CONTENTS
- TRANSFER OF PERSONAL DATA 9
- MATTERS REGARDING THE PROTECTION OF PERSONAL DATA 11
- RETENTION AND DESTRUCTION OF PERSONAL DATA 13
- INFORMING AND NOTIFYING THE DATA SUBJECT 14
- RIGHTS OF THE DATA SUBJECT AND EXERCISE OF THESE RIGHTS 15
** **
**Document Date:**
** **
**Date of Arrangement:**
** **
**Revision Number:**
** **
I. INTRODUCTION
** **
A. Purpose and Scope
** **
This Policy sets out the principles adopted by **Smile Hair Clinic** in the protection and processing of personal data.
Within the scope of this Policy, the aim is to provide explanations regarding **Smile Hair Clinic**’s personal data processing activities and the systems adopted for personal data protection, thereby ensuring transparency by informing Data Subjects, especially **Product or Service Recipients, Employees and Employee Candidates, Potential Customers, Shareholders, Visitors, Participants, Suppliers, and Third Parties**. It also aims to establish and implement standards in personal data management; define and support organizational goals and obligations; establish control mechanisms consistent with an acceptable risk level; comply with the principles and rules set forth by international conventions, the Constitution, laws, regulations, contracts, and other legislation regarding personal data protection; and ensure the best possible protection of Data Subjects’ fundamental rights and freedoms. Furthermore, this Policy covers all physical and electronic data recording systems and environments used for processing personal and special categories of personal data, whether automatically or non-automatically as part of a data recording system.
B. Definitions
** **
| **Definition** | **Description** |
| **Explicit Consent** | Consent relating to a specific matter, given based on information and declared with free will |
| **Constitution** | Constitution of the Republic of Turkey No. 2709 |
| **Employee** | Employees and managers at Smile Hair Clinic |
| **Employee Candidate** | Natural persons who have applied for a job at Smile Hair Clinic by any means or who have made their resume and related information available for Smile Hair Clinic’s review |
| **Shareholder/Partner** | Natural persons who are shareholders and partners of Smile Hair Clinic. |
| **Data Subject** | The natural person whose personal data is processed |
| **Destruction** | Deletion or destruction of personal data |
| **Personal Data** | Any information relating to an identified or identifiable natural person |
| **Personal Data Processing Inventory** | An inventory created by data controllers by associating their personal data processing activities carried out in connection with their business processes with personal data processing purposes, data categories, recipient groups transferred to, and data subject groups, detailing the maximum period for which personal data is processed for the purposes for which it is processed, personal data expected to be transferred to foreign countries, and security measures taken regarding data security |
| **Anonymization of Personal Data** | Anonymization of personal data means rendering personal data unable to be associated with an identified or identifiable natural person in any way, even by matching it with other data |
| **Destruction of Personal Data** | The process of deleting, anonymizing, or destroying personal data |
| **Deletion of Personal Data** | The process of making personal data inaccessible and unusable in any way for Relevant Users |
| **Destruction of Personal Data** | The process of making personal data inaccessible, irrecoverable, and unusable by anyone in any way |
| **Committee** | Smile Hair Clinic Personal Data Protection Committee |
| **Board** | Personal Data Protection Board and the data protection authority of the relevant member state |
| **KVKK** | Law on the Protection of Personal Data No. 6698 |
| **GDPR** | European General Data Protection Regulation |
| **Special Categories of Personal Data** | Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, dress and appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data |
| measures, and biometric and genetic data | |
| **Periodic Destruction** | The process of automatically deleting, destroying, or anonymizing personal data at recurring intervals specified in the data retention and destruction policy, when all conditions for processing personal data specified in KVKK and GDPR cease to exist |
| **Policy** | Smile Hair Clinic Personal Data Processing and Protection Policy |
| **Smile Hair Clinic** | Smile Hair Sağlık Hizmetleri ve Turizm Dan. Tic. Ltd. Şti. |
| **Supplier Employee** | Natural persons working in institutions with which Smile Hair Clinic has any business relationship (such as business partners, suppliers, but not limited to these). |
| **Supplier Official** | Natural persons who are shareholders and officials of institutions with which Smile Hair Clinic has a business relationship |
| **Product or Service Recipient / Product and Service Recipient Official** | Natural persons who use or have used the products and services offered by Smile Hair Clinic, regardless of whether they have a contractual relationship with Smile Hair Clinic (Product or Service Recipient), or Officials of Legal Entities who use/have used these |
| **Data Processor** | A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller |
| **Data Recording System** | A recording system in which personal data is processed by structuring it according to specific criteria |
| **Data Controller** | A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system |
| **Visitor** | Natural persons who have entered Smile Hair Clinic’s physical premises for various purposes or who visit our websites |
** **
II. GENERAL PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA
** **
**Smile Hair Clinic**, in accordance with Article 20 of the Constitution, Article 4 of the KVKK, and Article 5 of the GDPR, processes personal data in a manner that is lawful and fair, accurate and, where necessary, up-to-date; for specific, explicit, and legitimate purposes; and in a way that is relevant, limited, and proportionate to the purpose. In this context, for residents of Turkey, in accordance with Article 5 of the KVKK, it processes personal data based on one or more of the conditions specified in Article 5 of the KVKK for the processing of personal data, and retains personal data for the period required by law and/or by the purpose of personal data processing. Furthermore, in accordance with Article 6 of the KVKK, it acts in compliance with the regulations stipulated for the processing of special categories of personal data, and in accordance with Articles 8 and 9 of the KVKK, it acts in compliance with the regulations stipulated by law and set forth by the KVK Board regarding the transfer of personal data. In accordance with Article 10 of the KVKK, it informs the Data Subject and provides the necessary information if the Data Subject requests it. In addition, all the above-mentioned activities are carried out for European residents in accordance with the relevant provisions of the GDPR.
A. Principles Regarding the Processing of Personal Data
** **
Your personal data is processed by **Smile Hair Clinic** in accordance with the personal data processing principles set out in Article 4 of the KVKK and Article 5 of the GDPR. Compliance with these principles is mandatory for each personal data processing activity:
Processing personal data lawfully and fairly:
In processing your personal data, we act in accordance with laws, secondary regulations, and general principles of law; we prioritize processing personal data limited to the purpose of processing and taking into account the Data Subject’s reasonable expectations.
Personal data must be accurate and up-to-date:
Attention is paid to whether your processed personal data is up-to-date and to carrying out controls in this regard. The Data Subject is granted the right to request the correction or deletion of inaccurate or outdated data in this context.
Processing personal data for specified, explicit, and legitimate purposes:
Before each personal data processing activity, data processing purposes are identified, and compliance with the lawfulness of these purposes is observed.
Personal data must be relevant, limited, and proportionate to the purpose for which they are processed:
The personal data necessary to achieve the collection purpose is limited, and necessary technical and administrative measures are taken to prevent the processing of personal data not related to this purpose.
Retaining personal data for the period required by law or the processing purposes:
Personal data is deleted, destroyed, or anonymized after the personal data processing purpose ceases to exist or upon the expiration of the period stipulated by law.
B. Conditions Regarding the Processing of Personal Data
** **
Your personal data is processed by **Smile Hair Clinic** if at least one of the personal data processing conditions specified in Article 5 of the KVKK and Article 6 and subsequent articles of the GDPR is met. Explanations regarding these conditions are provided below:
Existence of the Data Subject’s Explicit Consent:
The Data Subject’s personal data can only be processed if the Data Subject gives consent freely, with sufficient information about the personal data processing activity, without any doubt, and limited only to that specific transaction.
Clearly stipulated in laws:
Personal data can be processed without the Data Subject’s Explicit Consent within the framework of the relevant legal regulation if it is explicitly stipulated in laws.
Inability to obtain the Data Subject’s Explicit Consent due to factual impossibility and the necessity of personal data processing:
Personal data belonging to a Data Subject who is unable to express consent or whose consent cannot be validated can be processed without Explicit Consent if the processing of personal data is necessary to protect the life or physical integrity of the Data Subject or a third person.
The personal data processing activity is directly related to the establishment or performance of a contract:
If it is necessary to process the personal data of the parties to a contract established or already signed between the Data Subject and **Smile Hair Clinic**, the personal data processing activity can be carried out without Explicit Consent.
Personal data processing activity is mandatory for the Data Controller to fulfill its legal obligation:
Personal data can be processed without Explicit Consent for the purpose of fulfilling legal obligations stipulated within the scope of current legislation.
The Data Subject has made their personal data public:
Personal data that has been disclosed to the public in any way by the Data Subject and has become accessible to everyone as a result of this public disclosure can be processed without the Data Subject’s Explicit Consent, limited to the purpose of public disclosure.
Personal data processing is mandatory for the establishment, exercise, or protection of a right:
If data processing is mandatory for the establishment, exercise, or protection of a right, the Data Subject’s personal data may be processed.
Personal data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the Data Subject:
Personal data can be processed provided that the Data Subject’s interests are balanced. In this context, when processing data based on legitimate interest, the legitimate interest that **Smile Hair Clinic** will obtain as a result of the processing activity is first determined. The possible impact of the processing of personal data on the Data Subject’s rights and freedoms is evaluated, and if it is concluded that the balance is not disturbed, the processing activity can be carried out without Explicit Consent.
C. Conditions Regarding the Processing of Special Categories of Personal Data
** **
In Article 6 of the KVKK, special categories of personal data are specified as limited in number. These are: individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
**Smile Hair Clinic** may process special categories of personal data by taking additional measures determined by the Board in the following situations:
Processing of special categories of personal data other than health and sexual life:
It can be processed with the Data Subject’s Explicit Consent or, if explicitly stipulated in laws, without the Data Subject’s Explicit Consent.
Personal data relating to health and sexual life:
It can be processed with the Data Subject’s Explicit Consent or by persons or authorized institutions and organizations under an obligation of confidentiality, without the Data Subject’s Explicit Consent, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.
Regardless of the processing reason, general data processing principles are always taken into account during processing, and compliance with these principles is ensured. Regarding the protection of special categories of data, our company has implemented the “**Policy on the Protection of Special Categories of Personal Data**”, and our business units act in accordance with the provisions of this policy and take the necessary measures.
Furthermore, the processing of special categories of personal data is possible if at least one of the following conditions listed in GDPR Article 9 exists. In the presence of these conditions, special categories of personal data can be processed by ensuring the appropriate security level also stipulated under KVKK. These issues are also clearly stated in our prepared Policy on the Protection of Special Categories of Personal Data:
- If the data subject has given explicit consent.
- To enable the data controller to fulfill its obligations under the Labor Law and Social Security Law.
- If the data subject is physically or legally unable to give consent.
- If the data has been made public by the data subject.
- If legal claims are made and data processing is necessary within the relevant judicial framework.
- Data processing for public interest, provided that necessary technical and administrative measures are ensured.
- For preventive medicine or occupational health purposes.
- For the purposes of carrying out archiving and research activities for the public interest in accordance with GDPR Article 89/1, based on EU Law.
III. CATEGORIES OF PERSONAL DATA PROCESSED BY SMILE HAIR CLINIC
** **
**Smile Hair Clinic** processes personal data belonging to the Data Subject within the framework of the purposes and conditions specified in this Policy, in accordance with the KVKK, GDPR, and other relevant legislative provisions, including:
|
**Identity Information** | Information clearly belonging to an identified or identifiable natural person; processed partially or entirely automatically or non-automatically as part of a data recording system; information contained in documents such as Driver’s License, Identity Card, Residence Permit, Passport, Marriage Certificate. |
|
**Contact Information** | Information clearly belonging to an identified or identifiable natural person; processed partially or entirely automatically or non-automatically as part of a data recording system; such as telephone number, address, e-mail. |
|
**Personnel Information** | Any personal data processed clearly belonging to an identified or identifiable natural person, processed partially or entirely automatically or non-automatically as part of a data recording system; processed to obtain information that will form the basis for the personnel rights of our employees or natural persons in a working relationship with Smile Hair Clinic. |
|
**Legal Transaction Information** | Personal data processed clearly belonging to an identified or identifiable natural person, processed partially or entirely automatically or non-automatically as part of a data recording system; processed for the determination, follow-up of our legal receivables and rights, and the performance of our debts, as well as for our legal obligations and compliance with Smile Hair Clinic’s policies. |
|
**Customer Transaction Information** | Information clearly belonging to an identified or identifiable natural person and contained within the data recording system; records related to the use of our products and services, as well as instructions and requests necessary for the customer’s use of products and services. |
| **Physical Space Security Information** | Personal data clearly belonging to an identified or identifiable natural person and contained within the data recording system; records taken upon entry to a physical space, during stay within the physical space, and personal data related to documents. |
| **Transaction Security Information** | Personal data clearly belonging to an identified or identifiable natural person and contained within the data recording system; personal data processed to ensure technical, administrative, legal, and commercial security during the conduct of activities. |
|
**Finance** | Personal data processed clearly belonging to an identified or identifiable natural person, processed partially or entirely automatically or non-automatically as part of a data recording system; personal data related to all financial outcomes, documents, and records created according to the type of legal relationship established between Smile Hair Clinic and the data subject. |
|
**Professional Experience** | Personal data clearly belonging to an identified or identifiable natural person, processed partially or entirely automatically or non-automatically as part of a data recording system; personal data processed for the purpose of measuring the performance of our employees or natural persons in a working relationship with our Company and planning and carrying out their career development within the scope of Smile Hair Clinic’s human resources policy. |
|
**Marketing Information** | Personal data clearly belonging to an identified or identifiable natural person, processed partially or entirely automatically or non-automatically as part of a data recording system; personal data processed for the purpose of customizing and marketing our products and services in line with the data subject’s usage habits, preferences, and needs, and reports and evaluations created as a result of this processing. |
|
**Visual and Audio Records** | Personal data clearly belonging to an identified or identifiable natural person; personal data processed partially or entirely automatically or non-automatically as part of a data recording system; Example: photographs and camera recordings (excluding records falling under Physical Space Security Information), audio recordings, and data contained in documents that are copies of documents containing personal data. |
| **Special Categories of Personal Data** | Data relating to health and sexual life, criminal convictions and security measures. |
categories of personal data are processed.
IV. TRANSFER OF PERSONAL DATA
** **
Data transfer is carried out by **Smile Hair Clinic** for purposes such as ensuring the fulfillment of its operational and establishment objectives, securing the provision of services externally obtained from suppliers and necessary for **Smile Hair Clinic**’s commercial activities, ensuring the implementation of human resources and employment policies, fulfilling obligations within the framework of occupational health and safety and taking necessary measures, and providing necessary information to authorized public institutions and organizations.
**Smile Hair Clinic** does not transfer personal data of data subjects to other persons without the explicit consent of the data subject, except in cases where KVKK, GDPR, or relevant legislation requires the transfer to administrative and judicial institutions and organizations.
However, in cases where a legal justification exists, it may transfer the Data Subject’s personal data and special categories of personal data to natural persons and private law legal entities, shareholders, suppliers, and authorized public institutions and organizations and other relevant parties, by taking the necessary security measures in line with personal data processing purposes, without seeking explicit consent. In this regard, actions are taken in accordance with the regulations stipulated in Article 8 of the KVKK and/or Articles 6 and 8 and Part 5 of the GDPR.
A. Transfer of Personal Data
** **
Under the KVKK, even without the Data Subject’s Explicit Consent, personal data may be transferred to third parties by **Smile Hair Clinic** with due diligence and by taking all necessary security measures, including methods stipulated by the KVK Board, if one or more of the following conditions are met:
- The relevant activities regarding the transfer of personal data are explicitly stipulated in laws.
- It is mandatory to protect the life or physical integrity of the person who is unable to express consent due to factual impossibility or whose consent is not legally valid, or of another person.
- The transfer of personal data is directly related to and necessary for the establishment or performance of a contract.
- The transfer of personal data is mandatory for the fulfillment of a legal obligation.
- Personal data has been made public by the Data Subject, provided that it is transferred in a limited manner for the purpose of public disclosure.
- The transfer of personal data is mandatory for the establishment, exercise, or protection of a right of **Smile Hair Clinic** or the Data Subject or third parties.
- It is mandatory to carry out personal data transfer activities for the legitimate interests of **Smile Hair Clinic**, provided that it does not harm the fundamental rights and freedoms of the Data Subject.
In addition to the above, personal data may be transferred to foreign countries declared by the KVK Board to have adequate protection, if any of the above conditions exist. If there is no adequate protection, data may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country have committed in writing to provide adequate protection and where the KVK Board’s permission has been obtained, without the Data Subject’s Explicit Consent, in accordance with the data transfer conditions stipulated in the legislation.
Under the GDPR, the free movement of personal data within the European Union is permitted in accordance with Articles 6 and 8. Its transfer outside the European Union is possible as regulated in Part 5, which includes Articles 44 and 50. According to GDPR Article 44, an adequate level of security must be ensured for a transfer outside the European Union. According to GDPR Article 45, a decision by the European Union Commission is required stating that the relevant country, region, or relevant sector in that place has an adequate level of security. Furthermore, according to Article 46, it is possible for the data controller to transfer personal data to the relevant third country, provided that effective legal remedies are available to the data subjects.
B. Transfer of Special Categories of Personal Data
** **
Special categories of personal data can be transferred by **Smile Hair Clinic** in accordance with the principles stated in this Policy and by taking all necessary technical and administrative measures, including methods to be determined by the Board, and if the following conditions exist.
* Special categories of personal data, other than those relating to health and sexual life, may be processed without the **Explicit Consent** of the Data Subject if explicitly provided for by law, i.e., if there is an explicit provision in the relevant law regarding the processing of personal data. Otherwise, the **Explicit Consent** of the Data Subject will be obtained.
* Special categories of personal data relating to health and sexual life may be processed without explicit consent by persons under an obligation of secrecy or by authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, as well as planning and managing health services and their financing. Otherwise, the **Explicit Consent** of the Data Subject will be obtained.
In addition to the above, personal data may be transferred to foreign countries with adequate protection if any of the above conditions exist. If adequate protection is not available, data may be transferred to foreign countries where the Data Controller / Data Processor undertakes in writing to provide adequate protection, in accordance with the data transfer conditions stipulated in the legislation.
Regarding the transfer of special categories of personal data, our company has implemented a “**Policy on the Protection of Special Categories of Personal Data**,” and our operations adhere to the provisions of this policy, with necessary measures being taken. Regardless of the processing reason, general data processing principles are always considered during transfer processes, and compliance with these principles is ensured.
—
V. MATTERS REGARDING THE PROTECTION OF PERSONAL DATA
** **
**Smile Hair Clinic**, in accordance with Article 12 of the KVKK and Article 32 of the GDPR, takes the necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of personal data and unlawful access to data, and to ensure the preservation of data. Within this scope, it conducts or has conducted the necessary audits.
Systems compatible with technological advancements are utilized to protect personal data in secure environments. Technical security systems are established for storage areas, and the technical measures taken are periodically audited by an audit mechanism determined by **Smile Hair Clinic**. Issues posing a risk are re-evaluated, and necessary technological solutions are developed.
In contracts concluded by **Smile Hair Clinic** with relevant companies regarding the storage of personal data, provisions are included stating that the persons to whom personal data is transferred will take the necessary security measures for the protection of personal data and ensure compliance with these measures within their own organizations. In this regard, **Smile Hair Clinic** acts in accordance with the provisions of its Personal Data Protection Procedure in Third-Party Relations.
The data protection principles adopted by **Smile Hair Clinic** include:
* Providing clear information to individuals about who uses their personal data and how.
* Processing personal data to the necessary minimum extent for these purposes, without harming individuals’ fundamental rights and freedoms, and avoiding the processing of excessive data.
* Respecting the Data Subject’s rights regarding personal data, including the right of access.
* Maintaining an inventory of processed personal data categories.
* Ensuring personal data is accurate and up-to-date when necessary.
* Processing personal data fairly and lawfully.
* Processing personal data only when clearly necessary for legitimate corporate purposes.
* Retaining personal data only within the periods determined by legal regulations, **Smile Hair Clinic**’s legal obligations, or legitimate corporate interests, and as specified in **Smile Hair Clinic**’s Personal Data Retention and Destruction Policy.
* Transferring personal data abroad in accordance with the principles determined by KVKK and GDPR.
* Designating a Committee with special powers and responsibilities regarding the personal data protection system.
* Applying exceptions permitted by legislation.
* Preparation of this Policy.
* Taking all necessary technical and administrative measures, as determined by KVKK, GDPR, secondary legislation, and the Board, to ensure an appropriate level of security for all personal data.
* Processing only relevant and appropriate personal data.
A. Training Activities
** **
**Smile Hair Clinic** provides its employees with necessary training on personal data protection within the scope of Policies and KVKK & GDPR Regulations and Procedures. Special emphasis is given in the training to the definitions of Special Categories of Personal Data and practices for their protection. If a **Smile Hair Clinic** employee accesses Personal Data physically or in a computer environment, our Company provides specific training to that employee regarding these accesses (e.g., the accessed computer program).
**Smile Hair Clinic** ensures that employees are trained and that necessary notifications are made to increase awareness about preventing the unlawful processing of personal data, unlawful access to data, and ensuring the preservation of data.
B. Audit Activities
** **
**Smile Hair Clinic** reserves the right to regularly and autonomously audit at any time, without prior notice, whether all its employees, departments, and suppliers comply with this Policy and KVKK & GDPR Regulations, and conducts or has conducted the necessary routine audits within this scope. The results of these audits are evaluated within the company’s internal operations, and necessary activities are carried out to improve the measures taken.
VI. RETENTION AND DESTRUCTION OF PERSONAL DATA
** **
**Smile Hair Clinic** retains personal data for the period necessary for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legislation applicable to the relevant activity. In this context, it first determines whether a retention period for personal data is stipulated in the relevant legislation; if a period is specified, it acts in accordance with that period. If there is no period in the legislation, personal data is retained for the period necessary for the purpose for which it is processed. Personal data is destroyed at the end of the determined retention periods, in accordance with the periodic destruction periods specified in **Smile Hair Clinic**’s Personal Data Retention and Destruction Policy or upon the Data Subject’s request, and using the determined destruction methods (deletion and/or destruction and/or anonymization).
For detailed information, you can access **Smile Hair Clinic**’s Personal Data Retention and Destruction Policy at [www.smilehairclinic.com](http://www.smilehairclinic.com/).
VII. INFORMING AND NOTIFYING THE DATA SUBJECT
** **
**Smile Hair Clinic** informs the Data Subject in accordance with KVKK, GDPR, and secondary regulations. In this context, if personal data is obtained directly from the Data Subject, it is informed at the time of acquisition; if it is not obtained from the Data Subject, within a reasonable period from the acquisition of personal data; but in any case, without being dependent on the Data Subject’s request, the Data Subject is informed of:
* **Smile Hair Clinic**’s identity,
* The purpose for which personal data will be processed,
* To whom and for what purposes it may be transferred,
* The method of personal data collection (which of the fully or partially automatic methods or non-automatic methods, provided that it is part of a data recording system, is used),
* The legal basis for personal data collection,
* The Data Subject’s other rights listed in KVKK or GDPR.
It must be ensured that this notification, in addition to the above, definitely includes the Data Subject’s rights listed in the KVKK, GDPR, and this Policy. The following points are taken into consideration when making the notification:
* The information within the scope of the notification is provided using clear and simple language. Expressions that might create the impression that the relevant personal data could be processed for other purposes that may arise in the future are not used.
* Notification can be made verbally, in writing, via sound recording through a call center, through various physical or electronic media, and by directing to a web page containing personal data notification texts and other media that may be announced later. The relevant department providing the information and fulfilling the notification obligation takes measures to prove this in a lawful and proper manner.
* If the data processing purpose specified in the notification changes while obtaining personal data, the notification obligation for this new purpose is additionally fulfilled in accordance with the procedures foreseen above.
* If the acquired personal data will only be used for communication with the Data Subject, the notification can be made at the time of the initial communication.
* If the acquired personal data will be transferred to third parties, care is taken to ensure that the notification is made at the latest at the time the personal data is first transferred.
VIII. RIGHTS OF THE DATA SUBJECT AND EXERCISE OF THESE RIGHTS
** **
The legal rights that the Data Subject can exercise regarding personal data are listed below:
* To learn whether personal data is processed.
* To request information if personal data has been processed.
* To learn the purpose of processing personal data and whether they are used in accordance with their purpose.
* To learn the third parties to whom personal data is transferred domestically or abroad.
* To request the correction of your personal data if it is incomplete or incorrectly processed and to request that the transaction made in this context be notified to third parties to whom your personal data has been transferred.
* To request the deletion, destruction, or anonymization of personal data if the reasons for its processing have ceased to exist, despite having been processed in accordance with the law and other relevant legal provisions, and to request that the transaction made in this context be notified to third parties to whom your personal data has been transferred.
* To object to an unfavorable outcome arising from the exclusive analysis of processed data through automated systems.
* To request compensation for damages incurred due to the unlawful processing of personal data.
* To transfer personal data to a different data controller requested by the data subject (right to data portability).
If the Data Subject is a resident of Turkey, they can submit their requests regarding the rights listed in this article in Turkish, in accordance with the Communiqué on the Procedures and Principles for Applications to the Data Controller No. 30356. If the Data Subject is a resident of Europe, they can submit their requests in English by filling out the **Smile Hair Clinic** Application Form in writing or by using a Registered Electronic Mail (KEP) address, Secure Electronic Signature, Mobile Signature, or the e-mail address previously notified and registered in our system, and forwarding it to **Smile Hair Clinic**.
IX. SMILE HAIR CLINIC’S RESPONSE TO APPLICATIONS
** **
**Smile Hair Clinic** takes all necessary technical and administrative measures to conclude applications made by the Data Subject effectively, lawfully, and in accordance with the rule of honesty.
The Data Subject’s applications may be accepted or rejected with an explanation of the reason. The response to the Data Subject’s application may be communicated to the Data Subject in writing or electronically.
If the Data Subject submits their request regarding the rights contained in Policy section VIII, titled “Rights of the Data Subject and Exercise of These Rights,” to **Smile Hair Clinic** in accordance with the aforementioned procedures, the relevant request will be concluded free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost and the conditions determined by the KVK Board are met, the fee specified in the tariff may be charged.
X. EFFECTIVENESS AND UPDATE PERIOD OF THE POLICY
** **
This Policy, prepared by **Smile Hair Clinic**, came into force on 01.05.2021. Necessary updates will be made if the entire Policy or specific articles thereof are renewed.
The Committee is responsible for the implementation, updating, and dissemination of this Policy. The Policy is published on the **Smile Hair Clinic** website.