Why CureLink Doesn't Create a Compliance Problem — It Removes One

20/04/2026

GDPR, KVKK, and HIPAA apply to systems that process and store personal health data. CureLink doesn't. Here is why that distinction matters — and what it means for your institution's regulatory position.

The argument in one sentence

CureLink does not process or store patient data. It provides a secure interface to data that lives on your hospital's own servers — which means the compliance obligation stays exactly where it belongs: with the institution that controls the data, not the device in the OR.


The compliance question procurement teams are asking

When hospital procurement teams evaluate OR integration systems, one concern comes up consistently: "If we connect this to our PACS and surgical environment, does it create a GDPR, KVKK, or HIPAA exposure?"

It is the right question to ask. Any system that transmits, processes, or stores protected health information becomes a data processor under these frameworks — and that creates documentation requirements, audit obligations, and shared liability for the institution.

CureLink is architected specifically to avoid this scenario. Understanding why requires a brief look at how data actually moves — or doesn't — in a CureLink deployment.

How CureLink handles data, and why it matters

The distinction that defines CureLink's regulatory footprint is architectural, not procedural. It is not a policy choice. It is how the system is built.

Hospital server & data center: PACS images, surgical data, and all patient records remain on the hospital's own infrastructure at all times.

CureLink display & interface: CureLink provides a real-time access interface to that data inside the OR — it does not extract, copy, or re-process it.

Data boundary: Data does not leave the hospital environment. When remote collaboration occurs, it does so within the hospital's own controlled systems and consent framework.

This architecture has a direct regulatory consequence: because CureLink does not process or store personal health data, it does not become a data processor under GDPR, KVKK, or HIPAA. The compliance obligation — and the compliance infrastructure — remains with the hospital, where it already sits.

What this means for GDPR, KVKK, and HIPAA

Each of these frameworks is primarily concerned with systems that act as data processors or data controllers — entities that handle, transform, or store personal and sensitive health information. CureLink's design keeps it outside that definition.

GDPR (EU) — Regulation 2016/679

GDPR's obligations attach to data controllers and processors — entities that determine the purpose and means of processing personal data. Because CureLink does not independently process patient data, it does not introduce a new GDPR data processing relationship. Your hospital's existing GDPR compliance infrastructure — its DPO (Data Protection Officer), its data processing agreements, its access controls — covers the data. CureLink operates within that existing framework.

KVKK (TR) — Law No. 6698, Türkiye's Personal Data Protection Law

Türkiye's KVKK framework similarly focuses on data controllers and processors. CureLink's architecture — with all data remaining on hospital servers — means the institution's own KVKK compliance posture is not disrupted by CureLink's deployment. The data does not leave the hospital's controlled environment, and when any data transfer does occur, it happens within the hospital's own consent and governance framework.

HIPAA (US) — 45 CFR Parts 160 & 164

HIPAA's Business Associate requirements apply when a vendor creates, receives, maintains, or transmits PHI (protected health information) on behalf of a covered entity. CureLink does not meet this threshold — it provides an interface to PHI that remains under the hospital's direct control, rather than receiving or independently maintaining that data. For institutions with US affiliates or operating in HIPAA-governed environments, this architectural distinction significantly simplifies the vendor evaluation process.


The practical result for your institution

Deploying CureLink does not require your institution to:

  • Execute a new Data Processing Agreement (DPA) with CureVision under GDPR or KVKK — because CureLink does not act as a data processor.
  • Register a new Business Associate Agreement (BAA) under HIPAA — because CureLink does not receive or independently maintain PHI.
  • Extend your VERBIS registration scope (Türkiye) or update your EU Records of Processing Activities to include CureLink as a processor.
  • Conduct a Data Protection Impact Assessment (DPIA) for CureLink as a new processing activity — your hospital's existing DPIA framework already covers the underlying data.

In practical terms: your compliance team's workload does not increase because of CureLink. Your hospital's existing data governance infrastructure covers the data. CureLink stays within it.

CureLink vs. cloud-based OR platforms: the key difference

Consideration            | Cloud-based OR platforms                      | CureLink
-------------------------|-----------------------------------------------|---------------------------------------------
Data location            | External cloud servers, often multi-region    | Hospital's own servers & data center
Data processing          | Vendor processes data independently           | No independent processing — interface only
GDPR / KVKK status       | Vendor = data processor → DPA required        | Hospital remains sole controller → no new DPA
HIPAA status             | Vendor = Business Associate → BAA required    | No BAA required — PHI stays with hospital
Data leaving hospital    | Yes — by design                               | No — by design
Compliance burden added  | Additional documentation                      | No additional burden


What this means for procurement and compliance teams

When evaluating OR integration platforms, the compliance question is not just "does this vendor claim to be compliant?" — it is "does adding this vendor to our environment create new obligations?"

With cloud-based systems, the answer is almost always yes: new data processing agreements, new audit scope, new vendor risk assessments. With CureLink, the architecture eliminates this category of concern. The data stays where it is. The compliance framework your institution already has in place continues to govern it.

For hospital procurement teams working across EU, Türkiye, and US regulatory environments — simultaneously — this is a meaningful operational advantage. One less vendor in your data processing chain. One less agreement to maintain. One less audit scope to manage.

That is not a compliance claim. It is a design choice — and it was intentional.

Want to understand how CureLink fits your institution's compliance framework?

Our technical team can walk through the architectural details and help your IT and compliance teams confirm exactly where CureLink sits within your existing data governance structure.

This article is provided for informational purposes only and does not constitute legal advice. Regulatory obligations vary by jurisdiction and institutional context. CureVision recommends that institutions consult qualified legal and compliance professionals when evaluating their specific regulatory requirements. The architectural descriptions above reflect CureLink's standard deployment model — institutions should confirm specific implementation details with CureVision's technical team.