The Regulation on the Protection and Processing of Data at the Social Security Institution (“Regulation”), prepared by the Social Security Institution (“Institution”) and published in the Official Gazette dated 19.02.2022, entered into force as of the date of publication.

1. Subject of the Regulation

The Regulation determines the procedures and principles to be followed in the processing of data obtained by the Institution through fully or partially automatic means or non-automatic means, provided that it is a part of any data recording system. In addition, there are some provisions of the Regulation that may concern the data processing activities of private legal entities.

In this context, the Regulation generally requires that personal data, personal health data and data classified as trade secrets be processed and transferred by the Institution in accordance with the principles set forth in the Law on the Protection of Personal Data (“Law”). There are also some provisions that impose obligations on private legal entities.

2. Articles Regarding Private Legal Entities

  • Article 6: This article regulates the general obligations of data controllers regarding the data within the scope of the Regulation and underlines the confidentiality obligation regarding personal health data and data having the nature of trade secrets.

An issue that is not clearly stated in the Law, but is mentioned in the decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10, is clearly stated under this Regulation: if it is determined that data processed within the scope of the Regulation has been obtained by others illegally, the data controller is required to notify the Personal Data Protection Board within 72 hours at the latest, and to notify the relevant persons as soon as possible once the persons affected by the data breach have been identified.

  • Article 17: This article concerns private law legal entities that may request data transfer from the Institution regarding the products (such as medical devices, medical consumables) for which they have a license or sales permit.
  • Article 20: This article specifies the general rules that must be complied with by private law legal entities that request data transfer from the Institution.
  • Article 21: This article sets forth the rules that the persons and institutions to whom the Institution transfers data must comply with in order to protect the confidentiality of that data.

3. Conclusion

The Regulation generally sets out the rules for the processing and transfer of data by the Institution. Within this framework, while the Regulation imposes important data protection obligations on the Institution, private legal entities that act as data controllers and request data from the Institution will also have to take into account the provisions of the Regulation regarding the submission of such requests and the processing of the data.

You can access the regulation (in Turkish) from the link below:

Batuhan Şahmay
Partner
Naz Ergörün
Associate
Behiç Ateş Gülenç
Associate