1. Who Is the Data Controller
Op. Dr. Özlem Oymak is the data controller for all personal data processed through this website and through her medical practice in Bursa, Türkiye. Dr. Oymak is personally responsible for data protection decisions — there is no separate data protection officer or third-party processor managing your data on her behalf.
Contact: info@drozlemoymak.com · WhatsApp: +90 532 363 30 92
2. Which Regulation Applies to You
UK patients
The UK GDPR (retained from EU GDPR following Brexit) and the Data Protection Act 2018 apply to the processing of your personal data.
Supervisory authority: Information Commissioner's Office (ICO)
EU patients
The EU GDPR (Regulation 2016/679) applies. You may contact your national data protection authority.
Find yours: EDPB member list
3. Special Category Data — Health Information
Because this is a medical practice, we necessarily process health data — including medical history, photographs, and surgical records. Under GDPR Article 9, health data is classified as Special Category data and receives heightened protection.
We process your health data on the following Article 9 bases:
- Article 9(2)(a) — Explicit consent: you provide informed consent before any health data is collected.
- Article 9(2)(h) — Provision of health or social care: processing is necessary for the purposes of preventive medicine, medical diagnosis, and the provision of health care.
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal, and does not affect data we are legally required to retain under Turkish medical law.
4. International Transfer to Türkiye
Our practice is based in Türkiye, which is not currently recognised by the UK ICO or the European Commission as providing an equivalent level of data protection (an "adequacy decision"). When you send us personal data, it is transferred to Türkiye.
We mitigate the risks of this transfer by:
- Collecting only the minimum data necessary for your consultation.
- Using end-to-end encrypted channels wherever possible.
- Obtaining your explicit, informed consent to the transfer before processing health data — including a clear explanation that Türkiye does not currently hold an adequacy decision.
- Applying the same data protection standards described in this policy regardless of where data is stored.
5. Your Rights Under GDPR
You may request a copy of all personal data we hold about you, free of charge, within 30 days.
You may ask us to correct inaccurate or incomplete personal data without undue delay.
You may request deletion of your data where we are not legally required to retain it. Surgical records are subject to a mandatory ten-year retention period under Turkish law.
You may ask us to pause processing of your data while a dispute about its accuracy or lawfulness is resolved.
Where processing is based on consent or contract, you may receive your data in a structured, machine-readable format.
You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
You may withdraw consent at any time. This does not affect prior lawful processing.
You have the right to lodge a complaint with your supervisory authority (UK: ICO; EU: national DPA) if you believe your rights have been infringed.
6. How to Exercise Your Rights
Make a data subject request
To exercise any of the rights above, contact Dr. Oymak directly. You do not need to use a formal form — a clear written request by email or WhatsApp is sufficient. We will acknowledge your request within 72 hours and respond in full within 30 days.
Email: info@drozlemoymak.com
WhatsApp: +90 532 363 30 92
We may ask you to verify your identity before processing a request involving health data, to protect against unauthorised disclosure.
7. Complaints
If you are not satisfied with our response to a data subject request, or if you believe we have processed your data unlawfully, you have the right to raise a complaint with your supervisory authority:
- UK patients: Information Commissioner's Office — ico.org.uk/make-a-complaint
- EU patients: Contact your national data protection authority. A full list is available at the European Data Protection Board.
We would ask that you contact us first, as we are committed to resolving concerns directly and promptly.
8. Updates to This Statement
This statement is reviewed annually and updated whenever there is a material change in our data processing activities or in applicable law. The date at the top reflects the most recent revision.