HairNeva Health Services, acting as the data controller, places the utmost importance on the protection of personal data belonging to its patients, employees, and all other natural persons with whom it has a relationship. This policy has been prepared within the framework of high service quality, respect for individual rights, transparency, and integrity, in accordance with the principles and obligations set forth by the Turkish Personal Data Protection Law No. 6698.
Great care is taken to ensure that patient privacy and all personal data relating to our patients are processed and stored in the most secure and meticulous way possible.
This policy also aims to ensure that the personal data of companions, visitors, and employees of the institutions and organizations we cooperate with are protected and processed in compliance with the basic principles defined by the relevant legislation.
Purpose of the Policy
The purpose of this Policy is to ensure transparency by informing all persons whose data are processed — including our patients, companions, visitors, employees, company representatives, and employees or authorized persons of the institutions we cooperate with — about how their personal data are processed by our clinic in accordance with applicable laws and regulations.
Within this framework, all administrative and technical measures required for the lawful processing and protection of personal data are implemented in compliance with the Turkish Law No. 6698 and related regulations.
The natural persons whose personal data are processed under this Policy are referred to as the Data Subject, Relevant Person, or Personal Data Owner.
Definitions
Explicit Consent: Consent given freely, based on being informed and relating to a specific matter.
Anonymization: The process of altering personal data in such a way that the data lose their personal nature and can no longer be associated with an identifiable person.
For instance, anonymization can be achieved through techniques such as masking, aggregation, or data distortion.
Personal data may be anonymized for various purposes in compliance with the Law and with the individual’s request or consent.
Our clinic takes the necessary precautions to ensure that anonymized data cannot be re-identified by any means.
Employees, Shareholders, and Representatives of Partner Institutions: Natural persons working at institutions (such as business partners or suppliers, but not limited to these) with which we have business relations, including shareholders and authorized representatives of those institutions.
Processing of Personal Data: Any operation performed on personal data, whether fully or partially automated, or by non-automated means that form part of a data recording system — such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, retrieval, classification, or prevention of use.
Personal Data: Any information relating to an identified or identifiable natural person.
Examples include national ID number, full name, email address, phone number, residential address, date of birth, or bank account number.
Special Categories of Personal Data: Data revealing race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing style, membership in associations, foundations or trade unions, health, sexual life, criminal record, or security measures, as well as biometric and genetic data.
Third Party: Any natural person associated with the aforementioned parties for the purpose of ensuring commercial transaction security, protecting rights, or safeguarding legitimate interests (for example, employees or representatives of contracted companies, companions, etc.).
Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the controller (e.g., an IT company maintaining our databases).
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and manages the system where the data are stored.
Our clinic acts as a Data Controller under the Turkish Personal Data Protection Law No. 6698 and is duly registered in the VERBIS (Data Controllers’ Registry Information System).
A Personal Data Protection Committee has been established within our company.
In cases where decisions must be made, this Committee seeks the opinion of a legal expert specialized in personal data protection, and upon management approval, implements the decision accordingly.
Collection and Processing of Personal Data
The categories of personal data processed vary depending on the healthcare services provided and are collected through physical and/or digital means.
Such data may be obtained from patients, doctors, healthcare staff, subcontractors and their employees, partner companies, our call center, our clinic’s website, online services, or other verbal, written, or electronic channels.
These personal data — including both general and special categories (notably health data) — may be collected and processed for the following purposes, as well as for other purposes that may arise in the future:
• Conducting medical diagnosis, treatment, and care services
• Protection of public health
• Planning and management of preventive healthcare services and their financing
• Informing our patients about appointments
• Planning and management of internal procedures
• Conducting analyses to ensure that healthcare services are performed in compliance with regulations and to improve service quality
• Performing risk management and quality enhancement activities
• Conducting research and studies
• Fulfilling legal and regulatory requirements
• Issuing invoices for services rendered
• Verifying your identity
• Confirming your relationship with affiliated institutions
• Sharing information requested by private insurance companies within the scope of healthcare financing
• Responding to any inquiries or complaints regarding our healthcare services
• Taking all necessary technical and administrative measures for data security
• Ensuring financial reconciliation with affiliated institutions, banks, and public or private entities involved in healthcare payments
• Sharing required information with the Ministry of Health and other public authorities in accordance with the legislation
• Measuring and improving patient satisfaction
• Fulfilling contractual and legal obligations
Categorization of Processed Personal Data
Identity Information: All data identifying an individual, such as those contained in documents like driver’s licenses, national identity cards, passports, attorney IDs, and marriage certificates.
Contact Information: Data enabling communication with the data subject, including telephone number, address, residence, and email address.
Location Data: Data that clearly belongs to an identified or identifiable person and is used within a data recording system to determine the individual’s physical location.
Family Members and Relatives Information: Data concerning family members and close relatives of the data subject, processed to protect the legal interests of both the institution and the individual.
Physical Space Data: Personal data contained in visual and audio records such as CCTV footage, fingerprint data, and other similar recordings or documents.
Transaction Security Data: Personal data processed to ensure the technical, administrative, legal, and commercial security of our business operations.
Financial Data: Personal data relating to financial information, documents, and records reflecting any financial outcome or transaction.
Job Applicant Data: Personal data processed in relation to individuals who have applied to become employees (e.g., CVs, résumés, or job application information).
Personnel Data: Data related to payroll, disciplinary proceedings, social security records, employment start and termination documents, asset declarations, résumés, performance evaluations, interview results, employment contracts, and information about recruitment and termination.
Legal Transaction Data: Personal data processed in the context of identifying, exercising, or protecting our legal rights and fulfilling our legal obligations.
Legal Basis for Processing
The personal data listed above may be processed in accordance with the Turkish Fundamental Law on Health Services No. 3359, the Decree-Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Institutions, the Regulation on Private Hospitals, the Regulation on Personal Health Data, and other related legislation issued by the Ministry of Health.
Such data may be transferred to and stored in physical archives and/or information systems belonging to our clinic and/or its suppliers.
Our company undertakes to process personal data in line with the following principles:
• Processing lawfully and in good faith
• Ensuring data accuracy and keeping data up to date when necessary
• Processing for specific, explicit, and legitimate purposes
• Being relevant, limited, and proportionate to the stated purposes
• Retaining data only for the period required by applicable legislation or for the purpose of processing
Explicit consent from the data subject constitutes only one of several legal grounds that permit lawful processing of personal data.
In the absence of explicit consent, personal data may still be processed if one or more of the following conditions apply:
• The data subject has provided explicit consent
• Processing is expressly permitted by law
• It is impossible to obtain consent due to factual or practical reasons
• Processing is directly related to the establishment or performance of a contract
• Processing is necessary for the controller to fulfill a legal obligation
• The data subject has made their personal data publicly available
• Processing is necessary for the establishment, exercise, or defense of legal rights
• Processing is necessary for the legitimate interests of the company, provided that such interests do not conflict with the principles set forth under the Law and do not infringe upon the essence of the fundamental rights guaranteed by the Turkish Constitution.
Processing of Special Categories of Personal Data
Our company processes special categories of personal data only under the conditions permitted by law and with the necessary safeguards determined by the Turkish Personal Data Protection Board.
Such data are processed in the following cases:
• Where the data subject has given explicit consent, or
• Where no consent is obtained, special categories of personal data other than those relating to health and sexual life may be processed in cases explicitly provided for by law,
• Special categories of personal data relating to health and sexual life may be processed solely for the purpose of protecting public health, providing preventive medicine, medical diagnosis, treatment, and care services, and planning and managing healthcare services and financing, and only by persons under a legal obligation of confidentiality or by authorized institutions and organizations.
Technical and Administrative Measures
In accordance with Article 12 of the Turkish Personal Data Protection Law No. 6698, the relevant regulations, the general principles mentioned above, and the decisions of the Turkish Personal Data Protection Board, our company implements all necessary technical and administrative measures, taking into account technological capabilities and implementation costs, as listed below:
- The required software and hardware infrastructure has been established. Strong passwords are used on computers and email accounts.
- Employees have received training on data protection and confidentiality, and their responsibilities are defined in written employment agreements and confidentiality contracts. This obligation continues even after the end of employment.
- An appropriate data backup infrastructure has been created.
- Employees authorized to access data on company computers have been clearly identified.
- Patient files and personal information are shared only with the individuals themselves, their authorized relatives (with written consent), relevant public institutions and organizations within the framework of applicable law, or judicial authorities when legally required.
- Before starting any personal data processing activity, the obligation to inform data subjects is duly fulfilled.
- A personal data processing inventory has been prepared.
- Through notices and information texts posted within our clinic or otherwise made available to visitors, data subjects are informed about these matters in a transparent manner.
Sharing of Personal Data
Your personal data may be shared, in accordance with the fundamental principles set forth by law and under the conditions and purposes specified in Articles 8 and 9 of the Turkish Personal Data Protection Law No. 6698, with the following parties:
• The Ministry of Health of the Republic of Türkiye, its affiliated units, and family health centers
• Private insurance companies (health, pension, life, and similar)
• The Social Security Institution (SGK)
• The General Directorate of Security and other law enforcement authorities
• The General Directorate of Civil Registry and Citizenship
• The Turkish Pharmacists’ Association
• Public prosecutors and courts
• Laboratories, medical centers, and healthcare providers located in Türkiye or abroad with whom we cooperate for medical diagnosis
• The healthcare institution to which the patient is referred or has applied directly
• The patient’s duly authorized representatives
• Consultants and legal advisors with whom we cooperate
• Regulatory and supervisory authorities, as well as official government bodies
• Our service providers, business partners, and support service suppliers with whom we have a contractual relationship.
Personal data are not shared with foreign countries.
Rights of the Data Subject
In accordance with the provisions of the Turkish Personal Data Protection Law, every data subject has the right to:
• Learn whether their personal data are being processed,
• Request information if their personal data have been processed,
• Access their personal health data and request copies thereof,
• Learn whether their data are used for their intended purpose,
• Learn the identities of third parties to whom data are disclosed,
• Request the correction of inaccurate or incomplete data,
• Request the deletion or destruction of their personal data,
• Request that corrections or deletions be notified to third parties who have received the data,
• Object to the occurrence of an unfavorable result through the analysis of processed data by automated systems,
• Request compensation for damages arising from the unlawful processing of their personal data.
These rights may be exercised by submitting a written request to our company.
Use of Security Cameras and Access Records
Our company carries out personal data processing activities through the use of security cameras and the recording of visitor entries and exits.
Within this scope, our clinic operates in full compliance with the Turkish Personal Data Protection Law and the relevant security regulations.
Access to the digitally recorded and stored footage is strictly limited to authorized employees and/or authorized personnel of contracted service providers.
Camera recordings are retained for a period of two (2) months and subsequently deleted or destroyed.
Enforcement of the Policy
This Policy is deemed to have entered into force upon its publication on the official website of our clinic.