GUIDANCE ON ISSUES TO BE CONSIDERED IN THE PROCESSING OF GENETIC DATA

INTRODUCTION
 
Article 6 of the Law No. 6698 on the Protection of Personal Data (“Law”) defines genetic data as a special category of personal data. Although genetic data has not been defined in our legislation to date, Article 4/13 of the European Union General Data Protection Regulation (“GDPR”) stipulates that genetic data is personal data which provides unique information about the physiology or health of a natural person, in particular personal data resulting from the analysis of a biological sample taken from that natural person and relating to the inherited or acquired characteristics of that person.
 
The Personal Data Protection Authority aims to guide data subjects and data controllers by addressing the data processing process under the headings of processing and principles of genetic data, obligations of the data controller and genetic data security with the Guideline on the Issues to be Considered in the Processing of Genetic Data (“Guideline”) published on 13.10.2023.
 
CONCEPTS OF DATA CONTROLLER – DATA PROCESSOR – DATA SUBJECT WITHIN THE SCOPE OF GENETIC DATA
 
Pursuant to the Regulation on Genetic Diseases Evaluation Centres (“Regulation”), it is stipulated that tests for the diagnosis of genetic diseases and treatment response of various diseases or to determine whether a person carries a gene responsible for a disease or to reveal whether a person has a genetic predisposition or sensitivity to a disease can only be performed in Genetic Diseases Evaluation Centres only in cases of medical necessity or for scientific research for medical purposes and provided that appropriate genetic counselling services are provided. In this context, when the relevant bodies are evaluated in terms of genetic data processing activity;
 
Data Controllers: Real and legal persons (Ministries, Universities, Private Law Legal Entities) to which Genetic Diseases Evaluation Centres are affiliated are data controllers,

Data Processors: Cloud systems that hold genetic data are data processors,

Data Subjects: Real persons whose genetic data are processed, and their relatives with whom there is a genetic link and who may be affected during the processing of genetic data, are examples of data subjects.
 
On the other hand, it is useful to remind that real and legal persons such as, but not limited to, education and rehabilitation centres, municipalities, institutions and organisations providing health services, public institutions and organisations, insurance companies, etc., which may have the genetic information of the data subjects even if they do not perform genetic data analysis, should also be evaluated within the scope of the definitions of data controller or data processor in the Law on the basis of the concrete case.
 
PROCESSING OF GENETIC DATA AND PRINCIPLES
Principles to be Considered During the Processing of Genetic Data
 
The Guideline states that the data controller may process genetic data in line with the following principles, in addition to the general principles set out in Article 4 and the conditions set out in Article 6 of the Law:
 
Not touching the essence of fundamental rights and freedoms: Since the right to protection of personal data is one of the fundamental rights and freedoms regulated by the Constitution of the Republic of Turkey, the personal data processing activity carried out through genetic data processing must be carried out in accordance with the principle of proportionality, without touching the essence of the right.
The genetic data processing activity must be appropriate for the purpose to be achieved: In the decision of the Constitutional Court dated 28.09.2017 and numbered E.2016/125, K.2017/143, convenience is defined as “the rule introduced is convenient for the purpose to be achieved”.
During genetic data processing, no additional personal data should be processed after obtaining the amount and type of genetic data suitable for achieving the purpose.
The genetic data processing method is necessary for the purpose to be achieved: Pursuant to the Constitutional Court’s decision dated 28.09.2017 and numbered E.2016/125, K.2017/143, necessity means that the rule is necessary for the purpose to be achieved. Accordingly, where there is more than one tool/method enabling the realisation of the same purpose, the least intrusive tool/method should be selected among them.
The proportionality between the purpose and the means to be achieved by genetic data processing: According to the Constitutional Court’s decision dated 28.09.2017 and numbered E.2016/125, K.2017/143, proportionality is defined as “the measure that should be between the rule introduced and the purpose to be achieved”. Where there is more than one tool for the realisation of the purpose of genetic data processing, the selection of the most appropriate tool expresses proportionality.
Keeping the processed genetic data for the required period of time, and destroying the data in question in accordance with the personal data retention and destruction policy without delay after the necessity is no longer required: Within the scope of the general principles in the Law, personal data should be kept for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed. [1] The period for which the data in question will be retained should be explained by the data controller in the personal data retention and destruction policy with the reasons.
Processing of Genetic Data under the Law
 
Pursuant to Article 6 of the Law, genetic data may be processed without the explicit consent of the persons concerned, limited to the cases specified in the law.  
 
In addition, where genetic data are processed only for health-related purposes, namely the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services, which are listed in paragraph (3) of the aforementioned article as the conditions for processing data on health and sexual life, they may be processed only by persons or authorised institutions and organisations under an obligation of confidentiality, subject to the conditions for processing personal health data, even though they remain genetic data by definition.
 
Although genetic data are counted separately from health or sexual life data within the scope of the definition in the Law, it is stated in the Guideline that the relevant processing can be evaluated within the scope of Article 6/3 of the Law if there is a purpose to process genetic data only for health reasons, and it is a very important evaluation that references are made to the Regulation on Personal Health Data. In this framework, genetic data may be processed without obtaining explicit consent from individuals in cases explicitly stipulated by law, unlike health data, and may also be categorised as health data according to the nature of the process and subject to the processing conditions of health data.
 
Transfer of Genetic Data Abroad
 
In order to transfer genetic data abroad within the framework of Article 9 of the Law, either the explicit consent of the data subjects must be obtained or, where personal data are processed on a ground stipulated in the laws within the scope of Article 6 of the Law, the conditions in Article 9/2-a and b of the Law must be met; the provisions of other laws are reserved.
 
Exceptions under Article 28 of the Law
 
Article 28 of the Law titled “Exceptions” regulates the cases where the Law will not be applied and subparagraph (c) of the relevant article stipulates that “Processing of personal data … for … scientific purposes”. In this context, the processing of genetic data must be carried out in accordance with the following criteria:
 
Combining a large number of singular genetic data belonging to different individuals and transforming them into cumulative variant frequency lists so that they cannot be associated with a natural person,
Processing of genetic data is mandatory as a last resort in order to achieve the expected result of scientific research,
Ensuring the necessary security measures and acting in accordance with the principles of being connected, limited and proportionate to the purpose for which personal data are processed,
Careful evaluation of the necessity to continue to retain the personal data used and if it is concluded that the relevant data should not continue to be retained, providing the necessary mechanisms for the destruction of the data in accordance with the personal data retention and destruction policy.
OBLIGATIONS OF DATA CONTROLLERS
Disclosure Obligation
 
Pursuant to the Law and the Communiqué on the Procedures and Principles to be followed in Fulfilling the Obligation to Inform (“Communiqué”), data controllers or persons authorised by them are obliged to inform the data subjects during the acquisition of personal data. In the Guideline, it is stated that in addition to the minimum elements (identity of the data controller and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the personal data may be transferred, the method of collecting personal data, the legal reason and the rights of the data subject), the importance of genetic data and the consequences that may arise in case of breach should also be stated.
 
In addition, it is stated that the scope of the disclosure obligation should be expanded by data controllers or data processors, since genetic data also includes information about the family of the data subject, and that preliminary counselling should be provided so that the data subjects whose genetic data are processed can understand the reasons, consequences and possible risks of the data processing activity. Therefore, it should be ensured that the data subject clearly understands that the processing of genetic data may provide access to data not only about himself/herself but also about other family members.
 
Pursuant to the Law, while data controllers are obliged to inform the data subjects, data processors are obliged not to disclose the personal data they are authorised to process to others and not to use such data for purposes other than processing. However, the Guideline is observed to impose a preliminary counselling obligation on data processors as well as data controllers within the scope of genetic data. Considering the reach of genetic data, expanding the scope of disclosure and the obligations imposed is considered a very appropriate approach in line with the purpose served by the personal data protection legislation. However, it is debatable whether informing the persons concerned by the genetic data processing activity that the data of their family members can also be accessed serves the same purpose. Since access to the data of the person’s family members/relatives as a result of the processing of genetic data may also make those persons data subjects, the ideal scenario would be for every person considered a data subject, including family members, to be informed about the genetic data processing process; however, the practicability of this remains open to question.
 
Obligation to Register with the Data Controllers Registry
 
Pursuant to Article 16 of the Law, data controllers who meet the criteria within the scope of Decision No. 2023/1154 dated 06.07.2023 are obliged to register with the Data Controllers Registry before starting data processing activities. However, data controllers whose main activity is to process special categories of personal data are obliged to register with the Data Controllers Registry without exception.
 
Genetic Data Security
 
Genetic data security is of great importance for data controllers due to the nature of the data. Since genetic data falls within the special categories of personal data, a more sensitive approach must be taken to the secure processing and storage of the data and the necessary measures must be taken. In this respect, the decision on “Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data” dated 31/01/2018 and numbered 2018/10, published by the Personal Data Protection Board (“Board”), should be taken into consideration.
 
In addition to the personal data security measures in the aforementioned legislation and guidelines, data controllers are strongly recommended to take the following measures regarding genetic data processing.
 
SECURITY MEASURES WITHIN THE SCOPE OF GENETIC DATA PROCESSING ACTIVITY (ADMINISTRATIVE AND TECHNICAL MEASURES)

Personal data security, and especially genetic data privacy, should be taken into account at the design stage, and all mechanisms should be established and managed according to the principle of “Privacy by Design”. Although this concept does not currently exist in our legislation, it has been evaluated that data controllers complying with this principle will be able to fulfil their obligation to take technical and administrative measures more easily and successfully.

It should be preferred not to keep genetic data in cloud systems. However, where it is necessary to connect to the server on which the analysis program is located in order for the raw data held in genetic data processing devices to be processed and analysed, and the data will therefore be processed through cloud systems, a detailed record of the genetic data stored in the cloud should be kept, backups should be taken outside the cloud, and two-factor authentication should be applied for remote access to genetic data in the cloud. Genetic data should be encrypted with cryptographic methods that provide sufficient security in accordance with current technology. Access to cryptographic keys should be limited to authorised personnel holding a clearance (crypto security certificate).

The data controller should continuously measure and monitor its readiness against a possible data breach through in-house random and periodic audits and risk analyses of data processing activities relating to genetic data.

Data controllers who process genetic data must carry out a Data Protection Impact Assessment addressing the nature of the data and the potential risks that the processing may pose to the data subject.

Where devices are delivered to authorised companies for maintenance, repair, etc., or rented devices are returned to the relevant companies, the data storage units on the device must be removed and retained, or all data must be delivered to the laboratory on hard disk media, and a written undertaking must be obtained from the company that no data remains on the device or on a server belonging to the company.

A Personal Data Processing Inventory should be prepared and the Data Controllers Registry Information System (VERBIS) should be notified.

Where a data processor is engaged by the data controller for any purpose in genetic data processing processes, the security measures deemed necessary should be included in the service contracts to be concluded with the data processor, and periodic audits should be carried out, or commissioned, to ensure that the necessary technical and administrative measures are provided by the data processor.

Data controllers should be able to monitor and limit user operations on genetic data processing software. Transaction records of all actions performed on the programme/system processing genetic data must be kept in a separate system, regularly and securely protected. The administrator responsible for the transaction recording system should be a different person from those responsible for other systems.

Genetic data must be kept in such a way that they cannot be accessed by anyone other than authorised personnel who have received training on the subject and with whom confidentiality agreements have been concluded.

Hardware and software security tests of the systems that process genetic data should be performed periodically. Changes to the systems should be put into operation only after the necessary security tests have been carried out.

Separate processing policies, emergency procedures and reporting mechanisms must be established for genetic data processing processes. Genetic data in electronic media should be backed up regularly with a secure backup system. Data set backups must be kept outside the network.

Data controllers should use certified equipment and licensed, up-to-date software, provide patch management, prefer open source software as far as possible and apply the necessary updates to the system on time.

Prior to data processing activities involving genetic data, the data subjects must be informed in detail by means of valid disclosure texts in accordance with Article 10 of the Law and the provisions of the Communiqué and, where necessary, the explicit consent of the data subject must be obtained. It should also be noted that the genetic data of the data subjects may only be used in relation to the personal data processing activity for which explicit consent has been obtained; if the data are to be used for a purpose other than that for which they were obtained, explicit consent must be obtained again after informing the data subject.

Data controllers should test the system before installation and after any changes, where possible using synthetic (non-real) data in test environments created for this purpose. Data controllers should implement measures that warn the system administrator and/or protect and report on genetic data in the event that unauthorised access to the system occurs despite all necessary security measures having been taken.

It is considered that the measures within the scope of the Circular on Information and Communication Security Measures No. 2019/12 and the Information and Communication Security Guide prepared under the coordination of the Presidential Digital Transformation Office within the scope of the Circular should be complied with.
 
The fact that all these principles and criteria listed above are met should be recorded and documented by the data controller and disclosed to the public.
 
SUGGESTIONS AND RECOMMENDATIONS     
 
Genetic data are highly sensitive in terms of the nature of the information they reveal, and their processing may have strategic consequences at the national level that affect the whole of society. Therefore, it is important to bind the processing of genetic data to certain rules and procedures, and also to raise awareness in the public sphere, because the processing of a person’s genetic data may affect not only that person but also their relatives, future generations and even national security and the economy.
 
Considering that the economic sector uses genetic data as a main economic input, especially in areas such as health, agriculture and bioenergy, and that it can produce economic output from them with high efficiency, the Guideline also includes some suggestions and measures that the Board considers could be taken at the national level in order to manage data breach risks:
 
Since the purposes of processing genetic data differ, it may be useful to address the procedures and rules according to the purposes of processing. For example, it is considered that the sample sent abroad pursuant to Article 25/2 of the Regulation may be subject to a more detailed regulation under Articles 4 and 9 of the Law.
In the face of the obligation to conduct tests or research containing genetic data abroad, necessary measures should be taken to ensure the privacy of genetic data processed for scientific research or examination purposes, as stated in the “International Declaration on Human Genetic Data” of the UNESCO General Conference dated 16 October 2003, and to prevent the use of genetic data obtained for purposes other than the purposes for which they were collected.
In order to ensure that tests related to genetic data are not sent abroad as much as possible, efforts can be made to support national laboratories, to provide the necessary domestically produced medical devices and to strengthen the human resources specialised in this field.
Necessary administrative arrangements will be made for the storage of genetic data domestically, and domestic, national and accredited information infrastructure studies that will make this possible will be supported.
National genetic data banking will be developed for scientific purposes and the establishment of a genetic data storage centre will be encouraged.
The development of transparency, openness and accountability practices during the processing of genetic data, including research and studies carried out in this field, can be encouraged.
Organisations conducting research or testing activities that require the processing of genetic data may have a unit that includes personnel who have received the necessary training in the field of personal data protection, which informs the data subjects about the personal data they obtain and provides the solution of the requests from the data subjects, or this function may be fulfilled by the “Patient Rights Unit” within the health institutions by assigning personnel who have received the necessary training in the field of personal data protection.
By informing the relevant persons about the consequences that may arise in case their genetic data are sent abroad, social awareness can be increased through methods such as public service announcements and meetings, and thus, the number of people sending their genetic data abroad can be reduced.
GRC LEGAL COMMENT
 
The processing and protection of genetic data is of great importance both in terms of individual privacy and national security and economic interests. Accordingly, the processing and preservation of genetic data should be handled with a holistic view in accordance with the legislation that touches genetic data as well as the legislation on the protection of personal data. In addition, all kinds of technical and administrative measures mentioned in the Guidelines should be taken into consideration by data controllers and legal obligations should be complied with.
 
It can be said that this Guideline, published for genetic data, which by its nature requires a high level of protection, supports Turkish law in the process of harmonisation with European Union legislation and provides many guiding directions in a period when awareness of personal data protection is increasing.
 
[1] In the fourth paragraph of Article 24 titled “Recording System” of the Regulation on Genetic Diseases Evaluation Centres; “Reports and records are kept at the centre for at least thirty years, electronic records are kept indefinitely with backup, samples and slides are kept for at least two years under suitable conditions so as not to deteriorate.”