On 14 August 2023, Turkey's Personal Data Protection Authority ("DPA") published two violation decisions that focus mainly on healthcare institutions' personal data processing activities based on explicit consent. Once again, the DPA highlights that relying solely on explicit consent might not be sufficient to ensure the legality of personal data processing, and such consent could potentially be found invalid.

Below we summarize the outstanding points of these new decisions:

EXPLICIT CONSENT CANNOT NAVIGATE LEGAL BOUNDARIES

The DPA imposed an administrative fine of TRY 250,000 (approx. EUR 8,450) on a private healthcare institution, as a data controller, for engaging in promotional activities through the sharing of patients' data on social media. The DPA imposed the fine even though the institution had secured explicit consent from patients, as this kind of promotional activity is prohibited by Turkish healthcare regulations. As this activity is unlawful, the DPA clearly stated that if an activity necessitating personal data processing is forbidden by law, relying solely on explicit consent doesn't render it justifiable.

What happened in the background?

In this case, a patient (the data subject) raised their concern over the legal validity of the explicit consent forms that they had signed. These forms allowed their images and videos to be shared via media outlets partnered with the private hospital for promotional purposes.

On the other side, the healthcare institution (data controller) presented their defence and argued that (i) private hospitals are entitled to engage in promotional activities, (ii) their promotional activities are aimed at enhancing public awareness of diseases and treatments, and (iii) they obtained explicit consent from the patients to conduct such activity in line with Turkish Personal Data Protection Law numbered 6698 ("DP Law"). In their view, no breach of the law had occurred due to these actions.

What did the DPA consider?

The DPA emphasised the principle that data controllers are bound to conduct data processing within the boundaries of all laws. In this respect, even if explicit consent is acquired, processing personal data in violation of sector-specific legal regulations remains unlawful.

In their assessment, the DPA found that the healthcare institution shared health information and promotions via media outlets, having obtained explicit consent from patients. However, the DPA determined that:

  • such processing activity does not have a legitimate purpose, as the healthcare institution exceeded the information and promotional activities permitted by Turkish legislation [1];
  • the processing activity was not in compliance with Turkish healthcare regulations;
  • sharing patient data for raising awareness was not necessary, thus the principle of proportionality was breached.

What is the decision of the DPA?

Despite the healthcare institution obtaining explicit consent from patients to share data on media outlets, its actions were deemed to be in violation of Turkish healthcare regulations. Notably, the DPA reiterated that obtaining explicit consent does not validate excessive data collection.

As a result, the data controller faces an administrative fine of TRY 250,000 (approx. EUR 8,450). Furthermore, the DPA instructed the data controller to cease the implicated activity promptly and ensure the secure destruction of all personal data associated with the said activity.

MAY FREE WILL BE YOUR GUIDE: PRIVATE HEALTHCARE INSTITUTION FINED FOR REQUIRING EXPLICIT CONSENT FOR APPOINTMENT SCHEDULING

Yet another decision concerning a private healthcare institution and explicit consent has emerged from the DPA. In this decision, a fine of TRY 300,000 (approx. EUR 10,140) has been imposed on a private healthcare institution for the reason that the institution mandated patients to provide explicit consent in order to schedule appointments.

What happened in the background?

In the scenario that sparked this investigation, a data subject attempted to schedule an appointment through the healthcare institution. At that stage the individual noticed that providing explicit consent to receive information about the healthcare institution's services and announcements was an essential step. The data subject claimed that their appointment was conditioned upon granting the consent, and thus made a complaint about this process to the DPA.

In its defence, the healthcare institution stated that they obtain personal data to manage appointments, verify identities, and send clarification texts in this regard. The healthcare institution mentioned that they provide an optional checkbox, allowing individuals to provide their consent, if they wish, and emphasised that individuals are not obliged to provide their consent. The healthcare institution further noted that necessary adjustments were made on their website following the complaint, aligning with the DP Law.

What did the DPA consider?

As a result of the investigation, the DPA determined that:

  • The appointment process cannot be finalised unless explicit consent is granted for the healthcare institution's promotional activities. Such a provision contradicts the element of "free will", which is an inherent component of explicit consent, and thus obtaining explicit consent in such a way damages the free will of data subjects;
  • Alternative legal bases, apart from explicit consent, exist for the healthcare institution to process personal data during appointment registration. Therefore, it is deceptive and an abuse of rights to rely on explicit consent.

What is the decision of the DPA?

In light of the above-mentioned evaluations, the DPA stated that the unnecessary collection of explicit consent is contrary to the rule of fairness. Additionally, the DPA highlighted that the conditional presentation of explicit consent for promotional activities resulted in impairing the free will of the data subjects. For these reasons, an administrative fine of TRY 300,000 (approx. EUR 10,140) was imposed on the healthcare institution, accompanied by an instruction to implement the necessary adjustments on their website.

Footnote

1. You can read our summary of the newly introduced Turkish regulation on promotion and information activities in healthcare services here.
