BariApp Information About Data Protection & Privacy

INFORMATION TEXT REGARDING PERSONAL DATA PROTECTION

For the protection and processing of personal data, MEDICAL FLY SAGLIK VE TURIZM LTD STI attaches utmost importance to protecting the fundamental rights and freedoms of individuals, especially the privacy of private life regulated in Article 20 of the Constitution. In this context, it pays attention to the protection and processing of personal data in accordance with the law and acts with this understanding in all its planning and activities.

Our company does not only evaluate the protection and processing of personal data, which is the basis of the privacy of private life, within the scope of compliance with the legislation, but also puts the value to humans at the basis of its approach. Acting with this awareness, our Company takes all kinds of administrative and technical measures necessary to provide safe storage and prevent the unlawful processing of personal data.

A. Data Controller

In accordance with the Personal Data Protection Law No. 6698 (“Law”), your personal data is collected and processed by MEDICAL FLY SAGLIK VE TURIZM Ltd Sti. (“Company”) as the data controller within the scope described below.

Method and Legal Reason for Collecting Personal Data

Your personal data is collected in all kinds of verbal, written, and electronic medium in whole or in part by automatic or non-automatic means through various channels such as various documents, job application forms, customer information forms, mail and e-mails sent to our company; call center; Company website; social media tools; Corporate communication accounts and devices; Company information systems and devices; security cameras; third parties such as group companies, business partners, companies to which our company provides or receive services, employment companies, and job search portals to be kept for as long as necessary.

Your personal data is processed based on your express consent. In addition, your personal data may also be processed without seeking explicit consent, based on one of the legal reasons in paragraph 2 of Article 5 of the Law which are (i) if it is expressly stipulated by law, (ii) if the personal data has been made public by the personal data owner himself/herself, (iii) if it is necessary for the protection of life or physical integrity of the person himself/herself or someone else who is unable to express his/her consent due to actual impossibility, (iv) if it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the draw up or performance of a contract, (v) if it is mandatory for our company to fulfill its legal obligation (vi) data processing is mandatory for the establishment, exercise or protection of a right, (vii) if data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of personal data owners.

B. Purposes of Processing Personal Data

Your personal data is processed for the purpose of fulfilling the obligations clearly stipulated in the laws and professional and legal requirements if there is one of the conditions given in the 2nd paragraph of Article 5 of the Law; for the correct planning and execution of our commercial relations, partnerships and strategies; to ensure the legal, commercial and physical security of our Company and our business partners; for ensuring the corporate functioning of our Company; for the best planning and implementation of our human resources policies; to ensure the operability and information security of our Company’s information systems and to create the necessary databases for this; to improve the services offered on the website of our Company and to correct any errors; for creating and tracking visitor records and providing request and complaint management.

If you give your explicit consent, your personal data may be processed to ensure that you benefit from the products and services offered by our Company in the best way possible (to make statistics, analysis, profiling, and admiration reporting) and to inform you (personal process follow-up by promotion, advertisement, announcement, and information); for the purpose of planning, developing, and executing corporate communication activities and analyzing your financial profile.

C. To Whom and for What Purpose the Processed Personal Data can be Transferred

In the event that one of the conditions in paragraph 2 of Article 5 of the Law exists, and limited to the purposes specified in paragraph 1 of Article (c) of this text, your personal data may be transferred to our group companies, our affiliates, our business partners, the companies which we receive services (regarding safety, health, work safety, law, etc.) to fulfill our contractual or legal obligations, authorized institutions, and organizations, within the framework of the conditions specified in Articles 8 and 9 of the Law, provided that necessary security measures are taken.

If you give your express consent, your personal data may be transferred to our group companies, affiliates, and business partners limited to the purposes specified in paragraph 2 of Article (c) of this text.

D. Rights of Personal Data Owners Pursuant to Article 11 of the Law

Our Company informs you about your rights in accordance with Article 10 of the Law; provides guidance on how to exercise these rights and carries out the necessary internal functioning, administrative and technical arrangements for all these. As a personal data owner, you have the following rights in accordance with Article 11 of the Law: (a) learning whether your personal data is being processed, (b) requesting information about your personal data if it has been processed, (c) learning the purpose of your personal data being processed and whether they are used in accordance with its purpose, (d) learning the third parties to whom your personal data is transferred at home and abroad, (e) requesting correction of your personal data if it is incomplete or incorrectly processed, (f) requesting the deletion or destruction of your personal data within the framework of the conditions stipulated in Article 7 of the Law, (g) requesting notification of the transactions made pursuant to subparagraphs (d) and (e) of Article 11 of the Law, to third parties to whom your personal data has been transferred, (h) objection to the emergence of a result against you after analyzing your processed data exclusively through automated systems, (i) requesting the compensation of the damage in case you suffer a damage due to the unlawful processing of your personal data.

You can personally submit your requests and applications regarding the implementation of the Law to Bahcelievler Mah. 1831/14 Sokak No:12 Daire 49 Izmir Turkey address by filling out the Data Owner Application Form of the Law on the Protection of Personal Data or send through a notary; or submit electronically to the registered e-mail address medicalfly@hs01.kep.tr by using a secure electronic signature or mobile signature

In your requests and applications, it is mandatory to write:

Name, surname and the signature if the application is in written form,
R. identity number for citizens of the Republic of Turkey; nationality, passport number for foreigners,
or identification number, if any,
domicile or workplace address for notification, E-mail address, if any, telephone and fax number for notification,
and the subject of the request.

Information and documents related to the issue must be added to the application.

Depending on the nature of the request, our Company concludes the requests in the application free of charge as soon as possible or within thirty days at the latest. However, if the transaction in question requires additional costs, the fee in the tariff determined by the Board may be charged.

Our Company may accept the request or reject it by explaining the reason and notifies the relevant person in writing or electronically. If the request in the application is accepted, our Company fulfills what is required as soon as possible and informs the relevant person. If the application is caused by the error of our Company, the fee received will be returned to the data owner.

In cases where the application is rejected, the answer given is insufficient or the application is not answered in due time; The data owner has the right to file a complaint with the Board within thirty days from the date of learning the answer and in any case within sixty days from the date of the application.

For more information about this topic, you can review the relevant legislation and our Company’s “Personal Data Protection and Processing Policy” via the links: https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=6698&MevzuatTur=1&MevzuatTertip=5

https://www.mevzuat.gov.tr/File/GeneratePdf?mevzuatNo=32610&mevzuatTur=KurumVeKurulusYonetmeligi&mevzuatTertip=5

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA OF MEDICAL FLY SAGLIK VE TURIZM LIMITED ŞIRKETI

TABLE OF CONTENTS

FIRST SECTION

INTRODUCTION

1.1. Introduction

1.2. Purpose of the Policy

1.3. Scope of the Policy

1.4. Definitions

1.5. Enforcement of the Policy

SECOND SECTION

PROTECTION OF PERSONAL DATA

2.1. Security of Personal Data

2.2. Control

2.3. Privacy

2.4. Unauthorized Disclosure of Personal Data

2.5. Protecting the Legal Rights of Personal Data Owners

2.6. Protection of Sensitive Personal Data

THIRD SECTION

PROCESSING AND TRANSFER OF PERSONAL DATA

3.1. General Principles for Processing Personal Data

3.2. Terms of Processing Personal Data

3.3. Conditions for Processing Sensitive Personal Data

3.4. Terms of Transferring Personal Data

FOURTH SECTION

CLASSIFICATION OF PERSONAL DATA, THEIR PROCESSING, AND TRANSFER PURPOSES AND THE PERSONS THEY WILL BE TRANSFERRED.

4.1. Classification of Personal Data

4.2. Purposes of Processing Personal Data

4.3. Purposes of Transferring Personal Data

4.4. Persons to whom Personal Data will be Transferred

FIFTH SECTION

METHOD OF COLLECTING PERSONAL DATA AND ITS LEGAL REASON, THEIR DELETION, DESTRUCTION, ANONYMIZATION, AND THE RETENTION PERIOD

5.1 Method of Collecting Personal Data and its Legal Reason

5.2. Deletion, Destruction, and Anonymization of Personal Data

5.3. Retention Period of Personal Data

SIXTH SECTION

INFORMING PERSONAL DATA OWNER AND THE RIGHTS OF DATA OWNER ACCORDING TO THE LAW ON THE PROTECTION OF PERSONAL DATA

6.1. Informing the Personal Data Owner

6.2. Rights of the Personal Data Owner in Accordance with the PDP Law

6.3. Conditions in which the Policy and Law will not be Enforced whole or Partially

SEVENTH SECTION

CLASSIFICATION OF PERSONAL DATA OWNERS AND MATCHING THEM WITH THE PERSONAL DATA

7.1. Classification of Personal Data Owners

7.2. Matching the Personal Data with the Personal Data Owners

FIRST SECTION

1. INTRODUCTION

1.1. Introduction

As MEDICAL FLY HEALTH AND TOURISM LTD. STI. (“Company” or “medicalfly“), we attach utmost importance to the legal protection and processing of Personal Data in accordance with Law No. 6698 on the Protection of Personal Data (“Law”), and we act with this care in all our planning and activities. With this awareness, as MEDICAL FLY, we take all administrative and technical measures for the protection and processing of Personal Data.

1.2. Purpose of the Policy

The purpose of Personal Data Protection and Processing Policy (“Policy“) is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life as regulated in Article 20 of the Constitution during the protection and processing of Personal Data in accordance with the purpose of the Law and to inform Personal Data Owners about the obligations of our Company and the procedures and principles that it will comply with in line with the Law.

medicalfly, as a health tourism intermediary institution, processes various personal data of health tourists and potential health tourists, employees, company employees, and other real persons who communicate on their behalf or as a representative, by applying for a job or by any other purpose or channel, in accordance with the Law in its capacity as Data Controller in order to provide services in the fields of marketing, health tourism service package sales, and after-sales.

Another purpose of this policy is to inform the relevant persons and thus to provide transparency regarding personal data by making a statement about these processing activities and related personal systems that medicalfly carries out. In this context, medicalfly has detailed the processing of personal data within the scope of the Law, the data owners subject to this processing and their rights, and the use of cookies and similar technologies in this Policy.

1.3. Scope of the Policy

This Policy was prepared for Company Shareholders, Company Business Partners, Company Officials, Employee Candidates, Visitors, Company Customers, Potential Customers, and Third Parties provided that they are natural persons and will be implemented within the scope of the specified persons. The Company informs these Personal Data Owners about the Law by publishing this Policy in the content of the application downloaded to your device by yourself and on the website.

This Policy will be applied for the above-mentioned persons, if our Company processes the Personal Data of these concerned persons in fully or partially automatic, or non-automatic way provided that it is part of any data recording system. In the event that the data is not included in the scope of “Personal Data” within the scope specified below or the Personal Data processing activity carried out by our Company is not in the above-mentioned ways, this Policy will not be implemented.

1.4. Definitions

The terms used in the implementation of this policy have the following meanings:

Express Consent: It is consent that is related to a particular subject and based on being informed and explained by free will.

Anonymization: It is the making of personal data that cannot be associated with an identified or identifiable natural person under any circumstances, even if they are matched with other data.

Employee Candidate: Individuals who have applied for a job in any way to our company or have submitted their resume and related information to our company’s review.

Contact person: In relation to the obligations of legal persons residing in Turkey and the data controller representative of legal persons not residing in Turkey under the Law and secondary regulations to be issued based on this Law, it is the real person who is notified by the data controller during the registration to the Registry for the communication to be established with the Institution.

Processing of Personal Data: It is all kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of Personal Data fully or partially automatically or by non-automatic means provided that it is a part of any data recording system.

PDP Board: It Is the Personal Data Protection Board.

Personal Data Owner/Contact Person: It refers to the Company Shareholders, Company Business Partners, Company Officials, Employee Candidates, Visitors, Company Customers, Potential Customers, and Third Parties, whose Personal Data are processed.

Personal data processing inventory: It is the inventory created by data controllers by associating personal data processing activities, which they carry out in connection with their business processes, with personal data processing purposes, data category, transferred recipient group, and persons subject to the data group and which they detail by explaining the maximum period required for the purposes for which personal data is processed, the personal data envisaged to be transferred to foreign countries, and the measures taken regarding data security.

Personal data storage and destruction policy: It is the policy on which data controllers base the process of determining the maximum period required for the purpose for which personal data is processed and the process of deletion, destruction, and anonymization.

Personal Data: Any information about an identified or identifiable natural person.

Company Customer: Individuals who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company.

Sensitive Personal Data: Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions, and security measures, and the biometric and genetic data are deemed to be sensitive personal data.

Potential Customer: They are real persons who have requested or been interested in using our products and services or have been evaluated in accordance with commercial practices and honesty rules that they may have this interest.

Company / Our Company: is MEDICAL FLY HEALTH AND TOURISM LTD. STI.

Company Shareholder: The natural persons who are the shareholders of MEDICAL FLY HEALTH AND TOURISM LTD. STI.

Company’s Business Partner, Shareholder, Official, Employee of Business Partners: They are the real persons with whom our company has any kind of business relationship and all real persons including employees, shareholders, and officials of real and legal persons with whom our company has any business relationship.

Company Official: They are the board members and other authorized real persons of MEDICAL FLY HEALTH AND TOURISM LTD. STI.

Third Person: Other persons who are not covered by MEDICAL FLY SAGLIK VE TURIZM LTD. STI.’s Personal Data Protection and Processing Policy and do not fall under any Personal Data Owner category in this Policy.

Data category: is the personal data class in respect of data subject person group, or groups, in which personal data are grouped according to their common characteristics.

Data subject person group: is the related person category in which the data controllers process their data.

Data Controllers’ Registry Information System (VERBIS): is the information system that is accessible on the Internet and established and managed by the Presidency under supervision of the Board, that data controllers will use for the registration with the Registry and the other operations related to the Registry.

Data Processor: is the natural and legal person who processes Personal Data on behalf of the data controller based on the authority given by the data controller.

Data Recording System: refers to the registration system in which personal data is structured and processed according to certain criteria.

Data Controller: is the person who determines the purposes and means of processing personal data and manages the location (data recording system) where the data is kept in a systematic way.

Visitor: All natural persons who have entered the physical settlements owned by our Company for various purposes or have visited our websites for any purpose.

Procedure for Managing the Requests from Data Owners: is the procedure prepared by MEDICAL FLY HEALTH AND TOURISM LTD. STI. in which the process to be used in meeting the requests that may come from the data owners are detailed within the scope of the Law.

1.5. Enforcement of the Policy

The Policy, which has been issued and entered into force by MEDICAL FLY SAGLIK VE TURIZM LTD. STI, is published on the Company’s website and made available to the relevant persons upon request. MEDICAL FLY SAGLIK VE TURIZM LTD. STI has the right to make changes in this policy at any time within the framework of the Law, secondary legislation, and PDP Board decisions.

SECOND SECTION

2. PROTECTION OF PERSONAL DATA

2.1. Security of Personal Data

In accordance with the Law, our Company takes all necessary technical and administrative measures to ensure the appropriate level of security to prevent the illegal processing and access of Personal Data and to ensure the protection of Personal Data.

2.2. Control

Our company conducts and makes conducted the necessary controls in order to ensure the regularity and continuity of the data security described above and the measures to be taken.

2.3. Privacy

Our company takes all necessary technical and administrative measures according to technological possibilities and implementation costs to prevent the relevant data controllers and data processors to disclose the Personal Data they have to others in violation of the provisions of the Law and Policy and prevent them to use the data for purposes other than processing. In this context, information and training activities are carried out for our Company employees about the Law and Policy.

2.4. Unauthorized Disclosure of Personal Data

In case the Personal Data processed by our Company is obtained by others in unlawful ways, our Company carries out the necessary procedures to notify the relevant Personal Data Owner and the PDP Board as soon as possible. If deemed necessary by the PDP Board, this situation may be announced on the website of the PDP Board or by any other method deemed appropriate by the PDP Board.

2.5. Protecting the Legal Rights of Personal Data Owners

By implementing the Policy and Law, our company protects all legal rights of Personal Data Owners and takes all necessary precautions to protect these rights.

2.6. Protection of Sensitive Personal Data

Within the framework of the Policy on the Processing and Protection of Sensitive Personal Data, adequate measures determined by the PDP Board are taken by our company with precision.

THIRD SECTION

3. PROCESSING AND TRANSFER OF PERSONAL DATA

3.1. General Principles for Processing Personal Data

Personal Data is processed by our Company in accordance with the procedures and principles stipulated in the Law and this Policy. Our company complies with the following principles when processing personal data.

Ø Compliance with the Law and the rules of Good Faith

Ø Being Accurate and Up-to-Date when Needed

Ø Processing for Specific, Explicit and Legitimate Purposes

Ø Being Related, Limited and Prudent to the Purpose for which they are Processed

Ø Retention for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed

3.2. Terms of Processing Personal Data

Personal data is processed within MEDICAL FLY SAGLIK VE TURIZM LTD. STI. in the light of activities that can be carried out with the express consent of data owners or without being subject to express consent in accordance with Articles 5 and 6 of the Law and these data are only processed within the framework of the purposes exemplified in the “Purposes of Processing Personal Data” section of this Policy. Our Company may process personal data without the explicit consent of the data owner if one of the following conditions exists.

3.3. Conditions for Processing Sensitive Personal Data

Our Company does not process Sensitive Personal Data without the express consent of the person concerned. However, Personal Data other than health and sexual life can be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal Data regarding health and sexual life is only processed by our Company for the purpose of protecting public health, performing preventive medicine, medical diagnosis and treatment and care services, planning and managing health services, and financing under the conditions in which we are under the obligation to keep secrets without seeking the explicit consent of the person concerned. Our company carries out the necessary procedures to take adequate measures determined by the Board in the processing of sensitive personal data.

3.4. Terms of Transferring Personal Data

Our company may transfer the Personal Data of Personal Data Owners and Sensitive Personal Data to third parties in accordance with the Law by creating the necessary confidentiality conditions and taking security measures in line with the purposes of processing Personal Data. Our company acts in accordance with the regulations stipulated in the Law during the transfer of Personal Data. In this context, in line with the legitimate and lawful Personal Data processing purposes, our Company may transfer Personal Data to third parties based on and limited to one or more of the Personal Data processing conditions specified in Article 5 of the Law,

Ø if the Personal Data owner has given his/her express consent,

Ø if there is a clear regulation in the Law regarding the transfer of Personal Data,

Ø if it is necessary for the protection of the life or physical integrity of the Personal Data owner or someone else and the Personal Data owner is unable to disclose his/her consent due to actual impossibility or the consent of the Personal Data owner is not legally valid,

Ø if it is necessary to transfer the Personal Data of the Parties of the contract if it is directly related to the draw up or performance of a contract,

Ø If the transfer of Personal Data is mandatory for our Company to fulfill its legal obligation,

Ø If the Personal Data has been publicly disclosed by the Personal Data owner,

Ø If the transfer of Personal Data is mandatory for the establishment, use or protection of a right,

Ø If Personal Data transfer is necessary for the legitimate interests of our Company,

if it does not harm the fundamental rights and freedoms of the Personal Data owner.

3.4.1. Conditions for Transferring Personal Data Abroad

By taking the necessary security measures, our Company may transfer the Personal Data and Sensitive Personal Data of the Personal Data Owners to third parties abroad in line with the Personal Data processing purposes. Personal Data can be transferred by our Company to foreign countries that are declared to have sufficient protection by the PDP Board, or, in the absence of sufficient protection, they can be transferred in cases where data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and to the foreign countries permitted by the PDP Board.

FOURTH SECTION

4. CLASSIFICATION OF PERSONAL DATA, THEIR PROCESSING, AND TRANSFER PURPOSES AND THE PERSONS THEY WILL BE TRANSFERRED

4.1. Classification of Personal Data

4.1.1. Identity Information

They are the data that contains information about the identity of the person such as name-surname, T.R. identity number, marital status, nationality information, mother’s-father’s name-surname, place of birth – date, gender, background information, factory, and registration numbers of the employees, title deed and other official registration information and driver’s license, identity card, and passport, etc. containing this information and tax number, social security number, signature information, vehicle plate number, and other information.

4.1.2. Contact Information

Phone number, address, e-mail address, fax number, IP address, etc.

4.1.3. Transaction Security Information

Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Company while carrying out the Company’s activities.

4.1.4. Financial Information

Personal data processed regarding information, documents, and records that are showing all kinds of financial results arising in accordance with the employee-employer relationship established by the Company with the Related Person and the information such as bank account number, branch code, bank card information, IBAN number, credit card information, financial profile, credit rating, assets data, income information, etc.

4.1.5. Visual and Audial Information

Photo and camera recordings, audio recordings, and any data and other information contained in this data.

4.1.6. Personnel Information

All kinds of personal data processed for obtaining information that will be the basis for the protection of personal rights of real persons who are in a working relationship with the Personal Data Owner.

4.1.7. Location Information

Within the framework of the activities and operations of the Company or cooperated companies and institutions, the information identifying the location of the Relevant Person while he/she is using Company mediums, their GPS location, travel data and other information.

4.1.8. Family Members and Relatives Information

Within the framework of the activities and operations of the Company or cooperated companies and institutions or in order to protect the legal and other interests of the Company and the Related Person, the identity and contact information, as defined above, about the Relevant Person’s family members (e.g. spouse, mother, father, child), relatives and other persons who can be reached in case of emergency.

4.1.9. Physical Area Safety Information

Personal data regarding the records and documents taken during the entrance to the physical area and during the stay in the physical area such as camera records, fingerprint records and the records taken at the security point and other data related to the workplace.

4.1.10. Legal Action Information

Data processed within the scope of the determination, follow-up and performance of the Company’s legal receivables and rights and legal obligations.

4.1.12. Sensitive Personal Information

The data specified in Article 6 of the Law (health data, biometric data, religion and association membership information, etc.)

4.1.13. Request/Complaint Management Information

Personal data regarding receiving and evaluating the request or complaint directed to our company.

4.2. Purposes of Processing Personal Data

In order to fulfill the obligation of clarification in Article 10 of the Law, our Company informs data owners about the purposes for which Personal Data will be processed, to whom, and for what purpose the processed data can be transferred.

Your personal data is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to the best planning and implementation of our human resources policies; the correct planning and execution of our commercial partnerships and strategies; ensuring the legal, commercial and physical security of our Company and our business partners; ensuring the corporate functioning of our company; carrying out works to ensure that you benefit from the products and services offered by our Company in the best way possible; suggesting the products and services offered by our Company to you by customizing them according to your demands, needs, and wishes; ensuring the highest level of data security; creating databases; improving the services offered on our Company’s website; communicating with those who have submitted their requests and complaints to our Company; correcting errors in our Company’s website.

4.3. Purposes of Transferring Personal Data

Your Personal Data is transferred within the scope of the conditions specified in Articles 8 and 9 of the Law, limited to the best planning and implementation of our human resources policies; the correct planning and execution of our commercial partnerships and strategies; ensuring the legal, commercial and physical security of our Company and our business partners; ensuring the corporate functioning of our company; carrying out works to ensure that you benefit from the products and services offered by our Company in the best way possible; suggesting the products and services offered by our Company to you by customizing them according to your demands, needs, and wishes; ensuring the highest level of data security; creating databases; improving the services offered on our Company’s website; communicating with those who have submitted their requests and complaints to our Company; correcting errors in our Company’s website.

4.4. Persons to whom Personal Data will be Transferred

Your Personal Data may be transferred to our shareholders, business partners, suppliers, affiliates, the companies, and institutions with which we are in cooperation, companies that we outsource to fulfill our contractual or legal obligations, authorized institutions, and organizations. The nature of these transfers and the parties to whom they are shared vary depending on the type and nature of the data owner and medicalfly relationship, the purpose of the transfer, and the relevant legal basis, and these parties are generally as follows:

Ø Legal authorities such as Law Offices and institutions where support is taken for legal activities,

Ø Business units within medicalfly that are ensuring the coordination, cooperation, and efficiency,

Ø Research firms within the scope of the objectives such as customer satisfaction, etc.

Ø Banks that will allow financial transactions to be realized,

Ø T.R. Ministry of Health and T.R. Ministry of Culture and Tourism

Ø T.R. Health organizations or hospitals affiliated with the Ministry of Health,

FIFTH SECTION

5. METHOD OF COLLECTING PERSONAL DATA AND ITS LEGAL REASON, THEIR DELETION, DESTRUCTION, ANONYMIZATION, AND THE RETENTION PERIOD

5.1 Method of Collecting Personal Data and its Legal Reason

For the purpose of checking the compliance with Article 1, which regulates the purpose of the Law, and Article 2, which regulates the scope of the Law; Personal Data is collected in all kinds of verbal, written, electronic media through technical and other methods, via call center, our company’s website, mobile application, etc., in order to achieve the purposes set out in the Policy, within the framework of legislation, contract, demand, and optional legal reasons in order to fully and accurately fulfill the responsibilities arising from the Law, and is processed by our Company or data processors assigned by our Company.

5.2. Deletion, Destruction, and Anonymization of Personal Data

Without prejudice to the provisions of other laws regarding the deletion, destruction, or anonymization of Personal Data, our Company deletes, destroys, or anonymizes the Personal Data ex officio or upon the request of the data owner in accordance with the Personal Data Retention and Disposal Policy in the event that the reasons requiring it to be processed disappear, although it has been processed in accordance with the provisions of this Law and other laws. By the deletion of personal data, the data is destroyed in a way that it can never be used and restored again. Accordingly, the data is deleted from the documents, files, CDs, floppy disks, hard disks, etc. in which they are stored in a way that they cannot be returned. Data destruction, on the other hand, refers to the destruction of materials that are suitable for storing data, such as Documents, files, CDs, floppy disks, hard disks, where the data is stored, so that the information cannot be returned and used again. By anonymizing data, it is meant that the data cannot be associated with an identified or identifiable natural person even if the Personal Data is matched with other data.

5.3. Retention Period of Personal Data

Our company stores Personal Data in accordance with the periods stipulated in the laws and other legislation. If there is no time limit in the laws and other legislation regarding how long Personal Data can be kept, Personal Data is processed until the realization of our Company’s purpose regarding processing the Personal Data, then it is deleted, destroyed, or anonymized in accordance with the Personal Data Retention and Disposal Policy.

SIXTH SECTION

6. INFORMING PERSONAL DATA OWNER AND THE RIGHTS OF DATA OWNER ACCORDING TO THE LAW ON THE PROTECTION OF PERSONAL DATA

6.1. Informing the Personal Data Owner

Our company informs the Personal Data Owners during the acquisition of personal data in accordance with Article 10 of the PDP Law. In this context, it gives information to the Personal Data Owner regarding the identity of the Contact Person, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and its legal reason, and the rights of the Personal Data Owner.

6.2. Rights of the Personal Data Owner in Accordance with the PDP Law

Our company informs you about your rights in accordance with Article 10 of the Law, guides you on how to exercise these rights, and performs the necessary internal functioning, administrative and technical arrangements for all of these. Our Company explains to the persons whose personal data are collected that they have the following rights pursuant to Article 11 of the Law:

Ø learning whether personal data is processed,

Ø if their personal data has been processed, requesting information regarding the situation,

Ø learning the purpose of processing personal data and whether it is used suitably for this purpose,

Ø learning the third parties with whom the personal data is transferred at home or abroad,

Ø requesting correction of personal data if it is incomplete or incorrectly processed,

Ø requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,

Ø requesting notification of the transactions made pursuant to subparagraphs (d) and (e) of Article 11 of the Law, to third parties to whom personal data has been transferred,

Ø objection to the emergence of a result against the person by making the processed data analyzed exclusively through automated systems,

Ø in case of damage of the personal data due to unlawful processing of it, the right to demand compensation for damage.

You can submit your requests to our Company regarding the implementation of the Law by using the Data Owner Request Form for the Law on the Protection of Personal Data in writing or with a secure electronic signature, or with other methods to be determined by the Personal Data Protection Board (“Board”) by following the procedures in the application form. Depending on the nature of the request, our Company concludes your requests in the application free of charge as soon as possible or within thirty days at the latest. However, if the transaction in question requires additional costs, the fee in the tariff determined by the Board may be charged.

Our Company may accept the request or reject it by explaining the reason; notifies the relevant person in writing or electronically. In case of the request in the application is accepted, our Company will fulfill its requirement. If the application is caused by the error of our Company, the fee received will be returned to the data owner.

6.3. Conditions in which the Policy and Law will not be Enforced whole or Partially

The provisions of this Policy and Law will not be applied in the following cases:

Ø Processing them by natural persons within the scope of activities related to them or their family members living in the same residence provided that personal data is not given to third parties and that the obligations regarding data security are complied with.

Ø Processing personal data for purposes such as research, planning, and statistics by anonymizing it with official statistics.

Ø Processing personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression if it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights or constitute a crime.

Ø Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by Law to ensure national defense, national security, public safety, public order, or economic security.

Ø Processing personal data by judicial authorities or enforcement authorities in relation to the investigation, prosecution, trial, or execution proceedings.

Provided that it is in accordance and well-proportioned with the purpose and basic principles of this Policy and the Law, Article 10, which regulates informing obligation of the data controller, Article 11 which regulates the rights of the person concerned, excluding the right to demand compensation for the damage and Article 16 which regulates the obligation to register in the Data Controllers Registry shall not be applied in the following cases:

Ø Processing personal data when it is necessary for the prevention of crime or for criminal investigation.

Ø Processing personal data which was made public by the person concerned.

Ø Processing personal data when it is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution purposes by the authorized public institutions, organizations, and professional organizations that are in the nature of the public institution, based on the authority given by the Law.

Ø when processing personal data is necessary for the protection of the economic and financial interests of the State with regard to budget, tax, and financial matters.

SEVENTH SECTION

7. CLASSIFICATION OF PERSONAL DATA OWNERS AND MATCHING THEM WITH THE PERSONAL DATA

7.1. Classification of Personal Data Owners

Only natural persons can benefit from the protection of this Policy and the Law, Personal Data Owners within this scope have been grouped as follows:

Employee Candidate: Individuals who have applied for a job in any way to our company or have submitted their resume and related information to our company’s review.

Company Customer: Individuals who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company.

Company Shareholder: They are the shareholders of MEDICAL FLY HEALTH AND TOURISM LTD. STI.

Company Official: They are the board members and other authorized real persons of MEDICAL FLY HEALTH AND TOURISM LTD. STI.

Third Person: Other persons who are not covered by MEDICAL FLY SAGLIK VE TURIZM LTD. STI.’s Personal Data Protection and Processing Policy and who do not fall under any Personal Data Owner category in this Policy.

Visitor: All natural persons who have entered the physical settlements owned by our Company for various purposes or have visited our websites for any purpose.

7.2. Matching the Personal Data with the Personal Data Owners

The matching of the classified Personal Data, whose definition and scopes are given above, with the classified Personal Data Owners is presented below.

Identity Information: Company Shareholder; Company Official; Company Customer; Potential Customer; Company’s Business Partner; Shareholder, Official, and Employee of Business Partners; Employee Candidate; Visitor, Third Parties

Contact Information: Company Shareholder; Company Official; Company Customer; Potential Customer; Company’s Business Partner; Shareholder, Official, and Employee of Business Partners; Employee Candidate; Visitor, Third Parties

Transaction Security Information: Company Shareholder; Company Official; Company Customer; Potential Customer; Company’s Business Partner; Shareholder, Official, and Employee of Business Partners; Employee Candidate; Visitor, Third Parties

Financial Information: Company Shareholder; Company Official; Company Customer; Potential Customer; Company’s Business Partner; Shareholder, Official, and Employee of Business Partners; Employee Candidate; Visitor, Third Parties

Visual and Audial Information: Company Shareholder; Company Official; Company Customer; Potential Customer; Company’s Business Partner; Shareholder, Official, and Employee of Business Partners; Employee Candidate; Visitor, Third Parties

Personnel Information: Company’s Business Partner; Shareholder, Official, and Employee of Business Partners; Employee Candidate, Third Parties

Location Information: Company’s Business Partner; Shareholder, Official, and Employee of Business Partners

Family Members and Relatives Information: Company Customer; Potential Customer; Company’s Business Partner; Shareholder, Official, and Employee of Business Partners; Employee Candidate; Visitor, Third Parties

Physical Area Safety Information: Company Shareholder; Company Official; Company’s Business Partner, Shareholder, Official, Employee of Business Partners; Employee Candidate; Visitor, Third Parties

Legal Action Information: Potential Customer; Company’s Business Partner, Shareholder, Official, Employee of Business Partners; Visitor, Third Parties

Sensitive Personal Data: Company Shareholder; Company Official; Company Customer; Potential Customer; Company’s Business Partner, Shareholder, Official, Employee of Business Partners; Employee Candidate, Visitor, Third Parties

Request/Complaint Management Information: Company Shareholder; Company Official; Company Customer; Potential Customer; Company’s Business Partner; Shareholder, Official, and Employee of Business Partners; Employee Candidate; Visitor, Third Parties