I. INTRODUCTION
A. Purpose and Scope
Istanbul Hair Transplant’s principles for the protection and processing of personal data are defined in this policy.
This Policy aims to explain the personal data processing activities and the systems adopted by Istanbul Hair Transplant to protect such data. It ensures transparency by informing the Relevant Person—including individuals receiving products or services, employees and employee candidates, potential customers, shareholders, visitors, participants, suppliers, and third parties.
The objectives of this Policy are to:
- Set and implement standards for personal data management in alignment with organizational goals and obligations,
- Establish control mechanisms consistent with an acceptable level of risk,
- Comply with international agreements, constitutional provisions, laws, regulations, contracts, and other legal requirements regarding data protection,
- Safeguard the fundamental rights and freedoms of the Relevant Person to the highest extent.
Additionally, this Policy applies to all physical and electronic data recording systems and media used for the automatic or non-automatic processing of personal and sensitive data, provided that the data is part of any data recording system.
B. DEFINITIONS
Definition | Description |
---|---|
Explicit Consent | Consent given for a specific subject, based on adequate information and expressed with free will. |
Constitution | The Constitution of the Republic of Turkey, No. 2709. |
Employee | All staff and managers working at Istanbul Hair Transplant. |
Employee Candidate | Individuals who have applied for a job at Istanbul Hair Transplant or have made their CV and related data available for review. |
Shareholder/Partner | Real persons who are shareholders or partners of Istanbul Hair Transplant. |
Relevant Person | A natural person whose personal data is processed. |
Destruction | The act of deleting or destroying personal data. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Personal Data Processing Inventory | A record of personal data processing activities carried out by data controllers, linked with processing purposes, data categories, recipient groups, and data subject groups; includes data retention durations, potential international transfers, and data security measures. |
Anonymization of Personal Data | Making personal data impossible to associate with an identified or identifiable person, even when combined with other data. |
Disposal of Personal Data | The deletion, anonymization, or destruction of personal data. |
Deletion of Personal Data | Making personal data inaccessible and unusable by any Relevant User. |
Destruction of Personal Data | Making personal data permanently inaccessible, irrecoverable, and unusable by anyone. |
Committee | Istanbul Hair Transplant Personal Data Protection Committee. |
Board | The Personal Data Protection Board or the relevant supervisory authority in applicable jurisdictions. |
KVKK | Law No. 6698 on the Protection of Personal Data (Turkey). |
GDPR | The General Data Protection Regulation (EU). |
Sensitive Personal Data | Special categories of data such as race, ethnicity, political opinions, religion, health, biometric/genetic data, sexual orientation, and criminal records. |
Periodic Destruction | Routine deletion, destruction, or anonymization of personal data at specified intervals when the legal basis for processing no longer exists. |
Policy | Istanbul Hair Transplant Personal Data Processing and Protection Policy. |
Istanbul Hair Transplant | Istanbul Hair Sağlık Hizmetleri ve Turizm Dan. Tic. Ltd. Şti. |
Supplier Employee | Individuals working for institutions in business relationships with Istanbul Hair Transplant (e.g., suppliers, service providers). |
Supplier Representative | Natural persons representing institutions that have business relations with Istanbul Hair Transplant. |
Product or Service User / Authorized Representative | Natural persons or legal entity representatives using or having used services or products provided by Istanbul Hair Transplant, regardless of contractual status. |
Data Processor | A natural or legal person processing personal data on behalf of the Data Controller. |
Data Recording System | A structured system where personal data is processed according to defined criteria. |
Data Controller | A natural or legal person who determines the purposes and means of processing personal data and is responsible for managing the data recording system. |
Visitor | Natural persons visiting Istanbul Hair Transplant’s facilities or websites for various purposes. |
II. GENERAL PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA
Istanbul Hair Transplant processes personal data in compliance with Article 20 of the Constitution of the Republic of Turkey, Article 4 and Article 5 of the Law on the Protection of Personal Data (KVKK), and Article 5 of the General Data Protection Regulation (GDPR).
Personal data is processed lawfully, fairly, accurately, and—when necessary—updated; for specific, clear, and legitimate purposes; in a way that is relevant, limited, and proportionate to those purposes. Data is retained only for as long as required by relevant legislation or the intended purpose of processing.
For data subjects residing in Turkey, personal data is processed based on at least one of the conditions in Article 5 of the KVKK. In addition, Istanbul Hair Transplant complies with Article 6 of the KVKK for sensitive personal data, and Articles 8 and 9 for data transfers. According to Article 10, the relevant person is informed in cases of data processing. For residents of the European Union, data processing is also conducted in line with the GDPR.
A. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
Personal data is processed in accordance with the following principles, as set forth in Article 4 of the KVKK and Article 5 of the GDPR:
- Lawfulness and Fairness: All personal data processing activities are carried out in compliance with relevant laws and ethical principles, with due respect for the rights and expectations of data subjects.
- Accuracy and Being Up to Date: Reasonable steps are taken to ensure that personal data is accurate and kept up to date. Data subjects have the right to request correction or deletion of inaccurate data.
- Purpose Limitation: Data is processed only for clearly defined and lawful purposes and is not further processed in a manner that is incompatible with those purposes.
- Data Minimization: Personal data is processed in a way that is adequate, relevant, and limited to what is necessary in relation to the purpose for which it is processed.
- Storage Limitation: Data is retained only for as long as necessary to fulfill the purpose of processing or as required by law, after which it is deleted, anonymized, or destroyed.
B. CONDITIONS FOR PROCESSING PERSONAL DATA
Personal data is processed when at least one of the legal bases in Article 5 of the KVKK or Article 6 of the GDPR is present:
- Explicit Consent: Data is processed with the clear and informed consent of the data subject.
- Legal Obligation: If explicitly required by law, data may be processed without the need for consent.
- Vital Interests: If the data subject cannot provide consent due to physical or legal incapacity, personal data may be processed to protect their or another person’s life or physical integrity.
- Contractual Necessity: When data processing is necessary for the performance of a contract between the data subject and Istanbul Hair Transplant.
- Compliance with Legal Obligations: When necessary to fulfill legal responsibilities under applicable laws.
- Public Disclosure by the Data Subject: If the data subject has made their personal data publicly available, it may be processed without further consent, limited to the scope of that disclosure.
- Establishment, Exercise, or Defense of Legal Claims: Data may be processed when required to protect a legal right.
- Legitimate Interest: Provided it does not violate fundamental rights and freedoms of the data subject, data may be processed to serve the legitimate interests of Istanbul Hair Transplant. A balancing test is performed to ensure compliance.
C. CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
According to Article 6 of the KVKK, special categories of personal data include information on race, ethnicity, political opinions, religion, philosophical beliefs, health, sexual life, criminal records, and biometric or genetic data.
Istanbul Hair Transplant may process such data only under the following conditions and with additional measures required by the Personal Data Protection Board:
- For Data Other Than Health and Sexual Life: May be processed with the data subject’s explicit consent or if explicitly permitted by law.
- Health and Sexual Life Data: May be processed with explicit consent, or without consent only when carried out by authorized persons or institutions under confidentiality obligations, for purposes such as public health protection, medical diagnosis, treatment, or management of healthcare services.
Istanbul Hair Transplant ensures that general data processing principles are followed even in sensitive data processing, and a dedicated Special Categories of Personal Data Protection Policy is in place. All business units act in accordance with this policy.
Under GDPR, special categories of personal data may be processed under the following circumstances:
- For public interest archiving, research, or statistical purposes, under Article 89(1) of the GDPR.
- With the explicit consent of the data subject.
- To fulfill obligations in the field of employment, social security, or social protection law.
- When the data subject is physically or legally incapable of giving consent.
- If the data is made public by the data subject.
- If processing is necessary for legal claims or judicial proceedings.
- For reasons of substantial public interest, with appropriate safeguards.
- For preventive or occupational medicine.
III. CATEGORIES OF PERSONAL DATA PROCESSED BY ISTANBUL HAIR TRANSPLANT
At Istanbul Hair Transplant, personal data is processed in accordance with the Law on the Protection of Personal Data (KVKK), the General Data Protection Regulation (GDPR), and other relevant legislation. The categories of personal data processed are as follows:
1. Identity Information
Data that clearly identifies an individual, such as:
- National ID
- Passport
- Driver’s license
- Residence permit
- Marriage certificate
2. Contact Information
Information used to communicate with the individual, including:
- Phone number
- Email address
- Physical address
3. Personal Information
General personal data related to individuals who are employees or have a professional relationship with our clinic, processed to establish personal rights or fulfill HR-related obligations.
4. Legal Transaction Information
Data processed for:
- Legal obligations
- Enforcement of rights
- Compliance with Istanbul Hair Transplant’s policies
5. Customer Transaction Information
Data related to the use of our services or interactions with our clinic, such as:
- Service usage history
- Instructions or requests from clients
6. Physical Space Security Information
Security-related data obtained through monitoring during visits to our clinic, such as:
- Entry/exit logs
- Security camera recordings within the premises
7. Transaction Security Information
Data processed to ensure:
- Technical and administrative system security
- Legal and commercial transaction integrity
8. Financial Information
Financial data relevant to the individual’s relationship with the clinic, including:
- Invoices
- Payment details
- Transaction records
9. Professional Experience
Work-related data used for evaluating and improving employee performance and career planning, in accordance with our human resources policy.
10. Marketing Information
Data used to personalize and promote our services, such as:
- Preferences and interests
- Marketing reports
- Behavioral and usage analysis
11. Audio-Visual Data
Multimedia content that may include:
- Photographs
- Audio or video recordings (excluding those used strictly for physical security purposes)
12. Sensitive Personal Data
Includes:
- Health and medical information
- Data regarding sexual life
- Criminal record and security measures
All special categories of personal data are processed with enhanced security and in strict compliance with relevant legal requirements.
IV. TRANSFER OF PERSONAL DATA
At istanbulhairtransplant.org, personal data may be transferred to third parties when necessary for delivering healthcare services, fulfilling legal obligations, managing employment procedures, ensuring occupational health and safety, and complying with requests from authorized public institutions.
Personal data is not shared with any third party without the explicit consent of the data subject, except where permitted or required by applicable law, including KVKK, GDPR, or related regulations. In cases where there is a legal basis, personal and sensitive data may be transferred to:
- Private individuals and legal entities,
- Business partners, suppliers, and contractors,
- Shareholders,
- Public institutions and other authorized bodies.
All data transfers are carried out securely and in accordance with Article 8 of the KVKK, and Articles 6, 8, and Chapter 5 of the GDPR.
A. Transfer of Personal Data
Personal data may be shared with third parties without explicit consent if one or more of the following legal grounds are present:
- Clearly permitted by law,
- Necessary to protect the life or physical integrity of the data subject or another person,
- Required for the performance of a contract,
- Necessary to comply with legal obligations,
- Publicly disclosed by the data subject,
- Required for the establishment, exercise, or defense of legal rights,
- Necessary for the legitimate interests of istanbulhairtransplant.org, provided such processing does not infringe on the fundamental rights and freedoms of the data subject.
Personal data may also be transferred to countries with adequate data protection as recognized by the Turkish Personal Data Protection Board or the European Commission. If the recipient country does not offer adequate protection, data may still be transferred if both parties commit to ensuring adequate safeguards in writing, and the necessary approvals are obtained.
B. Transfer of Special Categories of Personal Data
Sensitive personal data (such as health or biometric data) is processed with extra protection. Such data, except for health and sexual life information, may be transferred without consent if explicitly permitted by law. Data related to health and sexual life may be processed and transferred without explicit consent only by authorized persons or institutions under confidentiality obligations, for purposes such as:
- Public health protection,
- Preventive medicine,
- Medical diagnosis and treatment,
- Management and financing of healthcare services.
If the above conditions are not met, explicit consent from the data subject is required.
When transferring special category data abroad, the conditions outlined in applicable data protection legislation must be met, including assurance of adequate protection in the destination country.