The Personal Data Protection Authority (the "DPA") published the Draft Guideline on the Issues for Consideration about Processing of Genetic Data (the "Draft Guideline") on August 24, 2022.
The DPA indicated the importance of genetic data and emphasized that the information acquired by processing genetic data, which is data of a special nature under the Law on Protection of Personal Data ("DPL"), is extremely sensitive and may have consequences that affect society as a whole. For this reason, the DPA has been trying to set out the rules and procedures for processing genetic data and to raise public awareness of the matter.
The primary issues raised in the Draft Guideline and our initial assessments related to the same are further explained below.
What is Genetic Data?
Although genetic data is not specifically defined under the DPL, the DPA accepted, in the Draft Guideline, the definition under the European General Data Protection Regulation ("GDPR"). Accordingly, genetic data is defined as 'personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question'.
As further explained in the Draft Guideline, another issue that differentiates genetic data from other special categories of personal data is that a natural person can become identifiable from raw data and biological samples even if they are not subject to any analysis. Therefore, the DPA emphasizes that, instead of being anonymized, genetic data can only be de-identified under the data protection legislation, since the data subject and their genetic data can be connected regardless of the method used for analysis. In principle, de-identified data shall be considered within the scope of the DPL even after the de-identification process, since the genetic data does not become anonymous.
Principles and Conditions for Processing of Genetic Data
In accordance with the DPL, genetic data, as sensitive personal data, can be processed without the explicit consent of the data subject when such processing is regulated/stipulated by the law. Also, according to the general principles of the DPL, data processing must be lawful and compliant with the good faith principle, and processed data must be accurate and up to date when necessary. Furthermore, processing shall be conducted for certain, explicit and legitimate purposes and shall be in connection with, limited to and proportional to the purpose for which the relevant data are processed. In addition to these principles, personal data must be stored for the period of time stipulated under the relevant legislation or for no longer than required to realize the purpose for which the relevant data is transferred.
The DPA comprehensively detailed the conditions of processing in the Draft Guideline and specifically emphasized the principle of necessity and proportionality. It particularly indicated that data controllers must comply with these principles when they determine the scope of the genetic data to be processed and choose the data processing tools. The DPA pointed out that genetic data must not be collected if an alternative involving the processing of less data is available to realize the purpose, or for purposes that can be achieved without collecting any genetic data.
In accordance with the Draft Guideline, genetic data can be processed (i) for the tests that are compulsory for the purpose of fulfilling the obligations of preventive medicine, medical diagnosis, treatment and care services as health data and (ii) in other circumstances in which such processing is permitted by the law (e.g., for the molecular genetic examinations that might be conducted as per the Criminal Procedure Law). Even in these circumstances, the data controllers must comply with the obligation to inform the data subjects about how their personal data will be processed (i.e., privacy notice obligation). Other than for these purposes, the explicit consent of the data subjects must be obtained for processing for commercial purposes, such as determination of lineage/origin or affinity, identification of an aptitude for sports activities or any other talents, and diet services.
Lastly, the Draft Guideline evaluated the processing of genetic data for scientific purposes as an exemption to the DPL as per article 28 of the DPL. Taking the general principles in the Regulation on Personal Health Data into consideration, the DPA stated that data controllers can process genetic data for scientific purposes by making the individual genetic data of a real person unidentifiable in various ways, such as pseudonymisation and acquiring cumulative variant frequency lists (genome aggregation data) by combining data of the same type from different individuals. It is extremely important for the relevant scientific research to be permitted by the ethics boards. In any case, processing genetic data for scientific purposes must also be a last resort.
Restrictions Applicable to Cross-border Transfer of Genetic Data
The DPA identified that one of the most significant problems regarding the processing of genetic data is the transfer of data abroad, either for compulsory reasons with the purposes of medical diagnosis and treatment or for non-compulsory reasons depending on the choice of the data subjects. As is known, cross-border transfers of personal data are subject to the explicit consent of the data subjects unless the DPA grants permission for such transfer, considering that there is no adequacy decision taken by the DPA. Cross-border transfer of personal data for compulsory reasons conflicts with the conditions of explicit consent.
Considering that genetic data might have sensitive results, the DPA specifically addressed this issue under the Draft Guideline. According to the guidance of the Ministry of Health, the DPA stated that transfer to a foreign country is not mandatory for most of the tests, since the tests of genetic methods performed in developed countries can also be performed in Turkey. However, being aware of the fact that several tests cannot be performed in Turkey, it stated that data transfers abroad might be required occasionally. The DPA implied the importance of transferring data abroad through the licensed genetic diseases assessment centres/licensed medical laboratories and under the supervision of the Ministry of Health as per the Regulation on Genetic Diseases Assessment Centres and the Regulation on Medical Laboratories. Even in such circumstances, genetic data must not be transferred abroad without obtaining explicit consent unless the DPA permits such transfer.
In the Draft Guideline, there are also several important issues about the privacy notices for data transfers abroad. In accordance with the Draft Guideline, the data controllers must inform the data subjects clearly and in detail about unclear situations such as possible challenges in flow of genetic data, data security risks of foreign data controllers, possible further transfers to other third parties and adverse outcomes of these situations.
Technical and Administrative Measures
Considering the sensitivity of genetic data and the outcomes of processing such sensitive data for the public, the Draft Guideline emphasizes the importance of data security measures. Since genetic data, by its nature, cannot be anonymised and can only be de-identified, the Draft Guideline reminds data controllers of the importance of taking appropriate data security measures and sets out various data security measures as examples. In the event of a possible security breach, the DPA may check whether the security measures in the Draft Guideline are implemented and, in case of any deficiency, conclude that the data security measures are not taken as required by the DPL. Therefore, it is extremely important for data controllers processing genetic data to implement the example security measures mentioned in the Draft Guideline and integrate them into their systems.
Registration with the Data Controllers Registry
Data controllers that process special categories of data as their main activity must register with the Data Controllers Registry. The Draft Guideline has reminded that all the data controllers engaged in genetic data processing activities must also comply with this obligation.
The DPA assessed data processing conditions, cross-border transfer issues, systems where data is stored and technical and administrative measures specifically for genetic data due to the individual, hereditary, economic and national importance of such data. For this reason, the Draft Guideline is extremely important for the data controllers, and it is a document that the DPA will take into consideration in possible disputes.
The DPA also determined certain national measures that it might take itself, which might, for example, eliminate compulsory cross-border transfers. The DPA may set forth other regulations and restrictions for cross-border transfer of genetic data soon by working closely with the relevant institutions, especially with the Ministry of Health. The developments must be closely followed.
Special thanks to Merve Arslanhan for her contributions.