Personal Data Protection Law (KVKK)

This Privacy Notice has been prepared to inform data subjects regarding the procedures and principles related to the processing of personal data of patients/clients by The Cocona Estetik Kozmetik Sağlık Turizm Ltd. Şti. (“The Cocona”) under Turkish Personal Data Protection Law No. 6698 (“KVKK”) and the European Union General Data Protection Regulation (“GDPR”).

Ensuring the security of patients’/clients’ personal data is one of The Cocona’s primary objectives. Therefore, The Cocona takes necessary security measures in compliance with the applicable legislation to ensure the secure processing of personal data and to prevent any unlawful access or leakage of such data.

DATA CONTROLLER

Your personal data will be processed by The Cocona Estetik Kozmetik Sağlık Turizm Ltd. Şti. in accordance with KVKK and GDPR. Under KVKK, The Cocona is considered the “Data Controller,” and under GDPR, the “Controller.”

The Cocona has engaged a Personal Data Protection Specialist Law Firm as the “Data Protection Officer” under GDPR. While the responsibility for implementing compliance processes related to KVKK and GDPR remains with the Data Controller, the Law Firm provides consultancy and guidance.

PERSONAL DATA TO BE PROCESSED

Your Personal Data and Special Category Personal Data specified below will be processed in compliance with the fundamental principles set out in Article 4 of KVKK and Article 5 of GDPR. The processing will be carried out lawfully, transparently, and with respect for fairness, connected to the purpose of processing, limited, and proportionate. Necessary technical and administrative measures are taken to ensure data security:

  1. IDENTITY INFORMATION: Your name, surname, Turkish ID Number and/or Passport Number and/or Temporary Turkish ID Number, place and date of birth, marital status, gender, profession, signature, and other identifying details.
  2. CONTACT INFORMATION: Your address (residential/workplace), phone numbers (fixed/mobile), email address, IP address, social media accounts, and other communication details.
  3. HEALTH INFORMATION: Blood type, allergies, chronic diseases, sexually transmitted diseases, infectious diseases, previous surgeries/operations, medications, COVID-19 information, medical treatments, health reports, test and imaging results, prescription details, body analysis and measurement data, skin analysis data, harmful habits, and other medical data necessary for your treatment.
  4. PHOTOGRAPHS AND VIDEO RECORDINGS: Photos and/or videos taken before, during, or after medical procedures.
  5. FINANCIAL INFORMATION: Bank account numbers, IBAN numbers, credit card details, billing and invoice information, and other financial data.
  6. TRANSFER AND ACCOMMODATION INFORMATION: If you are a Health Tourist visiting under International Health Tourism, your transfer details, flight itinerary, hotel accommodation details, and related information.

PURPOSES OF PROCESSING YOUR PERSONAL DATA

The detailed purposes for processing your personal data will be outlined in the following sections of this notice. These include ensuring compliance with legal obligations, delivering health services, and enhancing the overall quality of services provided.

PURPOSES OF PROCESSING YOUR PERSONAL DATA

Your personal data will be processed by The Cocona Estetik Kozmetik Sağlık Turizm Ltd. Şti. (“The Cocona”) for the following purposes:

  • Creating patient records.
  • Providing examination, preventive medicine, medical diagnosis, treatment, and care services.
  • Conducting post-treatment follow-ups and managing complications.
  • Establishing direct communication.
  • Managing appointment processes.
  • Addressing patient satisfaction and requests.
  • Fulfilling legal and contractual obligations.
  • Storing health data in compliance with applicable legislation.
  • Facilitating consultations with other medical professionals.
  • Meeting legal health tourism obligations.
  • Organizing transfer and accommodation services for international health tourism.
  • Announcing medical treatment innovations.
  • Informing third parties about medical procedures with your consent.
  • Conducting promotional activities in compliance with health tourism incentive legislation.
  • Managing financial and administrative responsibilities.
  • Ensuring security and fulfilling public obligations.

CONDITIONS AND PURPOSES FOR PROCESSING YOUR PERSONAL DATA

  • Identity Data: Processed for creating patient files, providing examination and treatment services, managing patient satisfaction and requests, and planning transfer and accommodation services for health tourism.
  • Contact Information: Used for post-treatment follow-ups, managing appointments, sending updates on medical innovations (with explicit consent), appointment reminders, and delivering celebratory messages on special occasions.
  • Health Information: Required for the successful execution of medical treatments, consultations during treatment, creating patient files, and fulfilling legal healthcare obligations.
  • Photographs, Videos, and Audio Recordings: Used to monitor treatment progress and, with your explicit consent, inform third parties about medical procedures or for promotional purposes.
  • Financial Data: Processed for invoicing, managing payments, and handling refunds if necessary.
  • Transfer and Accommodation Information: Managed for organizing transfer and accommodation services for international health tourism patients/clients.

These data are essential for conducting medical treatments, fulfilling related obligations, and achieving the aforementioned purposes. If you do not provide your personal data, the risk of incomplete or unsuccessful treatment may arise.

METHODS OF PERSONAL DATA COLLECTION

Your personal data will be collected through the following methods by The Cocona Estetik Kozmetik Sağlık Turizm Ltd. Şti. (“The Cocona”):

  • Examination and Treatment Processes: By submitting health reports, lab and imaging results, declarations related to medical data, and other relevant documents during your visit.
  • Patient Information and Consent Form: Through the “Patient Information and Consent Form” that you complete to approve the treatment.
  • Website Contact Form: Through the contact forms filled out on The Cocona’s official website.
  • Email Communication: Through emails sent to The Cocona’s corporate email address (e.g., info@TheCocona.com).
  • Photograph/Video Records: By recording photos and videos before, during, and after the treatment.
  • Online Diagnosis and Follow-ups: Through remote consultations conducted using applications such as WhatsApp, Zoom, FaceTime, Skype, Messenger, Google Meet, etc., where you share written, audio, or visual data.
  • Social Media Communication: Through messages or comments sent to The Cocona’s official social media accounts (Instagram, YouTube, Facebook, Twitter, LinkedIn, etc.) or by filling out information on promotional panels like “Contact Us” or “Request Info.”
  • Wi-Fi Usage: By logging data via technical tools (e.g., firewall devices) when connecting to the wireless internet network as a guest user at The Cocona’s clinic.

The personal data collected through the methods mentioned above will be processed in accordance with KVKK and GDPR regulations to ensure The Cocona fulfills its contractual and legal obligations during examinations, preventive medicine, diagnosis, treatment, and care services.

PURPOSE, METHOD, AND LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA

Your personal data will be processed by The Cocona Estetik Kozmetik Sağlık Turizm Ltd. Şti. and authorized third parties acting as Data Processors in accordance with GDPR and KVKK regulations. Processing methods include oral, written, photographic, and video recordings, both in physical and electronic environments, with appropriate technical and administrative security measures. In cases stipulated by the law, your explicit consent will be obtained.

SITUATIONS REQUIRING EXPLICIT CONSENT

Under GDPR Article 6/1(a) and KVKK Article 5/1, the following scenarios necessitate your explicit consent for processing personal data:

  • Promotional Communication: Sending SMS messages, emails, or mobile communication for the announcement and promotion of innovations related to aesthetic and healthcare services provided by The Cocona.
  • Use of Visual Data for Promotion: Sharing photos and videos captured before, during, or after medical procedures on The Cocona’s social media accounts (e.g., Instagram, Facebook) and corporate websites.
  • Cross-Border Data Transfers: Sharing data via service providers with servers located abroad (e.g., WhatsApp, Zoom). Your explicit consent will be obtained unless:
    • You use such applications (e.g., WhatsApp, FaceTime) to communicate with The Cocona and have already agreed to their privacy and cross-border data transfer policies.
    • You communicate via email services like Gmail or Yahoo and have agreed to their privacy terms.
    • You engage with ads or promotions published on international social media platforms (e.g., Facebook, Instagram), where your consent to their privacy policies includes data processing and transfer.
    • You send direct messages to The Cocona’s profiles on platforms such as Instagram or Twitter, which indicates agreement with those platforms’ privacy policies and The Cocona’s privacy principles.

DATA PROCESSING WITHOUT EXPLICIT CONSENT

In the following cases, your personal data may be processed without explicit consent, based on legal provisions:

  1. Under GDPR Article 9/2(h) and KVKK Article 6/3:
    • Special categories of personal data (e.g., health data) may be processed without your explicit consent to provide medical diagnosis, treatment, and care services, under The Cocona’s confidentiality obligations.
  2. Under GDPR Article 6/1(b) and KVKK Article 5/2(c):
    • For performing post-treatment follow-ups, managing appointment processes, and ensuring direct communication.
  3. Under GDPR Article 6/1(f) and KVKK Article 5/2(f):
    • For legitimate interests such as ensuring patient satisfaction and handling requests.

The Cocona guarantees that all data processing activities are conducted under the relevant data protection laws, adhering to transparency, confidentiality, and integrity standards.

PERSONAL DATA PROCESSING BASED ON LEGAL OBLIGATIONS

Pursuant to GDPR Article 6/1(c), KVKK Article 5/2(a), and KVKK 5/2(c), your personal data will be processed without your explicit consent in the following cases, based on legal obligations:

  • Creation of patient files.
  • Storing your health-related data as required by relevant legislation.
  • Processing payments and issuing invoices.
  • Fulfillment of tax obligations.
  • Compliance with Ministry of Health regulations.
  • Fulfillment of obligations under Health Tourism regulations.
  • Ensuring your data security.
  • Fulfillment of legal obligations before judicial authorities.
  • Fulfillment of administrative obligations before government institutions and organizations.

TRANSFER OF PERSONAL DATA AND THE PURPOSES AND PARTIES TO WHOM IT MAY BE TRANSFERRED

In accordance with the personal data processing conditions specified in Articles 5 and 6 of the KVKK and Articles 6 and 9 of the GDPR, the personal data you provide will be processed by The Cocona for the following purposes: carrying out, improving, and managing medical diagnosis, treatment, and care services, managing complication processes, consulting with other specialists if necessary, fulfilling international health tourism obligations, planning patient transfer and accommodation services under health tourism, managing promotion activities under health tourism laws, establishing communication with patients, planning and managing the financing of healthcare services, fulfilling legal responsibilities arising from the relationship between doctor and patient, and fulfilling financial, legal, and administrative obligations, ensuring technical and commercial security, and meeting public obligations.

Your personal data and special categories of personal data will be transferred to the following parties, in compliance with the necessary confidentiality agreements and relevant administrative and technical security measures, only to the extent necessary to achieve the above purposes:

  • Other specialists for consultation,
  • Insured employees,
  • Suppliers,
  • Financial advisors, tax consultants, auditors,
  • Legal consultants,
  • Database (server) providers,
  • “Clinical Management Software System” service providers,
  • Interpreters,
  • Foreign promotion consultants,
  • Support management system (DYS) authorities,
  • Data protection officers,
  • IT consultants,
  • Tourism agencies,
  • Public institutions and authorities authorized by law,
  • Judicial authorities.

PERSONAL DATA PROCESSING PERIOD

Your personal data will be stored by The Cocona as long as it is legally required to be retained and in situations where retention is necessary. Documentation and retention obligations stem from local regulations based on trade, tax, and health legislation. The following table shows the retention periods for your personal data:

Retention Periods for Your Personal Data:

  • Identity Information: 20 years after the service is completed.
  • Contact Information: 20 years after the service is completed.
  • Health Information: 20 years after the service is completed.
  • Photographs and Videos: 20 years after the service is completed.
  • Financial Information: 5 years after the service is completed.

LEGAL AGE LIMIT FOR DATA SUBJECTS UNDER RELEVANT LEGISLATION

Under the KVKK, patients and clients may consent to the processing of their personal data provided they are at least 18 years old. If they are under this age, their consent must be given by their legal representatives.

GDPR UNDER EU REGULATIONS

Under the GDPR, citizens of European Union member countries and patients/clients residing in EU countries may give their consent to the processing of personal data provided they are at least 16 years old, or have reached the age specified by their country. Consent for patients/clients below this age must be given by their legal representatives.

WITHDRAWAL OF CONSENT

You may withdraw your consent regarding the processing of your personal data at any time in accordance with GDPR Article 6/1(a) and KVKK Article 5/1. If you submit your request to the contact address below, your consent will be immediately withdrawn.

RIGHTS OF DATA SUBJECTS UNDER GDPR

Your personal data is also protected under GDPR. For those subject to GDPR (citizens of the European Union or residents in EU countries), the rights of the data subject are as follows:

  • Right of Access (GDPR Article 15): The data subject has the right to request confirmation from The Cocona on whether their personal data is being processed, and if so, to obtain details of the processing as outlined in GDPR Article 15.
  • Right to Rectification (GDPR Article 16): The data subject has the right to request the correction of their personal data held by The Cocona if any of it has changed.
  • Right to Erasure (GDPR Article 17): The data subject has the right to request the deletion of their personal data held by The Cocona. If the conditions outlined in GDPR Article 17 are met, The Cocona will delete the data without delay.
  • Right to Restriction of Processing (GDPR Article 18): The data subject may request the restriction of the processing of their personal data until its accuracy is verified if there are objections to the data’s accuracy.
  • Right to Object (GDPR Article 21): The data subject has the right to object to the processing of their personal data based on their specific situation, including profiling. If The Cocona cannot demonstrate legitimate reasons that override the data subject’s rights, it will not process the personal data.
  • Right to Data Portability (GDPR Article 20): If technically feasible, the data subject may request that their personal data be transferred to another controller, provided the processing is based on consent or is necessary for the performance of a contract.
  • Right to Object to Direct Marketing (GDPR Article 21): The data subject has the right to object to the processing of their personal data for direct marketing purposes, including profiling related to such marketing. If an objection is made, the data will no longer be processed for such purposes.

RIGHTS OF DATA SUBJECTS UNDER KVKK

Under KVKK Article 11, individuals whose personal data is processed have the following rights:

  • To learn whether their personal data is being processed.
  • To request information if their personal data has been processed.
  • To learn the purpose of processing personal data and whether it is being used in accordance with that purpose.
  • To know third parties to whom personal data is transferred, both domestically and internationally.
  • To request rectification if personal data is inaccurate or incomplete, and for such rectifications to be communicated to third parties.
  • To request the deletion or destruction of personal data if the reasons for processing no longer exist, and for this to be communicated to third parties.
  • To object to decisions made solely through automated processing of personal data that results in legal consequences for them.
  • To seek compensation for damages caused by unlawful processing of personal data.

If you wish to exercise any of the above rights, you may submit a written request to The Cocona’s contact address, stating which rights you wish to exercise, with the necessary identification documents. The request can also be made to the email address “info@The Cocona.com” or through other methods specified in KVKK.

The Cocona will respond to your request within 30 days, free of charge. If the request requires additional costs, the fees determined by the Personal Data Protection Board will be charged.

CONSENT AND APPROVAL

By reading this Privacy Notice, you acknowledge that you have been fully informed about the data processing process carried out by The Cocona, you have learned your rights under KVKK and GDPR, and you voluntarily give your consent to the processing of your personal and sensitive personal data in accordance with this Privacy Notice.

You have the right to refuse consent after reading this Privacy Notice.

The Cocona is designated as the “DATA CONTROLLER” under GDPR and the “DATA RESPONSIBLE” under KVKK.

This Privacy Notice is provided in accordance with legal regulations.

Kind regards.