Personal data can be processed based on the following legal grounds:
- If explicit consent of the data subject is obtained.
- If processing is clearly proposed.
- If processing is mandatory for the protection of life or to prevent the physical injury of a person in cases where that person cannot express consent or whose consent is legally invalid due to physical disabilities.
- If processing is necessary for and directly related to the establishment or performance of a contract and limited to the personal data related to the parties therein.
- If processing is required for a data controller to fulfil its legal obligations;
- If the data is made manifestly public by the data subject.
- If processing is mandatory for the establishment, exercise, or protection of certain rights.
- If processing is compulsory for the legitimate interests of the data controller, provided that fundamental rights and freedoms of the data subject or any related person are not compromised.
Processing Sensitive Personal Data
The Law divides sensitive personal data into two categories:
- Personal data on health or sexual orientation; and
- “Other” sensitive personal data.
Personal data related to health or sexual orientation is protected more strictly than the other category, as the scope of the additional legal grounds for processing is very limited. Alongside the requirement to process data by obtaining the explicit consent of the data subject, personal data related to health or sexual data can only be processed by persons under an obligation of confidentiality, or by authorised institutions and establishments, for the protection of public health, protective medicine, medical diagnosis, treatment and care services purposes.
Other types of sensitive personal data can only be processed with the data subject’s explicit consent or if such processing is required by law.
In Turkey, processing sensitive data, especially health data, must be diligently handled. The processing of health data in different areas and for various purposes, including new technologies, quality services, pharmacovigilance or clinical trials, are areas where companies need to be careful in their data processing practices. Further, processing employee data must be diligently assessed and managed.