Turkey has amended the Regulation on Processing of Personal Health Data and Protection of Privacy (“Health Data Regulation”), which sets out the rules and regulatory framework for processing and transferring health-related personal data. Amendments were made by the Regulation Amending the Regulation on Processing Personal Health Data and Protecting Privacy (“Amendment Regulation”) published in Official Gazette number 30250 on 24 November 2017. Most significantly, explicit consent of the data subjects is no longer required to be in writing.
Other notable amendments to the Health Data Regulation include:
- Detailed obligations for transferring personal health data outlined under the Health Data Regulation have been removed (previously Article 8 of the Health Data Regulation). Accordingly, provisions under the Law on Protection of Personal Data number 6698 (“Law”) will apply when transferring personal health data.
- The definition of personal health data is clarified to now be “information related to the physical and mental health of the identifiable real person and information on health service provided to the identifiable real person”.
- A provision which would have established the Personal Health Data Commission has been removed (previously Article 12 of the Health Data Regulation). The body would have assisted the Ministry of Health to determine policies, express opinions, resolve disputes, as well as evaluate applications to transfer health-related personal data. Accordingly, the Board will evaluate complaints about processing of personal health data and carry out the necessary inspections.
- The requirement to notify the Ministry of Health in case of a suspected violation of personal health data has been removed (previously Article 6/3 of the Health Data Regulation). Accordingly, provisions under the Law will apply, meaning that if processed data is obtained by other persons in illegal ways, the data controller must notify the Board as soon as possible.
- The definition of Health Service Provider is clarified and tightened to now be “all health facilities operating in the first, second and third level and providing health services throughout the country”. It was previously defined as “real persons, public law and private legal entities who provide or produce health services”.
- The obligation to comply with software regulations will now only apply to Health Service Providers (Article 14(3) of the Health Data Regulation). Previously, these obligations applied to everyone processing personal health data.
Please see this link for the full text of the Amendment Regulation entering effect on 24 November 2017 (only available in Turkish).