EVALUATION ON THE GUIDELINES REGARDING PROCESSING OF GENETIC DATA

On October 13, 2023, the Turkish Data Protection Authority ("TDPA") announced the Guidelines on Issues to be Considered in the Processing of Genetic Data ("Guidelines") through an announcement on its website. It is underlined that the Guidelines "provide guidance for data controllers to process personal data based on the appropriate legal grounds and to fulfill their obligations under Law No. 6698 on the Protection of Personal Data".

The Guidelines include discussions on the technical and legal definition of genetic data, the lawful grounds for processing genetic data, the technical and administrative measures to be taken, and explanations on the European Union General Data Protection Regulation ("GDPR").

Within the scope of the Guidelines, genetic data is used in a broader sense than its technical meaning and is defined as "all or part of the information obtained from all DNA, RNA and Protein sequences encoded from the cell nucleus or mitochondria from the genome of the living being". Following the definition of genetic data by the TDPA in the Guidelines, the following issues are discussed separately:

  • Principles

In the Guidelines, it is stated that the following principles should be complied with in terms of the processing of genetic data, together with the general principles set out in Article 4 and the conditions set out in Article 6 of the Law No. 6698 on the Protection of Personal Data ("TDPL"):

  • Fundamental rights and freedoms remain untouched;
  • Genetic data processing is appropriate for the purpose to be achieved;
  • The genetic data processing method is necessary for the purpose to be achieved;
  • Proportionality between the goal to be achieved and the means of genetic data processing used to achieve it;
  • Keeping the processed genetic data only for the required period, and destroying the data without delay once the necessity disappears, in accordance with the personal data storage and destruction policy.

Particularly under the last principle, when assessing the minimum retention periods set out in domestic legislation on genetic data, it should be kept in mind that genetic data should be processed only for as long as necessary.

  • Data Controller and Data Processor

According to the Regulation on Genetic Diseases Evaluation Centers ("Regulation"), organizations that will operate to identify genetic diseases cannot operate without a license. Tests for the diagnosis and treatment of genetic diseases can only be performed by a licensed Genetic Diseases Evaluation Center, and only in cases of medical necessity or for medical purposes. Within this framework, the TDPA defines the real or legal person (Ministry, university, private law legal entity, etc.) to which the Genetic Diseases Evaluation Center is affiliated, which determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system, as the data controller.

In the Guidelines, providers of cloud systems where genetic data are stored are given as an example of a data processor. It is also reminded that even persons who do not perform any test or analysis with genetic data, but merely hold such data, should be considered data controllers or data processors within the framework of the TDPL.

  • Data Subject

When processing genetic data, it may be possible to process data not only of the data subject but also of other persons who have a genetic link with the data subject. For this reason, the Guidelines emphasize that the processing of genetic data of persons other than the data subject (e.g. the patient to be diagnosed), such as that data subject's relatives and family members, will constitute a different processing purpose. In order to protect the data of these other data subjects, the data controller is obliged to comply with the processing conditions and general principles set out in the TDPL, and the necessary technical and administrative measures should be taken in this context.

  • Opinions on Legal Grounds

Under the TDPL, genetic data is listed as a separate category of sensitive personal data, not as data relating to health or sexual life. Therefore, the legal ground for the processing of genetic data may be either the explicit consent of the data subject or a case in which such processing is expressly provided for by law.

However, the situation specifically addressed in the Guidelines is the processing of genetic data for health reasons. In that case, genetic data, just like data relating to health and sexual life, can be processed without explicit consent only by persons or authorized institutions and organizations under an obligation of confidentiality, and only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services. According to the Guidelines, the decisive criterion here is that the purpose of processing the genetic data is a health-related one.

  • Explicit Consent

In terms of the explicit consent to be obtained from data subjects, the Guidelines reiterate the established views of the TDPA and state that having data subjects whose genetic data is processed merely read and sign an explicit consent text is not sufficient. The data controller must ensure that the data subject clearly understands the genetic data processing activity and its consequences. The information provided while obtaining explicit consent should clearly and in detail explain not only the consequences that may arise for the data subject, but also the risks and uncertainties associated with the processing.

In addition to the established views of the TDPA, another issue emphasized is that explicit consent must not be made a condition for the provision of a service. In the example given in the Guidelines, a dietary service is conditioned on a food intolerance test, so that receiving the dietary service requires the processing of the person's genetic data; the Guidelines state that explicit consent given under such a condition is not valid.

Finally, according to the TDPA, the informed consent under the Patient Rights Regulation is a procedure distinct from the explicit consent to be obtained from the patient as data subject under the TDPL, and obtaining informed consent does not mean that explicit consent has been obtained from the data subject in accordance with the TDPL.

  • Obligations of the Data Controller

After summarizing the legislation on the obligation to inform, the Guidelines emphasize that it is not sufficient to include only general explanations in the information provided to data subjects whose genetic data are processed. The data controller is obliged to ensure that the data subject clearly understands the data processing activity and its consequences, including that the processing of his/her genetic data may give access not only to his/her own data but also to the data of other family members. The data controller must also answer the data subject's questions and clear up any confusion.

In parallel with the difference between "informed consent" and "explicit consent" explained above, the TDPA also emphasizes the difference between "informing" the patient under the Patient Rights Regulation and "the obligation to inform" under the TDPL (referred to as the "Disclosure Obligation" in section 7.1 of the English translation of the Guidelines on the TDPA's website). These two processes should therefore be carried out separately.

The other obligations of data controllers arising from the TDPL continue to apply to genetic data as well.

  • Exceptions under Article 28 of the TDPL in relation to applicability of the TDPL

According to the Guidelines, the criteria that data controllers must comply with in case of processing genetic data for scientific purposes pursuant to Article 28 of the TDPL are as follows:

  • The Regulation on Personal Health Data should be taken into account. Accordingly, studies should be carried out on data that has been rendered non-identifiable to the extent possible.
  • Although it is possible to process genetic data under Article 28, this should be approached as a last resort: the processing of genetic data must be indispensable for achieving the expected result of the scientific research.
  • The data controller must take the necessary security measures and act in accordance with the principle of processing being relevant, limited and proportionate to the purpose for which the personal data is processed.
  • The necessary mechanisms must be in place for the destruction of personal data in accordance with the retention and destruction policy, the relevant legislation and the TDPL.

  • Transfer of Genetic Data Abroad

According to the Guidelines, the Ministry of Health has confirmed that many tests performed in developed countries can also be performed in Turkey; nevertheless, for financial reasons, tests that could be performed in Turkey are sometimes performed abroad, and genetic data are transferred abroad as a result.

The transfer of personal data abroad is a critical issue in general, but in the case of genetic data, this processing activity is of greater importance as it may affect not only the data subjects themselves, but also their relatives and future generations who have a genetic link with the data subject. Accordingly, the Guidelines state that various measures should be taken by taking into account the fundamental rights and freedoms of individuals.

In accordance with the Regulation on Medical Laboratories and the Regulation, samples may be sent abroad only through genetic disease evaluation centers licensed by the Ministry of Health.

In terms of legal grounds, in accordance with the TDPL, either the explicit consent of the data subjects must be obtained or, where the transfer relies on a ground such as being "expressly provided for by the laws", one of the following conditions regarding the country to which the personal data are to be transferred must be met:

(a) adequate protection is provided in that country; or

(b) where adequate protection is not provided, the data controllers in Türkiye and in the relevant foreign country have given a written commitment to provide adequate protection, and the Board has authorised the transfer.

Nevertheless, data controllers should also take the provisions of other laws into consideration.

In addition to the above, the Guidelines also remind that, in accordance with Article 9 of the TDPL, the TDPA Board may impose restrictions on the transfer of personal data abroad in order to prevent serious damage to the interests of the Republic of Türkiye or of the data subject.

  • Genetic Data Security Measures

The Guidelines refer to the TDPA Board's Decision dated 31/01/2018 and numbered 2018/10 on "Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data" in terms of technical and administrative measures to be taken by the data controller.

As a technical measure, the Guidelines advise that genetic data should not be kept in cloud systems; where cloud storage is nevertheless preferred, the technical measures to be taken are explained in detail. Among these are measures specific to the use of cloud systems, securely erasing data from decommissioned devices, testing systems with synthetic rather than real data, logging user transactions, conducting security tests regularly, and complying with the measures set out in the Circular on Information and Communication Security Measures No. 2019/12 and the Information and Communication Security Guide prepared under the coordination of the Presidential Digital Transformation Office within the scope of that Circular.

In terms of administrative measures, the TDPA explains in detail in the Guidelines the concepts of data protection by design and by default under Article 25 of the GDPR (commonly referred to as "Privacy by Design") and the Data Protection Impact Assessment under Article 35 of the GDPR. It is important that data controllers observe both of these in data processing activities in Türkiye as well.

In addition to these, other administrative measures to be taken by data controllers include ensuring that genetic data is accessed only by personnel who have been trained and have signed a confidentiality agreement, preparing a personal data inventory and making the notification to the Data Controllers Registry Information System, preparing separate processing policies specific to genetic data, and establishing emergency procedures and reporting mechanisms.

  • Recommendations

Since the processing of genetic data has consequences that may affect society as a whole, the TDPA treats the issue as one of national strategic importance. In this context, the Guidelines refer to the Presidential Circular No. 2019/12 on "Information and Communication Security Measures", the Information and Communication Security Guide published by the Digital Transformation Office of the Presidency, and the "National Cyber Security Strategy and Action Plan (2020-2023)", and set out the national measures that can be taken.

The recommendations made by the TDPA include subjecting transfers abroad to more detailed rules in accordance with the Regulation and keeping the relevant records at Ministry level; taking the necessary measures to prevent the use of genetic data for purposes other than those for which it was collected; supporting national laboratories and supplying locally produced medical devices; and strengthening the human resources specialized in this field.