The protection of personal data and personal health data is regulated under the Personal Data Protection Law (“DPL”) numbered 6698. The DPL provides that the general rule for the processing of personal data is that such data may only be processed with the explicit consent of the data subject.
As for sensitive personal data (data relating to race, ethnic origin, political beliefs, philosophical beliefs, religion, denomination or other faiths, clothing and attire, membership of an association, charity or union, health, sexual orientation, criminal convictions and security measures; and biometric and genetic data), these can only be processed with the explicit consent of the data subject. Personal data relating to health or sexual orientation is protected more strictly than other sensitive data, as the scope of the additional legal grounds for processing is very limited.
Personal data related to health or sexual data may only be processed with the explicit consent by persons under the obligation of confidentiality, or by authorized institutions and establishments for the purposes of protection of public health, protective medicine, medical diagnosis, and treatment and care services.
Sensitive and non-sensitive personal data may be transferred to third parties if the explicit consent of the data subject is obtained, or if one of the additional legal grounds mentioned above is applicable for such transfer.
While the data protection legislation affects all companies located in Turkey, it poses some practical challenges to pharmaceutical and medical device companies that collect vigilance information and quality complaints. Gathering this information means that the company must sometimes interact directly with patients, collect and store information, and obtain their explicit consent for the processing, sharing, and transfer of the data abroad to their global companies.
In order to overcome the challenges faced by pharma companies, the Agency published the Guidelines on Protection of Personal Data in Pharmacovigilance Activities on 1 August 2019. The Guidelines state that no explicit consent is required for the processing of patient data reported by an adverse effect notification, regardless of whether the person making the adverse effect notification is a patient, healthcare professional or relative. Additionally, pursuant to the Guidelines, the persons under the confidentiality obligation stated in Article 6 of the Data Protection Law shall process adverse effect data without explicit consent for the protection of public health and preventive medicine.
According to Article 6 of the Data Protection Law published in 2016, personal data related to health or sexual data may only be processed by persons under an obligation of confidentiality, or by authorised institutions and establishments, for the purposes of protection of public health, protective medicine, medical diagnosis, and treatment and care services.
The Guidelines do not refer to any consultation made with the Turkish Institution of Protection of Personal Data for the preparation of the Guidelines and, therefore, the Guidelines’ interpretation of Article 6 of the Data Protection Law has not been confirmed by the Institution of Protection of Personal Data as of the date of this paper.
Even though the Guidelines entered into force as of their publication, the pharmaceutical industry awaits guidance from the Turkish Institution of Protection of Personal Data as to whether pharma companies may be defined as persons under an obligation of confidentiality, as this obligation shall be explicitly stated in a Law and cannot be introduced through Guidelines.