1. PURPOSE
AS DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ; The processing of personal data of real persons related to our Company, including our customers, subscribers and employees, in accordance with the Constitution of the Republic of Turkey, international agreements on human rights to which our country is a party, and the relevant legislation, in particular the Law on the Protection of Personal Data No. 6698 (“KVKK”) It is our priority to ensure that their rights are used effectively.
Therefore, but not limited to those listed; DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ Personal Data Protection and Processing Policy (“Policy”).
Protecting personal data and observing the fundamental rights and freedoms of natural persons whose personal data are collected are the basic principles of our policy regarding the processing of personal data.
For this reason, we carry out all our activities in which personal data are processed, taking into account the protection of privacy, the confidentiality of communication, freedom of thought and belief, and the right to use effective legal remedies.
In order to protect personal data, we take all administrative and technical protection measures required by the nature of the relevant data in accordance with the legislation and current technology.
This Policy explains the methods we follow for the processing, storage, transfer, deletion or anonymization of personal data shared during our commercial or social responsibility and similar activities within the framework of the principles mentioned in the KVKK.

2. SCOPE
Not limited to those listed; All personal data of our employees, subscribers, visitors, business contacts, business partners, customers, potential customers, suppliers, dealers, users visiting our website, in short, all personal data we obtain during our activities and processed by DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ are within the scope of this Policy..
The protection of personal data is only related to real persons, and information belonging to legal entities that do not contain information about the real person is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.
Our policy is implemented in activities for the processing of all personal data owned by DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ or managed by DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ. received and prepared.

3. DEFINITION AND ABBREVIATIONS
In this section, special terms and phrases, concepts, abbreviations etc. in the Policy. briefly explained.

3.1. Company Name: DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ

3.2. Explicit Consent: Consent to a particular subject, based on information and free will, with a clear and unambiguous, limited only to that transaction.

3.3. Anonymization: It is the rendering of personal data in no way associated with an identified or identifiable natural person, even by matching with other data.

3.4. Employee: Represents the personnel of DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ.

3.5. Personal Data Owner (Relevant Person): The natural person whose personal data is processed.

3.6. Personal Data: Any information relating to an identified or identifiable natural person.

3.7. Sensitive Personal Data: Data about people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions, and security measures with biometric and genetic data.

3.8. Processing of Personal Data: Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. or any kind of operation performed on the data, such as preventing its use.

3.9. Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

3.10. Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

3.11. KVK Board: Personal Data Protection Board.

3.12. KVK Authority: Personal Data Protection Authority.

3.13. KVKK: Law on Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677.

3.14. KEP: It is the registered e-mail address. It is a system that protects all kinds of commercial, legal correspondence and document sharing
in the sent form, determines exactly who the recipient is, does not change the content, and turns the content into legal, valid and secure, definitive evidence.

3.15. Policy: DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ Personal Data Protection and Processing Policy.

4. ROLE AND RESPONSIBILITIES

4.1. Board of Directors
The Board of Directors is responsible for the oversight of the determination and operation of notification, review and sanction mechanisms in case of non-compliance with the Policy, rules and regulations.

4.2. Operations Management
Responsible for the preparation, development, execution and updating of this Policy. It evaluates this Policy in terms of timeliness and development needs when necessary. The publication of the prepared document on the corporate portal is the responsibility of the Iztim IT Services Operations management.

5. LEGAL OBLIGATIONS

Legal obligations within the scope of protection and processing of personal data as a data controller pursuant to KVKK are listed below:

5.1. Our obligation to inform

While collecting personal data as a data controller;

1. For what purpose your personal data will be processed,
2. Our identity, information on the identity of our representative, if any,
3. To whom and for what purpose your processed personal data can be transferred,
4. Our method of collecting the data and the legal reason,
5. We have an obligation to inform the Related Person about the rights arising from the law

As DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ, we take care that this Policy, which is open to the public, is clear, understandable and easily accessible.

5.2. Our obligation to ensure data security

As the data controller, we take the administrative and technical measures stipulated in the legislation in order to ensure the security of the personal data under our responsibility. Obligations and measures regarding data security are detailed in section 9 of this Policy.

6. CLASSIFICATION OF PERSONAL DATA

6.1. Personal data
Personal data; Any information relating to an identified or identifiable natural person. The protection of personal data is only related to real persons, and information belonging to legal entities that do not contain information about the real person is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.

6.2. Special categories of personal data
Data on people’s race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, their clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions, and security measures, and biometric and genetic data are privately owned. qualified personal data.

7. PROCESSING PERSONAL DATA

7.1. Our personal data processing principles
We process personal data in accordance with the principles below.

7.1.1. Processing in accordance with the law and honesty rules
We process personal data in accordance with the rules of honesty, transparently and within the framework of our obligation to inform.

7.1.2. Ensuring that personal data is accurate and, where necessary, up to date
We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also allow the Personal Data Owner to apply to us to update their data and to correct any errors in their processed data, if any.

7.1.3. Processing for specific, explicit and legitimate purposes
AS DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ, we process personal data within the scope and content of which are clearly defined, within the scope of our legitimate purposes determined to continue our activities within the framework of the legislation and the ordinary course of commercial life.

7.1.4. Personal data must be connected, limited and measured for the purpose for which they are processed.
We process personal data in connection with the purpose we have clearly and precisely determined, in a limited and measured way. We avoid the processing of personal data that is not relevant or does not need to be processed.

7.1.5. Keeping personal data for the duration of our legitimate commercial interests and stipulated by the legal regulations Many regulations in the legislation require that personal data be kept for a certain period of time. For this reason, we keep the personal data we process for the period stipulated in the relevant legislation or required for the purposes of processing personal data until the end of the service.
In case the storage period stipulated in the legislation expires or the purpose of processing disappears, we delete, destroy or anonymize personal data. Our principles and procedures regarding retention periods are detailed in section 9 of this Policy.

7.2. Our purposes for processing personal data
Your personal data;

Your personal data by which we can identify you, such as your name, surname, telephone number, e-mail address, customer number, contract number, user ID assigned to you regarding your subscription,

Your basic subscription information such as your tariff and package information, value-added service subscriptions, billing, financial and debt information, subscription type, subscription status (cancellation, active, etc.) within the scope of your subscription,

Your personal data obtained when you contact us via e-mail with your voice call recordings kept by sales and customer representatives in accordance with call center standards,

Your credit and debit card information, branch code, account number and other bank information,

Your data obtained through sales, such as your demand and transaction information in sales channels,

Your personal data including your usage details such as the amount of value-added services you use, the content you provide and your personal information and other records,

Your behavioral information and usage data on DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ websites and mobile applications, the content and personal information you provide, and your preferences regarding your use of certain products and services,

Device, network, location and usage information that the related DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ mobile applications can collect from your device,

If you apply for a job at DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ, your other personal data including the CV provided in this regard and your personal data regarding your service contract and all kinds of work inclination if you are an employee of DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ or a related employee.

To inform you of our new products and services and to provide you with the most suitable product and service,

To offer you an offer based on the way you use our products and services and to inform you about new services,

Analyzing in order to improve our products and services,

Training and developing our employees,

Invoicing for your use of our products and services,

Confirming your identity

Answering all your questions and complaints about our products or services,

Analyzing your use of our products and services in order to develop and improve the products and services we offer you,

Providing the necessary information in line with the requests and inspections of regulatory and supervisory institutions and official authorities,

Preserving the information about your subscription, which must be kept in accordance with the relevant legislation,

Reconciliation for reconciliation, commission and invoicing regarding the products and services we offer to you with our relevant business partners,

Ensuring the consistency of your information,

Measuring customer satisfaction,

Marketing activities and communication such as providing services related to our products and services, management of services, traffic management, analysis of products and services, campaign, tariff, product, strategy determination and measurement, including but not limited to the execution of customer services and sales operations, customer service and satisfaction, financial reporting and analysis, legal follow-up, service optimization and similar purposes.

7.3. Processing of special categories of personal data

Special categories of personal data are processed by us by taking the administrative and technical measures envisaged by the laws and by the KVK Board, if there is express consent, or when required by the legislation.

Since sensitive personal data related to health and sexual life can be processed by persons or authorized institutions and organizations under the obligation of keeping confidentiality for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, It is not processed by us other than the data of our employees.

Such data belonging to our employees may be processed by the persons stipulated by the laws.

7.4. Exceptional cases where express consent is not sought in the processing of personal data

We may process personal data without obtaining explicit consent in exceptional cases listed below and arising from the law:

I. expressly stipulated in the laws;
II.It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract;
I. Data processing is mandatory for the establishment, exercise or protection of a right;
II. It is necessary for us to process your data for our legitimate interests as data controller, provided that it does not harm fundamental rights and freedoms.

Exceptional cases where sensitive personal data can be processed without the explicit consent of the Relevant Person are specified in article 7.3 of this Policy.

8. TRANSFERRING PERSONAL DATA
8.1. Transfer of personal data to the country
As DOCTOREM INTERNATIONAL MEDİKAL SANAYİ VE TİCARET LİMİTED ŞİRKETİ, we act in accordance with the decisions and regulations stipulated in the KVKK and taken by the KVK Board regarding the transfer of personal data.

Without prejudice to the exceptional circumstances in the legislation, personal data and sensitive data are not transferred to other real persons or legal entities without the explicit consent of the Relevant Person.

In exceptional cases stipulated by the KVKK and other legislation, the data may be transferred to the authorized administrative or judicial institution or organization in the manner stipulated in the legislation and within the limits, without the explicit consent of the Relevant Person.

In addition, with the exceptional cases stipulated by the legislation;

1. 7.4 of the Policy. In the cases described in Article

2. 7.3 of the Policy with regard to sensitive personal data. in the cases listed in the article,

3. With the measures stipulated by the KVK Board and the relevant legislation,
special quality personal data related to the health and sexual life of the Relevant Person can only be provided for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. It can be transferred to persons or authorized institutions and organizations under the obligation of keeping secrets for the purpose of keeping their secrets, without seeking their explicit consent.

8.2. Transfer of personal data abroad

As a rule, personal data is not transferred abroad without the explicit consent of the Relevant Person.

8.3. Institutions and organizations to which personal data is transferred

Personal data, including but not limited to;

1. To our suppliers,

2. To our business partners and business contacts,

3. To our affiliates and group companies,

4. Legally authorized public institutions and organizations,

5. Legally authorized private legal persons,

6. It can be transferred to our shareholders
in accordance with the principles and rules described above.

8.4. Measures we take regarding the legal transfer of personal data

8.4.1. technical measures

To protect personal data, but not limited to those listed;

1. To make the internal technical organization for the processing and storage of personal data in accordance with the legislation,
2. Establishing the technical infrastructure to ensure the security of the databases where your personal data will be stored,
3. Follows and audits the processes of the technical infrastructure created,
4. It determines the procedures regarding the reporting of the technical measures and audit processes we take,
5. Periodically updating and renewing the technical measures,
6. Risky situations are re-examined and necessary technological solutions are produced,
7. We use virus protection systems, firewalls and similar software or hardware security products and establish security systems in line with technological developments,
8. Accessing data with VPN connections,
9. We employ employees who are experts in technical matters.

8.4.2. Administrative measures
To protect your personal data, but not limited to those listed;

1. Establishing personal data access policies and procedures, including company and subsidiary employees within our group,
2. Informing and training our employees on the legal protection and processing of personal data,
3. In the contracts we make with our employees and/or in the Policies we create, the company records the measures to be taken in case of unlawful processing of personal data by our employees,
4. We monitor the processing of personal data of the data processors we work with or the partners of the data processors.

9. STORAGE OF PERSONAL DATA
9.1. Keeping personal data for as long as required by the relevant legislation or for the purpose for which they are processed
In cases where we process personal data for more than one purpose, the data is deleted, destroyed or anonymized and stored if the purposes of processing the data disappear or there is no legal obstacle to the deletion of the data upon the request of the Relevant Person.
In matters of destruction, deletion or anonymization, the provisions of the legislation and the decisions of the KVK Board are complied with.
9.2. Measures we take regarding the storage of personal data
9.2.1. technical measures

1. Establishes technical infrastructures and related control mechanisms for the deletion, destruction and anonymization of personal data, 2. Takes necessary measures for the safe storage of personal data,
3. Employs employees with technical expertise,
4. It creates business continuity and emergency plans against possible risks and develops systems for their implementation,
5. We establish security systems in accordance with technological developments regarding the storage areas of personal data.

9.2.2. Administrative measures
1. Raising awareness by informing our employees about the technical and administrative risks related to the storage of personal data,
2. In case of cooperation with third parties for the storage of personal data, contracts made with companies to which personal data are transferred; We include provisions regarding taking the necessary security measures for the protection and safe storage of the transferred personal data of the persons to whom personal data is transferred.

10. SECURITY OF PERSONAL DATA

10.1. Our obligations regarding the security of personal data
Personal data;
1. To prevent illegal processing,
2. To prevent illegal access,
3. We take administrative and technical measures according to technological possibilities and implementation costs to ensure that they are stored in accordance with the law.

10.2. Measures we take to prevent unlawful processing of personal data

1. We carry out and have the necessary inspections made within our group,
2. To train and inform our employees about the legal processing of personal data,
3. The activities carried out by our Group and Group companies are evaluated in detail for all business units, and as a result of the said evaluation, personal data is processed specifically for the commercial activities carried out by the relevant units,
4. In contracts made with companies that process personal data, in cases where cooperation is made with third parties for the processing of personal data; It includes provisions regarding the taking of necessary security measures by the persons who process personal data,
5. In case of unlawful disclosure of personal data or data leakage, we notify the KVK Board about the situation and carry out the investigations stipulated by the legislation and take the measures.

10.2.1. Technical and administrative measures taken to prevent unlawful access to personal data

To prevent unlawful access to personal data;

1. Employs employees with technical expertise,
2. Periodically updating and renewing the technical measures,
3. Establishing access authorization procedures within our Group and Group companies,
4. It determines the procedures regarding the reporting of the technical measures and audit processes we take,
5. Establishes the data recording systems used within our group in accordance with the legislation and conducts periodic audits,
6. It creates emergency aid plans against the risks that may occur and develops systems for their implementation,
7. We train and inform our employees about accessing and authorizing personal data,
8. In contracts with companies that provide access to personal data, in cases where cooperation is made with third parties for activities such as processing and storage of personal data; It includes provisions regarding taking the necessary security measures of persons accessing personal data,
9. We establish security systems within the scope of technological developments in order to prevent unlawful access to personal data.

10.2.2. Measures we take in case of unlawful disclosure of personal data

We take administrative and technical measures to prevent the unlawful disclosure of personal data and update them in accordance with our relevant procedures. If we detect that personal data has been disclosed without authorization, we establish systems and infrastructures to notify the Related Person and the KVK Board.

In the event of an unlawful disclosure despite all the administrative and technical measures taken, this may be announced on the website of the KVK Board or by any other method, if deemed necessary by the KVK Board.

11. RIGHTS OF PERSONAL DATA OWNER

Within the scope of our disclosure obligation, we inform the Personal Data

Owner and establish systems and infrastructures for this
information. We make the necessary technical and administrative arrangements for the Personal Data Owner to exercise their rights regarding your personal data.

On the Personal Data Owner’s personal data;

1. Learning whether personal data is processed or not,
2. If personal data has been processed, requesting information about it,
3. Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
4. Knowing the third parties to whom personal data is transferred at home or abroad,
5. Requesting correction of personal data if it is incomplete or incorrectly processed,
6. Requesting the deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear,
7. Requesting notification of the above-mentioned correction, deletion or destruction processes to third parties to whom personal data has been transferred,
8. Objecting to the emergence of an unfavorable result by analyzing the processed data exclusively through automated systems,
9. It has the right to demand the compensation of the damage in case of loss due to the unlawful processing of personal data

11.1. Exercise of rights regarding personal data

Personal Data Owner, your requests within the scope of KVKK and all kinds of questions about your personal data by writing a petition to Mustafa Kemal Mah. 2141. Cad. No: 32/8 Çankaya/ANKARA, addresses (via Notary Public etc.) or send the relevant form signed with a secure electronic signature to our registered e-mail address info@doctorem.com.tr. You can also submit your request from the KVKK Information Inquiry field at www.doctoremglobal.com.

11.2. Evaluation of the application

In the application containing explanations regarding the right to be made and requested by the Personal Data Owner to use the above- mentioned rights; The requested matter must be clear and understandable, the requested subject must be related to the applicant’s person or, if acting on behalf of someone else, he must be specifically authorized in this regard and this authority must be documented, and the application must include identity and address information, and documents proving his identity must be attached to the application. Such requests will be made individually and requests made by unauthorized third parties regarding personal data will not be taken into consideration.

11.2.1. Application response time

Requests regarding personal data are concluded as soon as possible and in any case within 30 (thirty) days at the latest, free of charge, or against the fee in the tariff if the conditions in the tariff to be published by the KVK Board are met. Additional information and documents may be requested during the application or while the application is being evaluated.

11.2.2. Our right to refuse the application

Applications regarding personal data;

1. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
2. Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate privacy or personal rights or constitute a crime,
3. Processing of personal data made public by the Personal Data Owner
4. The application is not based on a just cause.
5. The application contains a request contrary to the relevant legislation
6. In case of non-compliance with the application procedure, it is rejected with justification.
11.3. Evaluation procedure of the application

In order for the response period specified in Article 11.2.1 of this Policy to begin, the requests must be sent with written and wet signatures or electronic signature and via KEP or by other methods determined by the KVK Board, with information and documents confirming the identity of the applicant.
If the request is accepted, the relevant process is applied and a notification is made in written or electronic form. In case of rejection of the request, the applicant is notified in writing or electronically by explaining the reason.

11.4. Right to complain to the Personal Data Protection Board
In cases where the application is rejected, the answer we give is insufficient or the answer is not given on time; The applicant has the right to complain to the KVK Board within 30 (thirty) days from the date of learning the answer and in any case within 60 (sixty) days from the date of application.

12. PUBLISHING AND STORING THE DOCUMENT
This Policy is stored in two different media, printed paper and electronic media. The updated version of the documents is available on the institution portal and website.

13. UPDATE PERIOD
This Policy is reviewed at least once a year and updated by the Operations Management as needed.

14. ENFORCEMENT

This policy enters into force on the date of acceptance by the Executive Board.