PROTECTION OF PERSONAL DATA

As the Leukemia Children's Health and Education Foundation (“LÖSEV” or “Foundation”), our donors, patients, their relatives and companions, our employees, our candidates, our volunteers, our visitors, our business contacts, our customers, our users visiting our website and other third parties. It is our priority to process the personal data of individuals in accordance with the relevant legislation, especially the Constitution of the Republic of Turkey, the international conventions regarding human rights to which our country is a party, and the Law on the Protection of Personal Data No.

Therefore, but not limited to those listed; We process the personal data of our donors, patients, employees, employee candidates, volunteers, visitors, business contacts, customers, users visiting our website and other third parties that we obtain during our activities in accordance with the LÖSEV Personal Data Protection and Processing Policy (“Policy”). .

Protection of personal data and observance of the fundamental rights and freedoms of natural persons whose personal data are collected are the basic principles of our policy regarding the processing of personal data. For this reason, we carry out all our activities in which personal data are processed by taking into account the protection of the privacy of private life, the privacy of communication, freedom of thought and belief and the right to use effective legal remedies.

For the protection of personal data, we take all administrative and technical protection precautions required by the nature of the relevant data, in accordance with the legislation and up-to-date technology.

This Policy explains the methods we follow for the processing of personal data collected during our activities within the framework of the principles mentioned in the KVKK (for example, storage, transfer, deletion or anonymization).

2. SCOPE

All personal data processed by LÖSEV, including personal data of our donors, patients, employees, employee candidates, volunteers, visitors, business contacts, customers, users visiting our website and other third parties, are within the scope of this Policy.

Our policy is implemented for all processing activities related to personal data within LÖSEV and economic enterprises affiliated to LÖSEV, and has been handled and prepared by considering the KVKK and other legislation on personal data and international standards in this field.

3. DEFINITIONS AND ABBREVIATIONS

Within the scope of this policy;

3.1. LÖSEV: Children with Leukemia Health and Education Foundation and economic enterprises affiliated to the Foundation,

3.2. Economic enterprises affiliated to the Foundation Private LÖSANTE Child and Adult Hospital, LSV Shop and LÖJANS Design,

3.3. Explicit Consent: Consent, based on information and free will on a specific subject, with a clear and unambiguous, limited only to that transaction,

3.4. Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,

3.5. Employee: LÖSEV personnel,

3.6. Employee candidate: Persons who have applied for a job to LÖSEV,

3.7. Personal data owner (Relevant Person): Natural persons whose personal data are processed,

3.8. Personal data: Any information relating to an identified or identifiable natural person,

3.9. Special categories of personal data: Regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions, and security precaution. data and biometric and genetic data,

3.10. Processing of personal data: Obtaining, recording, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. or any kind of operation performed on the data, such as preventing its use,

3.11. Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,

3.12. Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,

3.13. KVK Board: Personal Data Protection Board,

3.14. KVK Authority: Personal Data Protection Authority,

3.15. KVKK: The Law on the Protection of Personal Data published in the Official Newspaper dated 7 April 2016 and numbered 29677 and

3.16. Policy: LÖSEV Personal Data Protection and Processing Policy

means.

4. ROLE AND RESPONSIBILITIES

4.1. Board of Directors

This Policy has been approved by the Board of Directors. It is the authorized approval mechanism for the creation, implementation and, if necessary, updating of the Policy.

4.2. Legal Consultancy

The Legal Counsel is responsible for the preparation, development, execution and updating of this Policy together with the IT Directorate. The Legal Department evaluates this Policy in terms of its up-to-dateness and development needs when necessary.

4.3. IT Directorate

The Legal Counsel and the Information Technologies Directorate are responsible for the preparation, development, execution and updating of this Policy. The Information Technologies Directorate evaluates this Policy in terms of up-to-dateness and development needs when necessary.

It is the responsibility of the IT Department Manager to publish the prepared document on the Foundation's website or sites.

5. LEGAL OBLIGATIONS

As a data controller, our legal obligations regarding the protection and processing of personal data are listed below.

5.1. Our obligation to inform

While collecting personal data as a data controller;

- The purpose for which your personal data will be processed,

- Our identity, information on the identity of our representative, if any,

- To whom and for what purpose your processed personal data can be transferred,

- The way we collect the data and the legal reason, and

- Rights arising from the law

We have an obligation to inform the person concerned.

As LÖSEV, we take care to ensure that this Policy, which is open to the public, is clear, understandable and easily accessible.

5.2. Our obligation to ensure data security

As the data controller, we take the administrative and technical precautions stipulated in the legislation in order to ensure the security of the personal data under our responsibility. Obligations and precautions regarding data security are detailed in section 11 of this Policy.

6. CLASSIFICATION OF PERSONAL DATA

6.1. Personal Data

The protection of personal data is only related to real persons, and information belonging to legal entities that do not contain information about the real person is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.

6.2. Special Qualified Personal Data

Biometric and genetic data, as well as data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security precautions, are personal data.

6.3. Categories Regarding Personal Data

Within the scope of our foundation activities, we collect the following data:

ID information
Contact information
Information About Family Members
Financial Data
Personnel Data

6. Other Data

Data Category	ID information
Explanation	It is data related to the identification of the person.
Who is it collected from?	Identity information; we collect from our donors, employee candidates, employees, patients and their relatives, customers, business contacts, customers, consumers and third parties with whom we cooperate.
Contents	Name, surname, T.C. ID number, passport number, vehicle license plate information and ID photocopy.
Purpose of data collection	We collect the identity information of our donors in accordance with the legislation we are subject to and for the purpose of issuing donation receipts for donors. We collect the identity information of our employee candidates in order to carry out human resources activities for the position applied for. We are obliged to record the identity information of our employees in accordance with the labor and social security legislation. We collect the identity information of our patients and their relatives in accordance with the legislation we are subject to and in order to provide health services. We collect the identity information of our customers in accordance with the legislation we are subject to and to provide support services. We collect the identity information of suppliers, subcontractors and similar business partners in order to fulfill our commercial requirements and obligations and, if any, our obligations in contracts.
Legal reason for data collection	The main reason for collecting the said data is the obligations in the relevant legislation. We also collect identity information due to the contractual relationship between us and the relevant persons. We sometimes collect identity information in accordance with our legitimate interests and the Foundation principles we have adopted.
Data collection method	We collect data through printed forms, sometimes directly via electronic forms, telephone and GSM.

Data Category	Contact information
Explanation	It is the personal data that enables the person to communicate with the person.
Who is it collected from?	Identity information; we collect from our donors, employee candidates, employees, patients and their relatives, customers, business contacts, consumers and third parties with whom we cooperate.
Contents	Data such as e-mail address, residential address, home phone number, home fax number, mobile phone number.
Purpose of data collection	We collect the contact information of our donors in accordance with the legislation we are subject to and for the purposes of informing about the donation made. We collect the identity information of our employee candidates in order to carry out human resources activities for the position applied for. We are obliged to record the contact information of our employees in accordance with the labor and social security legislation. We collect the contact information of our patients and their relatives in accordance with the legislation we are subject to and in order to provide health services. We collect the contact information of our customers in accordance with the legislation we are subject to and to provide support services. We collect the contact information of suppliers, subcontractors and similar business partners in order to fulfill our commercial requirements and obligations and, if any, our obligations in contracts.
Legal reason for data collection	The main reason for collecting the said data is the obligations in the relevant legislation. We also collect contact information due to the contractual relationship between us and the relevant persons. We sometimes collect contact information in accordance with our legitimate interests and the Foundation principles we have adopted.
Data collection method	We collect data through printed forms, sometimes directly via electronic forms, telephone and GSM.

Data Category	Information About Family Members
Explanation	It is the personal data of the family members of the person concerned.
Who is it collected from?:	Data belonging to family members; We collect data from our candidates, employees, patients and their relatives.
Contents	Name, surname of family members, T.C. ID number, photograph, marital status information, home and work address, mobile phone number, fax number, home phone number, postal and e-mail address.
Purpose of data collection	We collect the family members of our employee candidates to evaluate their job applications. Employment and social security information of our employees' family members. We are obliged to record in accordance with the legislation. We collect the information of the family members of our patients and their relatives in accordance with the legislation we are subject to and in order to fulfill the health services.
Legal reason for data collection	The main reason for collecting the said data is the obligations in the relevant legislation. In addition, we collect information about family members due to the contractual relationship between us and the relevant persons. Sometimes, in accordance with our legitimate interests and the Foundation principles we have adopted, for example; We collect this data for purposes such as communicating in emergencies.
Data collection method	We collect data through printed forms, sometimes directly via electronic forms, telephone and GSM.

Data Category	Financial Data
Explanation	Data such as bank account information, credit card information, billing information.
Who is it collected from?	Financial information; we collect from our donors, employee candidates, employees, patients and their relatives, business contacts, customers and consumers.
Contents	Data such as salary, salary, bank account, credit card, billing information and tax number.
Purpose of data collection	We collect the financial information of our donors within the scope of sponsorship activities.. We are obliged to record the financial information of both our employees and employee candidates in accordance with labor and social security legislation. We collect the financial information of our patients and their relatives for the purpose of issuing invoices. We collect the financial information of customers, suppliers, subcontractors and similar business relations in order to fulfill our commercial requirements and obligations and, if any, our obligations in the contracts.
Legal reason for data collection	The main reason for collecting the said data is the obligations in the relevant legislation. We also collect financial information due to the contractual relationship between us and the relevant persons. Sometimes, in accordance with our legitimate interests and the Foundation principles we have adopted, for example; We collect financial information for purposes such as involving our employees in campaigns or promotions provided by the banks or other financial institutions we cooperate with.
Data collection method	We collect data through printed forms, sometimes directly via electronic forms, telephone and GSM.

Data Category	Personnel Data
Explanation	It is the information necessary for the smooth continuation of the business relationship.
Who is it collected from?	Personal data; We collect from our employees and employee candidates.
Contents	Position/title information, diplomas and certificates, work history and details, testimonial/service/work certificate from the previous workplace, resume, educational status, official correspondence about the employee, SGK employment statement, SGK dismissal statement, blood type, data such as health report, criminal record, disability report, periodic examination report, ex-convict report, military status information.
Purpose of data collection:	We collect the data of employees and employee candidates in accordance with the service contract we have made with them, the legislation we are subject to and our legitimate interests.
Legal reason for data collection	The main reason for collecting the said data is the obligations in the relevant legislation. In addition, we collect personal information due to the contractual relationship between us and the relevant persons. Sometimes, in accordance with our legitimate interests and the Foundation principles we have adopted, for example; We collect this data for purposes such as placing employee candidates in suitable positions.
Data collection method	We collect data through printed forms, sometimes directly via electronic forms, telephone and GSM.

Data Category	Other Data
Explanation	Other data collected within the scope of our foundation activities.
Who is it collected from?	This data; we collect from our donors, employee candidates, employees, patients and their relatives, business contacts and customers.
Contents	Signature, health information, information on criminal convictions and security precautions, device information and access records, OHS compliance information, complaints and data collected in company communication processes.
Purpose of data collection:	Employee data is collected for the purpose of fulfilling obligations under employment and service contract (salary payment, etc.). We also collect this data to ensure security. Data belonging to patients and their relatives are collected within the scope of the execution and development of medical diagnosis, treatment and care services, and the planning and management of health services and similar purposes. We collect the data of suppliers, subcontractors and similar business partners in order to fulfill our commercial requirements and obligations and, if any, our obligations in contracts.
Legal reason for data collection	The main reason for collecting the said data is the obligations in the relevant legislation. We also collect this information due to the contractual relationship between us and the relevant persons. Sometimes, in accordance with our legitimate interests and the Foundation principles we have adopted, for example; We collect this data for purposes such as improving the quality of the service provided.
Data collection method	We collect data through printed forms, sometimes directly via electronic forms, telephone and GSM.

7. PROCESSING PERSONAL DATA

7.1. Our Personal Data Processing Principles

We process personal data in accordance with the principles below.

7.1.1. Processing in accordance with the law and honesty rules

We process personal data in accordance with the rules of honesty, with transparent methods and within the framework of our disclosure obligation.

7.1.2. Ensuring the accuracy and, where necessary, up-to-date of personal data

We take the necessary precautions in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also offer the relevant person the opportunity to apply to update their data and to correct any errors in their processed data, if any.

7.1.3. Processing for specific, explicit and legitimate purposes

As LÖSEV, we process personal data within the scope of our legitimate purposes, the scope and content of which are clearly defined and to continue our activities within the framework of the legislation and the ordinary course of life.

7.1.4. Personal data must be connected, limited and measured for the purpose for which they are processed.

We process personal data in connection with the purpose we have clearly and precisely determined, in a limited and measured way.

We avoid the processing of personal data that is not relevant or does not need to be processed. For this reason, we do not process personal data of a private nature unless there is a legal requirement, or we obtain express consent on the subject when we need to process it.

7.1.5. Keeping personal data for the periods stipulated in the legal regulations or for the period required by our legitimate interests

Many regulations in the legislation require personal data to be kept for a certain period of time. For this reason, we keep the personal data we process for as long as required by the relevant legislation or for the purposes of processing personal data.

In the event that the storage period stipulated in the legislation expires or the purpose of processing disappears, we delete, destroy or anonymize personal data. Our principles and procedures regarding retention periods are detailed in the relevant article of this Policy.

7.2. Our personal data processing purposes

As LÖSEV, we process personal data for the following purposes:

- Planning and management of foundation activities (donations, volunteering, events, etc.),

- Planning and management of health and other services within the Private LÖSANTE Child and Adult Hospital,

- Planning and management of e-commerce service activities within LSV Store,

- Planning and management of advertising, promotion and other related activities within LÖJANS,

- Protection of public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and financing,

- Foundations Law No. 5737, Law No. 6563 on the Regulation of Electronic Commerce, Tax Procedure Law No. 213, Health Services Basic Law No. 3359, Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliates, Regulation on Private Hospitals, Processing of Personal Health Data Ensuring the fulfillment of our legal obligations within the framework of the Regulation on Ensuring Privacy and Privacy (“Regulation”), the regulations of the Ministry of Health and other legislation,

- Planning and conducting national and international solidarity and awareness activities,

- Planning and managing employment needs,

- Conducting relations with suppliers and other third parties,

- Training of employees and patients/patient relatives,

- Creation and management of records of visitors and guests,

- Ensuring the security of the facilities,

- Monitoring and preventing illegal and unauthorized transactions,

- Planning and execution of risk management and quality improvement studies,

- Invoicing for our services,

- Managing all kinds of requests and complaints regarding our activities,

- Confirming your relationship with the institutions that have contracted with Private LÖSANTE Child and Adult Hospital,

- Providing information to the Ministry of Health and relevant public institutions and organizations in accordance with the relevant legislation,

- Providing information requested to private insurance companies within the scope of financing health services,

- Development of health services provided by Private LÖSANTE Child and Adult Hospital,

- Planning and management of medical research activities within the Private LÖSANTE Child and Adult Hospital,

- Providing the necessary information in line with the inspections of regulatory and supervisory institutions and official authorities,

- Providing financial reconciliation regarding the health services offered to you with the private and official institutions we have contracted with, and

- Measuring the satisfaction of patients, relatives, visitors, customers, guests and other relevant third parties so that LÖSEV can provide better service.

In the event that the processing activity carried out within the scope of the above-mentioned purposes does not meet any of the reasons for compliance with the law stipulated within the scope of KVKK, your express consent is obtained by LÖSEV for the relevant processing process.

7.3. Processing of personal data and special categories of personal data

7.3.1. Processing of personal data by obtaining express consent

In accordance with the legislation, personal data cannot be processed without the explicit consent of the person concerned. Explicit consent is defined in the law as “consent on a certain subject, based on information and expressed with free will”. In case the processed data is sensitive personal data, the explanations in this Policy are valid.

7.3.2. Reasons for compliance with the law where express consent is not sought in the processing of personal data

We may process personal data without express consent in cases where there are reasons for compliance with the law arising from the law listed below:

- Expressly stipulated in laws

The personal data of the data subject may be processed in accordance with the law in cases where it is expressly stipulated by the law.

- Failure to obtain the explicit consent of the person concerned due to de facto impossibility.

Personal data may be processed without explicit consent if it is necessary for the protection of life or physical integrity of the person or someone else, who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid.

- Being directly related to the establishment or performance of the contract

Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data without obtaining explicit consent, if it is necessary to process the personal data of the parties to the contract.

- Obligatory for LÖSEV to fulfill its legal obligation

LÖSEV, as the data controller, will be able to process the personal data that is required to be processed in order to fulfill a legal obligation, without the consent of the data subject.

- The person concerned has been made public by himself

Personal data made public by the person concerned, in other words, disclosed to the public in any way, can be processed without seeking the existence of explicit consent.

- Data processing is mandatory for the establishment, exercise or protection of a right

In the event that data processing is necessary for the establishment, exercise or protection of a right, personal data may be processed without seeking explicit consent.

- Data processing is mandatory for LÖSEV's legitimate interests

Provided that it does not harm the fundamental rights and freedoms of the person concerned, personal data may be processed without seeking explicit consent, even if data processing is necessary for LÖSEV's legitimate interests. (For example, monitoring of system rooms containing sensitive information with CCTV equipment)

7.3.3. Processing of special categories of personal data

Special categories of personal data are processed by us, by taking the administrative and technical precautions stipulated by the KVK Board, in the presence of the explicit consent of the data subject or in cases required by the legislation.

Private personal data regarding health and sexual life, for the purpose of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without the explicit consent of persons or authorized institutions and organizations under the obligation of keeping confidentiality. can be processed.

In this context, your sensitive personal data may be processed without seeking explicit consent within the scope of the health services provided by the Foundation and within the limits stipulated by the relevant legislation.

7.3.3.1. Processing of personal health data

Within the framework of the health services we provide through the Private LÖSANTE Children's and Adult Hospital, various information regarding both your physical and mental health are collected, stored and otherwise processed by us.

Being aware of the sensitivity of your personal health data, we use the said information in accordance with the KVKK, Regulation and other relevant legislation. For more information about the relevant data processing activities, you can refer to the section of this Policy titled Personal Data Processing.

7.4. Processing of personal data collected through cookies on our websites

As LÖSEV, we operate the following sites:

- www.losev.org.tr

- www.losante.com.tr

- www.losevokul.k12.tr

- www.lsvdukkan.com

- www.kanseredurde.com

- www.akillicocukdunyasi.com

- www.sagliginizservetiniz.com

- www.kusurat.com

- www.losevkent.com

- www.birtugladasenkoyarmisin.com

We use cookies to improve the functioning and use of our internet pages, and we try to make the time you spend on our website more productive and enjoyable. In addition to these, we use some cookies to remember the choices you make on our websites, thus providing you with an improved and personalized experience.

We may collect, transfer, store and otherwise process your personal data through cookies on our websites.

If you do not want your personal data to be collected and processed through cookies, you can refuse cookies on our websites. We remind you that if you refuse cookies, our websites may not work as they should and disruptions may occur in the display or presentation of goods and services.

For detailed information about the cookies we use on our websites, you can review the "Cookie Policy" published on the relevant sites.

7.5. Processing of personal data via mobile application

In order to provide services through mobile applications;

- Name surname,

- Phone number,

- Email,

- Wireless network information and

- Location

we may collect and process your information.

7.6. Processing of personal data collected within the scope of access to the wireless network

Wireless internet service is provided within the foundation and economic enterprises affiliated to the Foundation, and LÖSEV is defined as "Internet Collective Use Provider" in accordance with the relevant legislation within the scope of the said service.

Access to the wireless network within the Foundation and the economic enterprises affiliated to the Foundation is carried out through the hotspot device of Labris, and the registration of access records such as identification of users who want to benefit from the service in question, IP address information, start and end time, destination IP information in the system in electronic media. Internet Collective Usage Provider 's obligations. In addition to these records, log information is also kept in accordance with the Law No. 5651 on the Regulation of Broadcasts Made on the Internet and Combating Crimes Committed Through These Broadcasts and the relevant legislation.”

7.7. Processing of personal data collected for human resources and employment purposes

We process your personal data, which you share with us during the application process as an employee candidate, for the purpose of examining your job application and, in case of your consent, we store them for the required period of time to be evaluated in future positions within LÖSEV. The processing of the personal data you share as an employee candidate is carried out in accordance with the principles and rules set forth in this Policy.

Personal data of employee candidates:

- Evaluating the suitability of the employee candidate for the open position,

- To confirm the accuracy of the information and documents given by the employee candidate or to conduct research on the employee candidate,

- To communicate with the employee candidate regarding his/her application,

- To meet legal obligations or requests of authorized institutions or organizations,

- To improve our Human Resources Policy

It can be collected by the following tools and methods:

- Application form provided in written or electronic form,

- Sending e-mail, postal etc. to LÖSEV of the employee candidates. résumés they have forwarded,

- Employment or consulting companies,

- Universities,

- During the interview,

- Controls and investigations carried out to confirm the accuracy of the information conveyed by the employee candidate,

- Recruitment tests.

Personal data of our employees are collected, processed and stored within the framework of LÖSEV Human Resources needs, apart from this Policy. Our employees are also informed about the rules regarding the processing of their personal data.

7.8. Processing of personal data within the scope of Private LÖSANTE Children's and Adult Hospital activities

Within the scope of the health services provided to you by Private LÖSANTE Child and Adult Hospital, we process and transfer your various personal health data, store them for as long as required for the relevant data processing purpose and process them in other ways.

Any information we have about your physical and mental health;

- Verbally,

- Our diagnosis, treatment and care systems and equipment, and

- collecting with Printed health forms

- Physical (patient files) and

- Storing in electronic recording media (our databases)

and if it is prescribed by law, we forward it to authorized public institutions and organizations.

In accordance with the Regulation and KVKK, your personal health data, without your explicit consent; it will only be processed for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. Before the data processing activities to be carried out for a purpose other than those listed by LÖSEV, your explicit consent based on detailed information will be obtained in accordance with the requirements of the legislation.

7.8.1. Processing personal data within the scope of online transactions

In order for the health services we provide to you to be carried out in a fast, effective and safe manner, we provide consultancy services through our doctors on our website and allow you to make an online (online) appointment to determine your ailments. In this context;

- Name surname,

- Email address and

- Next to contact information such as mobile phone number

- Various information about your ailment

We collect it through the relevant online forms, transmit it to the relevant doctor and other healthcare professionals, store and process it.

7.8.2. Processing of personal data within the scope of code applications

In order to ensure the safety of our patients, relatives, visitors and our employees, especially our doctors, in our hospital quickly and effectively, primarily in cases of physical assault, sexual harassment or theft against their bodily integrity; regarding the persons involved in the incident;

- Name, surname, etc. ID information,

- Contact information,

- Camera footage and

- Information about the event

are collected through code applications, delivered to the competent judicial authorities and reported to the Ministry of Health via the website or telephone.

7.9. Processing of personal data within the scope of international projects

As LÖSEV, Cancer Will Not Be Our Destiny etc., realized in line with our founding purpose. Regarding our employees in order to complete international projects effectively and safely;

- Name surname,

- Title and

- Mobile phone

information of our patients

- Name surname,

- Photo and

- Information about the disease

We share, store and otherwise process with relevant organizations at home and abroad (such as the European Union).

7.10. Processing of personal data within the scope of LSV Shop activities

We process and store your personal data that you share within the scope of the shopping you have made on the LSV Shop website and shops, and the membership you have opened on the website, and we keep them for the periods stipulated by the legislation and/or required for the data processing purposes.

7.11. Processing of data processed by economic enterprises affiliated to the Foundation by the Foundation

In order to carry out the activities of economic enterprises affiliated to the Foundation in accordance with the principles and objectives of the Foundation, personal data processed by economic enterprises affiliated to the Foundation may also be processed by the Foundation within the limits determined by the legislation. In terms of these data processing, the Foundation with legal personality is in the position of data controller, and the Foundation informs the person concerned about this issue at the stage of collecting personal data.

7.12. Processing of personal data within the scope of donation and volunteering activities

We process the personal data and special quality personal data of our donors and volunteers during the donations and volunteering activities we carry out in order to provide all kinds of aid, including blood donation, to those in need within the framework of the foundation's founding purpose. In this sense, our donors through member registration forms;

- with blood type and other relevant health information

- name surname,

- date of birth,

- Place of birth,

- address,

- phone number,

- gender,

- marital status,

- educational status,

- profession and

- his signature;

Our volunteers are;

- name surname,

- graduated department and school,

- job,

- position,

- working status,

- the name of the place where he works,

- home and work address and telephone,

- reference information,

- member clubs,

- credit card number and

- credit card expiration date

We collect information, store it and process it in other ways in order to meet our legal obligations and possible future needs immediately.

In addition, we store and use the blood group information obtained from our employees through the health reports we obtain from our employees as part of the creation of their personal files, and the contact information of the relevant employees in order to meet possible future needs.

7.12.1. Sharing personal data on social media platforms to invite donations

If our patients need blood donation and marrow, in order to meet this need as quickly as possible;

- Name surname,

- Photo images and

- Blood group information

We share it with the public through the accounts we manage on social media platforms.

7.13. Processing personal data within the scope of ensuring general security

As LÖSEV, we collect, store and use the data of visitors, companions and other third parties, especially our employees and patients, for general security purposes. In this context, we obtain the camera images of the people in our facilities through CCTV systems and keep these records for the periods stipulated by the relevant legislation.

7.14. Processing of personal data within the scope of call center services

For purposes such as appointment control and measuring patient satisfaction and regarding our patients through our call center, but not limited to the following,

- Name surname,

- Relevant health problem and

- The unit for which treatment or examination is requested

We process your information.

8. TRANSFER OF PERSONAL DATA

8.1. Domestic transfer of personal data

As LÖSEV, we act in accordance with the regulations stipulated in the KVKK and the decisions taken by the KVK Board regarding the transfer of personal data.

Personal data and sensitive data are not transferred to third parties without the explicit consent of the person concerned, without prejudice to the reasons for compliance with the law in the legislation.

8.2. Transfer of personal data abroad

As a rule, personal data cannot be transferred abroad without the explicit consent of the person concerned. However, in case of existence of one of the reasons for compliance with the law in this Policy, third parties abroad:

- Located in countries where there is sufficient protection declared by the KVK Board, or

- If it is located in countries where there is no adequate protection, the data controllers in Turkey and in the foreign country in question must undertake an adequate protection in writing and have the permission of the KVK Board

Provided that personal data can be transferred abroad without express consent.

8.3. Third parties to whom personal data is transferred by LÖSEV

Personal data may be transferred to the following categories of persons within the scope of the rules set forth in this Policy:

- LÖSEV business partners,

- LÖSEV suppliers,

- LÖSEV officials,

- Legally authorized public institutions and organizations,

- Legally authorized private legal persons.

Person Category	Explanation	Transfer Purpose
Business partner	Organizing events, receiving services, etc. within the scope of LÖSEV's activities. It refers to parties such as insurance companies and international organizations (for example, the European Union) with which it has partnered for purposes.	In order to realize the planned activity within the scope of the business partnership,
Supplier	It refers to the parties that provide services to LÖSEV in return for a contract in line with LÖSEV's needs and in accordance with its instructions.	In order to fulfill the service to be provided from the supplier
Official	It refers to the authorities of the Foundation and the economic enterprises affiliated to the Foundation.	For the purposes stipulated by the said legal regulation
Legally Authorized Public Institutions and Organizations	Refers to public institutions and organizations authorized to receive information and documents from LÖSEV within the scope of relevant legal regulations.	For the purposes stipulated by the said legal regulation
Legally Authorized Private Law Persons	Refers to private legal persons authorized to obtain information and documents from LÖSEV within the scope of relevant legal regulations.	For the purposes stipulated by the said legal regulation

8.4. Precautions we take to ensure that personal data is transferred in accordance with the law

8.4.1. Technical Precaution

We take various precautions to protect personal data, including but not limited to the ones listed below. In this context;

- Making the technical organization within LÖSEV for the processing and storage of personal data in accordance with the legislation,

- Creating the necessary technical infrastructure to ensure the security of the databases where your personal data will be stored,

- Following and auditing the processes of the technical infrastructure created,

- Determines the procedures for reporting the technical precautionsand audit processes we take,

- Periodically updating and renewing the technical precautionsand,

- Re-examining risky situations and producing necessary technological solutions,

- Uses virus protection systems, firewalls and similar software or hardware security products and establishes security systems in line with technological developments, and

- We employ employees who are experts in technical matters.

8.4.2. Administrative Precautions

We take various precautions to protect personal data, including but not limited to the ones listed below. In this context;

- Establishing personal data access policies and procedures, including the employees of the Foundation and economic enterprises affiliated with the Foundation,

- Informing and training our employees on the legal protection and processing of personal data,

- In the contracts we make with our employees and/or in the policies we create, we record the precautions to be taken in case of unlawful processing of personal data by our employees, and

- We control the processing of personal data of the data processors we work with or the partners of the data processors.

9. STORAGE OF PERSONAL DATA

9.1. Keeping personal data for the period stipulated in the legislation or for the period required for the purpose for which they are processed.

We keep personal data for as long as required by the purpose of processing personal data, without prejudice to the storage periods stipulated in the legislation, and within the scope of the Personal Data Retention and Destruction Policy of the Children with Leukemia Health and Education Foundation.

In cases where we process personal data for more than one purpose, the data is deleted, destroyed or anonymized and stored if all the purposes of processing the data disappear or if there is no legal obstacle to the deletion of the data, upon the request of the person concerned. In matters of destruction, deletion or anonymization, the provisions of the legislation and the decisions of the KVK Board are complied with.

9.2. Precautions we take regarding the storage of personal data

9.2.1. Technical Precautions

- Establishes technical infrastructures and related control mechanisms for the deletion, destruction and anonymization of personal data,

- Takes the necessary precautions for the safe storage of personal data,

- Employs employees with technical expertise,

- Creates business continuity and emergency plans against possible risks and develops systems for their implementation, and

- We establish security systems in accordance with technological developments regarding the storage areas of personal data.

9.2.2. Administrative Precautions

- Raising awareness by informing our employees about the technical and administrative risks related to the storage of personal data, and

- In the case of cooperation with third parties for the storage of personal data, we include provisions regarding taking the necessary security measures in order to protect and securely store the transferred personal data in the contracts made with the companies to which the personal data is transferred.

11. DELETING, DESTROYING OR MAKING PERSONAL DATA

Personal data;

- the complete termination of our processing purposes, or

- At the request of the person concerned

deleted, destroyed or anonymized. The aforementioned deletion, destruction and anonymization processes are carried out within the scope of the Personal Data Retention and Disposal Policy of the Children with Leukemia Health and Education Foundation, without prejudice to the provisions of the relevant legislation.

While your personal data is being deleted, destroyed or anonymized, the security measures in this Policy are taken.

Records of the transactions made for the deletion, destruction or anonymization of personal data are kept for at least 3 (three) years, without prejudice to the provisions of other laws and regulations.

LÖSEV chooses the appropriate method of deleting, destroying or anonymizing personal data, unless otherwise specified by the Board.

Without prejudice to the Board decisions and the provisions of the relevant legislation, LÖSEV deletes or destroys personal data according to the method specified by the person concerned.

11. SECURITY OF PERSONAL DATA

11.1. Our obligations regarding the security of personal data

As LÖSEV;

- To prevent the unlawful processing of personal data,

- To prevent unlawful access to personal data, and

- Ensuring that personal data is stored in accordance with the law

We take administrative and technical measures according to technological possibilities and implementation costs.

11.2. Precautions we take to prevent unlawful processing of personal data

- Carries out and has the necessary inspections made within LÖSEV,

- Educating and informing our employees about the legal processing of personal data,

- In cases where cooperation is made with third parties for the purpose of processing personal data, it includes provisions regarding taking the necessary security measures in the contracts made with companies that process personal data, and

- In case of unlawful disclosure of personal data or data leakage, we notify the relevant person and the KVK Board, carry out the investigations stipulated by the legislation in this regard and take the relevant measures.

11.3. Technical and administrative measures taken to prevent unlawful access to personal data

To prevent unlawful access to personal data;

- Employs employees with technical expertise,

- Periodically updating and renewing the technical measures,

- Establishes access authorization procedures within LÖSEV,

- Determines the procedures for reporting the technical measures and audit processes we take,

- Establishes the data recording systems used in LÖSEV in accordance with the legislation and conducts periodic audits,

- Establishing emergency aid plans against possible risks and developing systems for their implementation,

- Educating and informing our employees about access to personal data and authorization,

- In contracts with companies that provide access to personal data, in cases where cooperation is made with third parties for activities such as processing and storage of personal data; It includes provisions regarding the taking of necessary security measures by persons providing access to personal data,

- We establish security systems within the scope of technological developments in order to prevent unlawful access to personal data.

11.4. Measures we take in case of unlawful disclosure of personal data

We take administrative and technical measures to prevent the unlawful disclosure of personal data and update them in accordance with our relevant procedures. If we detect that personal data has been disclosed without authorization, we establish the necessary systems and infrastructures to notify the relevant person and the KVK Board.

In case of an unlawful disclosure despite all the administrative and technical measures taken, this situation may be announced on the website of the KVK Board or by any other method, if deemed necessary by the KVK Board.

12. RIGHTS OF THE RELATED PERSON

Within the scope of our obligation to inform, we inform the relevant person and establish the necessary systems and infrastructures for this information. We make the necessary technical and administrative arrangements for the person concerned to exercise their rights regarding their personal data.

The person concerned has the following rights regarding his personal data:

- Learning whether personal data is processed or not,

- If personal data has been processed, requesting information about it,

- To learn the purpose of processing personal data and whether they are used in accordance with the purpose,

- To know the third parties to whom personal data is transferred in the country or abroad,

- Requesting correction of personal data if it is incomplete or incorrectly processed,

- Requesting the deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear,

- Requesting notification of the above-mentioned correction, deletion or destruction processes to third parties to whom personal data has been transferred,

- Objecting to the emergence of an unfavorable result by analyzing the processed data exclusively through automated systems, and

- To request the compensation of the damage in case of damage due to the unlawful processing of personal data.

12.1. Exercise of rights regarding personal data

İlgili kişi, Without prejudice to other methods determined by the Board, the person concerned can send your claims regarding your personal data and documents confirming your identity (copy of identity card, etc.) to your application by e-mail to our registered e-mail address: losev@losev.org.tror Turgutlu Sokak No: You can send it to 30 Gaziosmanpaşa / ANKARA by mail.

The person concerned must clearly and comprehensibly state the requested issue in the application, which includes explanations regarding the right to be exercised and requested to use the above-mentioned rights.

Although the subject of the request must be related to the person of the applicant, if acting on behalf of someone else, the applicant must be specifically authorized in this regard and this authority must be documented (special power of attorney). In addition, the application must include identity and address information, and documents proving identity must be attached to the application.

Requests made by unauthorized third parties on behalf of someone else will not be considered.

12.2. Evaluation of the application

12.2.1. Application response time

Requests regarding personal data are concluded as soon as possible and in any case within 30 (thirty) days at the latest, free of charge, or against the fee in the tariff in case the conditions in the tariff to be published by the KVK Board regarding the fee are met.

Additional information and documents may be requested during the application or while the application is being evaluated.

12.2.2. Our right to refuse the application

Applications regarding personal data, but not limited to those listed, may be rejected in the following cases:

- Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics,

- Processing personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate the privacy or personal rights of the person concerned, or constitute a crime,

- Processing of personal data made public by the person concerned,

- The application is not based on a just cause,

- The application contains a request contrary to the relevant legislation, and

- Failure to comply with the application procedure.

12.3. Evaluation procedure of the application

12.2.1 of this Policy. In order for the response period specified in the article to start, the applications must be submitted via the Leukemia Children Health and Education Foundation KVK Application Form in written and wet signed form, by hand delivery or sent via a notary public, electronically signed via KEP, or previously notified to the data controller by the data controller and registered in the data controller's system. It must be done using the e-mail address available.

If the request is accepted, the necessary procedures are applied and the applicant is notified in writing or electronically. In case of rejection of the request, the applicant is notified in writing or electronically by explaining the reason.

12.4. Right to complain to the Personal Data Protection Board

In cases where the application is rejected, the answer given is insufficient, or the answer is not given in a timely manner; The applicant has the right to complain to the KVK Board within 30 (thirty) days from the date of learning the answer and in any case within 60 (sixty) days from the date of application.

13. PUBLICATION AND STORAGE OF THE POLICY

This Policy is stored in two different media, printed paper and electronic. The updated versions of the documents are available on the LÖSEV websites.

Wet signed copies and controlled copies are kept in the Legal Department and when necessary, they are destroyed by the Legal Department with the written approval of the Department Manager.

14. UPDATE FREQUENCY

This Policy is reviewed at least once a year without notice and updated as needed. Therefore, it is recommended that you periodically review this Policy.

15. ENFORCEMENT

This Policy is deemed to have entered into force after its publication on the Foundation's websites.

16. REVOCATION

If it is decided to be repealed, the original copies of this Policy with wet signatures are canceled and signed by the Legal Counseling and Information Technologies Coordinatorship with the written approval of the LÖSEV Board of Directors and are kept by the Legal Coordination Coordinatorship for a period of 5 years.