{"id":7119,"date":"2023-06-12T21:44:42","date_gmt":"2023-06-12T18:44:42","guid":{"rendered":"https:\/\/tgd.org.tr\/personal-data-processing-and-protection-policy\/"},"modified":"2026-04-24T00:04:29","modified_gmt":"2026-04-23T21:04:29","slug":"personal-data-processing-and-protection-policy","status":"publish","type":"page","link":"https:\/\/tgd.org.tr\/en\/personal-data-processing-and-protection-policy\/","title":{"rendered":"Personal Data Processing and Protection Policy"},"content":{"rendered":"

T\u00fcrk Gastroenteroloji Derne\u011fi (hereinafter referred to as \u201cT\u00fcrk Gastroenteroloji Derne\u011fi\u201d) <\/strong>PERSONAL DATA PROTECTION AND PROCESSING POLICY<\/strong><\/p>\n

 <\/p>\n

This KVKK Policy contains explanations regarding the following topics:<\/p>\n

1. PURPOSE AND SCOPE<\/p>\n

2. DEFINITIONS<\/p>\n

3. PROCESSING OF PERSONAL DATA<\/p>\n

3.1. Personal Data Categories and Processing Purposes<\/p>\n

3.2. Method of Collecting Personal Data<\/p>\n

3.3. Informing the Data Subject<\/p>\n

3.4. General Principles Regarding the Processing of Personal Data<\/p>\n

3.5. Conditions for Processing Personal Data<\/p>\n

3.6. Processing of Special Categories of Personal Data<\/p>\n

3.7. Transfer of Personal Data<\/p>\n

3.8. Retention and Destruction of Personal Data<\/p>\n

4. PROTECTION OF PERSONAL DATA<\/p>\n

5. RIGHTS OF DATA SUBJECTS OVER THEIR PERSONAL DATA AND EXERCISE OF RIGHTS<\/p>\n

5.1. Rights of Data Subjects<\/p>\n

5.2. Exercise of Rights by Data Subjects<\/p>\n

5.3. Evaluation and Response to Data Subject Applications<\/p>\n

6. RELATIONSHIP OF THE KVKK POLICY WITH OTHER POLICIES<\/p>\n

7. EFFECTIVENESS OF THE KVKK POLICY AND AMENDMENTS TO THE POLICY<\/p>\n

8. CONTACT US<\/p>\n

 <\/p>\n

    \n
  1. PURPOSE AND SCOPE<\/strong><\/li>\n<\/ol>\n

    The protection of personal data and ensuring privacy has been adopted as a corporate culture for T\u00fcrk Gastroenteroloji Derne\u011fi <\/strong>(hereinafter referred to as \u201cT\u00fcrk Gastroenteroloji Derne\u011fi <\/strong>\u201d). The Company shows utmost care and effort to process and protect personal data belonging to real persons within the scope of its activities, in accordance with applicable legal norms and universal legal principles. The Company is the data controller for the personal data you provide to us, including those related to this website, and processes and protects personal data under this Policy. <\/p>\n

    This KVKK Policy concerns the personal data of data subjects other than our employees, which our Company, as the Data Controller, processes by wholly or partially automated means, or by non-automated means provided that it is part of any data recording system. The KVKK Policy demonstrates how the principles and rules set forth by the relevant legislation are applied in the Company’s KVKK processes. <\/p>\n

    The relevant legislation, secondary regulations, and universal legal principles in force in this area will primarily apply to the protection and lawful processing of personal data. In case of a conflict between our KVKK Policy and the current relevant regulations, the current regulations shall prevail. <\/p>\n

    We may change this Policy from time to time, so please check back when you use our services to ensure you are aware of our current Policy.<\/p>\n

      \n
    1. DEFINITIONS<\/strong><\/li>\n<\/ol>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
      ABBREVIATION<\/strong><\/td>\nDEFINITION<\/strong><\/td>\n<\/tr>\n
      \u201cExplicit Consent\u201d<\/td>\nConsent given freely, based on information, and relating to a specific matter.<\/td>\n<\/tr>\n
      \u201cObligation to Inform\u201d<\/td>\nThe Company’s obligation to inform Data Subjects, during the acquisition of personal data, about the Data Controller, the methods of collection, the legal reason for processing, the purposes, to whom personal data is transferred for what purposes, and the rights of Data Subjects regarding the processing of their personal data, in accordance with Article 10 of the KVKK Law and the Communiqu\u00e9 on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform. <\/td>\n<\/tr>\n
      \u201cData Subject\u201d, \u201cData Owner\u201d<\/td>\nReal persons whose personal data are processed by the Company or by persons\/institutions authorized on behalf of the Company.<\/td>\n<\/tr>\n
      \u201cDestruction\u201d<\/td>\nThe deletion, destruction, or anonymization of personal data.<\/td>\n<\/tr>\n
      \u201cPersonal Data\u201d<\/td>\nAny information relating to an identified or identifiable natural person.<\/td>\n<\/tr>\n
      \u201cAnonymization of Personal Data\u201d<\/td>\nThe process of rendering personal data incapable of being associated with an identified or identifiable natural person, even by matching it with other data.<\/td>\n<\/tr>\n
      \u201cProcessing of Personal Data\u201d<\/td>\nAny operation performed upon personal data, wholly or partially by automated means or by non-automated means provided that it is part of any data recording system, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use thereof.<\/td>\n<\/tr>\n
      \u201cDeletion of Personal Data\u201d<\/td>\nThe process of making personal data inaccessible and unusable for relevant users in any way.<\/td>\n<\/tr>\n
      \u201cDestruction of Personal Data\u201d<\/td>\nThe process of making personal data inaccessible, irrecoverable, and unusable by anyone, in any way.<\/td>\n<\/tr>\n
      \u201cBoard\u201d<\/td>\nPersonal Data Protection Board<\/td>\n<\/tr>\n
      \u201cAuthority\u201d<\/td>\nPersonal Data Protection Authority<\/td>\n<\/tr>\n
      \u201cLaw\u201d, \u201cKVKK Law\u201d<\/td>\nLaw No. 6698 on the Protection of Personal Data<\/td>\n<\/tr>\n
      \u201cKVKK Policy\u201d<\/td>\nThe Personal Data Protection and Processing Policy adopted by the Company.<\/td>\n<\/tr>\n
      \u201cSpecial Categories of Personal Data\u201d<\/td>\nData relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.<\/td>\n<\/tr>\n
      “Profiling”<\/td>\nUsing automated tools to process personal data to determine certain things about people, such as analyzing or predicting their performance in activities, reliability, economic situation, personal preferences, interests, behaviors, location, or movements.<\/td>\n<\/tr>\n
      \u201cCompany\u201d<\/td>\nT\u00fcrk Gastroenteroloji Derne\u011fi (hereinafter referred to as \u201cT\u00fcrk Gastroenteroloji Derne\u011fi\u201d)<\/td>\n<\/tr>\n
      T\u00fcrk Gastroenteroloji Derne\u011fi (hereinafter referred to as \u201cT\u00fcrk Gastroenteroloji Derne\u011fi\u201d)<\/p>\n<\/td>\nincludes Kurtsan \u0130la\u00e7lar\u0131 Anonim \u015eirketi, Kurtsan Medikal Sanayi ve Ticaret Anonim \u015eirketi, T\u00fcrk Gastroenteroloji Derne\u011fi <\/strong>(hereinafter referred to as \u201cT\u00fcrk Gastroenteroloji Derne\u011fi <\/strong>\u201d).<\/td>\n<\/tr>\n
      \u201cVERB\u0130S\u201d, \u201cRegistry\u201d<\/td>\nThe Data Controllers Registry Information System maintained by the Presidency of the Personal Data Protection Authority.<\/td>\n<\/tr>\n
      \u201cData Processor\u201d<\/td>\nA natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.<\/td>\n<\/tr>\n
      \u201cData Controller\u201d<\/td>\nThe natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

       <\/p>\n

        \n
      1. PROCESSING OF PERSONAL DATA <\/strong><\/li>\n<\/ol>\n

        3.1. Personal Data Categories and Processing Purposes<\/strong><\/p>\n

        The Company processes personal data in accordance with the general principles specified in the Law, especially the principles specified in Article 4 of the Law regarding the processing of personal data, based on at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, and limited to the personal data processing purposes (ANNEX-1) it has declared in the Data Controllers Information System (VERB\u0130S). The Company informs data subjects about data processing categories and purposes in the disclosure texts in accordance with Article 10 of the Law and secondary legislation. <\/p>\n

        3.2. Method of Collecting Personal Data<\/strong><\/p>\n

        The Company collects personal data electronically or in writing, in physical and electronic environments, in accordance with the personal data processing conditions specified in the KVKK Law and this KVKK Policy.<\/p>\n

        The Company adopts the principle of acting lawfully when obtaining personal data. Due to its activities, the Company collects data from third parties through data protection\/transfer agreements, only to the extent required by the activity, and takes measures to ensure data security at this point. <\/p>\n

        3.3. Informing the Data Subject<\/strong><\/p>\n

        In accordance with Article 10 of the KVKK Law and the provisions of the Communiqu\u00e9 on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, the Company informs data subjects about the data controller of personal data, the methods by which it is collected, the legal reason for processing, the purposes, to whom personal data is transferred for what purposes, and the rights of data subjects regarding the processing of their personal data. <\/p>\n

        3.4. General Principles Regarding the Processing of Personal Data<\/strong><\/p>\n

        The Company complies with the \u201cGeneral Principles\u201d specified as mandatory in Article 4 of the KVKK Law when carrying out personal data processing activities. <\/p>\n

        3.4.1. Processing in Accordance with Law and Rules of Good Faith<\/strong><\/p>\n

        The Company manages personal data processing processes in accordance with legal norms, universal legal principles, and rules of good faith; informs data subjects as necessary to ensure the transparency of the processes; and takes into account the interests and reasonable expectations of the data subject in these processes. In this context, it prevents the occurrence of results that the data subject did not expect and should not have expected from the data processing activity. <\/p>\n

        3.4.2. Ensuring Personal Data is Accurate and, Where Necessary, Up-to-Date <\/strong><\/p>\n

        Personal data is, as a rule, processed based on the declaration of the data subjects and as declared. The Company is not obliged to investigate the accuracy of the data declared by the data subjects, nor does it carry out such an application due to legal and operational principles. The data is assumed to be accurate as declared. The Company exercises reasonable care and attention to keep personal data within its legal entity accurate and up-to-date, and to ensure it does not contain incorrect information. If changes in processed personal data are communicated to the Company by the data subject, it ensures the establishment of the necessary administrative and technical mechanism for updating the personal data in the relevant database. <\/p>\n

        3.4.3. Processing for Specific, Explicit, and Legitimate Purposes<\/strong><\/p>\n

        The Company clearly and explicitly sets out its legitimate and lawful data processing purposes before commencing personal data processing activities and processes personal data only to the extent necessary and related to the Company’s products and services.<\/p>\n

        3.4.4. Processing is Relevant, Limited, and Proportionate to the Purposes for which they are Processed<\/strong><\/p>\n

        Personal data is processed by the Company in a manner that is relevant, limited, and proportionate to the purposes determined and disclosed to the data subject. The Company ensures a reasonable balance between the data processing and the desired purpose, taking care that the processing is to the extent necessary to achieve the purpose. <\/p>\n

        3.4.5. Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed<\/strong><\/p>\n

        The Company retains personal data for the period stipulated by the legislation or required by the processing purpose. However, when the period stipulated by the legislation expires or all processing purposes cease to exist, it deletes, destroys, or anonymizes personal data. As the Data Controller, the Company has determined the retention periods, destruction periods, and technical and administrative measures to be implemented for preservation in its Personal Data Retention and Destruction Policy and is aware of its obligation to ensure the preservation of personal data in accordance with these principles. <\/p>\n

        These principles apply regardless of whether the Company processes personal data based on explicit consent or in accordance with other data processing conditions. At this point, the Company processes personal data in accordance with data processing conditions and general principles and fulfills its obligation to inform data subjects. <\/p>\n

        3.5. Conditions for Processing Personal Data<\/strong><\/p>\n

        The Company processes personal data with the explicit consent of the data subject or, if one or more of the other data processing conditions exist, in accordance with these conditions. In the case of special categories of personal data, the conditions specified under the heading \u201cProcessing of Special Categories of Personal Data\u201d in this Policy apply. <\/p>\n

        3.5.1. Existence of Explicit Consent of the Data Subject<\/strong><\/p>\n

        This data processing condition applies when the data subject has given explicit consent, which is informed and freely given, regarding a specific matter. The explicit consent obtained from the data subject is retained by the Company for the period required under KVKK legislation in a verifiable manner. In the presence of the personal data processing conditions listed below, personal data may be processed without the explicit consent of the data subject. <\/p>\n

        3.5.2. Explicitly Stipulated in Laws<\/strong><\/p>\n

        This data processing condition applies if there is an explicit provision in the relevant law regarding the processing of that personal data.<\/p>\n

        3.5.3. Inability to Obtain Explicit Consent of the Data Subject Due to Factual Impossibility<\/strong><\/p>\n

        If it is mandatory to process the personal data of a person who is unable to express their consent due to factual impossibility or whose consent is not legally valid, for the protection of their own life or physical integrity or that of another person, the data subject’s data is processed based on this data processing condition.<\/p>\n

        3.5.4. Directly Related to the Establishment or Performance of a Contract<\/strong><\/p>\n

        If the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the data subject is a party, processing occurs based on this data processing condition.<\/p>\n

        3.5.5. Mandatory for the Data Controller to Fulfill its Legal Obligation<\/strong><\/p>\n

        If the processing of personal data is mandatory for the Company to fulfill its legal obligations, processing occurs based on this data processing condition.<\/p>\n

        3.5.6. Personal Data Made Public by the Data Subject Themselves<\/strong><\/p>\n

        Personal data made public by the data subject themselves is processed only for the purpose of making it public.<\/p>\n

        3.5.7. Mandatory Data Processing for the Establishment, Exercise, or Protection of a Right<\/strong><\/p>\n

        If data processing is mandatory for the establishment, exercise, or protection of a right, the personal data of the data subject is processed based on this data processing condition.<\/p>\n

        3.5.8. Mandatory Data Processing for the Legitimate Interests of the Data Controller<\/strong><\/p>\n

        If data processing is mandatory for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject, processing is carried out based on this data processing condition.<\/p>\n

        3.6. <\/strong>Processing of Special Categories of Personal Data<\/strong><\/p>\n

        The Company processes special categories of personal data by complying with the additional measures announced by the Personal Data Protection Board and by taking all necessary administrative and technical measures, in accordance with the Policy on Processing Special Categories of Personal Data, and in the presence of one of the following data processing conditions:<\/p>\n

        3.6.1.<\/strong> Explicit consent of the data subject.<\/p>\n

        3.6.2.<\/strong> Processing of special categories of personal data other than health and sexual life is stipulated in laws.<\/p>\n

        3.6.3.<\/strong> Processing of data related to health and sexual life by persons under the obligation of secrecy for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.<\/p>\n

        3.7. Transfer of Personal Data<\/strong><\/p>\n

        3.7.1. Domestic Data Transfer<\/strong><\/p>\n

        The Company transfers personal data, including special categories of personal data, to third parties (third-party natural and legal persons, authorized public institutions and organizations) in accordance with the regulations in Article 8 of the KVKK Law, based on appropriate personal data processing purposes, and by taking the necessary administrative and technical measures. The Company’s Transfer Recipient Groups are specified in VERB\u0130S. <\/p>\n

        The Company acts lawfully in data transfer activities. It transfers data to third parties only to the extent required by the service. It appropriately instructs the Data Processor Transfer Recipient groups regarding data security through data transfer agreements. <\/p>\n

        3.7 2. International Data Transfer<\/strong><\/p>\n

        The Company may transfer personal data abroad only in accordance with the regulations in Article 9 of the KVKK Law and by taking the necessary administrative and technical measures. This transfer is possible if one of the following conditions is met: <\/p>\n

        3.7.2.1.<\/strong> To foreign countries declared by the Authority to have adequate protection, or<\/p>\n

        3.7.2.2.<\/strong> In the absence of adequate protection, with the written undertaking of data controllers in Turkey and the relevant foreign country to provide adequate protection, and with the permission of the Board, without seeking the explicit consent of the data subject.<\/p>\n

        3.7.2.3.<\/strong> If neither of these two conditions is met, personal data can only be transferred abroad with the explicit consent of the data subject.<\/p>\n

        If one of the aforementioned conditions exists, the Company may transfer personal data to IT, archiving companies, or cloud service companies for the necessary infrastructure and services for corporate electronic communication channels and to ensure data security; and to foreign-based platforms and applications for providing services through instant messaging or online communication channels, which are widely and inevitably used today. In addition, the Company may transfer personal data abroad to its suppliers for the procurement of goods and services from foreign suppliers and to carry out its commercial activities. <\/p>\n

        3.8. Processing of Data by Group Company<\/strong><\/p>\n

        Your personal data is transferred to Group Companies and\/or made accessible to them by Kurtsan <\/strong>for the purposes of providing you with the services, fulfilling our necessary or legal obligations, conducting Company activities in accordance with group goals and strategies, and protecting its rights, interests, and reputation, and only if necessary for the stated purposes. In data transfers to group companies, we always ensure data protection and information security in accordance with applicable data protection legislation. <\/p>\n

        3.9. Retention and Destruction of Personal Data<\/strong><\/p>\n

        As the Data Controller, the Company has determined the retention periods, destruction periods, and technical and administrative measures to be implemented for preservation in its Personal Data Retention and Destruction Policy; and has declared these periods separately for each personal data category in VERB\u0130S. The Company is aware of its obligation to ensure the preservation of personal data in accordance with these principles. <\/p>\n

        In accordance with the KVKK Law, personal data is retained for the period stipulated in the relevant legislation or required for the purpose for which it is processed. These periods have been determined, and after the expiration of this period, the relevant personal data is deleted, destroyed, or anonymized for analytical purposes at the end of the periodic destruction periods specified in the relevant Policy, in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data. You can request more information through the contact details provided in this KVKK Policy. <\/p>\n

          \n
        1. PROTECTION OF PERSONAL DATA<\/strong><\/li>\n<\/ol>\n

          To ensure the lawful processing of personal data, the Company takes technical and administrative measures according to technological possibilities and implementation costs. The technical and administrative measures taken for the protection of personal data are applied with care and additional measures for special categories of personal data, and necessary audits are periodically carried out at the highest level within the Company, and these security measures are specified in VERB\u0130S. <\/p>\n

          The Company has taken all appropriate security measures to ensure that personal data is processed only for the purposes specified in VERB\u0130S (ANNEX-1) and to reduce risks such as malicious use, unauthorized access, transfer, destruction, or alteration of personal data. These security measures also include other measures taken in matters such as the transfer of personal data to countries that do not provide an adequate level of data protection. <\/p>\n

          Personal data is confidential, and the Company respects this confidentiality. Only authorized persons within the Company can access personal data. In this context, it is ensured that software complies with standards, third parties are carefully selected, and the KVKK Policy is adhered to within the Company. <\/p>\n

          Despite the Company taking the necessary data security measures, in the event of damage to personal data or its acquisition by unauthorized third parties as a result of attacks on platforms operated by the Company or the Company’s system, the Company immediately takes action to remedy the violation and minimizes the damage to the data subject. The Company immediately notifies the relevant persons and the Board of this situation and takes the necessary measures. <\/p>\n

            \n
          1. RIGHTS OF DATA SUBJECTS OVER THEIR PERSONAL DATA AND EXERCISE OF RIGHTS<\/strong><\/li>\n<\/ol>\n

            5.1. Rights of Data Subjects<\/strong><\/p>\n

            According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data concerning them. In this context, the rights of the data subject over their personal data are listed below in Article 11 of the KVKK Law: <\/p>\n