
Privacy & Data Protection KVKK

 

 

BONA VIVA INTERNATIONAL HEALTH TOURISM CONSULTANCY CONSTRUCTION AND TRADE LIMITED COMPANY

 

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

1. INTRODUCTION

 

As Bona Viva International Health Tourism Consultancy Construction and Trade Limited Company (“Company” or “Bona Viva”), we consider the protection of personal data within the scope of safeguarding fundamental rights and freedoms and attach utmost importance to this matter. We operate in line with the Law on the Protection of Personal Data No. 6698 (“Law” or “LPPD/KVKK”), relevant regulations, guidelines and decisions of the Board.

 

The purpose of this Policy is to ensure that personal data obtained, processed, transferred and stored within the scope of our Company’s activities are processed and protected in compliance with the law, to inform data subjects and to establish the principle of transparency.

 

2. SCOPE AND FIELD OF APPLICATION

 

This Policy applies to all personal data, excluding employees’ data, that are processed by Bona Viva through automatic means or non-automatic means provided that they form part of a data recording system.

The categories of data subjects within the scope are as follows:

  • Customers and potential customers

  • Website visitors

  • Individuals receiving health tourism services

  • Individuals interacting with service providers

  • Representatives of suppliers, intermediaries and business partners

  • Visitors and applicants

 

3. DEFINITIONS

 

Certain concepts used in this Policy are defined below:

  • Personal Data: Any information relating to an identified or identifiable natural person.

  • Special Categories of Personal Data: Sensitive data listed under Article 6 of the LPPD, such as race, ethnic origin, political opinion, health information, sexual life, biometric/genetic data.

  • Data Subject: The natural person whose personal data are processed.

  • Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system (Bona Viva within the scope of this Policy).

  • Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

  • Authority: The Personal Data Protection Authority.

  • LPPD / KVKK: The Law on the Protection of Personal Data No. 6698.

 

4. DATA CONTROLLER AND REPRESENTATIVE

 

Bona Viva is the data controller within the scope of this Policy.

Data subjects may submit their requests for exercising their rights through the following channels:

Our Company will conclude the applications made pursuant to Article 13 of the LPPD within 30 days at the latest, depending on the nature of the request.

The Data Controller Representative will be notified separately in the event that the VERBIS registration obligation arises.

 

5. PRINCIPLES ADOPTED IN THE PROCESSING OF PERSONAL DATA

 

Bona Viva fully complies with the fundamental principles set forth in Article 4 of the LPPD when processing personal data:

  • Lawfulness and fairness:
    Personal data are processed in a way that does not harm the fundamental rights and freedoms of the data subject.

  • Accuracy and being up to date when necessary:
    Efforts are made to ensure that the data obtained are accurate and kept up to date when necessary.

  • Processing for specific, explicit and legitimate purposes:
    The purposes of processing are determined in advance, notified to the data subjects and clearly defined.

  • Being relevant, limited and proportionate to the purpose:
    Unnecessary, excessive or irrelevant data are not collected. Each data item is used only to the extent required for the relevant processing purpose.

  • Retention for the period prescribed by relevant legislation or required for the purpose of processing:
    Upon expiry of the relevant period, data are deleted, destroyed or anonymized in line with the destruction policy.

 

6. CONDITIONS FOR PROCESSING PERSONAL DATA

 

In accordance with Articles 5 and 6 of the LPPD, personal data may be processed without the explicit consent of the data subject if at least one of the following conditions is present:

  • It is clearly prescribed by law

  • It is mandatory for the protection of life or physical integrity of the person who is unable to express consent due to actual impossibility or whose consent is not deemed legally valid, or of another person

  • It is directly related to the conclusion or performance of a contract

  • It is necessary for the data controller to fulfil its legal obligation

  • The data have been made public by the data subject

  • It is mandatory for the establishment, exercise or protection of a right

  • It is mandatory for the legitimate interests of our Company, provided that the fundamental rights and freedoms of the data subject are not harmed

Apart from the above conditions, personal data cannot be processed without obtaining explicit consent.

 

7. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

 

Pursuant to Article 6 of the LPPD, special categories of personal data are subject to stricter rules. Health data fall within this scope.

As a rule, such data cannot be processed without the explicit consent of the data subject. However, they may be processed without consent in the following cases:

  • Health and sexual life data, for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services or the planning and management of health services and their financing, by persons under a confidentiality obligation

  • In cases of actual impossibility (vital situations)

  • When it is mandatory for the establishment, exercise or protection of a right

Additional technical and administrative measures determined by the Personal Data Protection Authority are implemented for the protection of such data.

 

8. CATEGORIES OF PERSONAL DATA

 

The personal data that may be processed by Bona Viva are categorized as follows:

| Category | Description |
| --- | --- |
| Identity Information | Name, surname, passport/ID details, date of birth, nationality, etc. |
| Contact Information | Phone, e-mail, address, communication preferences |
| Health Data | Health reports, diagnosis, treatment plan, medical history (special data) |
| Travel Information | Flight, accommodation, transfer details |
| Financial Information | IBAN, payment receipts, invoice details |
| Visual / Audio Data | Photos, video recordings, meeting (e.g. Zoom) recordings where necessary |
| Request / Complaint Data | Content in customer forms and correspondence |
| Web Usage Data | IP address, cookies, user behaviour |
| Transaction Security Data | Log records, encrypted access data |
| Visitor Information | Name-surname and entry/exit times in case of physical office visits |

These data are processed solely for clear, legitimate and limited purposes.

 

9. PURPOSES OF PROCESSING PERSONAL DATA

 

Bona Viva processes personal data in accordance with Article 4 of the LPPD for specific, explicit and legitimate purposes, including but not limited to:

  • Planning health tourism activities

  • Coordination with relevant clinics and hospitals

  • Provision of travel and accommodation services

  • Planning of translation and companion services

  • Execution of insurance procedures

  • Monitoring of website usage and performance

  • Responding to requests and complaints

  • Establishment and performance of contracts

  • Fulfilment of legal obligations

  • Conducting internal audits, business continuity and security processes

  • Exercising the right of defence when necessary

  • Conducting personalized promotions, campaigns, notifications and advertising activities, and creating digital marketing strategies in this context

Data are not used for purposes other than those stated.

 

10. METHODS OF COLLECTING PERSONAL DATA AND LEGAL GROUNDS

 

Personal data may be collected through the following methods:

  • Website contact forms

  • Communication channels such as e-mail, telephone, WhatsApp

  • Reservation forms

  • Documents obtained before the provision of health services

  • Face-to-face meetings with customers

  • Cookies and web analytics tools

  • Contracts and forms

Legal grounds for the collection of data include:

  • Explicit consent pursuant to Articles 5 and 6 of the LPPD

  • Conclusion and performance of a contract

  • Fulfilment of legal obligations

  • Legitimate interests

  • Information made public by the data subject

  • Public health and treatment processes

 

11. TRANSFER OF PERSONAL DATA

 

11.1 Transfer within Türkiye

 

Bona Viva may transfer personal data to third parties located within Türkiye if at least one of the following legal grounds exists:

  • Explicit consent is obtained

  • Clearly prescribed by law

  • Directly related to the conclusion or performance of a contract

  • Necessary for the Company to fulfil its legal obligations

  • Necessary for the establishment, exercise or protection of a right

  • Existence of a legitimate interest (provided that fundamental rights and freedoms are not harmed)

Parties to whom personal data may be transferred include:

  • Clinics and hospitals contracted with the Company

  • Interpreters and companion service providers

  • Hotels and accommodation facilities

  • Transfer and transportation companies

  • Insurance companies

  • Overseas representatives, agencies and health tourism partners working within the scope of overseas patient referrals and operations

  • Consultancy firms involved in the Company’s strategic, financial, legal and administrative processes (legal, incentives, LPPD, financial and strategic consultants)

  • Digital marketing agencies, social media management and content providers

  • Software and IT service providers (CRM, hosting, reservation infrastructure)

  • Certified public accountants and accounting offices

  • Law firms

  • Competent public authorities and institutions in case of request or legal obligation

  • Company shareholders and members of the board of directors within the scope of their legal rights and obligations

  • Notaries, cargo companies and physical archive service providers

  • Hotel reservation platforms and airline ticketing systems where integrated services are provided

 

The transferred data are shared only to the extent necessary for the transfer purpose and with all required technical and administrative security measures in place.

 

11.2 Transfer Abroad

 

Within the scope of our Company’s activities, personal data may, in the future, be transferred to overseas representatives, agencies or health tourism partners in the framework of cooperation.

Such transfer will only be carried out:

  • With the explicit consent of the data subject,

  • To countries with an adequate level of protection as announced by the Personal Data Protection Authority, or

  • Where adequate protection is not available, based on undertakings or standard contracts approved by the Authority.

Personal data to be transferred abroad are shared solely for the performance of the service that necessitates such transfer and in a limited manner, in compliance with Article 9 of the LPPD and the decisions of the Authority.

 

12. RETENTION AND DESTRUCTION OF PERSONAL DATA

 

Bona Viva retains personal data only for the period necessary to achieve the relevant purposes and limited to the maximum periods set out in applicable legislation.

 

When determining retention periods:

  • It is verified whether a specific period is stipulated in the relevant legislation

  • If no period is stipulated, a period required for the purpose of processing is determined

  • Upon expiry of the period, data are destroyed

 

Methods of destruction:

  • Deletion: Making data inaccessible and non-reusable

  • Destruction: Physically destroying the data

  • Anonymization: Rendering the data incapable of identifying an individual

 

These processes are carried out within the framework of a separate “Personal Data Retention and Destruction Policy” to be prepared by Bona Viva.

 

13. MEASURES FOR DATA SECURITY

Bona Viva takes all necessary administrative and technical measures to ensure data security in accordance with Article 12 of the LPPD.

Technical Measures:

  • Access controls and password security

  • Firewalls and antivirus systems

  • Prevention of unauthorized access

  • Backup systems

  • Log and record systems

 

Administrative Measures:

  • Defining authorized personnel

  • Staff trainings

  • Confidentiality agreements

  • Internal audit and monitoring systems

  • Data protection agreements with subcontractors

In the event of data breaches, the notification obligation to the Authority is also fulfilled.

 

14. RIGHTS OF DATA SUBJECTS

Pursuant to Article 11 of the LPPD, personal data subjects may apply to Bona Viva and exercise the following rights:

  • To learn whether their personal data are processed

  • To request information if their personal data have been processed

  • To learn the purpose of processing and whether they are used in line with such purpose

  • To know the third parties to whom personal data are transferred within or outside Türkiye

  • To request correction if personal data are incomplete or incorrectly processed

  • To request deletion or destruction of personal data if the reasons for processing no longer exist

  • To request notification of the above-mentioned correction and deletion/destruction to third parties to whom data have been transferred

  • To object to any result that is to the detriment of the data subject through analysis by exclusively automated systems

  • To claim compensation for damages in case of unlawful processing of personal data

 

15. APPLICATION PROCEDURE AND RESPONSE TIME

 

Data subjects may apply to Bona Viva in order to exercise their rights.

Application channels:

  • Via info@bonavivahealth.com

  • Through the “Data Subject Application Form” to be made available on the website

  • In writing, in person or via notary

Response time:

  • Applications are concluded within 30 days at the latest

  • Applications are, as a rule, free of charge

However, if an additional cost arises, a fee may be charged according to the tariff determined by the Personal Data Protection Authority.

 

16. PUBLICATION, UPDATE AND ENTRY INTO FORCE OF THE POLICY

 

This Policy has been prepared in accordance with the Law on the Protection of Personal Data No. 6698, relevant regulations and the decisions and guidelines issued by the Personal Data Protection Authority.

This Policy constitutes the main framework of all personal data processing activities of the Company, and separate procedures and policy documents may be prepared for special cases.

Bona Viva may update the provisions of this Policy in line with changes in legal regulations, practices of the Authority and the needs arising from its activities. Updated texts will be published on the website and announced to the public.

The effective date of this Policy is 01.08.2025, and when necessary, new versions entering into force will be published with their respective dates.

 

ANNEXES

 

ANNEX–1: Categories of Processed Personal Data

 

| Category | Description |
| --- | --- |
| Identity Information | Name, surname, date of birth, passport and ID information |
| Contact Information | Phone number, e-mail, address |
| Health Data | Diagnosis, treatment history, medical reports (special data) |
| Financial Information | IBAN, payment details, invoice content |
| Visual/Audio Data | Photographs, document scans, meeting recordings where needed |
| Web Usage Data | IP, cookies, visit duration, page views, etc. |
| Request/Complaint Data | Form content, e-mails, feedback texts |
| Location Data | Location information (for optional services) |
| Visitor Information | Office entry-exit information |
| Transaction Security Data | Log records, access times |

 

ANNEX–2: Purposes of Processing Personal Data

  • Provision of services related to health tourism

  • Coordination with domestic health institutions

  • Organization of travel services such as accommodation, transfers and flights

  • Management of customer relations and satisfaction processes

  • Follow-up of insurance procedures

  • Execution of information, contract and reservation processes

  • Fulfilment of obligations arising from legislation

  • Evaluation of requests and complaints

  • Ensuring the functionality of the website

  • Establishment of the right of defence

 

ANNEX–3: Third Parties to Whom Personal Data Are Transferred

| Recipient Party | Purpose of Transfer |
| --- | --- |
| Clinics and Hospitals | Planning of health services, treatment coordination |
| Interpreting and Companion Service Providers | Communication support and patient accompaniment |
| Hotels and Accommodation Facilities | Making customer reservations |
| Transportation and Transfer Companies | Organization of flights, land transport and airport transfers |
| Insurance Companies | Issuance of health or travel insurance |
| Overseas Agencies and Health Tourism Partners | Patient referrals, service coordination, representation relations |
| Consultancy Firms (legal, incentives, LPPD, marketing, strategy, etc.) | Conduct of internal Company processes, marketing activities, monitoring of state incentives, compliance with legislation and project development |
| Digital Marketing Agencies and Social Media Management Firms | Conduct of advertising, targeting, CRM management and content production |
| Software and IT Service Providers (CRM, hosting, communication infrastructure, etc.) | Technical infrastructure support, reservation systems, data hosting, communication services |
| Independent Certified Public Accountants and Accounting Offices | Financial transactions, issuance of invoices, tax and social security procedures |
| Law Firms | Dispute resolution, litigation, fulfilment of legal obligations |
| Competent Public Authorities and Institutions | In case of request or legal obligation (e.g. Ministries, courts, law enforcement) |
| Company Shareholders and Board Members | Company management, strategic decision-making processes, audit and reporting |
| Notaries, cargo and archiving companies | Sending official documents, physical data storage or transfer |
| Hotel Reservation Platforms and Airline Ticketing Systems | Providing integrated travel planning and reservation services |
| Digital advertising service providers (Google, Meta, etc.) | Conduct of promotion and advertising processes based on explicit consent |
