Bulletin on Guidelines on the Processing of Sensitive Personal Data
With the amendment made to Article 6 of the Law on the Protection of Personal Data (“Law”) regarding the processing of sensitive categories of personal data, which entered into force on 01.06.2024, the conditions for processing sensitive categories of data have been expanded. In this regard, the Guideline on the Processing of Sensitive Categories of Personal Data (“Guideline”) has been published not for a new amendment, but to provide guidance on the amendments in force since 01.06.2024 (regarding sensitive categories of data).
(i) The first part of the Guideline includes information on sensitive categories of personal data, (ii) the second part includes the conditions for processing of sensitive categories of personal data, and (iii) the third part includes the actions to be taken by data controllers in order to adapt to the new situation after the amendment of the Law and other recommendations.
- Information on sensitive categories of personal data:
a. Data on the racial and ethnic origin of persons: In this respect, personal data related to racial and ethnic origin such as black race, yellow race, Slavic, Indian, Roma and Chechen may be considered as sensitive personal data.
The important concept to be emphasized is the concept of “nationality”. Nationality is defined as the state of being bound to a state by the bond of citizenship. However, nationality information is not included among the sensitive categories of personal data under Article 6 of the Law. Since sensitive categories of personal data are determined by limited enumeration in the Law and cannot be extended by analogy, processing of data such as “foreign national”, “not a Turkish citizen”, “other” by a data controller due to the inclusion of nationality information in the identity card will not be processing sensitive categories of personal data. Therefore, personal data processed in the fields such as “country code”, “nationality”, “citizenship” in documents such as old type passport, driver’s licence, identity card or student ID card, workplace ID card will not be considered as sensitive personal data.
b. Data on the political opinion of individuals: To give an example from the Guideline;
“Information on a person’s political party membership or apolitical behavior is considered as political opinion data. However, a person’s socio-political behavior and attitudes are also within the scope of political opinion data as they reflect his/her political opinion.”
“In the survey prepared by survey companies conducting public opinion research in the parliamentary elections; the answer to the question “Which party do you support?” -X Party -Y Party -None can be considered as the processing of sensitive personal data related to political opinion.”
c. Data relating to the philosophical beliefs, religion, sect or other beliefs of individuals: To give an example from the Guideline;
“In the case of a lawsuit between the employer and its former employee, if the employer submits the images of the employee praying in the case file, it can be said that the employer has engaged in sensitive categories of personal data processing.”
d. Data on the appearance and clothing of persons: To give an example from the Guideline;
“When the decision of the 12th Chamber of the Council of State dated 20.04.2022 and numbered E. 2021/7000, K. 2022/2247 regarding the cancellation of the provision “Beard is shaved every day and beard is not grown” in subparagraph (b) of the first paragraph of Article 5 of the “Regulation on the Appearance and Clothing of Personnel Working in Public Institutions and Organizations” is examined; “… 2022/2247 dated 20.04.2022 regarding the request for the cancellation of the relevant provision of the above-mentioned Regulation upon the disciplinary penalty imposed on the plaintiff on the grounds that he “wore jeans and did not shave his beard”; “… Since human rights are the rights that individuals have from birth, individuals should not be violated due to their appearance, physical characteristics, lifestyle and similar characteristics. Any legal practice that envisages sanctions that may lead to a perception that people are inferior to other people because of these distinctive features, whether innate, inherent or acquired later, will legitimize inequality and discrimination”, and also stated that; … individuals can express themselves by having a long or short beard …”
e. Data on individuals’ membership of associations, foundations or trade unions: In case of membership to foundations, associations and trade unions by real persons, Article 6 of the Law will be applicable in the processing activities carried out by data controllers regarding membership information.
“In the event that an employer processes the information that an employee is a member of a trade union, sensitive categories of personal data processing activities will be carried out within the scope of Article 6 of the Law.”
f. Data on the health and sexual life of individuals: It is possible to say that health data, in the sense of the application of the Law, does not only include data that determines or indicates the state of health of the person, but also includes data that indicates the possibility of the person being sick or determines the state of being sick, and basically includes the results of the examination, preliminary diagnosis, diagnosis and treatment information that allows the determination of the physical, mental and social condition of the person within the framework of the limits of medical science. For example;
“Information on the hospital, clinic or unit where the person made an appointment or applied in case of emergency (such as the psychiatry outpatient clinic appointment created at 10.00 on 05.09.2024 by A***** A*****), the preliminary diagnosis made by the physician and the examinations requested in line with this diagnosis and the results of these examinations, the diagnoses made as a result of the examinations (such as the information that the person is healthy or has epilepsy), treatment information to be applied as a result of the diagnoses (prescribed medications or physical therapy procedures to be applied) will be evaluated within the scope of health data.”
In this regard, it should be noted that, since the blood type information contained in documents such as old type passport, driver’s license, identity card and workplace ID is health data, it qualifies as a sensitive category of personal data, and the processing conditions for sensitive categories of personal data must be complied with when processing the personal data in question.
g. Data on criminal convictions and security measures: A conviction is a criminal judgement given when it is finalized that a person has committed an offence and is regulated in the Code of Criminal Procedure. Security measures are sanctions that can be applied instead of or in addition to the conviction and are determined according to the dangerousness of the offender. Finalized convictions are considered as sensitive personal data. For example;
“In the event the data controller processes decisions such as conviction decision regarding imprisonment, conditional release decision, conviction decision regarding judicial fine, revocation of driver’s license, etc. in the judicial record, sensitive categories of personal data processing activity may be in question.”
h. Biometric data of individuals: In order for personal data to qualify as biometric data, the distinctive characteristics of the person, such as physiological, physical or behavioral characteristics, must be revealed as a result of a specific technical processing and the revealed characteristics must be personal data that serve to identify the identity of the person or verify the identity of the person. While biometric data such as fingerprint, retina, palm print, face, hand shape, iris of the person constitute physiological biometric data, biometric data such as the way the person walks, presses the keyboard, drives a car constitute behavioral biometric data. For example;
“The processing of fingerprint data obtained by using the fingerprint verification system at the entrances and exits to the rooms of the institutions that require high security is considered as a sensitive category personal data processing activity.”
i. Genetic data of individuals: Personal data relating to inherited or acquired characteristics of a natural person that provide unique information about the physiology or health of that natural person, in particular resulting from the analysis of a biological sample taken from that natural person. For example;
“When a genetic sample taken ten years ago is analyzed with today’s technology to determine that the children born to the owner of the sample in question may have certain diseases, it can be said that the information determined by the result of the analysis has the quality of genetic data.”
- Conditions for processing of sensitive categories of personal data: This section provides information on the expanded conditions for sensitive categories of data processing.
a. It is mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance: Pursuant to the amendments made, sensitive categories of personal data may be processed by data controllers in order to fulfil their legal obligations in the fields mentioned in the article only if they are mandatory. It should be noted that this obligation need not arise from a law in the formal sense. In the event the processing of sensitive personal data is mandatory for the fulfilment of legal obligations in the field of employment, occupational health and safety, social security or social services and social assistance, the concept of legal obligation that forms the basis of the processing activity may arise from an obligation expressly stipulated in the law or a regulation, directive, communiqué or even a contract. For example;
“Per the obligation of the employer to issue personal file for the employee within the framework of Article 75 of the Labor Law No. 4857, it is possible to evaluate the processing of sensitive personal data within the scope of subparagraph (f) of the third paragraph of Article 6 of the Law.”
- Employment: It is defined as accepting into service; using, employing. The concept refers to a process by definition. This process starts with the job application and continues until the end of the work. For example;
“In subparagraph (h) of the first paragraph of Article 2 titled “Definitions” of the Law No. 6356 on Trade Unions and Collective Bargaining Agreements (Law No. 6356), a collective bargaining agreement is defined as “an agreement concluded between a trade union of employees and a trade union of employers or an employer who is not a member of a trade union in order to regulate matters relating to the conclusion, content and termination of the employment contract”. The first paragraph of Article 36 of the Law No. 6356 states that “Unless otherwise specified in the collective bargaining agreement, employment agreements cannot be contrary to the collective bargaining agreement. Provisions of employment agreements contrary to the collective bargaining agreement shall be replaced by the provisions in the collective bargaining agreement. In the event there are provisions in the collective bargaining agreement that are contrary to the employment agreements, the provisions of the employment agreement in favor of the employee are valid, and the second paragraph states that the provisions of the terminated collective bargaining agreement regarding the employment agreement are valid until the new one enters into force.” In this framework, within the framework of a collective bargaining agreement, it may be possible for employees to be subjected to different health examinations required by the job within the scope of this subparagraph.”
- Occupational Health and Safety: Occupational health and safety (“OHS”) is the systematic and scientific studies carried out to protect against conditions that may harm health caused by various reasons during the execution of work in the workplace and to improve the existing health and safety conditions. OHS aims to keep the health and safety of employees at the highest level, to ensure the continuity of production or service, and to ensure that the enterprise is prepared for emergencies and focuses on the most important value, the human being. For example;
“According to Article 34 of the Road Transport Regulation titled “Qualifications and conditions to be sought in drivers”; drivers who drive vehicles within the scope of the Regulation must not have been sentenced to imprisonment for drugs, weapons, human and customs smuggling and terrorism offences and must obtain a health report from the authorized health institutions every five years showing that they are physically and psycho-technically healthy for the profession of driving. Therefore, criminal convictions and the processing of health data of the drivers who will drive the vehicles within the scope of the Regulation may be considered within the scope of this subparagraph.”
- Social Security: Social security means the use of premium or non-premium systems as a “human right” and essentially as a “state duty” from the damages caused by social hazards that disrupt social peace and welfare, and the assurance of saving people from the damages of social hazards, regardless of people’s income. For example;
“If the insured person is employed according to Article 30 of the Labor Law, one of the options “Ex-convict” or “Disabled” must be marked as an option in the “Social Security Institution Insured Person Employment Notification” and in this context, sensitive personal data can be processed by the data controller employer through the said notification.”
- Social Services: Social services are defined in the subparagraph (a) of Article 3 titled “Definitions” of the Social Services Law No. 2828 as: “The whole of systematic and programmed services aimed at eliminating the material, moral and social deprivations of individuals and families arising from their own structure and environmental conditions or beyond their control and meeting their needs, helping to prevent and solve their social problems and improving and raising their living standards.”
“Pursuant to Article 35 of the Regulation on Dialysis Centers published by the Ministry of Health on 01.03.2019, the processing of the personal data of sensitive nature included in the health report of the person in order to perform the transportation service to the health institution provided to dialysis patients by the data controller providing the transportation service can be evaluated within the scope of this subparagraph.”
- Social Assistance: Social assistance is defined as “In-kind and in-cash aids provided to households and individuals in need unilaterally, gratuitously and/or on the condition(s) of fulfilling an obligation such as participation in public services, reimbursement, etc.” in subparagraph (p) of Article 4 titled “Definitions” of the Regulation on Recording and Sharing of Social Assistance Data. For example;
“The activity of a social aid association to process the health reports of persons in order to open donation campaigns in order to meet the prosthesis needs of persons who have lost their limbs as a result of natural disasters can be evaluated within the scope of this subparagraph.”
b. Presence of explicit consent of the data subject: According to the Law, sensitive categories of personal data may be processed in the presence of explicit consent. In Article 6 of the Law, as in Article 5, there is no hierarchical difference between explicit consent and other legal processing grounds. It should be noted that if there is a processing condition other than explicit consent, the other condition and explicit consent should not be used together as a personal data processing condition, because using explicit consent while there is another data processing condition may be contrary to the principle of compliance with the law and good faith.
c. It is explicitly stipulated in the laws: If there is an explicit provision in any law on the processing of sensitive categories of personal data or if there is a clear direction to the secondary legislation, then it may be possible to process sensitive categories of personal data. For example;
“Pursuant to the Law No. 5490 on Civil Registration Services, the personal data processing activity carried out by taking the fingerprints of the person concerned by the civil registry offices during the allocation of passports or driving licenses to the person concerned is within the scope of the reason for compliance with the law clearly stipulated in the law.”
“Article 121 of the Law No. 6458 on Foreigners and International Protection stipulates that the procedures and principles regarding the implementation of this Law shall be determined by regulations. Article 124 of the Regulation on the Implementation of the Law on Foreigners and International Protection issued within this scope, titled “Receiving and storing personal data”, sets out the procedures and principles on how biometric data such as “fingerprint, palm print, retina, voice scan” will be processed by the Directorate of Migration Management. In this context, it can be considered that the sensitive categories of personal data processed are processed in accordance with the processing condition of “explicitly stipulated by law”.”
d. It is mandatory for the protection of the life or physical integrity of the person concerned or of another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid: Sensitive personal data may be processed without the explicit consent of the data subject in cases where processing is mandatory for the protection of the life or physical integrity of the data subject or another person. Here, the vital interests of the data subject or a third person are protected. For example;
“Sharing the information regarding the previous diseases and blood type of an unconscious person trapped under the rubble due to an earthquake with the rescue and first aid teams, which are not healthcare professionals, by the relatives of the person, may be considered as a processing activity in accordance with the Law.”
e. It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public: With the amendment made to the Law, a new ground of lawfulness has been stipulated for the processing of sensitive personal data. Accordingly, sensitive personal data made public by the data subject may be processed, provided that it is in accordance with the will of publicisation. In other words, in order to process sensitive personal data on the basis of this provision, it will not be sufficient for the data subject to have made his/her personal data public, and the data controller must act in accordance with the data subject’s will of publicisation when processing such data. Therefore, the processing of a person’s sensitive personal data in any publicly accessible area should not be accepted within this scope. At the same time, the data subject is expected to have made this sensitive personal data public voluntarily. For example;
“In the event that a natural person prints his/her “blood type” information on a publicly visible part of the motor vehicle or bicycle that he/she drives in order to be used in emergencies, this personal data can only be processed in the presence of emergencies in line with the will and purpose of the person concerned to make it public. The processing of the data contrary to the data subject’s will and purpose of publicisation shall not be deemed lawful.”
f. It is mandatory for the establishment, exercise or protection of a right: An employer continuing to keep the health data of its former employee in order to use the right of defense in lawsuits that may be filed after the termination of the employment agreement will be evaluated within this scope. Likewise, in order for a disabled person to benefit from the right to buy a specially equipped vehicle exempt from special consumption tax, the acquisition of health reports regarding disability by the tax office and the processing of the sensitive personal data contained in these documents will also be evaluated within the scope of this subparagraph. For example;
“In cases where it is mandatory to process sensitive categories of personal data such as disability or health information of spouses and children for salary payments of employees, the processing of such data by the employer may also be considered within the scope of the establishment of a right.”
“In cases where it is not possible for a lawyer to establish his/her client’s right in another way, presenting the lawfully obtained sensitive categories of personal data to the court within the scope of the case file may be considered as a lawful processing reason on a relevant case basis.”
Another important issue is the use of the term “mandatory” in the wording of the Law. In this context, it is necessary to determine the necessity in each data processing activity and to determine the limits of the establishment, exercise and protection of the right. Here, it is meant that there is no alternative method for the establishment, exercise and protection of the right, and therefore the processing activity is mandatory for the purpose in question.
g. It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning, management and financing of health services by persons under the obligation of confidentiality or authorized institutions and organizations: In order to process sensitive categories of personal data based on the relevant provision, a limitation has been introduced in terms of person, purpose and situation. In this context, it is regulated that the processing activity may be carried out by persons under the obligation of confidentiality or by authorized institutions and organizations when it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and for the planning, management and financing of health services. It should be noted that the term “authorized institutions and organizations” includes not only public institutions and organizations, but also real persons and private law legal entities providing health services. All members of healthcare professions, persons who are not members of healthcare professions but who participate responsibly in the provision of healthcare services, and healthcare institutions and organizations are obliged to comply with the principles of privacy and confidentiality. On the other hand, within the scope of Article 6 of the Law, in order to be able to talk about the processing of sensitive personal data by persons or authorized institutions and organizations under the obligation of confidentiality, it is useful to state that the processing activity in question must be carried out for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. For example;
“The follow-up of childhood vaccinations, which are mandatory as per the state policy, by family physicians may be considered within the scope of the processing of health data of sensitive quality personal data for the protection of public health by persons under the obligation of confidentiality or by authorized institutions and organizations.”
h. Current or former members and members of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organizations and formations, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties: To give an example from the Guideline;
“The processing of health data regarding the disability status of a disabled member by a political party in order to provide a wheelchair to the person in question in order for the disabled member to vote can be evaluated within the scope of this article.”
“The processing of the health data of the worker for the follow-up of the process within the scope of the protection of the occupational health and safety of its members by the trade union to which the person who has an occupational accident in the production enterprise where he works is affiliated can be evaluated within the scope of this subparagraph.”
- Actions to be taken by Data Controllers for Compliance with the Law:
Within the scope of the amendment specified in the Guideline, the following items are suggested to be reviewed:
- Updating the personal data processing inventory,
- Organization of processes for obtaining explicit consent,
- Making amendments to information notes,
- Updating the retention and disposal policy,
- Taking data security measures.
If you would like to review the Guideline in detail, you can access it via the following link:
https://kvkk.gov.tr/SharedFolderServer/CMSFiles/70f95c73-06a2-44dc-81e9-34201bdd7f5c.pdf
Should you have any questions regarding the topics, please do not hesitate to contact us.