In accordance with Article 13 of the General Data Protection Regulation (“GDPR”) and Article 10 of the Personal Data Protection Law No. 6698 (“KVKK”), we would like to inform you about our personal data processing activities. As the Data Controller, QBA Medi Turizm Sağlık ve Dış Ticaret Anonim Şirketi (“QBA Medi Tours”) may process, record, store, classify, update, and, in cases permitted by law and/or limited to the purposes for which they are processed, disclose or transfer your personal data in accordance with the law and the principles of fairness, for the purposes set out below.
Purpose of Personal Data Processing
QBA Medi Tours processes personal data of its employees, customers, potential customers, customer complaints, companions, and suppliers. The personal data processed for these individuals is detailed below:
- Employees: Identity, contact, criminal record, salary and IBAN, photograph, personnel, health, and professional information.
- Customers: Identity, contact, credit card, invoice, health, requests-complaints, flight, and accommodation information.
- Customer relatives: Identity, contact, requests-complaints, and contract fee information.
- Potential customers: Identity, contact, personnel, health, credit card, and cookie information.
- Companions: Identity, contact, invoice, requests-complaints, flight, and accommodation information.
- Suppliers: Identity, contact, IBAN, and invoice information.
QBA Medi Tours processes the personal data of the data subjects listed above for the following detailed purposes:
- Evaluation of requests and complaints: The name, surname, phone number, and details of requests and complaints of customers, customer relatives, and companions are processed using the “Customer Request and Complaint Notification Form” to evaluate requests and complaints related to the services provided by QBA Medi Tours.
- Assessment of suitability for requested healthcare services: Name, surname, contact information, credit card information, how they learned about QBA Medi Tours, and health information are collected to assess the suitability of customers and potential customers for the healthcare services they want to receive. Name, surname, health, and country information from the collected personal data are shared with contracted doctors/clinics after being translated by translation companies to obtain approval for treatment. Credit card payments are made to carry out the consultancy service.
- Analysis of website visitor usage:
To ensure the smooth delivery of consultancy services and to accurately provide declared information to authorized institutions, your information is translated by translation agencies.
To facilitate the processing of visas, flights, accommodation, guidance, and transfer processes for you and your companions as part of the consultancy services you receive, your identity, contact, health, flight, and accommodation information is processed.
In order to issue invoices and make collections in accordance with the Tax Procedure Law No. 213 for the services provided to our customers, personal data is processed.
In order to determine the liabilities of the medical consultancy service to be provided, your identity, contact, and contract fee information is processed when contracts are made with the customer or their relatives.
In order to conclude contracts with suppliers and service providers and to invoice for the services received, the identity, contact, and bank account information of our suppliers is processed. Additionally, the phone, email, and address information of suppliers and service providers is processed to ensure the sustainability of our operations and to be able to reach them in a timely manner.
In accordance with the Labor Law No. 4857, identity, contact, professional information, photograph, personnel file, health, bank account and IBAN information is processed to prepare employee personnel files, fulfill legal obligations, manage leaves, create payrolls, and fulfill contractual terms. Additionally, criminal record information is requested from the employee to ensure the security of QBA Medi Tours.
To comply with the Social Security and General Health Insurance Law No. 5510, employee identity, personnel, and salary information is processed to ensure that employees’ social security and health insurance premiums are paid. Additionally, to provide the minimum subsistence allowance to employees under the Income Tax Law No. 193, the identity and information declared in the AGI Form is processed.
Personal data is stored to fulfill the requests of authorized persons, institutions, and organizations, to provide information, and to carry out legal processes.
2. Data Deletion
You can submit all your requests for the deletion of your personal data by using the Personal Data Application Form created by QBA Medi Tours. In the absence of any requests from data subjects, your personal data is deleted or anonymized within the following periods:
- Employees: All personal data in the employee’s personnel file that has been used for operations is stored for 10 years after the termination of the employment contract and then destroyed.
- Medical Consultancy: The personal data of customers, potential customers, customer relatives, and companions related to medical consultancy activities is stored for 10 years after the termination of the consultancy service and then destroyed.
- Personal data obtained from suppliers and service providers shall be retained for a period of ten years following the termination of the contract and subsequently destroyed in accordance with our data retention policy.
3. Sharing of Data
Your personal data may be shared with third-party organizations for the purposes outlined below.
Your personal data may be shared with third-party organizations within the country for the following purposes:
- Legal matters: In the event of a legal dispute involving our customers, potential customers, customer complaints, companions, employees, or suppliers, your personal data may be shared with contracted law firms and authorized public institutions upon request.
- Payment processing: To facilitate payment for services provided to our customers and potential customers, your card information is shared with banks through our virtual POS system.
- Invoicing: To issue invoices to our customers and their companions, the personal information included on the invoice is shared with our contracted accounting firms.
- Flight bookings: To book flights for our customers and their companions, your identity, passport, and contact information are shared with airlines through our contracted service providers.
To ensure a seamless assessment of the suitability of our customers and potential customers for the desired healthcare services, the identity and health information provided during the initial application are shared with Translation Agencies. Additionally, where necessary, photographs may be shared with contracted doctors or clinics to facilitate this assessment. To facilitate the payment of our employees’ salaries, salary information is shared with banks. In order to manage employee leave, insurance, and premium declaration processes, your identity, salary, and information contained in the AGI Form are shared with contracted accounting firms. To ensure compliance with medical consultations provided to customers and potential customers, and to address inquiries and complaints, the information requested by the Turkish Ministry of Health is shared.
Your personal data may be transferred abroad for the following purposes:
- Healthcare assessments: To assess the suitability of customers and potential customers for the desired healthcare services, customer photographs may be shared with contracted doctors and clinics.
- Local service providers: Customer and companion names, contact information, flight, and hotel details may be shared with service providers in Turkey to assist with local guidance services.
- With your explicit consent: Your personal data may be transferred abroad with your explicit consent.
Personal data is processed with the explicit consent of the data subject when the transfer of personal data to third parties does not meet the data processing conditions specified in Articles 5, 6, and 9 of the Personal Data Protection Law, provided that:
- It is necessary for QBA Medi Tours to fulfill its legal obligations.
- The processing of personal data is necessary for the establishment, exercise, or defense of a legal claim.
- The processing of personal data is necessary for the legitimate interests pursued by the data controller, provided that the fundamental rights and freedoms of the data subject are not adversely affected.
Methods of Collecting Your Personal Data and Legal Grounds
Your personal data is processed based on the following legal grounds as stipulated in Article 5 of the Personal Data Protection Law:
- Your explicit consent.
- Explicit provisions of the law.
We process your personal data based on the following legal grounds:
- Necessity for the performance of a contract: Where the processing is necessary for the performance of a contract to which you are a party.
- Compliance with a legal obligation: Where the processing is necessary for us to comply with a legal obligation.
- Legitimate interests: Where the processing is necessary for our legitimate interests, provided that the interests or fundamental rights and freedoms of the data subject are not overridden.
We collect your personal data through various means, including in-person, email, pre-application forms, online payment systems, and written or verbal statements. Your data is processed securely.
Ensuring the Security of Your Personal Data
Your personal data is secured and accessible only to authorized personnel and support companies who have signed confidentiality agreements. QBA Medi Tours has implemented necessary administrative and technical measures to ensure this.
Our systems and devices are protected by antivirus software. QBA Medi Tours adheres to the principle of least privilege, restricting access to personal data. Access and authorization definitions are made according to process requirements. Accesses are checked against authorizations. Risk points are identified, and necessary administrative and technical measures are taken. Physical security measures are maintained at a high level thanks to the security systems and personnel of the plaza where QBA Medi Tours is located. Backups of personal data are stored in a way that is accessible only to authorized personnel. Complex passwords are used on user computers. Secure data transfer is ensured using SSL certificates on the webpage where personal data is collected. Personal data is stored in locked environments. Equipment that supports the protection of personal data is maintained periodically.
Ensuring Data Security
QBA Medi Tours employs knowledgeable and experienced individuals to ensure data security. Within the framework of the established systems, risks are identified and action plans are developed. A “Data Protection Officer Contact Person” role has been defined within QBA Medi Tours to ensure the security of personal data. The Data Protection Officer Contact Person takes the necessary administrative measures to ensure the security of personal data and monitors employees’ compliance with these measures. Employees are informed that they cannot disclose personal data they learn to others in violation of the law, cannot use it for purposes other than the processing purpose, and that this obligation continues even after they leave the company. Employees are required to provide the necessary undertakings in this regard. In the event of employees acting in violation of the law, disciplinary procedures are initiated. Regarding the sharing of personal data with third parties, QBA Medi Tours ensures data security by signing confidentiality agreements with the individuals with whom personal data is shared or by adding provisions to the agreements. Third parties with whom personal data is shared agree to take the necessary security measures to protect personal data and to ensure compliance with these measures within their own organizations.
To ensure accurate analysis of personal data, a personal data inventory is created for each unit. Policies and procedures related to the management of personal data within the organization have been published.
Rights of the Data Subject
You have the following rights regarding the processing of your personal data, which you can exercise by submitting a request to QBA Medi Tours. All requests will be processed free of charge by QBA Medi Tours within thirty days at the latest. However, if a fee is foreseen by the Personal Data Protection Authority, QBA Medi Tours may charge the fee specified in the tariff. As a data subject, you have the right to:
- Know whether your personal data is being processed or not.
- Request information about the processing of your personal data if it has been processed.
- Learn the purpose of the processing of your personal data and whether it is used in accordance with its purpose.
- Learn the third parties to which your personal data is transferred domestically or abroad.
- Request the correction of incomplete or inaccurate personal data.
- Request the deletion or destruction of your personal data.
- Request that the rectification, erasure or destruction of your personal data be notified to the third parties to which your personal data has been transferred.
- Request that your personal data be erased, destroyed or anonymized in the event that the reasons for the processing of your personal data cease to exist, and to request that the third parties to which your personal data has been transferred be notified of the operation carried out in this context.
- Object to a decision concerning you which is based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- Demand compensation for the damages you have suffered as a result of the unlawful processing of your personal data.
Contact Methods
You can exercise your rights regarding your personal data by using the following methods:
Data Controller: QBA Medi Tourism Health and Foreign Trade Incorporated Company
When submitting your personal data requests, you can do so by filling out the Personal Data Request Form. You can submit your applications using the following methods:
Methods
You can exercise your rights by using the following methods:
- Delivery in Person: QBA Medi Turizm Sağlık ve Dış Ticaret Anonim Şirketi Kore Şehitleri Cd. No:43/3, 34394 Şişli/İstanbul
- By Secure Electronic Mail (KEM): qbamediturizm@hs01.kep.tr
- Via Notary: QBA Medi Turizm Sağlık ve Dış Ticaret Anonim Şirketi Kore Şehitleri Cd. No:43/3, 34394 Şişli/İstanbul
To ensure timely processing of your request within the 30-day legal timeframe, requests sent by cargo must be notarized and sent by registered mail. Such requests will be accepted by us after identity verification and will be answered in writing or electronically within the legal timeframes.