GDPR Policy

TESA MEDİKAL SAĞLIK HİZMETLERİ SAN. TİC. LTD. ŞTİ. places the utmost importance on the protection and processing of personal data, particularly the right to privacy as set forth in Article 20 of the Turkish Constitution. In this context, the Company is committed to ensuring that all personal data is handled and safeguarded in full compliance with applicable laws and regulations, and conducts all planning and operations with this principle at its core.

Our Company does not consider the protection and processing of personal data—an essential component of the right to privacy—as merely a legal obligation, but as a reflection of the value it places on individuals. Guided by this awareness, we take all necessary administrative and technical measures to ensure the secure storage of personal data and to prevent any unlawful processing or access.

a. Data Controller

Pursuant to the Law No. 6698 on the Protection of Personal Data (“Law”), your personal data is collected and processed by TESA MEDİKAL SAĞLIK HİZMETLERİ SAN. TİC. LTD. ŞTİ. (“Company”) acting as the data controller, within the scope and purposes described below.

b. Method and Legal Basis for Collecting Personal Data

Your personal data may be collected, in whole or in part, through automated or non-automated means; via verbal, written, or electronic channels including but not limited to documents submitted to our Company, job application forms, customer information forms, mail and emails, call center interactions, our corporate website, social media platforms, corporate communication tools and devices, company IT systems and equipment, security cameras, and through third parties such as group companies we serve or receive services from, business partners, product/service providers, staffing companies, and online recruitment platforms. Such data is retained for the duration required for the intended purposes.

Your personal data is processed based on your explicit consent. However, in accordance with Article 5(2) of the Law, your data may also be processed without explicit consent if one of the following legal grounds applies: (i) it is expressly stipulated by law; (ii) the personal data has been made public by the data subject; (iii) it is necessary for the protection of the life or physical integrity of the data subject or another person where the data subject is unable to give consent due to actual impossibility; (iv) it is necessary for the performance or execution of a contract to which the data subject is a party; (v) it is required for the Company to fulfill its legal obligations; (vi) it is necessary for the establishment, exercise, or protection of a right; or (vii) provided that it does not harm the fundamental rights and freedoms of the data subject, it is necessary for the legitimate interests of the Company.

c. Purposes of Processing Personal Data

Your personal data may be processed, without requiring explicit consent, if any of the conditions set forth in Article 5(2) of the Law apply. These purposes include: fulfilling legal and professional obligations explicitly required by applicable laws; accurately planning and executing our commercial relations, partnerships, and corporate strategies; ensuring the legal, commercial, and physical security of our Company and its business partners; maintaining the corporate operations of our Company; effectively planning and implementing our human resources policies; ensuring the functionality and security of our IT systems, including the creation of necessary databases; improving the services provided on our Company website and resolving any errors; registering and tracking visitors; and managing requests and complaints.

If you provide your explicit consent, your personal data may also be processed for the following purposes: enabling you to benefit from our products and services in the most effective way (including statistical evaluations, analysis, profiling, and preference reporting); keeping you informed through promotional, marketing, announcement, and informational communications; planning, developing, and executing corporate communication activities; and analyzing your financial profile.

ç. Recipients and Purpose of Personal Data Transfers

If one of the conditions specified in Article 5(2) of the Law is met, your personal data may be transferred—solely for the purposes outlined in paragraph 1 of section (c)—to our group companies, affiliates, business partners, and service providers (in areas such as security, healthcare, occupational safety, legal services, etc.) with whom we collaborate to fulfill our contractual or legal obligations, as well as to authorized public institutions and organizations. Such transfers shall be carried out in compliance with the conditions set forth in Articles 8 and 9 of the Law, and with appropriate security measures in place.

If you provide your explicit consent, your personal data may be transferred—limited to the purposes specified in paragraph 2 of section (c) of this document—to our group companies, affiliates, and business partners.

d. Rights of the Data Subject Under Article 11 of the Law

In accordance with Article 10 of the Law, our Company informs you of your rights as a data subject, provides guidance on how to exercise them, and has established the necessary internal procedures as well as administrative and technical measures to support this process. Pursuant to Article 11 of the Law, you have the following rights regarding your personal data: (a) to learn whether your personal data is being processed, (b) to request information if your personal data has been processed, (c) to learn the purpose of the processing and whether your data is being used in accordance with that purpose, (ç) to know the third parties, whether domestic or abroad, to whom your personal data has been transferred, (d) to request the correction of your personal data if it has been processed incompletely or inaccurately, (e) to request the deletion or destruction of your personal data within the scope of the conditions set forth in Article 7 of the Law, (f) to request that the actions taken under subparagraphs (d) and (e) be notified to third parties to whom your data has been transferred, (g) to object to the occurrence of a result against you by means of the exclusive analysis of your personal data through automated systems, (ğ) to demand compensation if you suffer damage due to the unlawful processing of your personal data.

You may submit your requests and applications regarding the implementation of the Law by completing the Personal Data Protection Law Data Subject Application Form and delivering it in person or via notary to the following address: “Başkent OSB Atatürk Bulvarı No: 19 Maliköy, Sincan / Ankara”.

Your request or application must include the following information:

• Full name and signature (if submitted in writing),
• For Turkish citizens: Turkish ID number; for foreign nationals: nationality, passport number, or if available, another identification number,
• Residential or business address for official notifications,
• If available, e-mail address, phone number, and fax number for notification,
• Subject and details of the request.

Relevant information and supporting documents related to the request must be attached to the application.

Our Company will evaluate and respond to your request as soon as possible and within a maximum of thirty (30) days, free of charge, depending on the nature of the request. However, if the processing of the request incurs a cost, a fee may be charged in accordance with the tariff set by the Personal Data Protection Board.

Our Company may either accept the request or reject it by providing a justified explanation, and will notify the data subject in writing or electronically. If the request is accepted, the Company will take the necessary actions without delay and inform the data subject. If the request results from an error on the part of the Company, any fee collected will be refunded.

If the request is rejected, the response is deemed insufficient, or no response is provided within the timeframe, the data subject has the right to file a complaint with the Board within thirty (30) days of learning the response, and in any case, within sixty (60) days from the date of application.

For more detailed information, please refer to our Company’s “Personal Data Protection and Processing Policy.”