PATIENT PERSONAL DATA PROTECTION PROCEDURE ACCORDING TO THE LAW ON THE PROTECTION OF PERSONAL DATA
Doc. Code: HE.PR.02
Publication Date: 06.12.2023
Rev. No/Date: 00
1 - PURPOSE: To ensure the protection of patients' personal data and special categories of personal data during the provision of healthcare services.
2 - SCOPE: This procedure covers all patients who apply to our hospital or receive treatment in the hospital.
3 - ABBREVIATIONS:
4 - DEFINITIONS:
4.1 Data Subject: The natural person whose personal data is processed.
4.2 Personal Data: Any information relating to an identified or identifiable natural person.
4.3 Special Categories of Personal Data: Health information, sexual life, trade union or foundation membership, and biometric or genetic data.
4.4 Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
5 - RESPONSIBILITY: All hospital staff are responsible.
6 - ACTIVITY FLOW:
6.1 Data security must be preserved when storing and sharing patients' personal data within the institution. The patient may explicitly request secure storage of their personal data.
6.2 Special categories of patients' personal data may not be shared within the institution between individuals or departments for purposes other than their intended use.
6.3 During consultations or examinations with physicians, nurses, and healthcare staff, communication must be conducted so that personal data cannot be learned by unauthorized persons.
6.4 Patients' personal data may not be stored on personal phones, computers, or similar electronic devices belonging to staff. Personal data may not be shared or disclosed via personal phones, computers, external email addresses, or social media accounts.
6.5 Unless the patient gives explicit consent, personal data must not be shared with the patient's relatives. Where a legal obligation requires sharing without the patient's explicit consent, data may be shared only with the permission of the department head.
6.6 Care must be taken to protect patients' personal data during information exchange between healthcare staff.
6.7 Printed forms, files, folders, and notebooks containing personal data must not be left openly accessible. They must be stored so that only the relevant personnel can access them.
6.8 Counters, desks, and areas where patient registration or form-filling takes place must be arranged so that patient information cannot be seen or heard by others.
6.9 All staff using automation systems, software, portals, and websites must have their own authorized access credentials, approved by their unit manager, and must not share them with others.
6.10 Patients' personal data may not be taken outside the institution except where a legal obligation requires it.
6.11 If a breach of patients' personal data occurs, the institution will initiate legal proceedings.
7 - RELATED DOCUMENTS