The Personal Data Protection Authority (KVKK) published the "Guideline on Matters to be Considered in the Processing of Genetic Data" ("Guideline") on 13.10.2023, which is an important resource for data controllers and data subjects regarding the processing of genetic data.

The Guideline covers various topics such as the definition of genetic data, processing purposes, legal bases, responsibilities of data controllers, rights of data subjects, and the scope of the Guideline.

The Board in the Guidelines has underlined the fact that it is not possible to fully anonymise genetic data by stating that: "Because, no matter what method is used, it is not possible to actually cut the contact between the data obtained and the person concerned."

Therefore, it is crucial to pay more attention to taking the necessary technical and administrative measures when processing genetic data.

The Guideline serves as an important resource for data controllers in the processing of genetic data and provides a comprehensive list of technical and administrative measures that data controllers should take.

In the "Genetic Data Security" section of the Guideline, it is emphasized that data controllers processing genetic data must comply with the personal data security requirements specified in the law, regulations, notifications, and the Authority's decisions. Subsequently, the necessary technical and administrative measures are listed. In line with this the main measures that data controllers who process genetic data must comply with are as follows:

Technical Measures:

  • It is preferable not to store genetic data in cloud systems. If genetic data need to be processed in cloud systems for the analysis of raw data within devices processing genetic data, a detailed record of the data stored in the cloud should be maintained. Backups should be kept outside the cloud, and two-factor authentication should be applied for remote access to genetic data in the cloud.
  • Processed and stored genetic data should be encrypted using cryptographic methods that provide adequate security in accordance with current technology.
  • Access to cryptographic keys should be limited to authorized personnel with clearance (crypto security certificate).
  • When devices are delivered to authorized companies for maintenance, repair, or other purposes, data storage units on the devices should be removed, or all data should be handed over to a laboratory habitat on a hard disk. A written commitment should be obtained from the company stating that there is no data on the device or server owned by the company.
  • Before setting up the system and after any changes, testing environments should preferably be created with synthetic data (non-real data) to test the system.
  • Hardware and software security tests of systems processing genetic data should be conducted periodically.
  • Compliance with the measures specified in the Information and Communication Security Measures General Communique numbered 2019/12 and the Information and Communication Security Guideline prepared under the coordination of the Presidency Digital Transformation Office should be ensured.

Administrative Measures

  • Personal data security, especially genetic data privacy, should be established and managed according to the "Privacy by Design" principle, taking into account the design of all mechanisms at the design stage.
  • Genetic data should be stored in a way that is inaccessible to anyone other than authorized personnel who have received relevant training and have signed confidentiality agreements.
  • A Personal Data Processing Inventory should be prepared and reported to the Data Controllers' Registry Information System (VERBIS).

The Guideline also emphasizes the critical nature of processing genetic data. It is noted that genetic data have a highly sensitive nature in terms of the information they reveal and can lead to national strategic consequences that may affect the entire society.

In this context, the Guideline recommends supporting national laboratories to minimize sending genetic data abroad as much as possible, procuring necessary local medical devices, and strengthening specialized human resources in this field.

You can access the full Guideline using the following link:

https://kvkk.gov.tr/SharedFolderServer/CMSFiles/f3ca871c-bdac-48b1-ace3-9d40dbe533d2.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.