Dr. Enis Ekincioglu Clinic

Privacy Policy

Last updated: 2 July 2026

1. Introduction

This Privacy Policy ("Policy") explains how Dr. Enis Ekincioglu Clinic ("Clinic", "we", "us", or "our") collects, processes, stores, transfers, and protects personal data of visitors, patients, and prospective patients ("you") through our website drenisekincioglu.com, our consultation and appointment forms, and related communications.

This Policy is prepared in accordance with the Republic of Türkiye's Law No. 6698 on the Protection of Personal Data ("KVKK"), the Regulation on the Processing of Personal Health Data, the Law No. 3359 on Basic Health Services, the Law No. 5651 on the Regulation of Publications on the Internet, and, where applicable to international visitors, the EU General Data Protection Regulation ("GDPR") and the UK Data Protection Act 2018.

2. Data Controller

For the purposes of KVKK Article 3 and GDPR Article 4, the data controller is:

Dr. Enis Ekincioglu Clinic

Nef 22 Atakoy D Blok, 15th Floor, Door 143, Bakırköy / Istanbul, Türkiye

Email: info@drenisekincioglu.com

Phone: +90 537 321 65 71

3. Categories of Personal Data We Process

Depending on your interaction with us, we may process the following categories of personal data:

  • Identity data: full name, gender, date of birth, nationality.
  • Contact data: email address, mobile phone number, country and dialling code, country of residence, preferred contact channel.
  • Health data (special category / sensitive data under KVKK Art. 6 and GDPR Art. 9): procedure or treatment of interest, medical history, allergies, medications, prior surgeries, photographs you voluntarily upload for consultation, and any information you share regarding your condition.
  • Appointment data: requested date and time, consultation notes, appointment status.
  • Communication data: messages exchanged via forms, email, phone, or messaging apps, and records of our correspondence.
  • Technical data: IP address, browser type and version, device identifiers, operating system, referring URLs, pages visited, session duration, and log records retained pursuant to Law No. 5651.
  • Cookie and marketing data: cookie identifiers and preferences, analytics identifiers, and interactions with marketing content (only where you have consented).

4. Purposes of Processing

We process your personal data for the following purposes:

  • Responding to inquiries and consultation requests.
  • Scheduling, confirming, rescheduling, or cancelling appointments.
  • Providing pre- and post-operative information and clinical follow-up.
  • Coordinating international patient travel, accommodation, and translation services where requested.
  • Complying with medical record-keeping obligations under Turkish health legislation.
  • Fulfilling legal, regulatory, and tax obligations, including Ministry of Health reporting where required.
  • Ensuring the security, integrity, and lawful operation of our website.
  • Improving our services and the visitor experience through analytics (only with consent).
  • Sending marketing communications, where you have explicitly opted in.
  • Establishing, exercising, or defending legal claims.

5. Legal Bases for Processing

Under KVKK Articles 5 and 6, and GDPR Articles 6 and 9 where applicable, we rely on the following legal bases:

  • Your explicit consent — for the processing of special-category health data, marketing communications, and non-essential cookies.
  • Performance of a contract or pre-contractual steps — to respond to your consultation or appointment request.
  • Compliance with a legal obligation — including medical record-keeping, tax, and internet-log retention obligations.
  • Protection of vital interests — where processing is necessary to protect the life or physical integrity of a person who is unable to give consent.
  • Legitimate interests — for the security of our website, fraud prevention, and internal administration, provided such interests do not override your fundamental rights and freedoms.
  • Establishment, exercise, or defence of legal claims.

6. Methods of Collection

Personal data is collected through automated and non-automated means, including website contact and consultation forms, email, telephone, messaging applications (such as WhatsApp), cookies and similar technologies, in-person consultations, and from authorised third parties (for example, referring physicians or travel coordinators) where you have authorised such disclosure.

7. Cookies and Similar Technologies

Our website uses cookies and similar technologies. You can manage your preferences at any time through the cookie banner or the "Cookie settings" link in the footer.

  • Strictly necessary cookies — required for the website to function (session, security, form-submission integrity). These do not require consent.
  • Analytics cookies — help us understand how visitors use the site. Set only with your consent.
  • Marketing cookies — used to measure and, where enabled, deliver relevant advertising. Set only with your consent.

You may withdraw or change your cookie consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out prior to withdrawal.

8. Sharing and Disclosure of Personal Data

We do not sell your personal data. We may share personal data, only to the extent necessary and under appropriate confidentiality and data-protection safeguards, with the following recipients:

  • Contracted hospitals, anaesthesiologists, laboratories, and other healthcare professionals involved in your treatment.
  • Service providers acting as data processors on our behalf, including hosting, database, email delivery, appointment management, analytics, and customer-support tools.
  • Travel, accommodation, and translation partners where you have requested international patient coordination.
  • Financial institutions and payment processors for the settlement of fees.
  • Independent legal, tax, and accounting advisors under confidentiality obligations.
  • Public authorities, courts, and regulators (including the Ministry of Health, tax authorities, and the Personal Data Protection Authority — KVKK Kurumu) where required by law or lawful request.

9. International Transfers of Personal Data

Some of our service providers (for example, hosting, email delivery, and analytics vendors) may be located outside Türkiye. Where personal data is transferred abroad, we rely on the transfer mechanisms permitted under KVKK Article 9 — including your explicit consent, the existence of adequate protection in the recipient country as determined by the Personal Data Protection Board, or written undertakings (commitments) approved by the Board. Where GDPR applies, we rely on adequacy decisions or Standard Contractual Clauses supplemented by appropriate technical and organisational safeguards.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal obligations. Indicative retention periods:

  • Medical records: minimum 20 years, as required by Turkish health legislation.
  • Consultation and appointment records without treatment: up to 10 years for the establishment or defence of legal claims (Turkish Code of Obligations, Art. 146).
  • Accounting and tax records: 10 years pursuant to the Tax Procedure Law and Turkish Commercial Code.
  • Website traffic and log records: retained for the periods required by Law No. 5651 and its secondary legislation.
  • Marketing data: until you withdraw consent, and then deleted or anonymised within a reasonable period.

At the end of the applicable retention period, personal data is deleted, destroyed, or anonymised in accordance with our Personal Data Retention and Destruction Policy and the Regulation on Deletion, Destruction or Anonymisation of Personal Data.

11. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful access, disclosure, alteration, or destruction. These measures include, without limitation, encryption in transit (TLS/HTTPS), access controls, role-based permissions, secure authentication for administrative interfaces, activity logging, regular backups, vendor due diligence, and staff confidentiality obligations.

12. Your Rights

Under KVKK Article 11, and, where applicable, GDPR Articles 15–22, you have the right to:

  • Learn whether your personal data is processed.
  • Request information about the processing.
  • Learn the purposes of processing and whether the data is used consistently with these purposes.
  • Know the third parties, in Türkiye or abroad, to whom your data is transferred.
  • Request the correction of inaccurate or incomplete data.
  • Request the deletion, destruction, or anonymisation of your data in the cases foreseen by KVKK Article 7.
  • Request that the correction, deletion, or destruction be notified to third parties to whom the data has been transferred.
  • Object to outcomes produced solely by automated analysis that adversely affect you.
  • Request compensation for damages arising from unlawful processing.
  • Withdraw consent at any time (without affecting the lawfulness of prior processing).
  • Lodge a complaint with the Personal Data Protection Authority (KVKK Kurumu) or, where applicable, your local EU/UK supervisory authority.

To exercise these rights, please contact us using the details in Section 14. In accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller, we will respond within thirty (30) days.

13. Children's Privacy

Our website is not directed to children under the age of 18. We do not knowingly collect personal data from minors without verifiable parental or legal guardian consent. Where treatment involves a minor, all consents and communications must be provided by the parent or legal guardian.

14. Contact and Data Subject Requests

Applications regarding this Policy or your rights must be submitted in writing, in Turkish or English, including your identifying information and the subject of your request. You may reach us at:

Dr. Enis Ekincioglu Clinic

Nef 22 Atakoy D Blok, 15th Floor, Door 143, Bakırköy / Istanbul, Türkiye

Email: info@drenisekincioglu.com

Phone: +90 537 321 65 71

If you believe your rights have been infringed, you may also lodge a complaint with the Personal Data Protection Authority of Türkiye (Kişisel Verileri Koruma Kurumu) at www.kvkk.gov.tr.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be highlighted on this page, and the "Last updated" date at the top will be revised accordingly. Please review this Policy periodically.

16. Governing Law

This Policy is governed by the laws of the Republic of Türkiye. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the Istanbul (Çağlayan) Courts and Enforcement Offices, without prejudice to your mandatory statutory rights in your country of residence.