The Personal Data Protection Board (“Board”) rendered a decision dated 06.02.2020 and numbered 2020/93 (“Decision”) regarding the complaints (“Complaints”) of the complainant data subjects (“Complainant”) in respect of the rejection of correction or deletion of health reports and psychiatric diagnoses, which were recorded in the past for various reasons and currently causing problems due to inaccuracy, by the data controller Ministry (“Data Controller”).
Within the defense that was requested of the Data Controller, the Data Controller stated that; (i) requests for deletion of personal data of the data subjects could be rejected by the data controller on the grounds that processing conditions for personal data are not fully eliminated, pursuant to Article 12 of the Regulation on the Deletion, Destruction and Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224, (ii) the deletion of past psychiatric diagnoses of individuals from their health history could pose serious dangers in terms of public security and public order, (iii) in accordance with Article 28, sub-clause 1 the Personal Data Protection Law numbered 6698 (“PDP Law”) it is stated that the PDP Law will not be implemented in cases of public security and public order by full exemption, (iv) in accordance with Article 6, sub-clause 3 of the PDP Law, personal data may be processed by the data controller without seeking the explicit consent of the data subject, (v) the letters written by the relevant physician, chief physician, provincial health directorate or the relevant General Directorate regarding the inadvertently recorded diagnoses should be forwarded to relevant General Directorate for deletion of the same, (vi) it is required to apply to the relevant provincial health directorate for diagnoses that are not proven to be inadvertently recorded, (vii) the diagnoses that are proven to be made inadvertently or no longer affecting the person could be deleted.
As a result of the examination made by the Board, it was decided that, (i) there is no procedure to be established within the scope of the PDP Law because the processing conditions did not cease in terms of the personal health data of the Complaints, (ii) the Data Controller continues to process the personal health data subject to the Complaints in accordance with Article 6, sub-clause 3 of the PDP Law, (iii) therefore, there is no procedure to be established within the scope of the PDP Law.
You may reach the full Turkish version of the Decision via the link below.