The Draft Guideline on Processing Genetic Data (“Draft Guideline”) was published on the official website of the Personal Data Protection Authority (“Authority”) on 24.08.2022. Opinions and evaluations regarding the Draft Guideline can be submitted to the Authority in writing and/or by e-mail to genetikveri@kvkk.gov.tr until 24.09.2022.
The concept of genetic data has not been defined comprehensively under Turkish legislation to date, and the definition in the European Union General Data Protection Regulation (GDPR) is included in the Draft Guideline. In this context, genetic data has been defined as “personal data that provides unique information about the physiology or health of a natural person, and specifically arises from the analysis of a biological sample taken from that natural person and relates to the inherited or acquired characteristics of that person”.
In the Draft Guideline, it is stated that it is not possible to anonymize genetic data completely and therefore, the term de-identification should be used.
The genetic data to be processed within the scope of Article 6 of the Personal Data Protection Law (“PDPL”) will be accepted as health data only if it is processed for medical diagnosis and treatment.
In the Draft Guideline, the transfer of genetic data abroad with the consent of the data subject, for medical diagnosis and treatment purposes, in obligatory cases or depending on the preferences of the persons is also emphasized. In this context, the Regulation on Genetic Diseases Evaluation Centers and the Regulation on Medical Laboratories are also mentioned. In this framework, it has been stated that the natural or legal persons who determine the purposes and means of processing the personal data to which they are affiliated, and are responsible for the establishment and management of the data recording system, will have the title of data controller, and the cloud systems where genetic data are kept will have the title of data processor.
In addition, it is stated that the data controller can process genetic data in accordance with the conditions in Articles 4 and 6 of the PDPL.
While processing genetic data, the following must be taken into account:
Within the scope of the processing of genetic data with the explicit consent of the data subject, the data subject must be informed clearly and in detail about the following:
In cases where the interests of Turkey or the data subject will be seriously harmed, it is possible to transfer data abroad with the permission of the Personal Data Protection Board, only after obtaining the opinion of the relevant public institution or organization. In addition, if necessary technical and administrative measures are not taken by the data controllers who process genetic data abroad and it is considered that the interests of Turkey or the data subject will be seriously harmed, measures may be taken by the Board within the scope of the PDPL.
The Draft Guideline also sets out certain criteria for processing genetic data for scientific purposes within the scope of Article 28 of the PDPL. In this context, Article 16 of the Regulation on Personal Health Data must be complied with; the processing of genetic data must be mandatory in order to achieve the expected result from the scientific research; the necessary security measures must be provided; the principle of being related, limited and proportional to the purpose for which personal data is processed must be complied with; and, for completed scientific research, the necessary mechanism must be provided for the destruction of personal data in accordance with the personal data retention and destruction policy.
It has been stated that data controllers who process genetic data should also take into account the measures recommended in the Draft Guideline and the issues included in the Personal Data Protection Board's decision dated 31.01.2018 and numbered 2018/10, as well as the issues related to personal data security regulated under Turkish data protection legislation.
You may reach the full Turkish text of the Guideline via the link below.
https://kvkk.gov.tr/SharedFolderServer/CMSFiles/438e502e-93da-4ac9-82ff-0df0c2b010c2.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.