Turkey: Regulation of the conditions for data processing in the lifesciences sector

Turkiye

The Regulation on the Processing and Maintenance of the Privacy of Personal Health Data (“Regulation”) was published in the Official Gazette and entered into force on 20 October 2016. The Regulation is based on the Law on the Protection of Personal Data (“DPL”) of 7 April 2016, which empowers the Ministry of Health to issue such regulations and communiqués regarding the processing and safety of personal health data.

Purpose of the Regulation

The Regulation sets forth rules and principles for the collection, processing and transfer of personal health data and for notifications to the Ministry of Health regarding the security and inspection of the personal health data registry system and the actions of the relevant healthcare personnel.

Scope of the Regulation

Although the Regulation does not cover all health data processors, it does specifically regulate (i) health service providers, (ii) individuals whose personal health data is processed, (iii) individuals and legal entities who provide data processing systems to healthcare service providers, and (iv) individuals and both public and private law legal entities that legally process personal health data.

Processing of Health Data

In contrast to the DPL, the Regulation requires the explicit consent of the data subject to be provided in writing in order for his/her personal health data to be processed. However, at the same time the Regulation sets forth that such data may be processed without a consent provided that it is anonymized.

On the other hand, personal health data may be processed and transferred without the data subject’s explicit consent for the purposes of protecting public health, implementing preventive medicine, making medical diagnoses and providing treatment and care services. Accordingly, personal health data shall be transferred to public bodies through a protocol determining the procedure and other necessary elements of the transfer.

Furthermore, the Regulation introduces two (2) systems, namely the Central Health Data System and the Personal Health Record System. The Central Health System requires healthcare service providers to record personal health data onto the system whereas the Personal Health Record System allows individuals to manage and have access to their own personal data by creating a user account.

Conclusion

The Regulation governs detailed information regarding the processing and transfer of personal health data. However, the practical aspects of data protection legislation remain unclear due to a lack of relevant secondary legislation at this stage.