On April 7 2016 the long-awaited Law on the Protection of Personal Data was published in the Official Gazette. While many of the law's provisions came into effect on the publication date, the implementation of some key provisions has been postponed until six months after publication.
The Law on the Protection of Personal Data establishes the framework for a central data protection regime, which Turkey had been lacking, and clarifies many areas of uncertainty regarding issues of collection, processing and transfer of personal data. Although the law addresses certain areas of uncertainty, important questions remain. This is mostly because the Turkish Data Protection Authority is yet to be established and there is a lack of secondary regulation to provide further guidance on implementation.
While the law itself will have broad effect across multiple industries, it raises particular concerns for the healthcare industry.
Before the enactment of the new law, the protection of personal data in Turkey was governed primarily by a single article of the Constitution and the relevant measures in the Criminal Code.
While the general right to the protection of personal data is included in Article 20 of the Constitution, the wording of that article creates a degree of uncertainty regarding the implementation of this right. Primarily, the fact that the term 'person' had not been clarified led to differences in interpretation as to whether the right to the protection of personal data also applied to legal persons. This variation in interpretation led to issues with implementation, particularly for processes such as obtaining the consent of healthcare industry stakeholders for the disclosure of charitable donations or general transfers of value.
Further, as Article 20 of the Constitution and the relevant provisions of the Criminal Code provided only basic guidance on obtaining consent and processing personal data (the violation of which could result in a prison sentence), some multinational companies were unwilling to engage in data processing activities that were more common in other jurisdictions, such as the European Union.
On the other hand, the fact that no further legislative or regulatory measures detailed the implementation of this right or clarified the security and protection measures to be applied to personal data led to concerns relating to the scope of protection afforded to data being processed. These concerns were evident in some of the underlying criticisms of projects implemented by different state institutions that involved the collection and processing of personal data. The criticisms also focused on the fact that essential areas, such as the obligations of data controllers, the clarification of security measures and the notification of data breaches, had not been defined.
The new Law on the Protection of Personal Data addresses many of these areas of uncertainty.
Importantly, the law clarifies the notion that 'personal data' is a term that applies only to real persons. As stated above, due to a lack of legislative measures or explanatory regulations there were differences in implementation when approaching healthcare organisations and institutions to obtain consent for the disclosure of value transfers. As the scope of the law is clearly meant to apply to real persons, the interpretation is that information relating to legal persons should not be considered within the scope of personal data.
While the clarification provided by the new law is useful, due to regulatory measures governing the mandatory disclosure of value transfers to the Turkish Pharmaceutical and Medical Device Agency (TITCK), separate conditions apply to the disclosure notifications to the TITCK. According to the relevant regulation, pharmaceutical companies must obtain written consent for disclosure from both healthcare professionals and healthcare organisations in order to make a value transfer. The requirement to obtain written consent from healthcare organisations is still in force and is not affected by the Law on the Protection of Personal Data.
The Law on the Protection of Personal Data also defines 'personal data of a special nature', which includes personal data relating to race, ethnicity, health, sex life and biometric data. The relevant provision states that such data can be processed only if sufficient safeguards – to be determined by the newly established Turkish Data Protection Authority – are applied to the processing of such data. Further, the exceptional situations in which such data may be processed without obtaining the consent of the data subject have been severely limited. In fact, the only exception relating to health and sex life data is if such data is processed by parties bound by the duty of confidentiality for the purposes of protection of public health or the provision of medical, diagnostic and treatment services. This means that parties that fall outside the scope of this exception can process health-related data only if they obtain consent for processing. Thus, an additional consideration relating to data protection and consent has been imposed on a subset of data that may be used regularly by companies operating in the life sciences industry.
These provisions are imposed on all parties – both private sector and public bodies. Combined with the fact that the Law on the Protection of Personal Data also establishes a more extensive framework of penalties that can be imposed on private companies and public officials, some of the concerns regarding a lack of appropriate protection or redress for processing involving sensitive data have been addressed.
Further, the Law on the Protection of Personal Data also contains areas of exception where it does not apply. With regard to data processes that are commonly utilised within the pharmaceutical and medical device sector, the most relevant exception is included in Article 28(1)(b) of the law. This states that the law does not apply to data processing where personal data is made anonymous and processed for purposes such as research, planning or statistical analysis. Therefore, provided that the personal data used for these processes is made anonymous in accordance with the law, companies operating within the life sciences industry can conduct such activities without being bound by the obligations imposed on data controllers.
Hande Hancer & Bentley James Yaffe
This article first appeared in IAM. For further information please visit www.iam-media.com.