Personal Data Protection and Processing Policy

TRUSELF HEALTH TOURISM AND CONSULTANCY SERVICES LIMITED COMPANY

PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. Purpose and Scope

Truself Sağlık Turizm Ve Danışmanlık Hizmetleri Limited Şirketi (TRUSELF) makes maximum effort to comply with all applicable legislation regarding the processing and protection of personal data.

Within the framework of this Policy, the principles adopted by TRUSELF in the conduct of personal data processing activities are explained.

The Policy aims to ensure the sustainability of the principle of conducting TRUSELF's professional activities in transparency. In this context, the basic principles adopted in terms of compliance of data processing activities with the regulations in the Personal Data Protection Law No. 6698 ("KVK Law") are determined and the practices fulfilled by TRUSELF are explained.

The Policy is intended for natural persons whose personal data are processed by TRUSELF by automatic means or by non-automatic means provided that they are part of any data recording system, but the issues regarding the protection of the personal data of its employees are also regulated.

2. Policy Guidelines

2.1. General Principles

The Policy is published on TRUSELF's website at www.trueself.com in a manner accessible by personal data owners. In parallel with the changes and innovations to be realized in the legislation, the amendments to be made in the Policy will be made available in a manner that data owners can easily access.

In the event of a conflict between the legislation in force regarding the protection and processing of personal data and this Policy, TRUSELF agrees that the legislation in force shall apply.

2.2. Groups of Persons Covered by the Policy

The data subject groups covered by the Policy and whose personal data are processed by TRUSELF are as follows:

• Employee Candidates
  Persons who do not have a service contract with TRUSELF but are under consideration for one.

• Officials, Employees of Business Partners
  Real person officials, shareholders and employees of the organizations with which TRUSELF has commercial relations.

• Visitors
  Natural persons visiting TRUSELF's office or websites operated by TRUSELF.

• Other Real Persons
  All natural persons who are not covered by TRUSELF Personal Data Protection and Processing Policy.

3. Disclosure of Personal Data Subjects

In accordance with Article 10 of the KVK Law, TRUSELF carries out the necessary processes to ensure that data subjects are informed during the acquisition of personal data. In this context, the following information is included in the disclosure texts provided by TRUSELF to data subjects:

• (1) Title of TRUSELF,

  (2) The purposes for which TRUSELF will process the personal data of data subjects,

  (3) To whom and for what purpose the processed personal data may be transferred,

  (4) The method and legal reason for collecting personal data,

  (5) The rights of the data subject;

• Learn whether their personal data is being processed,
• Request information if their personal data has been processed,
• To learn the purpose of processing personal data and whether they are used for their intended purpose,
• To know the third parties to whom personal data are transferred domestically or abroad,
• To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction to third parties to whom personal data is transferred,
• To request the deletion or destruction of personal data within the framework of the stipulated conditions and to request notification of the transaction to third parties to whom personal data is transferred,

• To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,

  In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

4. Finalization of Personal Data Subjects' Requests

In the event that data subjects submit their requests regarding their personal data to TRUSELF in writing, TRUSELF, as the data controller, carries out the necessary processes to ensure that the request is finalized as soon as possible and within thirty (30) days at the latest, depending on the nature of the request, in accordance with Article 13 of the KVK Law.

Within the scope of ensuring data security, TRUSELF may request information to determine whether the applicant is the owner of the personal data subject to the application. TRUSELF may also ask questions to the personal data owner about the application in order to ensure that the application of the personal data owner is finalized in accordance with the request. In cases where the application of the data subject is likely to prevent the rights and freedoms of other persons, requires disproportionate effort, or the information is publicly available, TRUSELF may reject the request by explaining the reason.

4.1. Rights of Personal Data Subjects

Pursuant to Article 11 of the KVK Law, you can apply to TRUSELF via the form available at www.trueself.com and make a request on the following issues:

• (1) To learn whether your personal data is being processed,

  (2) Requesting information if your personal data has been processed,

  (3) To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,

  (4) Learning the third parties to whom your personal data are transferred domestically or abroad,

  (5) To request correction of your personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,

  (6) Requesting the deletion, destruction or anonymization of your personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting that the transaction made within this scope be notified to third parties to whom your personal data has been transferred,

  (7) To object to the occurrence of a result against you by analyzing your processed data exclusively through automated systems,

  (8) In case you suffer damage due to unlawful processing of your personal data, to demand the compensation of the damage.

4.2. Cases Excluded from the Rights of Personal Data Subjects Pursuant to the Legislation

Pursuant to Article 28 of the KVK Law, it will not be possible for personal data owners to assert their rights on the following issues, since the following situations are not covered by the KVK Law:

• (1) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public safety, public order, economic security, privacy of private life or personal rights or constitute a crime.
• (2) Processing of personal data for purposes such as official statistics and research, planning and statistics by anonymization.
• (3) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
• (4) Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures.

Pursuant to Article 28/2 of the KVK Law; In the cases listed below, it will not be possible for personal data owners to assert their rights, except for requesting compensation for the damage:

• (1) Processing of personal data is necessary for the prevention of crime or criminal investigation.
• (2) Processing of personal data made public by the personal data owner himself/herself.
• (3) Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by the law.
• (4) Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.

5. Ensuring the Security and Confidentiality of Personal Data

TRUSELF takes all necessary measures to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in other ways, within the limits of possibilities, depending on the nature of the data to be protected.

In this context, all necessary (i) administrative and (ii) technical measures are taken by TRUSELF, (iii) an audit system is established within TRUSELF, and (iv) in case of unlawful disclosure of personal data, the measures stipulated in the KVK Law are acted in accordance with.

(1) Administrative Measures Taken by TRUSELF to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data

• TRUSELF trains and raises awareness of its employees regarding the law on the protection of personal data.
• In cases where personal data is subject to transfer, TRUSELF ensures that the contracts concluded with the persons to whom personal data is transferred by TRUSELF include records stating that the party to whom personal data is transferred will fulfill the obligations to ensure data security.
• Personal data processing activities carried out by TRUSELF are examined in detail, and in this context, the steps to be taken to ensure compliance with the personal data processing conditions stipulated in the KVK Law are determined.
• TRUSELF determines the practices that must be fulfilled to ensure compliance with the PDP Law and regulates these practices with internal policies.

(2) Technical Measures Taken by TRUSELF to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data

• TRUSELF takes technical measures for the protection of personal data to the extent that technology allows, and the measures taken are updated and improved in parallel with the developments.
• Specialized personnel are employed in technical matters.
• Regular audits are conducted for the implementation of the measures taken.
• Software and systems to ensure security are installed.
• Authorization to access personal data processed within TRUSELF is limited to the relevant employees in line with the determined processing purpose.

(3) Conducting Audit Activities by TRUSELF on the Protection of Personal Data

TRUSELF audits the functioning of the technical and administrative measures taken by TRUSELF to ensure the protection and security of personal data and carries out practices to ensure the continuity of the functioning. The results of the audit activities carried out within this scope are reported to the relevant department within TRUSELF. In line with the audit results, activities are carried out to ensure the development and improvement of the measures taken regarding data protection.

(4) Measures to be Taken in Case of Unlawful Disclosure of Personal Data

Within the scope of the personal data processing activity carried out by TRUSELF, in the event that personal data is unlawfully obtained by unauthorized persons, the situation will be notified to the PDP Board and the relevant data owners without delay.

6. Determination of the Unit Responsible for the Protection and Processing of Personal Data

TRUSELF has designated a responsible person who will ensure the necessary coordination within TRUSELF within the scope of ensuring, preserving and maintaining compliance with the personal data protection legislation. The responsible person is responsible for the execution and improvement of the systems established to ensure that the activities carried out comply with the personal data protection legislation.

In this context, the main duties of the relevant responsible person are set out below:

• To prepare and put into effect basic policies on the protection and processing of personal data,
• To decide how the implementation and supervision of the policies on the protection and processing of personal data will be carried out and to make assignments and ensure coordination within this framework,
• To determine the matters to be done to ensure compliance with the PDP Law and related legislation; to oversee and coordinate its implementation,
• Raising awareness about the protection and processing of personal data within the workplace and among collaborating organizations,
• To ensure that necessary measures are taken by identifying the risks that may arise in TRUSELF's personal data processing activities; to submit suggestions for improvement,
• Designing and conducting trainings on the protection of personal data and implementation of policies,
• To decide on the applications of personal data subjects at the highest level,
• To coordinate the execution of information and training activities to ensure that personal data owners are informed about TRUSELF's personal data processing activities and their legal rights,
• To prepare and put into effect amendments to the basic policies on the protection and processing of personal data,
• To follow the developments and regulations on the protection of personal data; to advise senior management on what needs to be done in TRUSELF operations in accordance with these developments and regulations,
• Managing relations with the PDP Board and the PDP Authority,
• To perform other duties to be assigned by TRUSELF's workplace management regarding the protection of personal data.

7. Purposes of Processing Personal Data and Personal Data Groups Subject to Data Processing

7.1. Categories of Personal Data

TRUSELF processes the following groups of personal data partially or fully automatically or non-automatically as part of the data recording system.

7.2. Purposes of Processing Personal Data

Personal data are processed by TRUSELF for the purposes listed below in accordance with the data processing conditions and principles. The existence of the purposes listed below may vary for each personal data owner.

The personal data obtained are processed by TRUSELF in accordance with the personal data processing conditions specified in Articles 5 and 6 of the KVK Law.

• Follow-up of Finance and/or Accounting Affairs
• Planning and Execution of Business Activities
• Follow-up of Legal Affairs
• Recruitment / Employment
• Planning Human Resources Processes
• Execution of Personnel Recruitment Processes
• Planning and Execution of Sales Processes of Products and/or Services
• Planning and Execution of Customer Relationship Management Processes
• Planning and Execution of Marketing Processes of Products and/or Services
• Planning and/or Execution of Efficiency/Effectiveness and/or Relevance Analyses of Business Activities
• Planning Information Security Processes
• Planning and/or Execution of Business Continuity Ensuring Activities
• Planning and/or Execution of Processes for Creating and/or Increasing Commitment to TRUSELF's Services
• Business Administration Application
• Planning and/or Execution of After-Service Support Services Activities
• Planning and Execution of Production and/or Operation Processes
• Management of Relations with Business Partners and/or Suppliers
• Follow-up of Contract Processes and/or Legal Requests
• Planning and Execution of Operational Activities Necessary for Ensuring that TRUSELF Activities are Conducted in Accordance with Professional Procedures and/or Relevant Legislation
• Planning and/or Execution of Client Satisfaction Activities
• Planning and Execution of Corporate Communication Activities
• Ensuring that Data is Accurate and Up-to-Date
• Planning and Execution of Market Research Activities for Sales and Marketing of Services
• Planning and Execution of Authorizations to Access Information Systems of Business Partners and/or Suppliers
• Creating and Tracking Visitor Records
• Providing Legislative Information to Authorized Institutions
• Planning and Execution of Workplace Inspection Activities
• Planning and/or Execution of In-Workplace Training Activities.
• Work and/or events, organizations, training activities that TRUSELF deems appropriate/assigned
• Execution of Client, Patient (product or service recipient) or prospective patient (potential product or service recipient) relationship management processes
• Receiving appointment requests, planning and execution of appointment processes
•  Updating Client, Patient (product or service recipient) or patient candidate (potential product or service recipient) information
• Carrying out the necessary work by business units to ensure that the relevant people benefit from the services provided by TRUSELF and executing the relevant business processes
• Conducting satisfaction surveys and communications through surveys and similar methods
• Carrying out the necessary work to meet the demands, suggestions and complaints.

7.3. Shared Party Categories

TRUSELF may transfer the personal data of the data owners within the scope of the Policy (See Section 5.2.) to the groups of persons listed below for the specified purposes in accordance with the principles set out in the KVK Law and, in particular, Articles 8 and 9 of the KVK Law:

• TRUSELF suppliers,
• Authorized public institutions and organizations and authorized private law persons,
• To other third parties in accordance with the terms of data transfer

The scope of the above-mentioned persons to whom data is transferred and possible data transfer purposes are stated below.

8. Definitions

The definitions of the terms used in the Policy are given below: