The penalty-free term of the Law on Protection of Personal Data ("LPPD") numbered 6698 ended as of October 2016 upon the entry into force of certain articles whose implementation had been postponed, such as those on the transfer of personal data, the rights of the data owner, and administrative fines and crimes. Because the secondary legislation on the implementation of the LPPD has not been fully published and the Data Supervisor Registry ("Registry") to be kept by the Data Protection Board ("Board") has not yet been incorporated, the responsible entities and bodies that process personal data ("Data Processing Bodies") are not capable of complying completely with the obligations arising from the LPPD. Accordingly, it has become common practice for the Data Processing Bodies to publish various declarations with respect to the processing of personal data and also to obtain the written consent of the people whose personal data are being processed. In light of the above, it is observed that the fact that the Registry has not yet been incorporated and the lack of secondary legislation have led to confusion by imposing an impractical workload upon the Data Processing Bodies.
Regulation on Processing and Ensuring Privacy of Personal Health Data:
In the meantime, the only secondary legislation of the LPPD, the Regulation on Processing and Ensuring Privacy of Personal Health Data ("Regulation"), was published by the Ministry of Health on 20.10.2016, introducing substantial liabilities upon sector-specific entities such as those engaged in commercial activities in the health, insurance and health tourism sectors. In contrast to the LPPD, the Regulation mainly concerns the health service providers and health data processors that operate in the health sector in general, rather than the institutions and organizations that have access to any type of personal data due to their operations. The Regulation moreover refers to heavy penalties, such as imprisonment, to be imposed in case of failure to comply with the obligations therein.
Accordingly, pursuant to the Regulation, personal health data may only be processed in accordance with the procedures and principles set forth in the Regulation and the LPPD. In addition, personal health data may be published for a specific reason set forth in the Regulation, such as determining health policies, calculating costs etc., provided that the data are anonymised. Personal health data of an individual can be processed and transferred only after the relevant individual is informed thoroughly and the written consent is obtained and preserved.
The consent with respect to the processing of personal health data can be withdrawn by the relevant individual at any time provided that there is not a legal regulation or a ruling to the contrary.
It is observed that the restricted rights with respect to the processing and transfer of personal health data, and the right to withdraw the consents given by the relevant individual, have raised a main concern for particular sector-specific entities such as insurance companies, as these substantively restrict the ability of insurance companies to collect personal health data, which play a crucial role in the analysis of risk and the calculation of premiums.