The Personal Data Protection Board (“Board“) published the guideline regarding the points to be considered for processing genetic data (“Guide“)[1] on its official website on 13.10.2023.

The important points in the Guide are as follows:

  1. Definition of Genetic Data

 According to the Guide, genetic data, which is a sensitive data pursuant to Article 6(1) of the Law on the Protection of Personal Data (“Law“):

  • is “all or part of the information obtained from all DNA, RNA and Protein sequences encoded from the cell nucleus or mitochondria from the genome of the living being“,
  • can be just SNP (Single Nucleotide Polymorphism) information or very comprehensive whole genome sequence information, and
  • covers all genomic alterations, heritable or non-heritable, from DNA and/or RNA derived from living organisms.
  1. Conditions for Processing Genetic Data
  • Article 6 of the Law provides the conditions for the processing of sensitive personal data. According to the Guide, if genetic data is processed only for health-related purposes, then, even if they retain the characteristics of genetic data, the personal health data can be processed without the data subject’s explicit consent, subject to the conditions for processing personal health data outlined in paragraph (3) of the said article. This exception applies only to individuals or authorized institutions or organizations who are under the obligation of confidentiality and when the processing is carried out for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, as well as planning and managing healthcare services and financing.

In this context, genetic data may be processed without obtaining the data subject’s consent for mandatory health-related tests. In this case, however, the data subjects must still be informed in accordance with Article 10 of the Law.

  • The Guide states that if genetic data are processed for commercial purposes for various reasons other than medical diagnosis and treatment, such as to establish parentage, ancestry or relationship, to determine aptitude for sporting activities or talent, the data subjects’ consents must be obtained. Also in this case, the data subjects must be informed in accordance with Article 10 of the Law.
  1. Transferring Genetic Data Abroad

According to the Guide, in order to transfer genetic data abroad, either the explicit consent of the data subjects must be obtained or, in the case of processing of personal data for the reason specified in the laws within the scope of Article 6 of the Law, the conditions in subparagraphs (a) and (b) of paragraph (2) of Article 9 of the Law must be met.

In the case of processing of genetic data for the reasons provided by law, the transfer of genetic data abroad without the explicit consent of the data subject will only be possible with the authorization of the Board (as safe countries are not currently announced).

  1. Processing of Genetic Data within the Scope of Exceptions Under Article 28 of the Law

 The Guide states that when genetic data are processed for scientific purposes within the scope of Article 28 of the Law, the processing activity should be carried out within the scope of the following criteria in order for the processing activity to be considered out of the scope of the Law:

  • Article 16 of the Regulation on Personal Health Data, regulates the conditions for the use of health data in scientific research. It is possible to make genetic data of a singular nature, which cannot be associated by the data controller with an identifiable natural person, only by transforming them into cumulative variant frequency lists (genome aggregation data) obtained as a result of combining a large number of such data belonging to different individuals, and these lists may be processed in the context of scientific research, subject to ethics committee approval and in accordance with applicable legislation, provided that such studies are carried out, as far as possible, on data that have been rendered unidentifiable to the data subject and that the risks to the security of personal data are minimized by using methods such as pseudonymization.
  • Although the Law allows the use of genetic data for scientific purposes, provided that it does not violate the right to privacy and personal rights or constitute a criminal offense, this should only be applied as a last resort when the processing of genetic data is mandatory to achieve the expected result of scientific research.
  • With regard to the protection of genetic data used in scientific research, it is necessary to provide the necessary safeguards to ensure that the constitutionally guaranteed right to the protection of personal data is not violated, and in this direction, in particular, the principle of relevance, limitation and proportionality to the purpose for which personal data are processed must be followed.
  • With respect to completed scientific research, careful consideration should be given to whether it is necessary to continue to retain the personal data used and, if it is determined that it is not, the necessary mechanisms should be in place to destroy such personal data in accordance with the personal data retention and destruction policy.
  1. Technical and Administrative Measures

 In the Guide, the Board stated that the Board’s Decision dated 31 January 2018 and numbered 2018/10 on the appropriate measures to be taken by data controllers in the processing of sensitive personal data regarding technical and administrative measures should be taken into account.

In this regard, the Board mentioned the following regarding technical measures:

  • It should be preferred not to store genetic data in cloud systems. Storage of genetic data in these systems may amount to transfer abroad within the scope of the Law.
  • In the event the equipment is delivered to authorized companies for maintenance, repair, servicing, etc., or the rented equipment is returned to such companies, the data storage units on the equipment must be removed or all data must be delivered to the lab on hard disk media, and a written agreement must be obtained from the company that no data is on the company’s equipment or server.
  • Where possible, data controllers should test the system using synthetic data (not real data) in test environments that should be created before the system is installed and after any changes are made. On the other hand, if data controllers use real data for testing purposes, they should use genetic data in accordance with the principle of data minimization. Data controllers should implement measures to alert the system administrator and/or protect and report genetic data in the event of unauthorized access to the system, despite unauthorized access attempts and the implementation of all necessary security measures.
  • Data controllers should use certified equipment, licensed and up-to-date software, provide patch management, favor open source software whenever possible, and perform necessary system updates in a timely manner.
  • Data controllers must be able to monitor and limit user actions on software that processes genetic data. Transaction records (logs) of all actions performed on the genetic data processing program/system must be kept in a separate system, regularly, and securely protected. It should be ensured that the administrator responsible for the log system is different from those responsible for other systems.
  • Hardware and software security testing of genetic data processing systems should be performed periodically. Changes to the systems should be implemented only after the necessary security tests have been performed.
  • The measures within the scope of the Circular on Information and Communication Security Measures No. 2019/12 and the Information and Communication Security Guide, prepared under the coordination of the Presidential Digital Transformation Office within the scope of the Circular, should be complied with.

In addition to the above, the administrative measures recommended by the Board in the Guide are set out below:

  • The security of personal data, and in particular the protection of genetic data, should be established and managed on the basis of “Privacy by Design”, where all mechanisms are prepared on this basis and taken into account at the design stage.
  • Data controllers who process genetic data must conduct a Data Privacy Impact Assessment of the nature of the data and the potential risks that the data processing may pose to the data subject.
  • Genetic data should be stored in a way that prevents access by anyone other than authorized personnel who have been trained in the subject and with whom confidentiality agreements have been signed. In addition, an inventory of the processing of personal data must be made and notified to the Data Controllers Registry Information System (VERBIS) regarding the processing of such data.
  • Separate processing policies, emergency procedures, and reporting mechanisms should be established for the processing of genetic data. Genetic data in electronic media should be backed up regularly using a secure backup system. Backups of records should be kept off the network.
  • Through random and periodic internal audits and risk analyses of data processing activities related to genetic data, the data controller should continuously measure and monitor its preparedness for a potential data breach.
  • In the event that a data processor is preferred by the data controller for a purpose in the genetic data processing; the security measures deemed necessary should be included in the service contracts to be entered into with the data processors, and periodic audits should be performed or arranged to determine whether the necessary technical and administrative measures are provided by the preferred data processor. When receiving services from a data processor, data controllers must ensure that the data processor in question provides at least the same level of security for personal data as they provide.

The Board has stated that all of the above-mentioned principles and criteria must be recorded and documented by the data controller and disclosed to the public. 

  1. Suggestions and Recommendations

In the continuation of the Guide, the Board stated that genetic data are of critical importance in line with the national security and economic interests of countries, and listed some measures that can be taken at the national level. These actions are listed below:

  • Addressing procedures and rules according to the purposes of processing, since the purposes of processing genetic data differ,
  • In the face of the necessity of conducting tests or research containing genetic data abroad, taking the necessary measures to ensure the confidentiality of genetic data processed for the purposes of scientific research or examination, as stated in the “International Declaration on Human Genetic Data” of the UNESCO General Conference dated 16 October 2003, and to prevent the use of genetic data obtained for purposes other than the purposes for which they were collected,
  • Supporting national laboratories in order to ensure that tests related to genetic data are not sent abroad as much as possible, supplying the necessary locally produced medical devices and strengthening the human resources specialized in this field,
  • Supporting domestic, national and accredited informatics infrastructure studies that will make this possible by making the necessary administrative arrangements for the domestic storage of genetic data,
  • Promote the development of a national genetic data banking and genetic data storing center to be used for scientific purposes,
  • Encourage the development of practices of transparency, openness and accountability in the processing of genetic data, including research and studies carried out in this field, and thereby ensure that the public is informed about the reasons and consequences of the processing of their genetic data by the organizations carrying out these studies,
  • Organizations conducting research or testing activities that require the processing of genetic data should have a unit staffed with personnel who have received the necessary training in the field of personal data protection to inform the individuals concerned about how and where the personal data they receive will be used and to provide solutions to the inquiries of the individuals concerned, or this function should be performed by the patients’ rights unit within health care institutions by assigning personnel who have received the necessary training in the field of personal data protection,
  • Raising public awareness, through methods such as public service announcements and meetings, by informing affected individuals of the consequences that may arise if their genetic data is sent abroad, thereby reducing the number of individuals who send their genetic data abroad, and conducting awareness-raising activities for health professionals to provide adequate information to affected individuals in order to prevent the tests that can already be performed domestically from being performed abroad.

In addition, the Guide also includes the assessment of the processing of genetic data in the context of the principles set forth in the Law, the issues to be considered when obtaining explicit consent, additional explanations regarding the specified technical and administrative measures, and additional information on the subject.

[1] You can access the Guide (in Turkish) from the following link: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/f3ca871c-bdac-48b1-ace3-9d40dbe533d2.pdf

Batuhan Şahmay
Partner | [email protected]
Naz Ergörün
Associate | [email protected]
Behiç Ateş Gülenç
Associate | [email protected]