Regulation on Processing and Protecting the Privacy of Personal Health Data


As of 20 October 2016, the Regulation on Processing and Protecting the Privacy of Personal Health Data No.29863 (the "Regulation") was published and came into force on the same date in line with the Law on Protection of Personal Data dated April 7, 2016, No. 6698 (the “Law”).

Within the scope of the Regulation, additional principles and procedures were introduced to the health institutions (“Health Institutions”) which are holding and processing personal health data (“Personal Health Data”).

Sensitive Personal Data under the Law and Regulation

According the Law, Personal Data consisting of information as to racial, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and clothing, association, foundation or trade union membership, health, sexual life, criminal conviction, security measures and biometric and genetic data is defined as “Sensitive Personal Data”. It is regulated under the Law that such data cannot be processed without the express consent of the individual.

According to the Regulation, Personal Health Data means any information related to an identified or identifiable real person and process of such data means any operation performed on Personal Health Data, such as collection, record, storage and transfer.

Provisions introduced by the Regulation on Personal Health Data

The Regulation is prepared by the Ministry of Health to stipulate the principles and procedures to be followed in order to ensure the privacy and protection of the Personal Health Data and to establish a system (“Personal Health Registration System”) to assure monitoring of the collection, access processing and transfer of the Personal Health Data as well as the security and control of the system to be established and  notifications to be made to the Ministry of Health ("Ministry") on the employee movements during the provision of health services.

The Regulation covers the provisions on;

  • health service providers ("Health Service Provider"),
  • real persons ("Data Subject", "Data Owner") whose personal health data ("Personal Health Data") is processed,
  • real persons and legal entities ("Data Processor") who provide services such as data processing systems, software and hardware and filing system of health service providers, and
  • any other entities public institutions and organizations and private law real persons and other legal including health institutions entities which process Personal Health Data ("Data Controller" or "Data Processor") within the framework of a legislation.

The Regulation is not only applicable to the Health Service Providers or the Data Subjects whose Personal Health Data is processed but also covers real persons and legal entities who process Personal Health Data within the scope of a legislation. Therefore all companies processing Personal Health Data for reasons such as employment procedures, periodic inspection or due to obligations arising from social security legislation will be subject to provisions of the Regulation.

Obligations of the Data Controller regarding processing, transferring and recording the Personal Health Data

Within the scope of the Regulation, the content of the explicit consent required from Data Owner under the Law has been expanded. In contrast to the Law, the Regulation requires the explicit consent of the Data Subject to be provided in writing in order the Personal Health Data to be processed. However, Data Subject can always retrieve given written consent, unless otherwise stated in the law or such data may be processed without a consent provided that it is anonymized.

In this context, the first and absolute condition of processing Sensitive Personal Data within the scope of the Law is the explicit consent, and the absolute condition of the processing Personal Health Data within the scope of the Regulation is the explicit written consent. The Regulation also requires individuals who are subject to processing to be informed in detail.

In addition to these matters, Data Controller is obliged to take necessary measures in order to provide an adequate level of security of the Personal Health Data and the System to be established.

Personal Health Data may be processed and transferred to the relevant public institutions and organizations by taking measures determined by the Personal Data Protection Board and fulfilling the conditions for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and maintenance services, planning and management of health services and financing.

Recording the Personal Health Data   

The Regulation further requires the Ministry of Health to establish a Personal Health Registration System in order to provide access to Personal Health Data by persons who have been authorized according to the Regulation as well as to establish, execute and protect such data. Within the Personal Health Registration System, such persons will be authorized to create a user account and reach their Personal Health Data.


The sanction provisions of Law also apply to all crimes and misdemeanors on Personal Health Data under the Regulation.

In case of a breach of the obligations stipulated under the Law referred to within the scope of the Regulation, administrative fines will be imposed on Data Controllers in the amounts indicated under the Law.



Please contact us to view the full content.