Protection of personal health data has been a hot topic in legal circles ever since the Law No. 6698 on the Protection of Personal Data ("Law") was published in 2016. The first regulation on personal health data ("Former Regulation") was published by the Ministry of Health ("Ministry") right after the Law, in order to ensure coherence in legislation. However, having been prepared without consulting the Personal Data Protection Board ("Board"), the Former Regulation failed to meet the needs of the sector and did not include the necessary measures for this category of data. In fact, the Council of State ordered a stay of execution of the Former Regulation twice, on the grounds mentioned above.

In light of these developments, it was certain that Turkish legislation needed a new regulation on the protection of personal health data. Recently, the Ministry published the long-awaited Regulation on Personal Health Data ("Regulation") in the Official Gazette dated 21.06.2019, and the Regulation came into force on the same date.

What is new in the Regulation?

All natural and legal persons and public legal entities processing personal health data are bound by this Regulation, which introduces detailed explanations and methods regarding the rights of data subjects as stipulated in the Law.

Especially in terms of data access, the Regulation provides rules so detailed that, in a sense, it almost defines what a sufficient safety precaution is. However, it will be at the Board's discretion to determine whether the measures stipulated under the Regulation are sufficient to protect personal health data.

De-identification and masking

The Regulation introduces de-identification and masking as methods that prevent personal data from being associated with the data subject. In this regard, de-identification is defined as "a way of data processing disassociating personal data with an identified or an identifiable person, provided that the relevant administrative and technical measures are taken" whereas masking is defined as "the erasure, crossing out, dyeing or starring of personal data in a way disassociating the personal data from any identified or identifiable person".

Integration of such provisions is of utmost importance for the future of Turkish data privacy legislation. Even though the Law in Turkey originates from EU Directive 95/46/EC, there is an ongoing debate on whether the Board will steer towards a unique approach or continue to follow its ancestor. The integration of methods foreseen in the GDPR, such as de-identification, into the data privacy legislation signals that Turkish legislation tends to follow and implement European developments closely.

Personal health data of the deceased

Another interesting provision of the Regulation is Article 11, which regulates access to the personal health data of the deceased. Pursuant to this provision, personal health data of the deceased shall be retained for at least 20 years and the legal heirs of the deceased shall individually be authorized to access such data.

The right to data privacy is a fundamental right for the living, governed under the Constitution as well as the Law. That said, granting this right to persons who are no longer living, at a time when digital inheritance and post-mortem privacy are matters in question, does not seem to be a coincidence. Even though one approach holds that retaining personal health data of the deceased benefits the next generation by providing insight into inherited medical conditions, this approach has few supporters in the field. Putting all these theories aside, the simple explanation is that the Ministry is creating a pool of information for itself for the purposes of healthcare statistics and overseeing public health in a better manner.


The Ministry has not only published a new regulation but has in fact signalled a way forward for this area of law by following in the footsteps of the GDPR. However, we should keep in mind that the decisive body is the Board when it comes to data protection. Therefore, time will show whether the Regulation will be a remedy for the deficiencies in personal health data legislation and whether the spirit of the Regulation will be adopted by the Board.
