Processing Sensitive Personal Data
Proposed amendments to the Data Protection Law, which have been drafted by the DPA and which introduce some modifications to certain disputed provisions of the Data Protection Law, have been presented for the related institutions and organisation’s consideration. Articles proposed to be amended are Article 6, regulating the legal grounds for processing sensitive personal data and Article 9, regulation transfer of personal data abroad.
Under Article 6 of the Data Protection Law, explicit consent of the data subject must be obtained for processing sensitive personal data. In respect of the legal grounds for processing personal data without obtaining explicit consent; while personal data relating to health and sexual life may be processed only for the purposes outlined in the Article and by authorised persons/institutions and organisations, other sensitive personal data may be processed without seeking explicit consent of the data subject, in the cases provided for by laws.
With the proposed amendment; the data included in the sensitive personal data category may be processed when processing (i) is clearly required by laws, (ii) is related to personal data made public by the data subject himself/herself, (iii) is mandatory for protection of the life or bodily integrity of a person, who is incapable of giving consent or whose consent is not legally valid, or of another person, (iv) is made by persons or authorised institutions and organisations, which are under confidentiality obligation, for the protection of public health, for conducting preventive medicine, medical diagnosis, treatment and care services, for planning and management of healthcare services and their financing, (v) is carried out for the establishment, exercise or protection of a legal right, (vi) is necessary to carry out the obligations in the field of employment, business and social security or social services, and finally (vii) is made by political parties, foundations, associations, unions or any other non-profit organisations or bodies, relating to their members on the condition that the processing relates solely to their activities and purposes, it is made in accordance with their regulations, and that personal data is not disclosed to third parties. As you may see, in case the proposed amendments are put into practice, significant changes will be made in the systematics of the current law having a dual approach in sensitive personal data, such as data relating to health and sexual life and other sensitive personal data.
With the referred amendment, which is planned to be introduced, broader legal grounds will be provided for processing sensitive personal data, yet the legal grounds are still limited compared to the GDPR structure regarding the conditions sought for processing data. For this reason, it would be appropriate to say that even if the current proposal is put into practice, the Data Protection Law will not still be in total harmony with the GDPR.