
Guidelines on Processing Sensitive Personal Data

The long-awaited amendments to Personal Data Protection Law No 6698 (the “Law”) were introduced through Law No 7499 dated 16 February 2024. This was published in the Official Gazette on 12 March 2024 and entered into force on 1 June 2024. The changes were aimed at aligning Turkish legislation with European Union legislation and eliminating the difficulties faced in practice.

While the definition of sensitive personal data remains unchanged, the conditions under which such data can be processed without explicit consent have been expanded. Accordingly, the Personal Data Protection Authority (the “Authority”) published its Guidelines on Processing Sensitive Personal Data (the “Guidelines”) on its website on 26 February 2025, to ensure that the processing of sensitive personal data is carried out in compliance with the Law.


DEFINITION OF SENSITIVE PERSONAL DATA

Article 6 paragraph 1 of the Law defines sensitive personal data as data concerning a person’s “race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data.” In other words, sensitive personal data are those that, if disclosed, may lead to discrimination or victimization of the individual. The amendments did not alter the definition of sensitive personal data, but only modified the conditions for processing such data.


PROCESSING CONDITIONS OF SENSITIVE PERSONAL DATA

Initially, the Law stipulated that sensitive personal data could not be processed without the explicit consent of the data subject, except in limited exceptional cases. The recent amendments maintained the general prohibition on processing sensitive personal data. However, they removed the distinction between different categories of sensitive personal data regarding processing conditions[1] and introduced new processing conditions, thereby expanding the circumstances under which sensitive personal data may be processed.

Pursuant to Article 6 paragraph 3 of the Law, sensitive personal data may be processed in the following cases:

  • Obtainment of the explicit consent of the data subject:

According to the Law, sensitive personal data may be processed with the explicit consent of the data subject. However, explicit consent should only be relied upon when none of the other data processing conditions specified in the Law are applicable.

For explicit consent to be valid, it must (i) relate to a specific subject, (ii) be based on informed consent, and (iii) be given freely.

  • Explicit provisions in legal texts:

The processing of personal data is permitted when there is an explicit provision in any law. In other words, if there is a clear provision in any law regarding the processing of sensitive personal data, or if secondary legislation explicitly refers to such processing, the processing of sensitive personal data may be possible.

Example: Pursuant to the Law on the Civil Registration Services No 5490, fingerprints of the data subject are taken by the civil registration directorate during the allocation of passports or driving licences.

  • Necessity to protect the life or physical integrity of a person or of any other person who is unable to express their consent due to a physical disability or whose consent is not deemed legally valid:

Sensitive personal data may be processed without the explicit consent of the data subject if processing is necessary to protect the life or physical integrity of the data subject or another person. In such cases, the processing must be essential for safeguarding a vital interest.

Example: Sharing a person’s past medical conditions and/or blood type by their relatives with a first-aid team who are not qualified as health officers when the relevant person is unconscious.

  • Processing personal data disclosed by the data subject in accordance with their intention to disclose the data and aligned with the purpose of the disclosure:

Public disclosure occurs when the data subject voluntarily makes their personal data available to the public. The intention to disclose refers to the purpose for which the data subject has shared their personal data with the public. To process the disclosed sensitive personal data on this basis, the disclosure alone will not be sufficient. The data controller must also ensure that the processing aligns with the data subject’s intention to make the data public.

Example: Displaying a person’s medical history, blood type and/or allergies in a visible location on their vehicle or bicycle, and processing the relevant data in the event of an emergency by a data controller.

  • Necessity to establish, exercise or protect any right:

Sensitive personal data may be processed without the explicit consent of the data subject if it is obligatory for the establishment, exercise, or defence of legal claims, or in cases where the courts exercise their judicial authority. The data controller must justify that processing sensitive personal data is necessary. The data controller should process the data in a way that least interferes with the data subject’s fundamental rights and freedoms. The necessity condition means that no alternative method exists for establishing, exercising or protecting the data subject’s rights, and therefore the processing activity is deemed necessary for that specific purpose.

Examples:
– The employer preserving the health data of a former employee, despite the termination of the employment contract, in order to exercise the right to a defence in potential lawsuits.
– Where it is not possible for a lawyer to establish a client’s right in any other way, the lawyer can submit lawfully obtained sensitive personal data to the court.
– The employer processing sensitive personal data, such as disability or health information related to an employee’s spouse and children, when it is necessary in connection with salary payments.

  • Necessity to protect public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of healthcare services by individuals subject to a legal obligation of confidentiality or by relevant public institutions and organisations:

Processing sensitive personal data based on the relevant provision is limited to specified persons, purposes and circumstances. Regarding persons, the Guidelines specify that the term “competent public institutions and organisations” includes not only public institutions and organisations, but also individuals providing healthcare services and legal entities under private law.

Example: Processing of health data by persons subject to a legal obligation of confidentiality, or by competent public institutions and organisations, for the purpose of protecting public health, such as the recording of mandatory childhood vaccinations by family doctors.

  • Necessity to perform legal obligations in the areas of employment, occupational health and safety, social security, social services and social assistance:

For the fulfilment of legal obligations by data controllers, sensitive personal data may only be processed when it is necessary. The necessity condition may arise from an obligation explicitly set forth in laws, or from regulations, directives, notices, or even contracts.

Examples:
– Pursuant to Labor Law No 4857, processing sensitive personal data by the employer in order to fulfil its obligation to employ disabled individuals.
– Under Union and Collective Labour Agreement Law No 6356, workers may be subject to various health examinations required by the nature of their job within the framework of a collective labour agreement.
– Processing criminal conviction and health data of drivers using vehicles covered by the Road Transport Regulation.
– Processing sensitive personal data to select one of the options ‘Former convict’ or ‘Disabled’ in the Social Security Administration’s Employment Statement of the Insured, if the relevant person is employed under Article 30 of the Insured Employees Labour Law.
– Pursuant to Article 35 of the Regulation on Dialysis Centres published by the Ministry of Health, processing sensitive personal data available in the health report of the individual by the data controller providing transportation services in order to provide the relevant services to the healthcare facility for dialysis patients.

  • Processing relating to current or former members and affiliates of foundations, associations, and other non-profit organisations established for political, philosophical, religious or trade union purposes, or to individuals who are in regular contact with these organisations, provided that such processing complies with the applicable legislation governing these organisations, is limited to the organisations’ fields of activity, and does not involve the disclosure of data to third parties:

Examples:
– Processing health data regarding the disability status of a member by a political party in order to provide a wheelchair to enable the exercise of the right to vote.
– Processing a worker’s health data by the union, in the event of a work accident, in order to monitor the process within the scope of protecting the health and safety at work of union members.


COMPLIANCE MEASURES RECOMMENDED FOR DATA CONTROLLERS

Data controllers are expected to take new measures regarding the new regulations in order to comply with the Law. The measures that data controllers can take, as addressed in the Guidelines, are as follows:

  • Updating the personal data inventory: According to the Regulation on Data Controllers Registry No 302886 published in the Official Gazette on 30 December 2017, data controllers that are required to register with the Data Controllers Registry Information System (“VERBIS”) and prepare an inventory must review their procedure of processing of sensitive personal data, to ensure that the relevant inventories and records are accurate and up to date. For each item of the relevant data, the processing conditions in Article 6 of the Law should be taken into account, and an appropriate legal basis should be identified for the processed personal data. If there is any change in the legal basis, this change should be indicated in the inventory.
  • Updating the privacy notice and explicit consent approval text: If personal data that were previously processed based on explicit consent can now be processed under a different legal basis due to new modifications, the relevant privacy notices and explicit consent approval texts should be updated. Data subjects should be informed of any changes and potential consequences.
  • Updating the retention and destruction policy: Data controllers who are required to prepare a personal data retention and destruction policy must review their policies to comply with the new stipulations of the Law. When the processing conditions for sensitive personal data change, data should not be retained for longer than necessary under the newly applicable processing condition.
  • Implementing data security measures: Data controllers processing sensitive personal data are expected to (i) establish a separate policy for ensuring the security of such data, (ii) take technical, organisational, and legal measures for employees involved in processing the data, (iii) enhance security and technical measures in both electronic and physical storage environments, and (iv) ensure the security of data transfers by implementing necessary technical precautions if data transfer is anticipated.

In the presence of one of the exceptional circumstances mentioned above, sensitive personal data may be processed by data controllers in compliance with the Law, within defined limits, and in a proportionate manner, without requiring the explicit consent of the data subject. Additionally, data controllers must adhere to the general principles set out in Article 4 of the Law when processing sensitive personal data.


[1] With the amendment, the distinction between sensitive personal data relating to health and sexual life and other sensitive personal data has been abolished, and the processing of all such data is now subject to the same conditions for the processing of sensitive data.
