periodically reviewed by the Committee.

15. EDUCATION

15.1 The Company provides its employees with the necessary training on the protection of Personal Data within the scope of the KVK Procedures and the KVK Regulations included in the Policy and its annex. These trainings may be given in person or online.
15.2 The trainings specifically address the definition and protection of Special Quality Personal Data.
15.3 Where a Company employee accesses Personal Data physically or on a computer, the Company trains the relevant employee for such access (for example, on the computer program accessed).

16. AUDIT

The Company has the right to audit, regularly, ex officio and without prior notice, that all employees, departments and contractors of the Company act in compliance with this Policy and the KVK Regulations, and performs the necessary routine audits in this context. The Committee creates a KVK Procedure regarding these audits, submits it for the approval of the management and ensures the implementation of that procedure.

17. VIOLATIONS

17.1 Each employee of the Company reports to the Committee any work, transaction or action that he or she considers contrary to the procedures and principles set forth in the KVK Regulations and within the scope of this Policy. In this context, the Committee creates an action plan for the relevant violation in accordance with this Policy and the KVK Procedures.
17.2 Following such notifications, the Committee prepares the notification to be made to the Data Owner or the Institution regarding the violation, taking into account the provisions of the applicable legislation on the subject, in particular the KVK Regulations. The Contact Person conducts correspondence and communication with the Institution.

18. RESPONSIBILITIES

Responsibilities within the Company are carried out respectively by the employee, the department and the Committee. In this context, the Committee responsible for the implementation of the Policy is appointed by the Company Management, by management decision or by the bodies authorized to sign and bind the Company, and changes are made in the same way.

19. CHANGES TO BE MADE IN THE POLICY

19.1 This Policy may be changed by the Company from time to time with the approval of the Management.
19.2 The Company shares the updated Policy text with its employees via e-mail so that the changes made to the Policy can be reviewed, or it can be accessed by employees and Data Owners via the following web address.

20. EFFECTIVE DATE OF THE POLICY

This version of the Policy was approved by the Company Management and entered into force on ../../2024.