Personal Data Processing and Protection Policy




PURPOSE AND SCOPE



Ezwell Seyahat Acenteliği ve Sağlık Turizmi Limited Şirketi, located at Mansuroğlu Mah. Ankara Cad. No:81, İç Kapı No:67, Bayraklı-İZMİR (hereinafter referred to as the "Company"), places great importance on the protection of personal data belonging to all natural persons with whom we come into contact in any manner while conducting our activities. In doing so, we are committed to complying with the requirements set forth in the Law on the Protection of Personal Data No. 6698 (“KVKK”), which regulates this as a constitutional right, as well as the provisions of the European Union General Data Protection Regulation (“GDPR”).




This Personal Data Protection Policy has been prepared to inform you about the processes related to the collection, use, sharing, and storage of personal data by Ezwell Seyahat Acenteliği ve Sağlık Turizmi Limited Şirketi, located at Mansuroğlu Mah. Ankara Cad. No:81, İç Kapı No:67, Bayraklı-İZMİR. During the processing and protection of personal data, the relevant provisions of applicable legislation shall be primarily observed.




In this context, the main purpose of this Personal Data Processing and Protection Policy (the “Policy”) is to set out, using a methodological approach, the principles, measures, duties, and responsibilities adopted by the COMPANY within the framework of personal data protection legislation, and to ensure transparency in the measures we implement to protect personal data.







DEFINITIONS AND ABBREVIATIONS



The following terms used in the implementation of this Policy shall have the meanings set forth below:




Employees: Refers to the employees of the Company.




Contact Person: The individual responsible for monitoring, on a personal basis, the personal data processing activities within the Company and the implementation of the data protection policies and procedures.




Personal Data: Refers to any information relating to an identified or identifiable natural person.

Examples include: name, surname, address, phone number, date of birth, place of birth, eye color, Turkish ID number.




Data Subject: The natural person whose personal data is processed.

Examples include: employee, visitor, customer, patient, or other concerned individuals.




Processing of Personal Data: Refers to any operation performed on personal data, whether wholly or partly by automated means or by non-automated means provided that it is part of a data recording system.

Examples include: collection, recording, storage, alteration, transfer.




KVKK: Refers to the Law on the Protection of Personal Data No. 6698.




GDPR: Refers to the General Data Protection Regulation of the European Union.







PRINCIPLES OF PERSONAL DATA PROCESSING



Our Company processes personal data in accordance with the procedures and principles set forth in the Law on the Protection of Personal Data (KVKK) and other applicable laws.




The following principles are observed in the processing of personal data:




Lawfulness and fairness:
Our Company processes personal data in compliance with legal regulations, laws, and principles of honesty and integrity. Data subjects are duly informed.




Accuracy and, where necessary, keeping data up to date:
Our Company takes necessary measures to ensure that the personal data it processes is accurate and, when needed, kept up to date.




Processing for specific, explicit, and legitimate purposes:
Our Company clearly and definitively identifies the lawful and legitimate purposes for processing personal data. It processes personal data only to the extent necessary and relevant to the services it provides.




Relevance, limitation, and proportionality to the purpose of processing:
Our Company processes personal data only to fulfill the specified purposes within the scope of its services. It avoids collecting, processing, or storing data that is not necessary for the intended purpose.




Retention for the period stipulated in relevant legislation or required for the purpose of processing:
Our Company retains personal data in accordance with applicable legal regulations. Upon expiration of the retention period, personal data is deleted, anonymized, or destroyed.




CONDITIONS FOR PROCESSING PERSONAL DATA




Our Company processes personal data in accordance with the provisions of Law No. 6698 on the Protection of Personal Data (KVKK), adhering to the following conditions:




As a general rule, personal data cannot be processed without the explicit consent of the data subject.

Personal data may only be processed with the explicit consent of the data subject. In this regard, patients are informed and their explicit consent, based on free will, is obtained.




However, in the presence of one of the conditions listed below, personal data may be processed without the explicit consent of the data subject:




If it is expressly permitted by law,
If it is necessary for the protection of the life or physical integrity of the person or of another person, who is unable to express their consent due to actual impossibility or whose consent is not legally valid,

If it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract,
If it is necessary for the data controller to fulfill their legal obligations,

If the personal data has been made public by the data subject,
If it is necessary for the establishment, exercise, or protection of a right,
If it is necessary for the legitimate interests of the data controller, provided that this does not violate the fundamental rights and freedoms of the data subject.
If the processing relates to foundations, associations, and other non-profit organizations or entities established for political, philosophical, religious, or union purposes, provided that it complies with the applicable legislation and the purposes of these organizations, is limited to their fields of activity, and is not disclosed to third parties, and that it concerns current or former members and affiliates, or individuals who are in regular contact with these organizations or entities.



METHODS OF COLLECTION AND PROCESSING OF PERSONAL DATA




In accordance with Articles 4, 5, and 6 of the Personal Data Protection Law and Articles 5, 7, 9, and 10 of the Regulation, and based on the Personal Data Processing Inventory—which must include the information listed below—our Company processes personal data belonging to natural persons.




Data category
Purposes and legal grounds for personal data processing
Recipients or recipient groups to whom data is transferred
Groups of data subjects
Maximum retention period of personal data necessary for the purposes for which they are processed
Transfer to foreign countries
Administrative and technical measures taken regarding data security



THIRD PARTIES TO WHOM PERSONAL DATA IS TRANSFERRED BY OUR COMPANY AND PURPOSES OF TRANSFER




Regarding the sharing of personal data with third parties, our Company strictly complies with the conditions regulated under the Personal Data Protection Law (KVKK), without prejudice to provisions in other laws. Within this framework, personal data are not transferred to third parties without the explicit consent of the data subject. However, in the presence of one of the following conditions regulated by KVKK, personal data may be transferred by our Company without obtaining explicit consent from the data subject:




Explicitly stipulated by laws,
Necessary for the protection of the life or physical integrity of the data subject or another person in cases where the data subject is unable to express consent due to actual impossibility or when consent has no legal validity,
Necessary for the processing of personal data directly related to the establishment or performance of a contract, provided that it concerns the parties to the contract,



Necessary for the data controller to fulfill a legal obligation,
Personal data made public by the data subject themselves,
Necessary for the establishment, exercise, or defense of a right,
Necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.



Provided that sufficient measures are taken: for special categories of personal data excluding health and sexual life, processing as stipulated by law is permitted; for special categories of personal data related to health and sexual life, personal data may be transferred without explicit consent for the purposes of:




Protection of public health,
Preventive medicine,
Medical diagnosis,
Execution of treatment and care services,
Planning, management, and financing of health services.



The conditions specified for the processing of special categories of personal data are also observed when transferring such data.










Additionally, under GDPR Articles 9(2)(h), 6(1)(b), and 6(1)(f), there are cases where your data may be processed without explicit consent:




For the purpose of conducting medical examinations, diagnosis, treatment, and care services, your health data, considered as special category personal data, will be processed without your explicit consent by our Company, which is bound by confidentiality obligations under the law.




Your personal data will be processed without explicit consent by our Company to enable follow-up appointments after medical diagnosis and treatment, to communicate directly with you, and to manage appointment processes.




To ensure patient satisfaction and manage requests, your personal data will be processed without your explicit consent by our Company.










According to GDPR Article 6(1)(c), personal data will be processed without your explicit consent under legal obligations in the following cases:




Creation of patient files,
Preservation of health data as required by relevant legislation,
Controlling payments and issuing invoices,
Fulfilling tax obligations,
Compliance with Ministry of Health regulations,
Compliance with Health Tourism regulations,
Ensuring data security,
Fulfilling legal obligations before judicial authorities,



Fulfilling administrative obligations before public institutions and organizations.



STORAGE OF PERSONAL DATA IN ACCORDANCE WITH APPLICABLE LEGISLATION




Our Company stores personal data securely in physical or electronic environments for an appropriate period of time to fulfill the activities of our Company, in compliance with the Personal Data Protection Law (KVKK) and other relevant legislation. First, it examines whether there is a statutory retention period for the personal data and acts accordingly. If no legal retention period exists, an appropriate retention period is determined, and personal data is stored in accordance with this period. Once the retention period expires, personal data is deleted, destroyed, or anonymized.




However, in cases where the data controller has a legitimate interest, personal data may be retained until the expiration of the general statute of limitations period regulated under the Turkish Code of Obligations (ten years), provided that this does not harm the fundamental rights and freedoms of the data subjects, even if the purpose of processing and the retention periods specified in the relevant legislation have ended.




Within this scope, our Company provides necessary training to the relevant departments and raises awareness on this matter.








Administrative Measures




Our Company conducts necessary audits to ensure compliance with legal regulations.
In the event that personal data processed is obtained unlawfully by others, our Company promptly notifies the data subject and the Authority (Personal Data Protection Board).



Regarding the sharing of personal data, the Company ensures data security through framework agreements, consent forms, explicit consent forms from data subjects, or provisions added to contracts with the recipients of the personal data.
The Company employs knowledgeable and experienced personnel regarding personal data processing and provides necessary data protection (KVK) training to its staff.



Technical Measures




Our Company employs knowledgeable and experienced personnel to ensure data security and provides necessary data protection (KVK) training to its staff.
It conducts necessary internal controls within the established systems.
It ensures the provision of technical infrastructure to prevent and/or monitor the leakage of personal data outside the institution and creates relevant matrices.



RIGHTS OF PERSONAL DATA OWNERS UNDER ARTICLE 11 OF THE KVKK:

Within the scope of Article 11 of the Personal Data Protection Law No. 6698 (KVKK), personal data owners can apply to our Company at the address provided and exercise the following rights:




To learn whether personal data is being processed,
If personal data is processed, to request information about this,
To learn the purpose of processing personal data and whether it is used in accordance with that purpose,
To know the third parties to whom personal data is transferred, domestically or abroad,

To request correction of personal data if it has been processed incompletely or inaccurately,
To request deletion or destruction of personal data in accordance with the KVKK and other relevant legislation,
To request notification of the correction, deletion, or destruction of personal data to third parties to whom the personal data has been transferred,
To object to any result against oneself arising solely from the analysis of processed personal data through automated systems,
To claim compensation for damages if harmed due to unlawful processing of personal data.










RIGHTS OF DATA SUBJECTS UNDER GDPR:

As a Data Subject, your personal data is also protected under the GDPR. In cases where GDPR applies (e.g., EU citizens or residents in the European Union), Data Subjects have the following rights:




Right of Access (GDPR Article 15):

The Data Subject has the right to confirm with our Company whether their personal data is being processed and, if so, to obtain detailed information as stipulated in Article 15 of the GDPR.




Right to Rectification (GDPR Article 16):

The Data Subject has the right to request correction of their personal data held by our Company at any time.




Right to Erasure (Right to be Forgotten) (GDPR Article 17):

The Data Subject has the right to request the deletion of their personal data held by our Company. If conditions outlined in Article 17 occur, the Company will delete the personal data without undue delay.




Right to Restriction of Processing (GDPR Article 18):

Data Subjects have the right to request the restriction of processing of their personal data in the following cases:




When they contest the accuracy of the data until the accuracy is verified,
When the processing is unlawful and the Data Subject opposes erasure and requests restriction instead,
When the Company no longer needs the personal data for processing purposes but the Data Subject requires the data for legal claims,
When the Data Subject has objected to the processing pursuant to Article 21(1) of the GDPR, until it is verified whether the Company’s legitimate grounds override those of the Data Subject.



Right to Data Portability (GDPR Article 20):

The Data Subject has the right to request, where technically feasible, that their Personal Data held by our Company be transferred to another controller. However, this right can only be exercised when the processing is based on consent or a contract.




Right to Object (GDPR Article 21):

The Data Subject has the right to object to the processing of their Personal Data under Article 6(1)(e) and (f) of the GDPR, based on reasons related to their particular situation.