28 February 2022

Regulation On Protection And Processing Of Data Within The Scope Of The Social Security Institution's Operations Has Been Published

Esin Attorney Partnership

Recent development

The Regulation on the Protection and Processing of Data within the scope of the Social Security Institution's (SSI) Operations ("Regulation") has been published in the Official Gazette No. 31755, dated 19 February 2022. The Regulation stipulates the procedures and principles of data processing within the scope of the SSI's duties and authorities. The Regulation came into force as of its publication. The Regulation is available here in Turkish.

What does the Regulation cover?

General principles on processing data

  • The Regulation applies to processing activities connected to the SSI's duties and authorization, which concern the following people: SSI employees, data subjects, natural and legal persons providing system software and hardware services, public institutions and organizations that process personal data within the scope of the SSI's operations or on behalf of the SSI, as well as the natural and recipient parties of the transferred data.
  • The data processed is divided into three categories: (i) personal data; (ii) personal health data; and (iii) data constituting trade secrets (collectively, "Data"). Individuals who process Data are deemed to be under a confidentiality obligation.
  • Data processing is subject to Law No. 5502 and the legislation issued by the Personal Data Protection Board. With respect to transferring personal data, Law No. 5502 is reserved.
  • Data controllers and data processors are jointly responsible for the processing and security of the Data. In this context, data controllers are required to perform audits. In the case of unlawful access to Data, data controllers are obliged to notify the Personal Data Protection Board within 72 hours and the data subjects within a reasonable time.
  • The contracted health service providers are obliged to keep the personal health data they process on behalf of the SSI in the SSI data recording system and must not copy or transfer this data outside the system.
  • SSI employees' access to personal data is limited to the situations stipulated under the Regulation and the employees must be specified and authorized prior to accessing it. The Regulation also sets forth the approval and authorization mechanism for accessing Data.
  • As per the Regulation, the data subjects have rights granted to them under the Personal Data Protection Law No. 6698 (LPPD).

Data requests and transfer of Data

  • As per the Regulation, the requests of data subjects, institutions and organizations, the Ministry of Health, contracted health service providers and the judicial and executory authorities are subject to different data transfer mechanisms.
  • In general, data transfer requests must be made in writing and where necessary, the legal basis for the request must be specified.
  • If the data request is accepted, a protocol must be prepared and signed by the recipient party. Secure ways, such as registered mail, hand delivery and an email address with the "gov.tr" extension, must be used for transferring data.
  • The data recipients must use the data solely for the requested purpose. They are obliged to ensure the data's confidentiality and security, and must not disclose the data to other parties.
  • As per the Regulation, the data may also be transferred anonymously for different purposes, such as determining strategies for health and social insurance services, preparing statistics and conducting scientific and academic research.
  • Those who violate the Regulation are subject to sanctions under the LPPD and Turkish Criminal Code.

Conclusion

The Regulation stipulates the processing of Data within the scope of the SSI's operations and requests from institutions and organizations regarding Data and data transfer mechanisms in detail. Those who are subject to the Regulation should review it and align their practices accordingly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
