Directive on the Processing and Preserving the Confidentiality of Personal Health Data has been published

The Directive on the Processing and Preserving the Confidentiality of Personal Health Data (“Directive”), which regulates the collection, transfer and processing of personal health data, as well as the setting up of a database by the Turkish Ministry of Health (“Ministry”) for the purposes of storing patients’ health data, has been published in the Official Gazette dated 20.10.2016 numbered 29863.


The Directive has been issued on the basis of Data Protection Law No. 6698 (“Data Protection Law”), which came into force in April 2016, and echoes the principles enshrined therein.

The Directive defines the term “health service providers” as any real person or public or private legal entity licensed to provide health services and stipulates that such providers shall be obligated to take all measures specified by the Ministry for the protection of personal health data, which covers any data concerning the health of an identified or identifiable person. To ensure the fulfilment of this obligation, the Directive stipulates that health service providers shall submit the personal details of their employees who shall be in charge of data processing to the Ministry within 15 days, failing which they may face legal action. The term “processing of personal health data” stands for the procurement of data through fully or partly electronic or non-electronic methods, storage, conservation, alteration, re-arrangement, divulgence, transfer, classification and obstruction of the subject data, where necessary.

Pursuant to the Directive, personal health data can only be processed to the extent necessary for the rendering of the health services concerned, and any person who processes or has access to processed personal health data is under the obligation to keep it confidential. It is permissible for personal health data to be processed without the express consent of the relevant person for the protection of public health, medical diagnosis, treatment and care purposes and the planning and management of health services and its financing. The processing of personal health data for any other purpose without anonymizing it or obtaining the express consent of the owner is strictly prohibited. The transfer of personal health data will be subject to the provisions of the Data Protection Law; however, the Commission’s approval must be obtained prior to transferring such data abroad. Once the purposes for which personal health data was processed cease to exist, the processors are required to delete or anonymize the data upon the relevant person’s request.

In case of a suspicion of violation of the principles contained in the Directive, a standard complaint form may be submitted to the Ministry to request the launching of an investigation of the subject violation. The outcome of the investigation will then be reported to the Personal Health Data Commission, which will be established to resolve disputes, process applications and complaints and conduct the necessary supervisions relating to the processing of personal health data. Without any prejudice to the general provisions of law, any violation of the Directive will be penalized as per Articles 17 and 18 of the Data Protection Law. In the case where the wrongdoer is a public officer, he/she may also face disciplinary proceedings and his/her authority to process personal health data will be withdrawn.

Lastly, as per Article 15 of the Directive, any Turkish citizen will be granted the opportunity to review and monitor the health services provided to him and his personal data processed in the meantime by way of creating an account on the online personal health database, which will also be accessible through the e-Government portal.