16 novembre 2023
On 13 October 2023, the Personal Data Protection Authority published guidelines on the matters to be considered when processing genetic data (the "Guidelines") regarding genetic data used in the analysis for diagnosis and treatment, determining ancestry, genetic predisposition tests, etc. in the field of health. The Guidelines provide information on the processing of genetic data within the scope of Law No 6698 on the Protection of Personal Data (the "Law"), including the principles regarding the processing and cross-border transfer of genetic data, the obligations of data controllers who process genetic data and setting out recommendations.
The following notes summarising the Guidelines are intended to serve as a guiding resource for data controllers to meet their obligations in accordance with the Law.
Under Article 6 of the Law – "Conditions for processing special categories of personal data" – genetic data is classified among special categories of personal data, but is not defined separately. The Guidelines define genetic data as "all or part of the information obtained from all DNA, RNA and Protein sequences encoded from the genome, cell nucleus or mitochondria of a living being." This is based on the definition provided under the European Union’s General Data Protection Regulation (the "GDPR").[1]
Under Article 6 of the Law, special categories of personal data, other than health data and data related to sexual life, cannot be processed without the explicit consent of the data subjects, unless stipulated otherwise by law. However, if genetic data is processed solely for health-related purposes, such as for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, as well as the planning and management of healthcare services and financing, then it can be processed people under the obligation of confidentiality, or authorised institutions or organisations, subject to the conditions on processing personal health data.
The Guidelines set out examples of public and private legal entities that can be qualified as data controllers and data processors in relation to processing genetic data. The Guidelines also state that cloud systems where genetic data is stored, education and rehabilitation centres, municipalities, institutions and organisations providing health services, public institutions and organisations, insurance companies, etc., if they possess genetic data, even if they do not perform genetic data analyses, should also be considered as data controllers or data processors within the scope of the Law on a case-by-case basis.
The Guideline emphasise that, when processing genetic data (regardless of the legal basis for data processing), compliance with the general principles and conditions set forth in Articles 4 and 6 of the Law is mandatory, as in all data processing activities, and highlights the principles that require attention in the processing of genetic data. The essence of fundamental rights and freedoms must not be violated and the criteria of suitability, necessity and proportionality must be observed. Processed genetic data should be retained no longer than the necessary period of time. Data retention periods should be explained by the data controller in the personal data retention and destruction policy. Genetic data should be periodically and carefully reviewed in order to assess whether it is necessary to continue to keep the genetic data, and if genetic data is deemed to be no longer necessary it should be destroyed without delay.
In the Guidelines, the aspects to be considered in terms of processing genetic data within the scope of the Law are explained under a separate heading. When processing genetic data, explicit consent must be obtained in a clear and understandable way before processing, and explicit consent cannot be a condition for providing any service or product. Even in cases where processing is due to health requirements that do not require explicit consent, it is stated that the data controller still has the obligation to inform data subjects.
While fulfilling their obligation to inform, data controllers must also inform the data subjects about the genetic data that is collected, specifying the legal basis for collection and the purpose of processing, the importance of the data and the potential consequences that may arise in the event of a breach (risks associated with processing genetic data). This issue is of a particular importance since processing the genetic data of the data subject provides access not only to the data of that data subject, but also to the data of other family members.
The Guidelines explain that, pursuant to Decision 2018/10 of the Personal Data Protection Board, all necessary technical and administrative measures should be taken to ensure the security of genetic data.
Technical Measures |
Administrative Measures |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The final part of the Guidelines state that processing genetic data is of critical importance for the protection of individuals, national security and economic interests, and that it is essential to take certain national measures in this regard, such as (i) supporting national laboratories and minimising the transfer of genetic data abroad by developing national genetic databanks, (ii) supporting national accredited IT infrastructure studies to enable the storage of genetic data in the country, (iii) establishing a classification process in the Ministry of Health's tracking system according to the various purposes of processing genetic data.
[1] The GDPR defines genetic data as "personal data relating to inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained."
[2] The Privacy-Based Design principle regulated in Article 25 of the GDPR is a data protection principle where all kinds of impacts are predicted at the design stage and the necessary administrative and technical measures are implemented by taking these risks into account from the very beginning of the process.
[3] In short, a Data Protection Impact Assessment, as defined in Article 35 of the GDPR, is a tool for identifying data breaches to which the individuals whose data are processed may be exposed during a data processing activity that is assessed to be high-risk due to factors such as the nature of the data processed or a new technology used in data processing, and thus minimising the estimated risks.