On April 7 2016 the long-awaited Law on the Protection of Personal Data (the Data Protection Law) was published in the Official Gazette. While many of the Data Protection Law's provisions came into effect on publication, the implementation of a few important provisions has been postponed until six months after the publication date.
The Data Protection Law provides the framework for a central data protection regime, which Turkey previously lacked, and clarifies many uncertainties regarding the collection, processing and transfer of personal data. However, important questions remain, mostly due to a lack of secondary regulations and the fact that the Turkish Data Protection Authority has yet to be established.
While the Data Protection Law has a far-reaching effect across multiple industries, certain additional considerations have arisen for the healthcare industry. This update discusses its effects on the life sciences industry and the use of health data.
Before the enactment of the Data Protection Law, the protection of personal data in Turkey was governed primarily by reference to a single article of the Constitution and the relevant provisions of the Criminal Code.
Although the general right to personal data protection is defined in Article 20 of the Constitution, the wording of the article previously led to a degree of uncertainty regarding its implementation. Primarily, the fact that it does not define the word 'person' led to different interpretations of whether the right to personal data protection also applied to legal persons. This led to differences in implementation, particularly regarding processes such as obtaining the consent of healthcare industry stakeholders for the purposes of disclosure of charitable donations or general transfers of value.
Article 20 of the Constitution and the relevant provisions of the Criminal Code provide only very basic guidance on obtaining consent and processing personal data. Given that a violation in this regard could result in a prison sentence, multinationals have been unwilling to engage in certain data processing activities in Turkey that are more commonplace in jurisdictions such as the European Union.
Further, the fact that no additional legislative or regulatory measures existed to clarify the implementation of the right to personal data protection or the applicable security measures gave rise to concerns regarding the scope of data protection. These concerns were made evident in criticisms of projects implemented by different state institutions that involved the collection and processing of personal data. The criticisms focused on the fact that essential areas such as the regulation of data controllers, the obligations regarding security measures and the notification of data breaches were undefined.
The new Data Protection Law has addressed many of the above uncertainties.
Importantly, the law has clarified that 'personal data' is a term that applies only to real persons. As stated above, due to the lack of legislative measures or explanatory regulations, differences had emerged in the practice of approaching healthcare organisations and institutions in order to obtain consent for the disclosure of value transfers. As the scope of the law clearly encompasses only real persons, it can be interpreted that information relating to legal persons should not be regarded as personal data.
This clarification is useful; however, the regulatory measures governing the mandatory disclosure of value transfers to the Turkish Pharmaceutical and Medical Device Agency impose separate conditions on such disclosure notifications. As per the relevant regulation, pharmaceutical companies must obtain written consent for disclosure from both healthcare professionals and healthcare organisations in order to make a value transfer. The requirement to obtain written consent from healthcare organisations remains in force and is unaffected by the Data Protection Law.
The Data Protection Law also defines personal data of a special nature, including personal data relating to race, ethnicity, health and sex life, as well as biometric data. The law states that such data can be processed only if sufficient safeguards are applied to its processing. The safeguards will be determined by the new Turkish Data Protection Authority. Further, the exceptional situations in which such data may be processed without the consent of the data subject have been severely limited.
In fact, the only exception relating to health and sex-related data is where the data is processed by parties bound by a duty of confidentiality for the purpose of protecting public health or providing medical, diagnostic and treatment services. This means that health-related data can be processed by parties that fall outside the scope of the exception only if consent for processing is obtained. Thus, an additional consideration relating to data protection and consent has been imposed on a subset of data that may be used regularly by companies operating in the life sciences industry.
However, these provisions have been imposed on all parties – that is, both private and public-sector bodies. Combined with the fact that the Data Protection Law also establishes a more extensive framework of penalties that can be applied against private companies and public officials, some of the concerns regarding a lack of appropriate protection or redress for processing involving sensitive data have arguably been addressed.
Further, the Data Protection Law also specifies exceptions to its application. Regarding data processes that are commonly used in the pharmaceutical and medical device sector, the most relevant exception is the one listed under Article 28(1)(b), which exempts data processing where personal data is anonymised and processed for the purposes of research, planning or statistical analysis.
Therefore, on the condition that the personal data used for these processes is anonymised in accordance with the law, companies operating in the life sciences industry will be able to conduct the above activities without being bound by the obligations imposed on data controllers.
For further information on this topic please contact Hande Hancer or Bentley James Yaffe at Gün + Partners by telephone (+90 212 354 00 00) or email (firstname.lastname@example.org or email@example.com). The Gün + Partners website can be accessed at www.gun.av.tr.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.