On October 20, 2016, the Ministry of Health published the “Regulation on the Processing of Personal Health Data and Maintenance of Privacy.” The regulation introduced detailed provisions regarding the processing and transfer of personal health data, particularly in relation to the format of consent and the requirement for anonymization before transfer. While the regulation primarily contains measures that must be taken by health care service providers and other associated persons, there has been uncertainty regarding the scope of application of the regulation.
The current wording of the provision detailing the scope of application is phrased in a way that includes all data subjects whose health data is processed and any data controller that may be processing personal health data pursuant to a legislative requirement. Further it creates ambiguities with regard to transfer of health data abroad.
The impact of the regulation once again shows the necessity for the establishment of the Turkish Data Protection Authority, which was supposed to be formed by October 7, 2016. As the DPA has not yet been formed, there is a lack of both ancillary regulations and a body that can be petition for guidance regarding data protection issues. We expect that these ambiguities will be clarified in 2017 with more guidance on application of the Turkish Data Protection Law as well as the regulation.
First published by IAPP – Privacy Tracker in Jan 09, 2017.
Download PDF