This year in Turkey, one of the most interesting pieces of legislation came from the Ministry of Health, when it published the “Regulation on the Processing of Personal Health Data and Maintenance of Privacy”. The Regulat ion introduced detailed provisions regarding the processing and transfer of personal health data, particularly in relation to the format of consent and the requirement for anonymisation before transfer. While the Regulation primarily contains measures that must be taken by healthcare service providers and other associated persons, there has been uncertainty regarding the scope of application of the Regulation.

The current wording of the provision detailing the scope of application is phrased in a way that includes all data subjects whose health data is processed and any data controller that may be processing personal health data pursuant to a legislative requirement. Particularly the latter category would include many parties that are not under the authority of the Ministry of Health, including all employers who process health data within the context of employee files that they must lawfully maintain. In light of the boundaries of the authority of the Ministry, arguments are being made that the regulation is intended to only to apply to healthcare service providers and other associated person. However, until further guidance is to be provided by the Ministry, uncertainty will remain about the scope and there will be differences in levels of application. The impact of the Regulation once again shows the necessity for the establishment of the Turkish Data Protection Authority, which was supposed to be formed by October 7, 2016. As the DPA has not yet been formed, there is a lack of both ancillary regulations and a body that can be petition for guidance regarding data protection issues.

We expect that these ambiguities will be clarified in 2017 with more guidance on application of the Turkish Data Protection Law as well as the Regulation. It is for sure that the business will be busier with an increase in compliance projects on data protection in general.

First published by The Oath, in 10.01.2016