Tantalya Dental Clinic
Book konsultation
Legal

Privacy Policy

How Tantalya Dental Clinic collects, uses and protects your personal data under Türkiye's KVKK (Law No. 6698 on the Protection of Personal Data) and the EU General Data Protection Regulation (GDPR, Regulation 2016/679).

Last updated: 9 May 2026

1. Data Controller

Özel Tantalya Ağız ve Diş Sağlığı Polikliniği (hereinafter "Tantalya", "we") is the controller of personal data collected via this website and during patient care.

  • Address: Siteler Mah., Şehit Polis Memuru Muhammet Oğuz Kılınç Sok., Dream Houses, A Blok, No: 8/B, 07070 Konyaaltı / Antalya, Türkiye
  • Email: privacy@tantalya.com
  • Phone: +90 539 777 76 78
  • Authorisation: Republic of Türkiye Ministry of Health · IHT No. ST-2095

2. What Data We Collect

We process the following categories of personal data:

  • Identification: name, surname, date of birth, nationality, ID/passport number (where required by Turkish health regulations).
  • Contact: email, phone, WhatsApp number, postal address.
  • Health: dental and medical history, photographs (intra-oral / face), CBCT / X-ray scans, treatment notes — collected only when you initiate consultation or treatment. This is special-category data under GDPR Art. 9 and processed under Art. 9(2)(h) (medical care) with explicit consent.
  • Financial: payment receipts, invoices.
  • Technical: IP address, browser, device type, language preference (cookie tantalya_locale).

3. Lawful Basis for Processing

  • Consent (KVKK Art. 5(1) / GDPR Art. 6(1)(a)) — for marketing, photographs and reviews.
  • Contract (GDPR Art. 6(1)(b)) — to deliver the dental services you have requested.
  • Legal obligation (GDPR Art. 6(1)(c)) — to comply with Turkish Ministry of Health record-keeping rules.
  • Vital interests (GDPR Art. 6(1)(d)) — emergency medical decisions.
  • Legitimate interest (GDPR Art. 6(1)(f)) — fraud prevention, IT security.

4. Data Sharing

We share data only with:

  • Our in-house dental specialists, technicians and consultants — bound by professional confidentiality.
  • External laboratories and imaging centres — under written data-processing agreements.
  • Public authorities — Republic of Türkiye Ministry of Health, where required by law.
  • Payment providers (e.g. Stripe, bank wire) — under PCI-DSS compliance.

We do not sell your data.

5. International Transfers

As an international health-tourism provider, we may receive your data from the EU/EEA. Data is stored on servers in Türkiye. Adequate safeguards under GDPR Art. 46 (Standard Contractual Clauses) apply where required.

6. Retention

Medical records are retained for 20 years after the last treatment, in line with Turkish Ministry of Health regulations. Marketing data is held until you withdraw consent. Website cookies expire as described in our Cookie Policy.

7. Your Rights

Under KVKK Art. 11 and GDPR Articles 15-22 you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase data ("right to be forgotten") where permitted.
  • Restrict or object to processing.
  • Data portability.
  • Withdraw consent at any time.
  • Lodge a complaint with KVKK (in Türkiye) or your local Data Protection Authority (in the EU).

To exercise these rights, email privacy@tantalya.com. We respond within 30 days.

8. Data Protection Officer (DPO)

Under GDPR Article 37, we have appointed a Data Protection Officer who oversees compliance with this notice and acts as your contact point for any privacy concern.

  • Dr. Taha Tanrıverdi — Data Protection Officer (interim)
  • Email: dpo@tantalya.com
  • Phone: +90 539 777 76 78
  • Address: Siteler Mah., Şehit Polis Memuru Muhammet Oğuz Kılınç Sok., Dream Houses, A Blok, No: 8/B, 07070 Konyaaltı / Antalya, Türkiye

We are in the process of appointing an EU representative under Article 27. Until then, contact the DPO directly at the address above for any GDPR matter.

9. Exercising Your Rights — Practical Steps

To exercise any right listed above, use our dedicated data-rights request form. The form generates a ticket number and starts the legal response clock. We respond within one calendar month (extendable by two additional months for complex requests, with notification — GDPR Art. 12(3)). Identity verification is handled by the DPO separately through a secure channel; we never accept identity documents through the public web form.

Data portability (Art. 20): we provide your personal data in a structured, commonly used and machine-readable format (JSON or CSV) upon request. The export covers data you provided to us under consent or contract; it excludes data inferred or derived from clinical analysis.

10. Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we notify the relevant supervisory authority (KVKK in Türkiye and/or your local EU DPA) within 72 hours of becoming aware of it (GDPR Art. 33). Where the breach is likely to result in a high risk to you, we also notify you directly without undue delay (Art. 34).

11. Automated Decision-Making

We do not subject you to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects (GDPR Art. 22). All clinical decisions are made by qualified human practitioners. Website analytics and marketing personalisation, where used, operate on aggregated anonymised data only.

12. Children's Data

Our services are directed at adults. We do not knowingly process personal data of children under the age of 16 (or the applicable age of digital consent in your EU member state, where lower) for information-society services without verifiable parental consent (GDPR Art. 8). Where a minor receives dental treatment at our clinic, processing is based on parental consent given in person at the clinic, in line with Turkish health law.

13. International Transfers — Mechanisms (Art. 46)

Patient data is hosted in Türkiye, which is currently not subject to a European Commission adequacy decision under GDPR Art. 45. When we receive your data from the EEA, we rely on the following safeguards (Art. 46):

  • Standard Contractual Clauses (SCCs) — we execute the European Commission's 2021 SCCs (Module 2 — Controller to Processor or Module 4 — Processor to Controller, as applicable) with each external processor that handles your data.
  • Transfer Impact Assessment (TIA) — for transfers to or from third countries we conduct a written TIA addressing local-law access risks.
  • Supplementary measures — pseudonymisation of identifiers in clinical imaging exchanged with external laboratories; end-to-end encryption for file transfers.

The signed SCCs and the latest TIA are available on request to the DPO.

14. Supervisory Authorities — Where to Complain

You may lodge a complaint with the authority of your residence:

15. Contact & Complaints

For privacy questions: privacy@tantalya.com
KVKK authority (Türkiye): kvkk.gov.tr

This document is provided in good faith. The Turkish version of this notice prevails in case of conflict.

Tantalya — The PromiseAntalya / Türkiye
TruthTrustTantalya

Three things we will not trade away — the dawn-light promise behind every smile we build.

  1. 01Truth

    A price you can fly on.

    An honest diagnosis and an itemised plan. What we quote is what you pay — nothing buried, nothing upsold.

  2. 02Trust

    Credentials you can check.

    Ministry-licensed specialists, ISO-certified processes and CE-marked materials — with answers in your own language.

  3. 03Tantalya

    Where your smile begins.

    Not a clinic but a Mediterranean studio in Antalya — named for the dawn that the city is built to watch.

Tantalya Dental Clinic · Est. Antalyatan · /tan/ · n. — the first light before sunrise