The Draft Guideline on Processing Genetic Data (“Draft Guideline”) has been published on the official website of the Personal Data Protection Authority (“Authority”) on 24.08.2022. Opinions and evaluations regarding the Draft Guideline can be submitted to the Authority in writing and/or by e-mail to the e-mail address of genetikveri@kvkk.gov.tr until 24.09.2022.
The concept of genetic data has not been defined comprehensively under the Turkish legislation to date, and the definition in the European Union General Data Protection Regulation (GDPR) is included in the Draft Guideline. In this context, genetic data has been defined as “personal data that provides unique information about the physiology or health of a natural person, and specifically arises from the analysis of a biological sample taken from that natural person and relates to the inherited or acquired characteristics of that person”.
In the Draft Guideline, it is stated that it is not possible to anonymize genetic data completely and therefore, the term de-identification should be used.
The genetic data to be processed within the scope of Article 6 of the Personal Data Protection Law (“PDPL”) will be accepted as health data only if it is processed for medical diagnosis and treatment.
In the Draft Guideline, the transfer of genetic data abroad with the consent of the data subject, for medical diagnosis and treatment purposes, in obligatory cases or depending on the preferences of the persons is also emphasized. In this context, the Regulation on Genetic Diseases Evaluation Centers and the Regulation on Medical Laboratories are also mentioned. In this framework, it has been stated that the natural or legal persons who determine the purposes and means of processing the personal data to which they are affiliated, and are responsible for the establishment and management of the data recording system, will have the title of data controller, and the cloud systems where genetic data are kept will have the title of data processor.
In addition, it is stated that the data controller can process genetic data in accordance with the conditions in Articles 4 and 6 of the PDPL.
While processing genetic data the followings must be taken into attention:
- Essence of the fundamental rights and freedoms must not be violated,
- The data processing activity must be suitable for the intended purpose,
- The data processing method must be necessary for the purpose to be achieved,
- There must be a proportionality between the e tool and the purpose to be achieved by the data processing,
- The processed genetic data must be kept for the required period of time and the data must be destroyed without delay in accordance with the personal data retention and destruction policy, after the necessity ceases.
Within the scope of the processing of genetic data with the explicit consent of the data subject, the data subject must be informed clearly and in detail about the following:
- the consequences that the data subject will face,
- the risk that this processing activity triggers not only the data subject’s but also the persons belonging to the lineage to which they belong, and the risks of this situation,
- possible difficulties in tracking what will happen to the genetic data in case of transfer abroad,
- risks of data controllers residing abroad regarding data security,
- the possibility of transferring the genetic data transferred abroad to third parties and the adverse consequences thereof.
Also, in the Draft Guideline, certain criteria are mentioned for the processing of genetic data in case of processing of genetic data for scientific purposes within the scope of article 28 of the PDPL. In this context, it is necessary to comply with Article 16 of the Regulation on Personal Health Data, the processing of genetic data must be mandatory in order to achieve the expected result from scientific research, the necessary security measures must be provided, the principle of being related, limited and proportional to the purpose for which personal data is processed must be complied with, and in terms of completed scientific research, it is necessary to provide the necessary mechanism for the destruction of personal data in accordance with the personal data retention and destruction policy.
It has been stated that data controllers who are processing genetic data, should also take into account the measures recommended in the Draft Guideline and the issues included in the Personal Data Protection Board’s decision dated 31.01.2018 and numbered 2018/10 as well as the issues related to personal data security regulated under Turkish data protection legislation.
You may reach the full Turkish text of the Guideline via the link below.
https://kvkk.gov.tr/SharedFolderServer/CMSFiles/438e502e-93da-4ac9-82ff-0df0c2b010c2.pdf