Update: Rules for Processing Health Data in Turkey


Controversial Regulation on Processing of Health Data has been recently amended

Following the Law on Protection of Personal Data (“Law”) dated April 7, 2016; the Ministry of Health (“MoH”) issued the Regulation on the Processing of Health Data and the Maintenance of Privacy (“Regulation”) on October 22, 2016 which was heavily criticized due to its various provisions contradicting with the Law and introducing burdensome obligations beyond the Law.

Actions were brought before the Council of State and on July 6, 2017, and the Council of State rendered its decision and stopped the execution of the Regulation. Upon stay of execution decision, on November 24, 2017, the MoH issued the Amendment on the Regulation (“Amendment”).

The Amendment mostly clarifies the inconsistencies and removes the burdensome obligations created with the Regulation as expected. Further revisions are made to determine the sole authority of the Board for data protection matters, claims and breaches.

How to Process Health Data?

With regard to health data, explicit consent remains to be the basis for processing which is coupled with information obligation in parallel with the Law. In addition adequate measures that the Personal Data Protection Board (“Board”) will issue must be also taken into account by processors. It is worth repeating here that the consent must be related to a specific subject, informative and, explained by free will of the individual. To clarify there is no need to obtain written consent to this effect and there is no formation obligation on how to obtain the explicit consent but as known, the burden to prove is on the processor, not on the data subject. While obtaining the consent the data subject must be informed of the details of the process together with its rights as imposed by Law.

The conditions stated under the Law for processing health data without a need for consent remains to be the same under the Amendment. Health data can only be processed, without consent of the data subject, by the people or institutions and organizations that under the obligation of confidentiality and only for the purposes of protecting the public health, preventive medicine, medical diagnose, performing the services of treatment and care, planning and managing the health services and its financing.

In other cases, health data can be processed once the data subject is informed as per the Law and explicit consent is duly obtained.

How to Transfer Health Data?

The conditions stated under the Law (Articles 8 and 9) for transfer of data are applicable to transfer of health data under the Amendment.

In the absence of consent or in cases where transfer of data does not fall within any of the conditions stated under the Law, the data can be transferred upon anonymization. For transfer of health data abroad, countries having adequate level of data protection are not yet listed by the Board as of today thus for transfer of health data abroad, explicit consent is required to be obtained or in other cases where there is no consent but there are conditions to transfer without a need for consent, it is required to obtain a permit from the Board and data processors must undertake to provide adequate level of protection in writing.

What Constitutes Health Data?

There is no guidance under the Amendment as to what constitutes health data. Health data is defined to be health information attributable to a person or an identifiable person under the Regulation. It is treated as a personal data of special nature by Law. Personal data related to health may include any information or record for provision of healthcare services or data derived from tests or samples. In this concept one can ask if burned calories or steps counted by a smart phone be classified as health data.

Considering that new technologies already play a major part in healthcare sector and new tools will be more in place for e-health services in coming days, what constitutes health data and how such data will be processed and transferred abroad is a substantial issue for data controllers dealing with process of health data.