Insights
Lawful Data Processing
Processing Personal Data Personal data can be processed based on the below specified legal grounds: If explicit consent of the data subject is obtained; If processing is clearly proposed under the laws; If processing is mandatory for the protection of life, or to prevent the physical injury of a person, in cases where that person cannot express consent, or whose consent is legally invalid due to physical disabilities; If processing is necessary for and directly related to… »
Transfer of Personal Data to Third Party
Sensitive and non-sensitive personal data may be transferred to third parties if the data subject’s explicit consent is obtained or if one of the additional legal grounds is applicable for such transfer. The Data Protection Law does not define a third party; therefore, any individual or entity (other than the data controller and the data subject) may be considered a third party. This creates a problem, especially about transfers between data controllers and data processors… »
Transfer of Personal Data Abroad
Sensitive and non-sensitive personal data can be transferred abroad with the data subject’s explicit consent. Other legal grounds also apply to transferring personal data to a foreign country. The destination country must have “sufficient protection” to conclude the transfer abroad based on legal grounds other than explicit consent. The Board is expected to determine a list of jurisdictions that provide sufficient protection. The Board has confirmed that they have been… »
Data Breach Notification
The Data Protection Law requires data controllers to notify the relevant data subject and the Board as soon as possible when being made aware of such data breach. In its decision dated January 24, 2019 and numbered 2019/9, the Board clarified the rules and procedures to be applied in data breach incidents. The Board takes the GDPR approach in terms of timing of breach notifications, and clarified that the term of “as soon as possible” within the Data Protection Law must be… »
Data Controllers’ Registry (VERBIS)
According to Article 16 of the Data Protection Law, an obligation to register in the Data Controllers Registry has been introduced for data controllers. In 2018, the Board issued decisions granting exemptions from registration obligation to certain professional groups, associations, and political parties. The Board also granted a general exemption to local data controllers that have less than 50 employees, and actively less than TRY 25 million on their balance sheets. Data… »
Consequences of Data Breach
The Data Protection Law envisages both administrative fines and criminal liability. With regard to criminal penalties, the Data Protection Law refers to the relevant provisions of the Turkish Criminal Code that detail sanctions for the unlawful recording, or disclosing, or transferring of personal data. In addition to criminal sanctions, the Data Protection Law also contains provisions detailing administrative fines that are to be applied in the event of a breach. There are… »
Judicial Review of Board Decisions
The Data Protection Law does not include an explicit provision concerning the appeal process of Board decisions imposing administrative fines; however, it is accepted that criminal courts of peace are the authorized courts pursuant to Law No. 5326 on Misdemeanours dated 30/3/2005 since the title of Article 18 of the Data Protection Law is “Misdemeanours,” and administrative fines are issued as per Article 18 of the Data Protection Law. Having this in mind, decisions imposing… »
Planned Amendments to the Data Protection Law
Processing Sensitive Personal Data Proposed amendments to the Data Protection Law, which have been drafted by the DPA and which introduce some modifications to certain disputed provisions of the Data Protection Law, have been presented for the related institutions and organisation’s consideration. Articles proposed to be amended are Article 6, regulating the legal grounds for processing sensitive personal data and Article 9, regulation transfer of personal data abroad. Under… »
Draft Guidelines on Cookies Applications
The DPA prepared draft guidelines (“Guidelines”) on January 11, 2022, explaining cookies and practical advice for data controllers who process personal data through cookies. The Guidelines was published on the official website of the DPA on January 11, 2022, to gather views on the same. Within the scope of the Guidelines, which is still at the draft stage, cookies in general and their types are regulated. It also categorises cookies based on their timeframe, intended purpose… »
Pricing of Pharmaceuticals and the Fixed Exchange Rate
Pharmaceutical prices in Turkey have always been one of the most controversial issues. The prices of medicines that are to be marketed are set in accordance with the Decision on Pricing of Human Medicinal Products (“Decision”) and the Communiqué on the Pricing of Human Medicinal Products (“Communiqué”) of 29 September 2017, issued by the Ministry of Health (“MoH”), which is vested with the competencies to regulate this area. The Decision provides for a reference pricing… »
Market Access-Reimbursement Agreements
For an extended period, the pharmaceuticals industry needed a unique model of reimbursement where its conditions could be set together through negotiation with the SSI, and the regular price and reimbursement rules did not apply for innovative products. With the enactment of the Social Security and General Health Insurance Law numbered 6552 in September 2014, alternative reimbursement models also became an essential topic in the Turkish healthcare industry. The complementary… »
Patient Support Programs
An obligation for marketing authorisation holders to apply to the TITCK and obtain permission for training and support programs for patients/healthcare professionals for the rational use of drugs was regulated via Circular numbered 2016/4 dated March 14 2016, published by the TITCK. With the program, the marketing authorisation holder signs a contract with an organisation that has been licensed within the framework of the “Regulation on the Delivery of Home Care Services” to… »