Privacy Policy
Effective date: 28.04.2026
Last updated: 28.04.2026
This Privacy Policy explains how Assoc. Prof. Dr. Hacı Hasan Abuoğlu ("we", "us", "our", or "the Clinic") collects, uses, discloses, and protects personal data of visitors and patients accessing www.drhasanabuoglu.com ("the Website").
This policy is prepared in accordance with:
- Regulation (EU) 2016/679 — General Data Protection Regulation ("GDPR")
- UK GDPR and the Data Protection Act 2018 (for UK residents)
- Turkish Law No. 6698 on the Protection of Personal Data ("KVKK") — for processing within Türkiye
- Bulgarian Personal Data Protection Act (Закон за защита на личните данни, "PDPA")
- Spanish Organic Law 3/2018 on Personal Data Protection ("LOPDGDD") — where applicable
- Turkish Patient Rights Regulation and Personal Health Data Regulation (Official Gazette No. 30808)
1. Data Controller
| Information | Detail |
|---|---|
| Data Controller | Assoc. Prof. Dr. Hacı Hasan Abuoğlu, Associate Professor of General Surgery |
| Legal Entity | Hacı Hasan Abuoğlu (Sole Proprietor — Independent Surgeon) |
| Tax ID | 0020324033 |
| Registered Address | Küçükbakkalköy Mah. Dudullu Cad. Brandium R2 Blok No: 23-25B İç Kapı No: 8 Ataşehir/İstanbul, Istanbul, Türkiye |
| Phone | +90 544 165 05 04 |
| Email | info@drhasanabuoglu.com |
| Website | https://www.drhasanabuoglu.com |
| Health Tourism Authorization Number | ST-2697 (Republic of Türkiye, Ministry of Health) |
1.1 Data Protection Officer
A Data Protection Officer ("DPO") has been designated:
- Name: Abdurrahman Çağlayan
- Email: abdurrahman@drhasanabuoglu.com
- Postal: Küçükbakkalköy Mah. Dudullu Cad. Brandium R2 Blok No: 23-25B İç Kapı No: 8 Ataşehir/İstanbul (mark "for the attention of the DPO")
1.2 EU/UK Representative
Data subjects in the EU/EEA may contact the data controller directly via the channels above, or through our Data Protection Officer (Abdurrahman Çağlayan, abdurrahman@drhasanabuoglu.com).
2. Scope
This policy applies to:
- Visitors to www.drhasanabuoglu.com (English, Spanish, Bulgarian language versions)
- Users who submit the contact form
- Recipients of email, telephone, or messaging communications
- Patients undergoing consultation or treatment
Note: The Turkish-language website www.drhasanabuoglu.com.tr is governed by a separate Privacy Policy in Turkish.
3. Categories of Personal Data Processed
3.1 Data You Provide Directly
| Category | Examples |
|---|---|
| Identity | First name, last name, date of birth (only at consultation) |
| Contact | Email, phone, country of residence, postal address (when relevant) |
| Health (special category, Article 9 GDPR) | Medical history, BMI, current medications, planned procedure, lab results, imaging studies (when shared with explicit consent) |
| Financial (only when relevant) | Treatment cost estimates communicated; no payment data is processed via the website |
| Communications | Message content from contact form, emails, calls |
3.2 Data Collected Automatically
| Category | Examples |
|---|---|
| Technical | IP address, device type, browser type, OS, referring URL, language preference |
| Usage | Pages visited, duration, click-stream (anonymised analytics if you consent) |
| Cookies | See Cookie Policy |
3.3 Data from Third Parties
We do not purchase or receive personal data from third parties for marketing purposes.
4. Purposes and Legal Bases
| Purpose | Categories | Legal Basis |
|---|---|---|
| Responding to inquiries | Identity, contact, health, communications | Article 6(1)(b) — pre-contractual measures; Article 9(2)(h) — provision of healthcare |
| Medical consultation and treatment planning | All relevant categories | Article 6(1)(b) and Article 9(2)(h) GDPR |
| Health data outside healthcare provision (e.g., publishing case studies, marketing) | Health data | Article 9(2)(a) — explicit consent, separately and freely obtained |
| Compliance with legal obligations | All required categories | Article 6(1)(c) — legal obligation (health, tax, e-commerce, advertising regulations) |
| Website security and abuse prevention | Technical | Article 6(1)(f) — legitimate interests |
| Anonymous statistical analysis | Anonymised technical data | Not personal data once anonymised |
| Marketing communications (newsletter) | Email, name | Article 6(1)(a) — consent (opt-in only) |
5. International Data Transfers
The data controller is located in Türkiye. Türkiye is not the subject of a European Commission adequacy decision under Article 45 GDPR. Personal data transferred from the EEA/UK to Türkiye is protected by the following mechanisms:
5.1 Standard Contractual Clauses (SCCs)
Module One (Controller-to-Controller) or Module Two (Controller-to-Processor) SCCs are signed with all relevant counterparties, supplemented by a Transfer Impact Assessment (TIA).
5.2 Derogations (Article 49 GDPR)
For specific transfers:
- Article 49(1)(a) — your explicit consent after being informed of risks
- Article 49(1)(b) — necessity for performance of a contract at your request (e.g., medical consultation)
- Article 49(1)(d) — important reasons of public interest in healthcare (rare)
5.3 Service Providers Outside the EEA
| Provider | Service | Country | Safeguards |
|---|---|---|---|
| Resend Inc. | Email delivery | USA | SCC + DPA |
| Vercel Inc. | Hosting | USA / EU regions | SCC + DPA + EU region preference |
| Cloudflare Inc. | CDN, security | Global | SCC + DPA |
| Google Ireland Ltd. (Workspace) | Email inbox | EU data centers | Within EU/EEA — no transfer concerns |
You may obtain a copy of the SCCs or details of safeguards by contacting our DPO.
6. Data Recipients
We share personal data only with:
- Medical and administrative staff under confidentiality
- Contracted hospital for surgical procedures: Emsey Hospital (Aydınevler Mh., Çamlık Cd. 50, 34854 Maltepe/Istanbul). Surgical interventions are performed at this contracted facility under the patient's explicit consent (Article 9(2)(a) GDPR) and Article 9(2)(h) GDPR (provision of healthcare).
- Data processors listed in Section 5.3
- Healthcare partners (laboratories, imaging centers) with your prior consent
- Public authorities only when legally required (Turkish Ministry of Health, courts, tax authorities, EU/national supervisory authorities)
- Legal and tax advisors under professional secrecy
We never sell your personal data to third parties.
7. Retention Periods
| Data Category | Retention | Legal Basis |
|---|---|---|
| Contact form (responded, no consultation) | 12 months | Legitimate interest |
| Contact form (unanswered) | 6 months | Data minimisation |
| Patient records (consultation/treatment) | Minimum 20 years | Turkish Health Legislation; Article 17 of Turkish Patient Autonomy Law |
| Server logs | 6 months to 2 years | Turkish Law No. 5651 |
| Tax/financial records | 10 years | Turkish Tax Procedure Code |
| Email service logs (Resend) | 30 days | Manual deletion configured |
| Cookies | See Cookie Policy | — |
8. Security Measures
We have implemented technical and organisational measures appropriate to the risks posed by processing health data, including:
8.1 Technical
- TLS 1.3 encryption for all data in transit
- Encrypted storage at rest
- POST-only form submissions (no sensitive data in URLs)
- Multi-factor authentication for staff accounts
- Firewall, DDoS protection, intrusion detection
- Regular security patching
- Database access logging
- Pseudonymisation where feasible
8.2 Organisational
- Role-based access control (least privilege)
- Staff confidentiality agreements
- Records of Processing Activities (Article 30 GDPR)
- Data Protection Impact Assessment (DPIA) for high-risk processing
- Regular GDPR/KVKK training
- Incident response plan
- Vendor due diligence and DPAs (Article 28 GDPR)
9. Data Breach Notification
Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware (Article 33 GDPR)
- Inform affected data subjects without undue delay if the breach is likely to result in high risk (Article 34 GDPR)
10. Your Rights Under the GDPR
You have the following rights regarding your personal data:
| Right | Description | Article |
|---|---|---|
| Access | Obtain confirmation and a copy of your data | Art. 15 |
| Rectification | Correct inaccurate data | Art. 16 |
| Erasure | Request deletion ("right to be forgotten") | Art. 17 |
| Restriction | Limit how we process your data | Art. 18 |
| Data Portability | Receive your data in a portable format | Art. 20 |
| Objection | Object to processing based on legitimate interest or for direct marketing | Art. 21 |
| Withdraw consent | At any time, where processing is based on consent | Art. 7(3) |
| Not to be subject to automated decision-making | Including profiling | Art. 22 |
| Lodge a complaint | With a supervisory authority | Art. 77 |
Note: Some rights may be limited where retention is required by law (e.g., medical records under Turkish health legislation).
11. How to Exercise Your Rights
Submit your request via:
- Email: info@drhasanabuoglu.com
- DPO Email: abdurrahman@drhasanabuoglu.com
- Postal: Küçükbakkalköy Mah. Dudullu Cad. Brandium R2 Blok No: 23-25B İç Kapı No: 8 Ataşehir/İstanbul (mark "Data Subject Request — for DPO")
We will:
- Acknowledge receipt without undue delay
- Respond within one month (extendable by two further months for complex requests, Article 12(3) GDPR)
- Provide responses free of charge, except where requests are manifestly unfounded, repetitive, or excessive
12. Right to Lodge a Complaint
You may complain to a data protection supervisory authority:
| Country/Region | Authority |
|---|---|
| Your EU Member State | The supervisory authority of your residence |
| Spain | Agencia Española de Protección de Datos (AEPD) |
| Bulgaria | Commission for Personal Data Protection (CPDP) |
| United Kingdom | Information Commissioner's Office (ICO) |
| Türkiye | Kişisel Verileri Koruma Kurumu (KVKK) |
13. Children's Privacy
The Website is not directed at children under 16 (or the relevant age in your EU Member State; in Spain, 14; in Bulgaria, 14; in the UK, 13). We do not knowingly collect data from children. Where a minor needs to be in contact, parental/guardian consent is mandatory.
14. Cookies
We use limited cookies for essential, analytical, and functional purposes. See our separate Cookie Policy for full details, including how to manage your preferences.
15. Third-Party Links
The Website may contain links to third-party sites (e.g., scientific resources at IFSO, ASMBS, PubMed). We are not responsible for the privacy practices of those sites. Please review their respective privacy policies before providing personal information.
16. Automated Decision-Making
We do not make decisions based solely on automated processing that produce legal effects on you or similarly significantly affect you. All clinical decisions are made by qualified medical professionals.
17. Health Tourism Specifics
For international patients seeking treatment in Türkiye through the Health Tourism program:
- The Clinic is authorised by the Turkish Ministry of Health under Authorization Number ST-2697
- We comply with the Regulation on International Health Tourism (Official Gazette No. 32882, dated 26.04.2025)
- Patient testimonials, where included on this site, are published only with explicit written consent in accordance with Article 7(b) and Annex 1 of the Turkish Health Promotion Regulation
18. Changes to This Policy
We may update this policy from time to time. Material changes will be notified at least 15 days in advance via the Website. Please review periodically.
| Version | Date | Change |
|---|---|---|
| 1.0 | 28.04.2026 | Initial publication |
19. Contact
For questions about this policy or our data processing:
- Email: info@drhasanabuoglu.com
- DPO: abdurrahman@drhasanabuoglu.com
- Phone: +90 544 165 05 04
- Postal: Küçükbakkalköy Mah. Dudullu Cad. Brandium R2 Blok No: 23-25B İç Kapı No: 8 Ataşehir/İstanbul
Assoc. Prof. Dr. Hacı Hasan Abuoğlu
Associate Professor of General Surgery, Bariatric & Metabolic Surgery
Küçükbakkalköy Mah. Dudullu Cad. Brandium R2 Blok No: 23-25B İç Kapı No: 8 Ataşehir/İstanbul, Istanbul, Türkiye
