Voila Health Tourism

Voila Health Tourism - Volia Clinic - Dr Furkan Certel
Voila Health Tourism - Volia Clinic - Dr Furkan Certel

Personal Data Protection Law Information Notice

Voila Health Tourism

Personal Data Protection Law (KVKK) Information Notice

1 – Data Controller
As Voila Health Tourism (Voila), we process your personal data under the Personal Data Protection Law No. 6698 (“KVKK”), the Regulation on the Processing and Protection of Personal Health Data, other relevant legislation, and the regulations of the Ministry of Health of the Republic of Turkey and relevant authorities within the scope of this Information Notice.

The corporate identity details of Voila, the “Data Controller,” are as follows:

Headquarters Address: Atatürk Mah. Ertuğrul Gazi Sk. No: 2H / 21 Ataşehir / ISTANBUL
Phone: +90 545 575 57 24
Website: www.voilahealthtourism.com
Email Address: [email protected]

Voila respects the principle of “patient confidentiality” and upholds the privacy and protection of personal data belonging to its patients, potential patients, and their relatives while providing healthcare services. Your personal data is processed under KVKK and all relevant legislation, securely stored, and safeguarded against unauthorized access through administrative and technical measures. This Information Notice explains the nature of personal data collected, methods of collection, legal grounds, purposes of processing, data sharing, and your rights concerning such data.

2 – Method of Collecting Personal Data and Legal Grounds for Processing

Your personal data is collected by Voila, either fully or partially through automated or non-automated means, as part of any data recording system. This collection occurs during communication via our website or social media, during patient registration processes at our clinic through printed forms and surveys, during medical examinations conducted by doctors, during medical tests/examinations, through interactions with our clinic’s doctors and other staff, or via information management systems, communication channels, email, phone, fax, WhatsApp, other online or offline electronic communication platforms, mail/courier services, social media accounts, healthcare institutions, and laboratories with which we collaborate, and their integrated systems. Future methods (channels) may also be included.

The processing of your personal data serves purposes such as protecting public health, providing preventive healthcare, conducting medical diagnosis, treatment, and care services, as well as planning and managing the financing of healthcare services. It is carried out by authorized personnel or institutions bound by confidentiality obligations and in compliance with laws. The processing does not require explicit consent when based on the following legal grounds:

  • Explicit provision in laws,
  • Necessity for establishing or executing a contract,
  • Legitimate interest,
  • Legal obligations,
  • Establishment, exercise, or protection of a legal right,
  • Publicly disclosed personal data,
  • Other conditions outlined in KVKK for processing personal data.

3 – Categories of Processed Personal Data and Processing Purposes

The categories of personal data processed and their purposes include:

Identity Data: Name, surname, nationality, Turkish ID number, passport number (or temporary Turkish ID number for non-citizens), place and date of birth, marital status, gender, and other identity-related information.
Contact Data: Residential address, postal address, mobile number, email address, and other contact details.
Visual and Audio Data: Closed-circuit camera recordings obtained through clinic security cameras, voice recordings from interactions with our call center, and photographs or videos used for medical or cosmetic procedures for promotional, research, verification, or patient persuasion purposes.
Feedback and Complaint Data: Feedback and complaints submitted to our clinic via website, social media, or other channels, based on the individual’s consent.
Location Data: Address or location information voluntarily provided by the individual.
Transaction Security Data (IP Data and Cookies): Includes IP addresses, browser details, and website access/exit information (Mac ID, IP address, etc.).
Financial Data: Bank account and IBAN numbers of employees and patients who receive services from our company.
Health Data: Laboratory and imaging results, blood type, test data, prescription details, and other health records required for medical diagnosis, treatment, and care services.
Vehicle Plate Data: Vehicle plate numbers used for accessing company parking lots or valet services.
Customer Transaction Data: Call center records, invoices, receipts, order information, and requests.
Physical Space Security Data: Entry/exit logs of employees and visitors, and security camera recordings.
These data categories and their processing aim to:

  • Fulfill legal and contractual obligations,
  • Provide medical or cosmetic healthcare services,
  • Manage financial and operational healthcare requirements,
  • Ensure public health and deliver preventive and curative healthcare,
  • Fulfill information-sharing obligations with official institutions as required by healthcare regulations,
  • Enhance patient satisfaction through feedback and quality assessments,
  • Execute financial processes, such as billing, and
  • Facilitate healthcare-related arrangements, including travel, accommodation, and reception services for health tourism purposes.

Technical Requirements

Planning and managing internal processes by call centers, patient relations, and hospital management,
Conducting research and analysis by service quality, patient experience, and information technology departments to improve the quality of healthcare services,
Providing training to employees by human resources management and quality departments,
Monitoring and preventing misuse or unauthorized actions by internal audit and information technology units,
Conducting risk management and quality improvement activities by quality and information technology departments,
Taking all necessary technical and administrative measures regarding data security by hospital management and information technology units,
Facilitating necessary communications regarding transportation, accommodation, and hosting services for health tourism by authorized personnel,
Providing participation in campaigns and campaign information; designing and delivering special content, tangible and intangible benefits on the web, mobile channels, and social media by patient relations, marketing, and call center departments,
Conducting training and activities by educational institutions collaborating with the organization.

Personal data obtained and processed in accordance with relevant legislation may be transferred to Voila’s physical archives and/or information systems and stored in both digital and physical environments.

4 – Transfer of Personal Data to Third Parties in Turkey and Abroad

The transfer of your personal data and sensitive personal data to third parties located within and outside the country will be carried out for the following purposes:
Access to your personal data is only permitted for employees within the doctor’s office/facility who have limited authority and need access to perform their duties.
In accordance with Articles 8 and 9 of the Personal Data Protection Law (KVKK), personal data may be processed without explicit consent by individuals or authorized institutions and organizations under confidentiality obligations or legal obligations, in cases where processing is mandatory for legitimate interests, establishment, use, or protection of a right, protection of public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of healthcare services and financing, under the following circumstances and in compliance with relevant legislation:
Within the scope of the Basic Law on Healthcare Services No. 3359, the Decree-Law No. 663 on the Organization and Duties of the Ministry of Health and Its Affiliates, the Personal Data Protection Law No. 6698, the Regulation on the Processing and Privacy of Personal Health Data, and other applicable legislation:
To individuals, companies, or institutions authorized to supply products and/or services for the operation of the doctor’s office/clinic (e.g., social security institutions, certified public accountants and legal advisors, IT and data hosting service providers, appointment scheduling and consultancy platforms),
To family members/close relatives, companions, representatives, legal guardians, and other authorized third parties for the purposes of informing the patient about their health status, accompanying the patient, receiving and delivering the patient’s personal belongings/medications, and completing payment transactions in accordance with medical necessity, court orders, or the approval of the patient/legal heirs under KVKK, the Patient Rights Regulation, and the 

Personal Health Data Regulation,

To our business partners, potential business partners, and their employees (e.g., affiliated laboratories and pharmaceutical warehouses) to ensure the continuity of clinic activities and establish potential collaborations,
With your explicit consent, on our social media accounts,
To banks, affiliated private health or supplementary insurance companies, or contracted institutions and organizations for planning or executing financial and accounting transactions related to healthcare services,
To institutions where patient referrals/transfers are made, other healthcare organizations, physicians, healthcare professionals, and domestic or international laboratories to ensure the accuracy of diagnosis and treatment processes and to obtain consultations,
To legally authorized institutions and private individuals (e.g., the Ministry of Health of the Republic of Turkey, Provincial Health Directorates, other units affiliated with the Ministry of Health, the Social Security Institution of the Republic of Turkey, courts) to fulfill legal obligations and follow up on the clinic’s legal processes,
To our lawyers, consultants, and auditors, as well as our shareholders and legal representatives, with whom we have contractual relationships or collaborations both domestically and abroad.

5 – Duration of Personal Data Processing

Your personal data is stored and disposed of under the Regulation on the Deletion, Destruction, or Anonymization of Personal Data and other relevant legislation, as specified in storage and disposal policies and procedures.
In this context, personal data will be deleted, destroyed, or anonymized when the legal grounds for processing no longer exist, as outlined in Articles 5 and 6 of KVKK. Even after your relationship with our clinic ends, your personal data may continue to be processed during legal limitation periods. Personal data processed based on explicit consent will be destroyed during the first deletion period following the withdrawal of consent.
For requests regarding the destruction of personal data, please refer to Section 6 of this Information Notice.

6 – Your Rights Under KVKK

As a data subject, you have the following rights under Article 11 of KVKK:

To learn whether your personal data has been processed,
To request information about the processing of your personal data,

  • To learn the purposes for which your data is processed and whether it is used for those purposes,
  • To know the third parties in Turkey or abroad to whom your personal data is transferred,
  • To request correction of incomplete or inaccurate data and have such corrections communicated to third parties,
  • To request the deletion or destruction of personal data when legal grounds for its processing no longer exist and have this communicated to third parties,
  • To object to decisions made solely based on automated systems that negatively affect you, and
  • To claim compensation for damages caused by unlawful processing of your personal data.
  • To exercise these rights, you may submit a request containing the necessary identification information and details of the right you wish to exercise. Requests can be sent via a notary to Atatürk Mah. Ertuğrul Gazi Sok. 2H/21 Ataşehir/ISTANBUL, delivered in person along with identifying documents, or sent via secure electronic signature to [email protected].

7 – Cases Where Personal Data May Be Processed Without Explicit Consent

Under Article 5 of KVKK and Article 7 of the Regulation, personal data may be processed without explicit consent in the following cases:
Where explicitly provided by law,
When it is necessary to protect the life or physical integrity of the data subject or another person, and the data subject is unable to provide consent due to actual impossibility or legal invalidity,
When processing is necessary for the execution or establishment of a contract to which the data subject is a party,
When processing is required to fulfill legal obligations,
When the personal data has been made public by the data subject,
When processing is necessary to establish, exercise, or protect a legal right, or
When processing is necessary for public health, preventive medicine, medical diagnosis, treatment, and care services, and the management of healthcare services and financing.
Personal health data may be processed and transferred without explicit consent by authorized individuals or institutions bound by confidentiality obligations for purposes such as protecting public health, preventive healthcare, medical diagnosis, treatment, and care services, and planning and managing healthcare financing.