Last updated:
Privacy Notice
This Privacy Notice has been prepared in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and applies to the contact form, communications, and information requests submitted via drhasanabuoglu.com.
When you contact us through the website's contact form, by email, telephone, or messaging applications, we collect and process your personal data as described below. This notice provides you with the information required by Articles 13 and 14 GDPR.
1. Identity and Contact Details of the Data Controller
| Information | Detail |
|---|---|
| Data Controller | Assoc. Prof. Dr. Hacı Hasan Abuoğlu — Associate Professor of General Surgery, Bariatric & Metabolic Surgery |
| Legal Entity | Hacı Hasan Abuoğlu (Sole Proprietor — Independent Surgeon) |
| Address | Küçükbakkalköy Mah. Dudullu Cad. Brandium R2 Blok No: 23-25B İç Kapı No: 8 Ataşehir/İstanbul, Istanbul, Türkiye |
| Phone | +90 544 165 05 04 |
| Email | info@drhasanabuoglu.com |
| Website | https://www.drhasanabuoglu.com |
| Health Tourism Authorization | ST-2697 (issued by the Republic of Türkiye, Ministry of Health) |
2. Data Protection Officer
We have designated a Data Protection Officer ("DPO") who can be contacted for any questions about this notice or our data processing activities:
- Name: Abdurrahman Çağlayan
- Email: abdurrahman@drhasanabuoglu.com
- Postal Address: Küçükbakkalköy Mah. Dudullu Cad. Brandium R2 Blok No: 23-25B İç Kapı No: 8 Ataşehir/İstanbul (marked "for the attention of the Data Protection Officer")
3. Categories of Personal Data Collected
When you submit the contact form or otherwise communicate with us, we may collect:
- Identification data: First name, last name
- Contact data: Email address, phone number, country of residence (where provided)
- Special category — health data (Article 9 GDPR): Information you voluntarily provide in the message field about your medical history, current health condition, body mass index, planned surgical procedure, or other health-related queries
- Technical data: IP address, browser type and version, device type, access timestamps (server logs)
⚠️ Important — Health data are special category data under Article 9 GDPR. Please share only the information necessary to assess your initial inquiry. Detailed medical history, imaging studies, and laboratory results should be exchanged through secure channels during a formal consultation, not through the public contact form.
4. Purposes and Legal Bases of Processing
| Purpose | Categories of Data | Legal Basis |
|---|---|---|
| Responding to your inquiry | Identification, contact, message content | Article 6(1)(b) GDPR — performance of a contract / steps prior to entering into a contract at your request |
| Providing medical information and consultation scheduling | Identification, contact, health data | Article 6(1)(b) + Article 9(2)(h) GDPR — processing necessary for the provision of health care under the responsibility of a health professional subject to professional secrecy |
| Health data outside healthcare provision (e.g., marketing) | Health data | Article 9(2)(a) GDPR — your explicit consent |
| Fulfilling legal obligations | All categories as required | Article 6(1)(c) GDPR — legal obligation under Turkish health legislation, tax law, e-commerce law |
| Server security and abuse prevention | Technical data | Article 6(1)(f) GDPR — legitimate interests |
| Marketing communications (newsletter) | | Article 6(1)(a) GDPR — your consent |
5. Recipients of Your Personal Data
Your personal data may be disclosed to the following recipients under appropriate safeguards:
5.1 Internal Recipients
- The medical team directly involved in your care
- The administrative staff supporting your inquiry
- The Data Protection Officer
5.2 External Processors (Data Processors under Article 28 GDPR)
| Processor | Service | Location | Safeguards |
|---|---|---|---|
| Resend Inc. | Email delivery | USA | Standard Contractual Clauses (SCC) + Data Processing Agreement |
| Vercel Inc. | Web hosting | USA / EU regions | SCC + DPA |
| Google Ireland Ltd. (Workspace) | Email inbox management | EU data centers | EU/EEA hosting; covered by GDPR |
| Cloudflare Inc. | CDN, security | Global edge / USA | SCC + DPA |
5.3 Other Recipients (only when required by law)
- Public authorities (e.g., Turkish Ministry of Health, courts) when legally compelled
- Legal counsel in case of legal proceedings
- Auditors and accountants (under confidentiality)
6. International Data Transfers
The Data Controller is located in Türkiye, which is not currently subject to a European Commission adequacy decision (Article 45 GDPR). Therefore, transfers of your personal data from the European Economic Area (EEA) or the United Kingdom to Türkiye are protected by the following safeguards:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, signed between the data controller and processors
- Explicit consent for specific transfers when no other legal basis applies (Article 49(1)(a) GDPR)
- Necessity for the performance of a contract at your request (Article 49(1)(b) GDPR) — when you request medical consultation, the transfer is necessary
- Necessity for important reasons of public interest in healthcare (Article 49(1)(d) GDPR), where applicable
You may request a copy of the SCCs or details of the transfer safeguards by contacting our DPO at abdurrahman@drhasanabuoglu.com.
7. Retention Periods
| Data Category | Retention Period |
|---|---|
| Contact form (responded to, no consultation) | 12 months |
| Contact form (no response received) | 6 months |
| Patient records (consultation completed) | Minimum 20 years (Turkish Health Legislation) |
| Server logs | 6 months to 2 years (Turkish Law No. 5651) |
| Resend email logs | 30 days (manually shortened) |
| Cookies | See Cookie Policy |
After the retention period expires, your data is deleted, destroyed, or anonymised in accordance with our retention and disposal procedures.
8. Your Rights Under the GDPR
As a data subject, you have the following rights:
- Right of access (Article 15): obtain a copy of your data
- Right to rectification (Article 16): correct inaccurate data
- Right to erasure / "right to be forgotten" (Article 17): request deletion (subject to medical record retention obligations)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20): receive your data in a structured format
- Right to object (Article 21): including objection to processing for direct marketing
- Right not to be subject to automated decision-making (Article 22)
- Right to withdraw consent (Article 7(3)) at any time, where processing is based on consent
- Right to lodge a complaint with a supervisory authority (Article 77)
9. Exercising Your Rights
To exercise any of your rights, contact us at:
- Email: info@drhasanabuoglu.com
- DPO Email: abdurrahman@drhasanabuoglu.com
- Postal: Küçükbakkalköy Mah. Dudullu Cad. Brandium R2 Blok No: 23-25B İç Kapı No: 8 Ataşehir/İstanbul
We will respond to your request within one month (Article 12(3) GDPR). The response is free of charge unless requests are manifestly unfounded or excessive.
10. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. You may contact:
- The supervisory authority in your EU Member State of residence, or
- Türkiye's Personal Data Protection Authority (KVKK) — for processing within Türkiye:
  - Web: www.kvkk.gov.tr
  - Address: Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4, 06520 Balgat-Çankaya, Ankara, Türkiye
For UK residents, you may contact the Information Commissioner's Office (ICO):
- Web: www.ico.org.uk
11. Automated Decision-Making
We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (Article 22 GDPR).
12. Source of Personal Data
We collect personal data directly from you when you complete the contact form, send an email, message, or call us. We do not purchase data from third parties.
13. Statutory or Contractual Requirement
Providing the data on the contact form (name, email, phone, message) is a contractual requirement to enable us to respond. Without this data, we cannot reply to your inquiry. There is no statutory obligation to provide health data; however, omitting relevant medical information may limit the usefulness of our preliminary response.
14. Updates to This Privacy Notice
This notice may be updated to reflect changes in law or our processing activities. The effective date appears at the top of this document.
| Version | Date | Change |
|---|---|---|
| 1.0 | 28.04.2026 | Initial publication |
This Privacy Notice should be read together with our Privacy Policy and Cookie Policy.
Last updated: 28.04.2026
