Privacy Policy

Last Updated: 11/08/2025

Introduction

Magical Clinic, through the website Protesi-Peniena.it, is committed to protecting the privacy and personal data of its users. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and applicable Italian legislation.

This policy applies to all users of the Protesi-Peniena.it website and all patients who use our medical tourism services.

1. Data Controller

Data Controller:

  • Name: Magical Clinic
  • Address: Bahçelievler Mahallesi, E-5 Karayolu / Kültür Sok No:1, 34180 Bahçelievler/İstanbul, Turkey
  • Email: privacy@penileimplant.us
  • Phone: +90 531 912 5591
  • Website: penileimplant.us

Data Protection Officer (DPO):

2. What Personal Data We Collect

2.1 Identification and Contact Data

  • First and last name
  • Date of birth
  • Residential address
  • Phone number (landline and mobile)
  • Email address
  • Nationality
  • ID document/passport (when necessary for travel booking)

2.2 Health Data (Special Categories)

As a medical service provider, we process health data considered “special categories” under Art. 9 GDPR:

  • Medical history and anamnesis
  • Current medical conditions (erectile dysfunction, diabetes, hypertension, etc.)
  • Medications taken
  • Allergies and intolerances
  • Diagnostic tests and laboratory results
  • Medical reports and diagnostic images
  • Clinical notes and diagnoses
  • Details of surgical procedures performed
  • Post-operative recovery information
  • Data related to sexual life (strictly necessary for medical evaluation)

2.3 Financial Data

  • Payment details (credit card, bank transfer)
  • Billing information
  • Transaction history

Note: Credit card data is processed through PCI-DSS certified secure payment gateways. We do not store complete credit card data on our servers.

2.4 Navigation and Technical Data

  • IP address
  • Browser type and device
  • Operating system
  • Pages visited and time spent
  • Referral source (how you arrived at our site)
  • Cookies and similar technologies (see Cookie Policy)
  • Access logs and site usage

2.5 Communication Data

  • Content of emails sent and received
  • Online chat recordings
  • Call transcripts (if recorded and with your consent)
  • WhatsApp messages or other messaging channels

2.6 Images and Videos

  • Pre and post-operative photographs (only with explicit consent)
  • Demonstrative or educational videos (only with explicit consent)
  • Surveillance images in hospital facilities (for security purposes)

3. Legal Basis and Purpose of Processing

3.1 Contract Performance (Art. 6(1)(b) GDPR)

We process your data to:

  • Provide the requested medical consultation
  • Organize and manage your medical trip to Turkey
  • Perform penile prosthesis surgery
  • Provide pre and post-operative care
  • Manage hotel bookings, transfers, and ancillary services
  • Communicate with you regarding your treatment
  • Process payments and issue invoices

3.2 Explicit Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR)

With your explicit consent, we process health data to:

  • Assess your suitability for the procedure
  • Plan personalized medical treatment
  • Maintain your medical record
  • Provide post-operative medical follow-up
  • Send you marketing communications related to medical services (you can withdraw at any time)

3.3 Legal Obligation (Art. 6(1)(c) GDPR)

We process data to:

  • Comply with tax and accounting obligations
  • Respond to requests from competent authorities
  • Maintain medical records as required by Turkish and Italian law
  • Comply with health and pharmaceutical regulations

3.4 Legitimate Interests (Art. 6(1)(f) GDPR)

We process data to:

  • Prevent fraud and abuse
  • Ensure IT system security
  • Improve our services through anonymized statistical analysis
  • Defend our legal rights in case of disputes
  • Conduct direct marketing for similar services (if you are already a customer, with opt-out)

3.5 Protection of Vital Interests (Art. 6(1)(d) GDPR)

In medical emergency situations, we may process data to protect your life or that of others.

4. How We Collect Your Data

4.1 Directly from You

  • Contact forms and information requests on the website
  • Online consultation (video, chat, email)
  • Pre-operative medical questionnaires
  • Phone and WhatsApp conversations
  • During medical visits at the clinic
  • Documents you provide (reports, tests, identity documents)

4.2 Automatically

  • Cookies and tracking technologies on the website
  • Web server logs
  • Browsing behavior analysis

4.3 From Third Parties

  • Referring physicians or other healthcare professionals (with your consent)
  • Insurance companies (if applicable)
  • Travel service partners (hotels, transportation)
  • Medical testing laboratories

5. With Whom We Share Your Data

We do not sell or rent your personal data to third parties. We share data only when necessary:

5.1 Medical and Healthcare Staff

  • Urological surgeons
  • Anesthesiologists
  • Nurses and healthcare personnel
  • Other specialists consulted for your case

5.2 Service Providers (Data Processors)

  • Accredited hospitals and clinics in Turkey
  • Medical testing laboratories
  • Partner hotels
  • Transportation services (airport transfers)
  • Medical translators and interpreters
  • IT service providers (hosting, backup, CRM)
  • Secure payment gateways
  • Email marketing services (with consent)
  • Telemedicine platforms

5.3 Authorities and Legal Obligations

  • Tax authorities (for accounting obligations)
  • Health authorities (if required by law)
  • Law enforcement (by legal order)
  • Legal advisors (for rights defense)

5.4 International Data Transfers

Since our medical services are provided in Turkey (a non-EU country), your data will be transferred to and processed in Turkey. We ensure adequate protection through:

  • Standard Contractual Clauses (SCC) approved by the European Commission
  • Adequacy decisions (when applicable)
  • Appropriate data security safeguards
  • Security certifications of hospital facilities

All transfers are made in compliance with Art. 44-50 GDPR.

6. How We Protect Your Data

We adopt appropriate technical and organizational measures to protect your personal data:

6.1 Technical Measures

  • SSL/TLS encryption for all online communications
  • Database encryption for sensitive data at rest
  • Advanced firewalls and intrusion detection systems
  • Regular encrypted backups
  • Multi-factor authentication (MFA) for administrative systems
  • Constantly updated antivirus and anti-malware systems
  • Network segregation for sensitive medical data
  • Masking and pseudonymization when possible

6.2 Organizational Measures

  • Data access limited to authorized personnel only (need-to-know principle)
  • Mandatory GDPR training for all staff
  • Confidentiality agreements signed by all employees and collaborators
  • Strict password management policies
  • Security incident response procedures
  • Periodic security audits
  • Data Protection Impact Assessments (DPIA) for high-risk processing
  • “Clean desk” and “clear screen” policy

6.3 Physical Premises Protection

  • Controlled access to areas where medical records are stored
  • Locked cabinets for paper documents
  • Video surveillance systems in facilities
  • Secure destruction of documents no longer needed (cross-cut shredders)

7. How Long We Keep Your Data

7.1 Medical Data

  • Medical records: 10 years from date of last treatment (Turkish and Italian legal requirement)
  • Diagnostic images: 10 years
  • Informed consents: For entire duration of medical record retention

7.2 Administrative Data

  • Billing data: 10 years (tax obligation)
  • Contracts and legal documents: Contract duration + 10 years
  • Email correspondence: 5 years or until relationship closure + 2 years

7.3 Marketing Data

  • Newsletter data: Until consent withdrawal or 2 years of inactivity
  • Marketing cookies: Maximum 12 months

7.4 Navigation Data

  • Server logs: 12 months
  • Anonymized statistics: Retained indefinitely (not identifiable)

Upon expiration of retention periods, data is deleted or irreversibly anonymized.

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

8.1 Right of Access (Art. 15 GDPR)

You have the right to obtain:

  • Confirmation that we are processing your data
  • Copy of your personal data
  • Information about processing (purposes, categories, recipients, retention period)

How to exercise: Send your request to privacy@penileimplant.us

Response time: 30 days (extendable to 60 in complex cases)

8.2 Right to Rectification (Art. 16 GDPR)

You have the right to correct inaccurate or incomplete data.

Example: Update address, phone number, correct errors in medical history

8.3 Right to Erasure – “Right to be Forgotten” (Art. 17 GDPR)

You can request deletion of your data when:

  • No longer necessary for purposes
  • You withdraw consent and no other legal basis exists
  • You object to processing
  • Data has been unlawfully processed

Limitations: We cannot delete data if necessary to:

  • Comply with legal obligations (e.g., 10-year medical record retention)
  • Defend legal rights in court
  • Public interest reasons in the health sector

8.4 Right to Restriction (Art. 18 GDPR)

You can request restriction of processing when:

  • You contest data accuracy (for time needed for verification)
  • Processing is unlawful but you don’t want erasure
  • We no longer need data but you need it for legal defense
  • You exercised right to object (pending verification)

8.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in structured, commonly used, machine-readable format (e.g., CSV, PDF) and transmit it to another controller.

Applies to: Data provided by you based on consent or contract and processed automatically.

8.6 Right to Object (Art. 21 GDPR)

You have the right to object at any time to processing based on legitimate interest, including direct marketing.

Direct marketing: You can object free of charge by clicking “unsubscribe” in emails or contacting us.

8.7 Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce significant effects.

Note: We do not currently use fully automated decision-making processes for medical evaluations.

8.8 Right to Withdraw Consent

You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

How to withdraw:

8.9 Right to Lodge a Complaint

If you believe our data processing violates GDPR, you have the right to lodge a complaint with:

Italian Data Protection Authority (Garante per la Protezione dei Dati Personali):

Or the supervisory authority of your EU country of residence.

9. Minors

Our services are intended exclusively for adults (18+ years). We do not knowingly collect personal data from minors under 18. If we become aware of having collected data from a minor, we will promptly delete it.

10. Cookies and Tracking Technologies

Our site uses cookies and similar technologies. For detailed information, consult our separate Cookie Policy.

Cookie Categories Used:

  • Strictly Necessary Cookies: Essential for site functionality (e.g., security, cart)
  • Performance Cookies: Traffic analysis (Google Analytics with IP anonymization)
  • Functionality Cookies: Save preferences (language, settings)
  • Marketing Cookies: Targeted advertising (with consent)

Cookie Management: You can manage preferences via cookie banner or browser settings.

11. Links to Third-Party Sites

Our site may contain links to third-party websites (partners, social media, medical resources). We are not responsible for the privacy practices of these sites. We invite you to read their privacy policies.

12. Social Media

We use social sharing buttons (Facebook, Instagram, YouTube). When you click these buttons, the social network may collect data about your visit.

If you interact with us on social media, your communications are subject to those platforms’ privacy policies.

13. Marketing and Newsletter

13.1 With Explicit Consent

If you subscribe to our newsletter or consent to receive marketing communications, we will send:

  • Information about new medical services
  • Special offers and promotions
  • Educational content on male sexual health
  • Clinic updates

13.2 Soft Opt-In (Existing Customers)

If you are already our patient, we may send you marketing about similar services (e.g., follow-up, complementary services) based on our legitimate interest, with opt-out option at any time.

13.3 How to Unsubscribe

14. Data Breaches

In case of a personal data breach involving risk to your rights and freedoms:

  • Authority Notification: We will notify the Privacy Authority within 72 hours of discovery
  • Individual Notification: We will inform you without undue delay if the breach involves high risk
  • Mitigation Measures: We will immediately adopt measures to mitigate risks

15. Changes to This Policy

We reserve the right to modify this Privacy Policy at any time. Substantial changes will be communicated through:

  • Prominent notice on website
  • Email to registered users
  • Information banner on first visit after modification

Check this page regularly for updates. The date of the last update is shown at the top of this page.

16. Contacts and Requests

To exercise your rights, ask questions, or raise privacy concerns:

Response Times: We will respond to all requests within 30 days (extendable to 60 for complex requests, with communication of delay reason).

17. Certifications and Compliance

✓ GDPR Compliant (EU Regulation 2016/679)
✓ Italian Privacy Code Compliant (Legislative Decree 196/2003 updated)
✓ Partner hospitals JCI (Joint Commission International) certified
✓ PCI-DSS certified payment gateways
✓ 256-bit SSL/TLS encryption
✓ Servers located in ISO 27001 certified data centers

18. Glossary

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation on data (collection, recording, storage, modification, consultation, use, communication, deletion).

Data Controller: Magical Clinic, which determines purposes and means of processing.

Data Processor: Entity that processes data on behalf of the Controller (e.g., IT service providers, partner hospitals).

Data Subject: You, the natural person to whom personal data refers.

Consent: Free, specific, informed, and unambiguous indication of will.

Special Categories of Data: Sensitive data (health, sexual life, ethnic origin, religion, etc.) requiring enhanced protection.

Consent Statement

By using our website and services, you declare that you have read, understood, and accepted this Privacy Policy.

For processing of health data and other special categories, we require explicit consent through dedicated forms before proceeding with medical consultation or treatment.