Protecting the privacy of those who visit the website www.griklinik.com, operated by Lorien Clinic Dental Health Services Limited Company 'Lorien', is one of our priorities.

In this Disclosure Text, the principles regarding the processing of your personal data by the data controller, Lorien, located at Sahrayıcedit Mah. Atatürk Cad. No:7 D Kadıköy/Istanbul, in accordance with the Personal Data Protection Law No. 6698 (‘KVKK’) and the relevant legislation, are outlined below.

1. Purpose of Personal Data Processing

The personal data shared by you will be processed in accordance with the principles of legality and fairness, as well as being accurate and, where necessary, up to date, in accordance with Article 4 of the KVKK. These data are processed through verbal, written, visual, or electronic means via the internet, mobile applications, physical spaces, and similar channels for specific, explicit, and legitimate purposes. The processing activities are carried out in a manner that is linked, limited, and proportional to the relevant purpose. In addition, these data will be stored for the duration required by the legislation or for the period specified in this disclosure and information text, as determined by our organization.

Our fundamental principle is that personal data will not be processed without the explicit consent of the data subject. Your Personal Data Processed Based on Your Explicit Consent and the Purposes of Processing include the following personal data, including your health data and sensitive personal data, which may be processed by Lorien in a manner that is connected, limited, and proportionate to the purposes specified in this section:

• Your Identity Information includes your first name, last name, Turkish ID number, passport number or temporary Turkish ID number, place and date of birth, marital status, gender, insurance or patient protocol number, and other identity data that can be used to identify you;
• Your Contact Information includes your address, phone number, email address, and other communication data, navigation information obtained during the use of our website and mobile application, IP address, browser information, medical documents you provided with your consent, surveys, form data, and location data.
• Your Accounting Information includes your bank account number, IBAN number, credit card information, billing information, financial data such as your private health insurance information for the financing and planning of healthcare services, and Social Security Institution data; security-related camera recordings of your images.
• Your Health Information includes your laboratory results, test results, examination data, appointments, check-ups, prescriptions, diagnosis and treatment information, as well as data related to any surgical interventions and medical procedures under observation, including but not limited to any personal data related to health and sexual life obtained during or as a result of the provision of medical diagnosis, treatment, and care services, and any related personal data.

Any personal data obtained by Lorien may be processed for the purposes stated above;

• Verifying your identity, protecting public health, preventive healthcare, the provision of medical diagnosis, treatment, and care services, and the planning and management of healthcare and its financing,
• The planning and management of the internal operations of our clinic and affiliated hospitals and medical centers, monitoring your health condition, tracking your recovery process, evaluating the success of the performed procedure, providing healthcare services more efficiently and quickly, analyzing your use of healthcare services for the improvement and enhancement of the services we provide, storing your health data, medication provision, and notifying you regarding your appointment if you schedule one,
• Carrying out risk management and quality improvement activities, making assessments for the development of healthcare services, conducting research, fulfilling legal and regulatory requirements, and billing for our healthcare services,
• Sharing requested information with the Ministry of Health and relevant public institutions and organizations in accordance with the applicable legislation, responding to any inquiries and complaints regarding our healthcare services, ensuring that all necessary technical and administrative measures are taken within the scope of data security for the systems and applications of our clinic, providing the required information to regulatory and supervisory authorities and official bodies in accordance with their requests and inspections, training and development of our employees, monitoring, preventing, and reversing fraudulent and unauthorized activities,
• Storing information related to your health data that is required to be retained by applicable legislation, ensuring financial reconciliation for the healthcare services provided to you in cooperation with the institutions we are affiliated with, measuring patient satisfaction, and without limitation, the execution and development of medical diagnosis, treatment, and care services, planning and management of healthcare services and their financing, increasing patient satisfaction, research, and similar purposes.

However, in the presence of at least one of the following circumstances, it is possible for your personal data to be processed even without your explicit consent:

• Explicitly foreseen by the laws,
• It is necessary for the protection of the life or physical integrity of the person or another, when the person is unable to express their consent due to physical impossibility or when their consent is not legally valid.
• It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
• It is necessary for the data controller to fulfill their legal obligations.

It has been made public by the data subject themselves,

• It is necessary to process data for the establishment, exercise, or protection of a right,
• Where processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
• Your personal data related to health and sexual life may be processed by Lorien without your explicit consent, but only for the purposes of protecting public health, preventive healthcare, providing medical diagnosis, treatment, and care services, and planning and managing healthcare services and their financing. The regulations and measures related to the confidentiality obligation specified in the legislation will be strictly adhered to by us.

2. Places to Which Personal Data Is Transferred and the Purpose of Transfer

Your personal data related to our services may be transferred by Lorien to necessary institutions and individuals for the purpose of ensuring the execution of relevant processes and providing the necessary work to benefit those individuals from the services offered by Lorien, as well as for planning and executing Lorien's commercial or scientific strategies, ensuring the legal, technical, and commercial security of those in business relations with Lorien, and in accordance with the provisions of Law No. 3359 on Basic Health Services, the Personal Data Protection Law (KVKK), the Regulation on the Processing of Personal Health Data and the Protection of Privacy, Ministry of Health regulations, and other relevant legislation; including but not limited to, private insurance companies, the Ministry of Health and its affiliated units, the Social Security Institution, the General Directorate of Security and other law enforcement agencies, the General Directorate of Population, the Turkish Dental Association, the Turkish Pharmacists' Association, courts, and all judicial authorities, central and other third parties, authorized representatives, lawyers, tax and financial consultants, auditors, third-party consultants we cooperate with, regulatory and supervisory authorities, official authorities, as well as business partners and other third parties we cooperate with to develop or provide healthcare services for the purposes stated above. Your data may be transferred to third parties in Turkey as well as abroad in accordance with the conditions and purposes set out in Articles 8 and 9 of the KVKK.

3. Method of Collection of Personal Data and Legal Basis

Your personal data is collected automatically by Lorien through technical communication files, such as cookies, due to your visit to our website, and through the forms you have filled out for the purposes outlined in this Privacy Notice. For detailed information about cookies, please refer to the Cookie Privacy Notice. Personal data collected other than cookies is obtained through non-automatic means via the forms available on the website that you fill out.

Your personal data is collected and processed in any form, whether verbal, written, visual, or electronic, for the purposes mentioned above, to provide healthcare services within the established legal framework, and to enable Lorien to fully and properly fulfill its contractual and legal obligations. The legal reasons for the collection of your personal data are as follows;

• KVKK,
• Law No. 3359 on Basic Health Services,
• Law No. 3224 on the Turkish Dental Association,
• Decree Law No. 663 on the Organization and Duties of the Ministry of Health and Its Affiliated Institutions,
• Regulation on the Processing and Protection of the Privacy of Personal Health Data,
• Regulations of the Ministry of Health and other relevant legislative provisions.

As also stated in Article 6, paragraph 3 of the Law on the Protection of Personal Data (KVKK), personal data relating to health and sexual life may be processed without the explicit consent of the data subject, provided that it is carried out by persons or authorized institutions and organizations under a confidentiality obligation, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, as well as the planning and management of healthcare services and their financing.

4. Ways to Apply to the Data Controller and Your Rights

• According to Article 11 of the Law on the Protection of Personal Data (KVKK), the rights of the "data subject" are as follows:

• To learn whether your personal data is being processed,
• To request information if your personal data has been processed,
• To learn the purpose of processing your personal data and whether it is used in accordance with that purpose,
• To know the third parties to whom personal data is transferred, whether domestically or abroad,
• To request the correction of your personal data if it has been processed incompletely or inaccurately,
• To request the deletion or destruction of your personal data,
• To request that the actions regarding the correction, deletion, or destruction of personal data be notified to third parties to whom the data has been transferred,
• To object to a result arising against you through the exclusive analysis of processed data by automated systems,
• To request compensation if you suffer damage due to the unlawful processing of your personal data.

• Data Security and Methods for the Data Subject to Seek Legal Remedies:

Your personal data is carefully protected within the scope of technical and administrative means, and necessary security measures are taken at an appropriate level against potential risks, taking into account technological capabilities.

The Data Subject may submit their requests regarding the rights mentioned above and specified in Article 11 of the Law on the Protection of Personal Data (KVKK) by filling out the application form available at www.griklinik.com or physically obtainable from the clinic, providing clear and complete information along with documents verifying their identity. They can deliver a wet-signed copy in person or via a notary to the address Sahrayıcedit Mah. Atatürk Cad. No:7 D Kadıköy/Istanbul, send it to the Lorien communication address via email at info@griklinik.com, or submit it by filling out and signing the Application Form through other methods determined by the Personal Data Protection Board, free of charge.

Lorien will conclude the Data Subject’s application within 30 days, either accepting the request or rejecting it by providing a justified reason, and will notify the Data Subject of its response in writing or electronically.

In accordance with Article 14 of the Law on the Protection of Personal Data (KVKK), if the application is rejected, if the response is found insufficient, or if no response is provided within the required time, the Data Subject may file a complaint with the Personal Data Protection Authority within thirty days from the date they learn of Lorien’s response, and in any case, within sixty days from the date of the application.