The protection of personal data (including personal health data) is regulated under Personal Data Protection Law (“DPL”) numbered 6698. The DPL provides legal reasons for the processing of personal data and for sensitive personal data (data relating to race, ethnic origin, political beliefs, philosophical beliefs, religion, denomination, or other faiths, clothing and attire, membership of an association, charity or union, criminal convictions, and security measures, as well as biometric and genetic data). Data processing conditions are more regulated and subject to the explicit consent of the data subjects, or such data may be processed if case processing is required by law. It must be noted that personal data relating to health or sexual orientation is protected more strictly than other sensitive data, as the scope of the additional legal grounds for processing is quite limited.
Personal data related to health or sexual data may only be processed with the explicit consent of persons under the obligation of confidentiality, or by authorized institutions and establishments for the purposes of protection of the public health, protective medicine, medical diagnosis, and treatment and care services.
Sensitive and non-sensitive personal data may be transferred to third parties if the explicit consent of the data subject is obtained, or if one of the additional legal grounds mentioned, above, is applicable for such transfer.
While the data protection legislation affects all companies located in Turkey, it poses some practical challenges to pharmaceutical and medical device companies that are collecting vigilance information and quality complaints and, as such, the gathering of information means that the company must sometimes directly interact with patients, collect and store information, and obtain their explicit consent for the processing, sharing, and transfer of the data abroad to their global companies. In the field of medicines and medical device promotion, interaction with physicians also entails data privacy concerns, and privacy rules must be followed.
In order to overcome the challenges faced by pharma companies, the Agency published the Guidelines on Protection of Personal Data in Pharmacovigilance Activities on 1 August 2019. The Guidelines state that no explicit consent is required for the processing of patient data reported by an adverse effect notification, regardless of whether the person making the adverse effect notification is a patient, healthcare professional or relative. Additionally, pursuant to the Guidelines, the persons under the confidentiality obligation stated in Article 6 of the DPL shall process adverse effect data without explicit consent for the protection of the public health and preventive medicine.
According to Article 6 of the DPL published in 2016, personal data related to health or sexual information may only be processed by persons under an obligation of confidentiality, or by authorized institutions and establishments, for the purposes of protection of public health, protective medicine, medical diagnosis, and treatment and care services.
The Guidelines do not refer to any consultation made with the Turkish Institution of Protection of Personal Data for the preparation of the Guidelines and, therefore, the Guidelines’ interpretation of Article 6 of the Data Protection Law has not been confirmed by the Institution of Protection of Personal Data as of the date of this paper.
Even though the Guidelines entered into force as of the date of its publication, the pharmaceutical industry awaits guidance from the Turkish Institution of Protection of Personal Data as to whether pharma companies may be defined as persons under an obligation of confidentiality, as this obligation shall be explicitly stated in a law and cannot be introduced through Guidelines.