PERSONAL DATA PROTECTION LAW
The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up-to-date.
In August, the Board published Public Announcement and Data Breach Notifications on the “Draft Guidelines on the Issues to be Considered in the Processing of Genetic Data”.
With the Board’s Decision dated 16.08.2022 and numbered 2022/848, it is envisaged to receive public opinions on the Draft Guidelines, and it is possible to send opinions and evaluations regarding the Draft Guidelines to the Authority in writing and/or by e-mail to genetikveri@kvkk.gov.tr e-mail address until 24.09.2022.
DATA BREACH NOTIFICATIONS
Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In August 2022, two data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.
AstraZeneca İlaç Sanayi ve Ticaret Limited Şirketi
In the data breach notification submitted to the Board by the data controller; it was reported that the breach occurred in the “Workday Limited” system, which serves as a data processor and allows employee candidates to apply for job applications for open positions within the company.
It was stated that in the relevant system, candidates can submit job applications without logging into their own accounts, and in order for this system to function, Workday Limited uses a JavaScript variable to track the data related to the user session; it was determined that due to the inclusion of this variable in the HTML source, the variable value became visible to external persons examining the HTML source.
In the notification, it was stated that due to the aforementioned situation, the personal data of prospective job applicants became accessible, that the breaches that occurred between 13-14 July and 20 July-1 August were detected on 31 July, and that an estimated 981 individuals belonging only to the prospective employee group were affected by the breach.
It is estimated that the personal data affected by the breach are country, name, e-mail, telephone number, salary expectation, current salary information, previous employment relationship information with “AstraZeneca”, if any, visa status, details of restrictive clauses related to current or previous employer; however, it is also emphasised that prospective employees can additionally provide personal URL, work experience, education, language, skills and CV data within the data processing system.
Güreli Yeminli Mali Müşavirlik ve Bağımsız Denetim Hizmetleri Anonim Şirketi
It was notified to the Board that the data breach, which started on 16 July, was detected on 8 August after the information systems supervisor noticed text files indicating that a ransom was requested for the stolen files; in this context, the breach was caused by a ransomware attack, the affected person groups consisted of potential customers and customers, but the number of people could not be determined.
In the data breach notification, it was stated that it is estimated that the personal data affected by the breach may be the name, surname, e-mail address, telephone number, invoice and commercial records included in the identity, communication, financial data categories and commercial data requested from legal entity customers within the scope of certified public accountancy and independent audit activities.
PUBLIC ANNOUNCEMENT
Public Announcement on the “Draft Guidelines on the Issues to be Considered in the Processing of Genetic Data”
INTRODUCTION
Genetic data, which is listed among special categories of personal data under the LPPD, has not been comprehensively defined in the legislation published to date. Article 4, paragraph 13 of the European Union General Data Protection Regulation (General Data Protection Regulation, “GDPR”) regulates what genetic data is with the provision stating that “‘genetic data’ is personal data relating to inherited or acquired characteristics of a natural person which provide unique information relating to the physiology or health of that natural person and which result in particular from the analysis of a biological sample taken from that natural person”.
Genetic data is all or part of the information obtained from all DNA, RNA and Protein sequences encoded from the genome, cell nucleus or mitochondria of the living organism. Genetic data may be only a Single Nucleotide Polymorphism information or a very comprehensive whole genome sequence information. These data cover all genomic changes, hereditary or non-hereditary, from DNA and/or RNA obtained from living organisms.
Genetic data must be analysed in order to be meaningful or informative. Firstly, DNA or RNA is obtained from the sample that reaches the laboratory environment, then this DNA/RNA sample is subjected to other processes according to the targeted study and the raw data obtained from the individual becomes analysable.
However, it should be noted that raw data and biological samples are valuable and meaningful even before they are analysed and have the potential to identify a real person. Another important point is that DNA/RNA samples provide access to all genomic data of the individual at any time under appropriate storage conditions.
For example; Since the DNA of an individual whose genetic data was studied 10 years ago will still be stored, all kinds of genetic tests can be studied from DNA obtained 10 years ago with brand new genetic technologies. It should not be forgotten that there is also the possibility that samples taken from dead people can be analysed in a way that will make a real person identifiable years later.
Any kind of tissue or material sent to the laboratory for research or diagnostic purposes can be made very easy to obtain information from that moment on. In this respect, all data controllers who collect biological samples must take the necessary technical and administrative measures to ensure the security of the samples.
At this point, in our opinion, the contradictory part is whether the data of the deceased person will fall within the scope of personal data. In the definition of personal data, it is known that what is meant by “identifiable person” is real persons and death legally terminates the personality. Therefore, it may be interpreted that this example in the draft is contrary to the provisions of the Turkish Civil Code regarding personality.
It is a matter of debate whether it is possible to fully and truly anonymise DNA samples, which provide unique data about the person concerned, i.e. genetic data in general. This is because, no matter what method is used, it is not possible to actually break the contact between the data obtained and the person concerned. Therefore, it is important to pay more attention to taking the necessary technical and administrative measures during the processing of genetic data.
PURPOSE AND SCOPE
Genetic data can be used in many fields today. The most important of these areas is genetic analysis for diagnostic and therapeutic purposes in the field of health. These analyses can be performed by hospitals or medical laboratories for the diagnosis and treatment of diseases before or after birth, or samples can be sent abroad for these analyses.
Another area where genetic data is used is analyses for the purpose of determining parentage and offspring. Such analyses can be carried out in order to carry out legal transactions, as well as through commercial tests directly for consumers, by individuals individually taking biological samples and transmitting them to the relevant companies for analysis.
In addition to these, genetic data processing activities can also be carried out for purposes such as genetic predisposition in nutrition, sports or talent, etc., depending on the preference of individuals, except in mandatory cases.
Since Article 6/3 of the LPPD stipulates that personal data other than health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law, genetic data may also be processed in cases stipulated by law, except for explicit consent. On the other hand, it should be noted that genetic data should be considered as personal health data only if they are processed for medical diagnosis and treatment purposes. The obligation to comply with the general principles set out in Article 4 of the LPPD shall also apply here.
The processing of genetic data may affect not only the data subjects themselves, but also their relatives with whom they have genetic contact, future generations, and even national security and economy. Therefore, it is necessary to take various measures regarding the transfer of genetic data abroad, taking into account the fundamental rights and freedoms of individuals.
According to the information received from the Ministry of Health, most of the tests of genetic methods applied in developed countries can be performed in Turkey. Among these methods; Conventional DNA sequence analysis, Next Generation DNA sequence analysis, Microarray, Digital PCR, Real Time PCR, FISH, Chromosome analysis etc. are frequently used methods.
There are also tests such as extended cancer profiling tests, MRD (minimal residual disease) detection, which are also studied with these methods but have not yet established sufficient clinical use in our country, and different tests, especially liquid biopsy, NIPT (non-invasive prenatal tests), which can be performed very easily in our country, are sent abroad mostly for financial purposes.
DATA CONTROLLER AND DATA PROCESSOR
It is stipulated that tests for the diagnosis of genetic diseases and the treatment response of various diseases or to determine whether the person carries a gene responsible for a disease or to reveal whether the person has a genetic predisposition or sensitivity to a disease can only be performed in Genetic Diseases Evaluation Centres only in cases of medical necessity or for scientific research for medical purposes and provided that appropriate genetic counselling services are provided. Within this framework, real or legal persons (Ministry, university, private law legal entity, etc.) who determine the purposes and means of processing personal data to which the Genetic Disease Evaluation Centres are affiliated and who are responsible for the establishment and management of the data recording system are data controllers. Cloud systems where genetic data are kept can be considered as data processors.
RELEVANT PERSON
In the process of processing genetic data, it may be possible to process not only the genetic data of the persons concerned, but also the genetic data of their relatives with whom they have genetic contact.
PROCESSING OF GENETIC DATA AND PRINCIPLES
The data controller may process genetic data in accordance with the general principles set out in Article 4 and the conditions set out in Article 6 of the KVKK, but only in accordance with the following principles
The essence of fundamental rights and freedoms is not to be touched
Since the right to protection of personal data is one of the fundamental rights and freedoms, it is clear that genetic data processing activities should also be subject to basic guarantees in terms of fundamental rights and freedoms stipulated in the Constitution, and at this point, the issue of proportionality is of great importance. Personal data processing activities carried out through genetic data processing must be carried out without touching the essence of the right, in compliance with the principle of proportionality and by taking measures regarding data security.
In this sense, the data necessary and sufficient for the realisation of the purpose of processing genetic data should be processed, and processing activities that exceed the purpose of genetic data processing should be avoided. The principle of proportionality should be respected by establishing a reasonable balance between the processed genetic data and the purpose of processing these data, and genetic data should not be processed for purposes that do not exist or are likely to occur in the future.
The activity must be appropriate for the purpose to be achieved
Genetic data of the quality and type suitable for the realisation of the result targeted by the genetic data processing activity should be processed and suitable methods should be used in terms of obtaining these genetic data. During the processing of personal data that is suitable for the purpose of genetic data processing, it should not be preferred to process additional personal data after obtaining the amount and type of genetic data suitable for achieving the purpose.
The method must be necessary for the purpose to be achieved
In the event that any less intrusive alternative is available in terms of the tools/methods used to achieve the purpose of genetic data processing, or if it is possible to process less amount and type of genetic data, a lawful personal data processing activity cannot be mentioned in terms of genetic data processed within the scope of interventions exceeding the limit of necessity.
Proportion between the purpose and the means to be achieved
There must be a proportionate ratio between the tool used in genetic data processing and the purpose of genetic data processing. The tool used should not be disproportionate in terms of the purpose to be achieved. At the point of genetic data processing, there must be proportionality between the weight of the interference with the right to protection of personal data and the reasons that justify this interference. In cases where there is more than one tool for the realisation of the purpose of genetic data processing, the selection of the most appropriate tool expresses proportionality.
Retention and destruction for the required period
Pursuant to the principle of retaining personal data for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed in Article 4/1/d of the LPPD, the maximum period of time should be determined in the processing of personal data. Article 24, paragraph 4 of the Regulation on Genetic Diseases Evaluation Centres titled “Recording System” stipulates that: “Reports and records shall be kept at the Centre for at least thirty years, electronic records shall be kept indefinitely with backup, samples and slides shall be kept for at least two years under suitable conditions in a non-destructive manner.”
The period for which genetic data will be retained, together with the reasons, should be explained by the data controller in the personal data retention and destruction policy. Genetic data should be kept for as long as necessary to fulfil the purpose of their processing. It is necessary to periodically and carefully review whether the genetic data used should continue to be kept, and the genetic data that is concluded that it is not necessary to be kept should be destroyed without delay.
Processing of genetic data within the scope of KVKK
In order for the explicit consent given for the processing of genetic data to be valid, it must first be given in relation to a specific subject and limited to that subject. Since explicit consent is a declaration of will, in order for the person to give consent freely, he/she must also know what he/she is consenting to; the person must have full knowledge not only on the subject but also on the consequences of his/her consent. This must be done before the processing of the data.
Genetic data processed as a result of the explicit consent of the data subject for genetic data processing activity should not be used for other purposes. Considering that the most important persons in the issues of informing the data subjects and obtaining their explicit consent are specialised healthcare professionals, healthcare professionals should evaluate the processing of genetic data within the framework of the principles of KVKK, especially the principle of necessity, and inform the data subjects.
In order for explicit consent to be valid, the person must be aware of his/her behaviour and this decision must be his/her own decision. The provision of any product and/or service or the utilisation of the product and/or service should not be conditional on the explicit consent of the person concerned, and in cases where the parties are not in equal position or one of the parties has an influence on the other, it should be carefully evaluated whether the consent is given with free will.
Apart from any medical diagnosis and treatment purposes, genetic data may also be processed for commercial purposes for various reasons such as determination of lineage/ancestry or kinship relations, determination of predisposition to sportive activities or any talent within the scope of the explicit consent of the persons, and in this regard, it is important to obtain the explicit consent of the persons as defined in the KVKK.
The consequences that the data subjects will face within the scope of the processing of genetic data, the possibility that this processing activity contains the personal data of not only the individuals but also the persons belonging to the family lineage to which they belong and the risks of this situation, the possible difficulties in tracking the fate of genetic data, especially in case of transfer abroad, the risks of data controllers residing abroad regarding data security, the possibility of transferring genetic data transferred abroad to third parties within this scope. The person concerned should be clearly and in detail informed about the unclear situations such as the possibility of transferring genetic data to third parties and the negative consequences that these situations may cause.
As a health data, genetic data may be processed without seeking the consent of the persons concerned for mandatory tests in line with health requirements within the scope of Article 6/3 of the LPPD for the purpose of preventive medicine, medical diagnosis, treatment and care services. The most important criterion is that the processing of data for health reasons is mandatory and the data subjects must be informed about such mandatory data processing activities.
According to Art. 9 on the transfer of personal data abroad
For the transfer of genetic data abroad, in the event that the data is processed by obtaining the explicit consent of the data subjects or for the reason stipulated in the laws within the scope of Article 6 of the LPPD, the conditions specified in Article 9/2 (a) and (b) of the LPPD must be met and the provisions of other laws are reserved. Without prejudice to the provisions of international agreements, in cases where the interests of Turkey or the data subject will be seriously damaged, transfer abroad can only be possible with the permission of the Personal Data Protection Board by obtaining the opinion of the relevant public institution or organisation, and measures may be taken by the Board within the scope of the LPPD if the necessary technical and administrative measures are not taken by the data controllers who process genetic data abroad and it is evaluated that the interests of Turkey or the data subject will be seriously damaged.
Processing for scientific purposes within the scope of Art. 28/1/c of the LPPD
Article 16 of the Regulation on Personal Health Data regulates the conditions for the use of health data in scientific research. It is only possible to render genetic data of a singular nature not to be associated with an identifiable natural person by the data controller by converting it into cumulative variant frequency lists to be obtained as a result of combining a large number of such data belonging to different individuals, and these lists can be processed within the scope of scientific research by obtaining ethics committee permissions and complying with the current legislation, and minimising the risks related to personal data security by conducting such studies on data that has been rendered unidentifiable to the extent possible, and using methods such as using pseudonyms for this purpose,
Although it is possible to use genetic data for scientific purposes, provided that it does not violate the right to privacy and personal rights or constitute a criminal offence, this is only applied as a last resort if the processing of genetic data is mandatory in order to achieve the expected result of scientific research,
In terms of the protection of genetic data used in scientific research, ensuring the necessary security measures to ensure that the constitutionally guaranteed right to protection of personal data is not violated, and in this direction, in particular, acting in accordance with the principle of being connected, limited and proportionate to the purpose for which personal data are processed,
In terms of completed scientific research, it is necessary to carefully evaluate whether it is necessary to continue to keep the personal data used, and if it is concluded that it is not necessary, necessary mechanisms should be provided for the destruction of these personal data in accordance with the personal data retention and destruction policy.
OBLIGATIONS OF DATA CONTROLLERS
Due to the importance of genetic data, data controllers who will process genetic data must also inform the data subjects about which genetic data are collected for what legal reason and for what purpose, the importance of these data, and what the consequences may arise in case of violation (risks of processing genetic data). Due to the importance of genetic data, the nature of these data and the fact that genetic data also contain information about the family of the data subject, the scope of the obligation to inform should be expanded and a preliminary counselling should be provided by the data controller or data processor during the initial acquisition of the data so that the data subject whose genetic data will be processed can understand the reasons, consequences and possible risks of the genetic data processing activity.
It should be ensured that he/she clearly understands that the processing of genetic data may provide access to his/her data not only for the data subject but also for other family members. In case of further questions or confusion, the data controller shall take all necessary actions to clarify these issues.
Since the main activity is the processing of special categories of personal data, the obligation to register with the Data Controllers Registry is required.
In addition, it should be repeated that data controllers are responsible for taking all kinds of technical and administrative measures as mentioned above.
GENETIC DATA SECURITY
Technical and administrative measures regarding the processing of genetic data are included in detail. In the Draft Guideline, in addition to all the technical and administrative measures listed in the legislation and listed so far, it is stated that the issues in the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 regarding the “Adequate Measures to be taken by Data Controllers in the Processing of Sensitive Personal Data” should be paid attention to and the technical and administrative measures listed additionally are included in the Draft Guideline.
SUGGESTIONS AND RECOMMENDATIONS
The processing of genetic data is extremely sensitive in terms of the information it reveals and may cause national strategic consequences that may affect the entire society. The processing of genetic data should be subject to certain rules and procedures, as well as raising awareness in the social sphere. The processing of genetic data may affect not only the individual, but also his/her relatives with genetic links, future generations and even national security and economy.
Since the economic sector referred to by terms such as “biotechnology” and “bioeconomy” can produce economic output with high efficiency, especially in areas such as health, agriculture and bioenergy, but uses “genetic data” as the main economic input, the management of data breach risks that this sector, which has a high innovation capacity, and R&D studies involving other genetic data processing activities may be exposed to is considered a high priority issue for every country in terms of national security and economic interests.
The Draft Guidelines also include measures that the Board considers can be taken at the national level.