Nis · Clinic

Legal

Privacy Policy

How we collect, process, and protect your personal data.

Last updated: 24 June 2026

1. Introduction and Scope

At Nis Clinic ("the Clinic", "we", "us"), we take the privacy of our patients and website visitors seriously. This Privacy Policy explains how we process personal data collected through the nisclinic.com website, web forms, WhatsApp and telephone channels, and in-clinic visits.

This policy has been prepared in accordance with the TRNC Personal Data Protection Law (No. 89/2007) and — in respect of persons located or resident in the EU — the principles of the General Data Protection Regulation (GDPR, 2016/679). Given the sensitive nature of health data, TRNC health legislation and professional regulations have also been taken into account.

By using our website or accessing our clinical services, you are deemed to have accepted the terms of this policy.

2. Data Controller

The organisation acting as data controller in respect of your personal data is:

  • Name: Nis Clinic
  • Address: Ulus Sokak No:9, Gönyeli, Nicosia, Northern Cyprus (TRNC)
  • Branches: Nicosia · Kyrenia · Famagusta
  • Email: [email protected]
  • Telephone: +90 548 899 0808

You may submit all requests, applications, and complaints relating to your personal data in writing via the contact channels above.

3. Categories of Personal Data Collected

Personal data collected from you or from third parties falls into the following categories:

3.1 Identity Data Name, surname, date of birth, nationality, identity/passport number (only at the clinic registration stage and where required by law).

3.2 Contact Data Email address, mobile telephone number, residential address, branch preference.

3.3 Transaction Data Appointment date and time, service preference, messages submitted via form, WhatsApp correspondence, telephone call notes.

3.4 Special Category Personal Data (Health Data) Health data classified as special category under the TRNC Personal Data Protection Law includes: your medical history, chronic conditions, current medications, allergies, previous medical or surgical procedures, examination findings, laboratory results, imaging records, clinical photographs (before/after — only with explicit written consent), and treatment plans and procedure notes.

Health data is handled with additional care; it is not processed without your explicit consent and is not shared with third parties.

3.5 Visual and Audio Data In-clinic CCTV recordings (common areas only), voice messages relating to appointment confirmations.

3.6 Technical Data (Website) IP address, browser type, language preference, pages visited, referrer URL, cookie identifiers. For details on how these data are used, please refer to our Cookie Policy.

4. Methods of Collecting Personal Data

We may collect your personal data through the following channels:

  • Web form: Contact and appointment forms (nisclinic.com/iletisim, nisclinic.com/randevu)
  • WhatsApp: Messages sent to our clinic WhatsApp lines
  • Telephone: Calls made via our appointment line
  • Email: [email protected] and branch email addresses
  • In-clinic visit: Receptionist registration, consent forms, anamnesis form
  • Automated collection: Website cookies and analytics tools (see Cookie Policy)
  • Third parties: Referring physician, contracted laboratory, medical tourism organiser (only in the context of your examination and treatment process)

5. Purposes for Processing Personal Data

Your personal data is processed only for the following legitimate purposes:

  1. Provision of healthcare services: Diagnosis, treatment planning, surgical procedures, follow-up appointments.
  2. Appointment management: Creating, confirming, reminding, cancelling, and rescheduling appointments.
  3. Patient communication: Responding to your enquiries, consultation recommendations, post-treatment care information.
  4. Legal obligations: Records required by health legislation, tax and accounting records, responding to requests from official authorities.
  5. Billing and payment: Collection of service fees, integration with payment providers.
  6. Quality and patient safety: Anonymised review of clinical cases, internal audit.
  7. Information and marketing (only with explicit consent): Campaign, news, and health content newsletters. Processing for this purpose occurs only if you have given consent, which you may withdraw at any time.
  8. Website improvement: Anonymised analysis of usage statistics.

Legal bases for processing (under the TRNC Personal Data Protection Law):

  • Explicit consent (marketing communications, before/after image sharing)
  • Necessity for the establishment or performance of a contract (appointment, treatment service)
  • Express provision by law (health legislation)
  • Protection of public health and medical diagnosis (for health data processing, under the applicable legislation)
  • Legitimate interest of the data controller (clinic security, internal audit — provided this does not prejudice your fundamental rights and freedoms)

6. Retention Periods

Your personal data is destroyed once the purpose of processing has ceased or the statutory retention period has expired. The retention periods we apply are as follows:

Data CategoryRetention PeriodLegal Basis
Medical records, anamnesis, examination notes10 yearsTRNC health legislation, medical record retention obligation
Surgical procedure and consent forms10 yearsMedical legislation + limitation period for potential legal disputes
Invoice and accounting records10 yearsTax legislation
Contact form / WhatsApp correspondence2 yearsLegitimate interest, internal audit
Appointment records (non-patient)1 yearOperational need
Website cookiesVaries by cookie typeSee Cookie Policy
CCTV recordings30 daysLegitimate interest, security
Marketing communication consentsUntil consent is withdrawnExplicit consent

Data for which the statutory retention period has expired is destroyed by one of the disposal, erasure, or anonymisation methods prescribed under the applicable legislation.

7. Transfer of Personal Data

Your personal data may be transferred to third parties only to the extent required by the purposes of processing and within the limits set out below:

7.1 Domestic Transfers

  • Contracted laboratories and imaging centres: To obtain test results (only the relevant patient data).
  • Payment providers: For invoicing and collection purposes (card details are not stored directly in Nis Clinic systems; a PCI-DSS-compliant provider is used).
  • Independent accounting and legal advisers: Under a confidentiality obligation, with only the necessary data shared.
  • Official authorities: Where legally required (court order, health inspection, public prosecutor's request).
  • Medical tourism organiser: Only with the explicit consent of the patient travelling from abroad, for the purposes of transfer, accommodation, and process coordination.

7.2 International Transfers Your personal data will not be transferred abroad without your explicit consent. Where website analytics tools or cloud infrastructure providers have servers outside the European Union, transfers are made to countries providing adequate protection within the framework of the applicable legislation, or under contracts containing adequate protection commitments.

7.3 Before/After Clinical Images Photographs of treatment outcomes are used only with your separate and explicit written consent. Without such consent, they will not be published on any platform (website, social media, advertising).

8. Your Rights as a Data Subject

Under the TRNC Personal Data Protection Law, you have the following rights in respect of your personal data:

  1. To learn whether your personal data is being processed.
  2. To request information if your personal data has been processed.
  3. To learn the purpose of processing and whether it is being used in accordance with that purpose.
  4. To know the third parties to whom your data has been transferred, domestically or internationally.
  5. To request correction if your data has been processed incompletely or inaccurately.
  6. To request erasure or destruction within the conditions set out in the applicable legislation.
  7. To request that correction, erasure, or destruction be notified to the third parties to whom your data has been transferred.
  8. To object to a result that is to your detriment arising from the analysis of processed data exclusively by automated systems.
  9. To claim compensation for any loss you suffer due to unlawful processing of your data.

How to apply: To exercise your rights, you may send a request verifying your identity to [email protected], or apply in writing to the postal address above. Your applications will be concluded within a maximum of 30 days.

If your application is rejected or you find the response inadequate, you retain the right to lodge a complaint with the TRNC Personal Data Protection Authority.

9. Data Security Measures

We implement the following measures to protect your personal data against unlawful access, alteration, disclosure, destruction, or loss:

Technical measures: SSL/TLS encrypted data transmission, encrypted database backups, firewall, malware protection, role-based access controls, regular security updates, two-factor authentication (administrator accounts).

Administrative measures: Staff confidentiality agreements, periodic data protection training, data protection compliance internal audit, data breach response plan, physical access restrictions, logging and record-keeping systems.

Data breach notification: In the event of a possible data breach, the relevant authorities will be notified and, where the breach affects you, you will be informed as soon as possible.

10. Children's Personal Data

Our website is not directed at persons under the age of 18. Registration of minor patients is carried out with the written consent of a legal representative. If we become aware that we have received data relating to a person under 18, we will delete that data unless we have obtained consent from their legal representative.

11. Policy Updates

This Privacy Policy may be updated in line with changes to our services or applicable legislation. The current version is published on this page with a "last updated" date. You may be notified by email to your registered address in the event of significant changes.

Your continued use of the website constitutes acceptance of the updated policy.

12. Contact

For any questions, comments, or requests regarding this Privacy Policy:

  • Email: [email protected]
  • Telephone: +90 548 899 0808
  • Post: Nis Clinic, Ulus Sokak No:9, Gönyeli, Nicosia, Northern Cyprus (TRNC)

We will respond to your applications within 30 days.


Last updated: 24 June 2026. Please check this page periodically for any changes.

This document is for informational purposes only and does not constitute legal advice. Please consult a legal advisor for your specific situation. Current legislation is binding.

For any questions, you can reach us via our contact page.

CallBook Now