On August 1, 2019, the Turkish Medicines and Medical Devices Agency ("Agency") published the Guidelines on the Protection of Personal Data in Pharmacovigilance Activities ("Guidelines"). The Guidelines focus on the principles and obligations pertaining to real persons or legal entities who routinely collect personal data while conducting pharmacovigilance activities of detecting, evaluating, understanding and preventing adverse reactions and other issues in medicines, for preventive medicine purposes and securing public health. The data collected by the relevant parties can often include personal health data as well. The scope of the Guidelines relates to all pharmacovigilance activities that do not require the data owner's explicit consent, and is in parallel with (and based on) the Personal Data Protection Law No. 6698 ("Law No. 6698").

By way of background, pharmacovigilance legislation requires data controllers to ensure that the individual cases (to be escalated in terms of adverse reactions) to include a minimum set of information, which can only be done through the collection of all information and personal data required for that adverse reaction notice to be filled in line with the legislation. For this reason, the data owner's explicit consent will not be required in terms of the personal data that does not qualify as sensitive personal data, as there are "legitimate interest and the fulfilment of a legal requirement" criteria, which are among the exceptions to the requirement to obtain consent, as per the Law No. 6698. Having said that, personal health data is a more sensitive form of personal data and is subject to more stringent measures and protections, compared to other types of personal data. Health data can be collected without the explicit consent of the data subject only if the data is being collected for specific reasons, such as securing public health, and by authorized institutions (such as the Ministry of Health).

The Guidelines make a distinction between the administrative and technical measures in this regard. Data collectors who are engaged in pharmacovigilance activities are required to (i) prepare data processing inventory, (ii) make a risk assessment, (iii) have the necessary policies and procedures in place, and (iv) have their employees trained in this regard, in addition to implementing technical measures, such as ensuring and monitoring cyber security. The Guidelines, in line with the Law No. 6698, initially prohibit data collectors from transferring personal data out of Turkey without the data owner's explicit consent, unless they provide their written undertaking to ensure sufficient protection, and also acquire the permission of the Personal Data Protection Board.

The Guidelines also set out rules and procedures pertaining to the data owner's access to their personal data, and the data owner's identification, deletion, destruction and anonymization of personal data, which appear to be in parallel with the Law No. 6698. The only exceptions to these procedures are (i) the obligation to store the source documentation of pharmacovigilance, as per the Guidelines, and (ii) the requirement to store documentation until the drug's license expires, and for a period of 10 years thereafter, as per Article 28 of the Regulation on Drug Safety.

The Guidelines also note that personal data should not be stored for a period that is longer than is necessary and should not include redundant personal data, while also providing a list of the personal data that the Ministry of Health recommends to be stored for an efficient pharmacovigilance evaluation, as well as the data that it does not deem necessary for that purpose. In this regard, the recommended data includes: Initials of the patient's name and surname or a case reference number, gender, date of birth, specific age or the relevant age bracket and the adverse event, symptoms, results, duration, hazardous drug, medical history, and concomitant medications. Accordingly, unnecessary data includes: Patient name, contact details (address, phone number, e-mail address), and file number. Therefore, data controllers who are engaged in pharmacovigilance activities will be able to use these recommendations as a guideline while determining which personal data to store to fulfil their pharmacovigilance obligations.

This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in December 2019. A link to the full Legal Insight Quarterly may be found here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.