Processing of personal data is of the utmost importance for pharmaceutical companies for their operations, which are highly dependent on collecting, classifying, and analyzing personal data of patients, physicians, and other healthcare professionals.

The DP Code and Its Application to Pharmaceutical Companies

OVER the last decade, the Turkish Grand National Assembly made repeated attempts to enact a data protection law, but only found success after final ratification of a longstanding treaty. Signed in 1981, Turkey finally approved the ratification of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Convention 108") on February 18, 2016, which ultimately led to passage of the Personal Data Protection Code[1] ("DP Code") on March 24, 2016. The DP Code became fully effective in its entirety on October 7, 2016 following the end of the grace period in relation to the enforcement certain provisions.

The DP Code was largely based on Directive 95/46/EC[2] of the European Parliament and the Council of the European Union (“Directive”), although it has certain deviations from the Directive. The DP Code allows processing of personal data only in accordance with the principles and procedures set out under the DP Code and other applicable legislation. It defines personal data as “any information relating to an identified or identifiable natural person.” Within the context of the DP Code, personal data includes personal information, such as name, surname, photograph, phone number, resume, criminal records, and medical records of a natural person.

The processing of personal data includes any operation that is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or blocking its use, wholly or partly, by automatic means or by means other than automatic means, which form part of a filing system. Storage and use of data relating to customers, patients, healthcare professionals, or employees, which constitute a significant part of a pharmaceutical company’s operations, are likely to fall within the scope of processing of personal data under the DP Code. Therefore, pharmaceutical companies must implement necessary measures in order to comply with the principles and procedures set forth under the DP Code while conducting their daily operations.

Obligations Imposed by the DP Code

In order to identify the obligations imposed upon the pharmaceutical companies, the position of these companies under the DP Code must be evaluated. The DP Code defines a data controller as a “natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.” Based on this definition, pharmaceutical companies are likely to be considered data controllers for the personal data that they collect, store, and use within the scope of their daily activities and thus will be primarily obliged to take technical and administrative safety precautions to prevent unlawful access, processing, and preservation of personal data.

Consent Requirement and Exceptions to This Requirement

According to the DP Code, personal data may only be processed with a data subject's explicit consent. The definition of explicit consent is not explained in detail, and the DP Code only refers to a freely expressed consent on a specific and informed subject. However, E.U. implementation has made it clear that in order for consent to be valid, it must be freely given, informed, specific, unambiguous, and explicit.

Pharmaceutical companies should obtain the consent of data subjects (employees, healthcare professionals, patients, etc.) in order to process their data if the purpose for processing the data does not fall under one of the exceptions stipulated under the DP Code. With that said, the exceptions to the DP Code where explicit consent of the data subject is not required, are as follows:

It is explicitly permitted by law

Personal data (especially of healthcare professionals) processed by pharmaceutical companies would fall under the scope of this exception in the following cases: (i) the “value transfers” or “donations” as defined under the Regulation on Promotional Activities for Human Medicinal Products (“Promotion Regulation”);[1] (ii) scientific meetings or symposia organized by pharmaceutical companies as stipulated under the Promotion Regulation; (iii) patient or researcher data related to clinical trials sponsored by pharmaceutical companies as mentioned under the Regulation on Clinical Trials of Pharmaceutical and Biological Products;[2] or (iv) employee data covered by the Turkish Labor Code.[3]   

It is necessary to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent

Although not being directly linked to daily activities of pharmaceutical companies, this exception may come into play in cases where the data subject is receiving treatment at a hospital. Knowing the medical history or certain personal details of a patient is of crucial importance for a physician to diagnose and treat a patient; therefore, in such cases, there will be no need to obtain a separate consent of the data subject for processing of personal data. 

It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract

This exception concerns all of the personal data processed by a pharmaceutical company within the scope of its contracts; however, companies should be cautious regarding this exception because it relates only to data which is necessary for the execution or performance of a contract such as bank account details for payments or address details for delivery. This exception should not be interpreted or implemented in a way that exceeds its purpose.

 It is necessary for compliance with a legal obligation to which the controller is subject

The difference between this exception and the exception regarding explicit permission by law mentioned above is not clear under the DP Code. The source directive does not include such a distinction, and therefore it is very hard to comment on how these two different exceptions will be implemented in practice. Only the future will tell how these different exceptions will be applied moving forward. Until then, we assume that this exception may be applied in cases where the relevant laws do not directly refer to the recording of personal data, but such processing is still necessary (maybe indirectly) in order to comply with obligations under the law. The drafters of the legislation offer the processing by employers of the bank account details of employees for payment of their salaries, or the family-related information of employees for fulfilling their duties under the social security laws, as examples that may be considered to fall within this exception for the employer. 

The relevant information is revealed to the public by the data subject herself/himself

This exception will apply for personal data which may be found in the public domain or which is revealed by the data subject to the pharmaceutical company himself/herself.

It is necessary for the institution, usage, or protection of a right

This exception may be applied in case of an action filed by one of its employees against the company. The company will be allowed to use personal data of that employee in order to defend itself in such action.

It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed

Under this exception, the company must be extremely cautions and analyze the balance between its own legitimate interest in processing the relevant personal data and the fundamental rights and freedoms of the data subject . For example, processing personal data of officials of the Turkish Medicines and Medical Devices Agency for a GMP audit or regular official contact purposes may fall under the scope of this exception as long as the processing does not extend beyond the intended purpose. In addition, data processed within the scope of Compassionate Use programs such as details of the relevant healthcare professionals applying this program and details related to treated patients (to the extent data that is reasonable and not going beyond its purpose is processed) may also fall under this exception considering that the benefit in processing personal data in this specific case is likely to outweigh the fundamental rights and freedoms of the data subjects.  

Processing Requirements

Companies should keep in mind that the general processing requirements under the DP Code are applicable even if the processing of personal data is allowed through consent of the data subject or through one of the above mentioned exceptions. According to the principles of processing personal data under the DP Code, personal data must be: (i) processed fairly and lawfully; (ii) accurate and up to date where necessary; (iii) processed for specific, explicit, and legitimate purposes; (iv) be adequate, relevant, and not excessive in relation to the purposes for which they are processed; and (v) retained until necessary for the purposes for which they are processed or envisaged under the applicable law.

Informing the Data Subject

Additionally, the DP Code requires data controllers to inform the data subjects when their data is processed. This requirement will apply even if the processing of personal data is allowed through the consent of the data subject or through one of the above mentioned exceptions. It is very important for the pharmaceutical companies to acknowledge this obligation to inform the data subjects. Pharmaceutical companies should also keep in mind that even if they are processing personal data under one of the exceptions above, they should inform the data subjects each time regarding: (i) the identity of the data controller and its representative; (ii) the purpose, means, and lawful purpose of processing; and (iii) to whom and for what purpose the processed data may be transferred.

Moreover, data controllers are also obliged to inform data subjects of their other rights specified under the DP Code which are: (a) to learn whether any of their personal data is processed, and if so, to request information on details of the processing; (b) to learn the purpose of processing and whether the data is relevant to the purposes for which they are processed; (c) to request information on the third parties to whom the data is transferred within and outside of Turkey; (d) to request rectification of the processed data, in the event that the data is not processed properly; (e) to request deletion and destruction of the personal data as per the conditions under the DP Code; (f) to request to inform third parties on any rectification deletion or destruction conducted upon data subject’s request; and (g) to claim compensation for any damage that occurred as a result of the unlawful processing of personal data.

Registration with the Registry for Data Controllers

The DP Code stipulates that all data processors must register with the registry of data processors prior to processing data.[4] When this registry is established, pharmaceutical companies processing personal data will need to be registered with the registry as a data processer. The details of the registry for data controllers will be further clarified via secondary legislation to be enacted.[5] However, such secondary legislation has yet to be issued.

The Processing of Personal Health Data

While the secondary legislation in relation to the implementation of the DP Code has yet to be issued, the Ministry of Health has issued the Regulation on the Processing and Protection of Privacy of Personal Health Data (“Health Data Regulation”).[6] Among others, the Health Data Regulation is applicable to public institutions and other natural persons or legal entities, including pharmaceutical companies, which process personal health data. The Regulation defines personal health data as “any health information relating to an identified or identifiable natural person,” which will cover patient data within the scope of the adverse event notifications or clinical trials sponsored by pharmaceutical companies.

Certain provisions of the Health Data Regulation have been subject to administrative lawsuits with the request of postponement and cancellation of application of the regulation, and the administrative courts have postponed the implementation of some provisions. However, these provisions have been amended by way of a new regulation, and the Health Data Regulation is essentially a repetition of the DP Code after this amendment in relation to the topics that it covers.

Most importantly, the above mentioned exceptions are not applicable to health data, and therefore, health data cannot be processed without the consent of the health data owner. The only exception to this rule is that health data can be processed without the explicit consent of the data owner by authorized institutions or persons under a confidentiality obligation only for the protection of public health, the operation of preventative medicine, medical diagnosis, treatment and care services, planning and management, and financing of health services.[7] Whether pharmacovigilance activities of pharmaceutical companies to fulfill their obligations imposed on them under the pharmacovigilance regulations and guidelines will be deemed to fall under this exception is yet to be clarified by the Ministry of Health and the Personal Data Protection Board, and the governmental authorities should consider the position of pharmaceutical companies carefully to avoid discrimination between the governmental institutions and pharma companies that also fulfills the public health protection duty with respect to pharmacovigilance.