In October, Turkey's Personal Data Protection Authority ("DPA") published a guideline to emphasise the importance of personal data security in the processing of genetic data and to provide guidance to data controllers.

The Guideline on the Processing of Genetic Data ("Guideline") provides, for the first time, a detailed definition of genetic data and the points to be considered in the processing of genetic data.

We summarise highlights of the Guideline below.

What is Genetic Data?

According to the Guideline, genetic data is defined as "all or part of the information extracted from the entire DNA, RNA and protein sequence encoded from the genome, cell nucleus or mitochondria of a living organism."

Genetic Data as Sensitive Data

Under Article 6 of the Personal Data Protection Law Numbered 6698 ("DP Law"), genetic data is one of the limited categories of data classified as sensitive data.

The Guideline emphasises that the processing of genetic data affects not only the individuals themselves, but also relatives with whom they have a genetic connection, future generations, and even national security and the economy. Furthermore, while genetic data becomes meaningful primarily through analysis, the Guideline highlights that raw data and biological samples are valuable and meaningful even before analysis, due to their potential to identify an individual.

From this perspective, the Guideline states that all data controllers collecting genetic data must implement the necessary technical and administrative measures to ensure the security of these biological samples.

Processing of Genetic Data

The Guideline specifies that for the lawful processing of genetic data under the DP Law, it is necessary to (i) have the legal bases for the processing, and (ii) comply with the general principles regulated under the DP Law.

1. Determination of the Legal Basis

Rule: Processing of sensitive personal data without explicit consent is prohibited.

In order to procure genetic data, the explicit consent of the data subject is required. This explicit consent must be (i) related to a particular matter, (ii) based on information, and (iii) based on the data subject's free will. In this context:

  • Only presenting and obtaining a signature on an explicit consent form is insufficient.
  • The provision of any product and/or service or benefiting from a product or service should not be conditional upon the data subject giving explicit consent.

Exemption-1: Sensitive data, other than health and sexual life, can be processed without the explicit consent of the data subject when it is prescribed by law.

If obtaining genetic data is prescribed by law and such data is not related to health information, it is possible to carry out processing without the data subject's explicit consent.

Exemption-2: Personal data relating to health and sexual life can be processed without seeking the explicit consent of the data subject, only by persons or authorised institutions and organisations under the obligation of confidentiality, for purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.

If genetic data qualifies as health data (e.g., a blood sample), it can be processed without the need for explicit consent, provided the conditions specified in the aforementioned exemption are met.

2. Compliance with the General Principles

Principle-1: Compliance with the law and rule of fairness
  • Processing activities should be conducted in accordance with the principle of proportionality.

Principle-2: Having specific, clear, and legitimate purposes
  • Genetic data should not be processed for purposes that do not currently exist or that might arise in the future.

Principle-3: Being relevant, limited, and measured in relation to the purposes for which they are processed
  • For the purpose of processing genetic data, it is necessary to obtain genetic data in the appropriate amount and type; any data processing activity exceeding this should not be carried out.
  • In terms of the tools/methods used, less intrusive methods (e.g., taking a blood sample instead of a biopsy) should be preferred.

Principle-4: Storage for the required period of time
  • Genetic data should be preserved for the period prescribed in the relevant legislation or as long as necessary for the processing purpose.
  • Once the necessity is no longer present, the genetic data should be destroyed without delay.

Cross-Border Transfer of Genetic Data

If genetic data is transferred abroad, the transfer must be carried out in accordance with the DP Law. In this context, it is required either to (i) obtain explicit consent from the data subject, or (ii) submit a commitment letter to the DPA.

The Guideline also notes that, under the Regulation on Genetic Diseases Evaluation Centres, samples can be sent abroad with the permission of the Turkish Ministry of Health.

Data Controller & Data Processor

The Guideline provides the following non-exhaustive examples of data controllers and data processors in genetic data processing:

  • Data Controller: The hospital to which genetic disease evaluation centres are affiliated.
  • Data Processor: Cloud systems where genetic data is stored.

Obligations of the Data Controller

  • Obligation to Inform: During the collection of genetic data, it is essential for data controllers to fulfil the obligation to inform data subjects in accordance with the DP Law. Within the scope of this obligation, it should be ensured that the data subject clearly understands the genetic data processing activity and its results, and that the processing of genetic data may grant access not only to the data of the data subject but also to the data of other family members.
  • VERBIS Registry Obligation: Data controllers processing sensitive data as their primary activity are required to register with the data controllers' registry (known as VERBIS), without any exception.
  • Data Security Obligation: During genetic data processing, the data controller should implement adequate technical and administrative measures for data security. Some of the measures specified in the Guideline are provided below:

[Image: measures specified in the Guideline]

Attention: Informed Consent Is Not Explicit Consent!

Within the Guideline, it is emphasised that the concept of informed consent and information regulated under the Regulation on Patient Rights is different from the obligation to inform and explicit consent concepts regulated under the DP Law, and thus they should be presented separately to the data subject (i.e., patient).
