Personal data can be processed based on the following legal grounds:

  • If explicit consent of the data subject is obtained;
  • If processing is clearly proposed under the laws;
  • If processing is mandatory for the protection of life or to prevent the physical injury of a person in cases where that person cannot express consent or whose consent is legally invalid due to physical disabilities;
  • If processing is necessary for and directly related to the establishment or performance of a contract and limited to the personal data related to the parties therein;
  • If processing is mandatory for a data controller to fulfil its legal obligations;
  • If the data is made manifestly public by the data subject;
  • If processing is mandatory for the establishment, exercise, or protection of certain rights; and
  • If processing is compulsory for the legitimate interests of the data controller, provided that fundamental rights and freedoms of the data subject or any related person are not compromised.

Processing Sensitive Personal Data

The Law divides sensitive personal data into two categories:

  • Personal data on health or sexual orientation; and
  • "Other" sensitive personal data.

Personal data related to health or sexual orientation is protected more strictly than other sensitive data, as the scope of the additional legal grounds for processing is very limited. Reserving the requirement to process data by obtaining the explicit consent of the data subject, personal data related to health or sexual data can only be processed by persons under an obligation of confidentiality, or by authorised institutions and establishments, for the protection of public health, protective medicine, medical diagnosis, treatment and care services purposes.

For other types of sensitive personal data, these can only be processed with the data subject's explicit consent or if such processing is required by law.

In Turkey, processing sensitive data, especially health data, must be diligently handled under the current legal backdrop. The processing of health data in different areas and for various purposes, including new technologies, quality services, pharmacovigilance or clinical trials, are the areas where companies need to be careful in their data processing practices. Further, processing employee data must be diligently assessed and managed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.