The decision of the Personal Data Protection Board (‘Board’) dated 31/01/2018 and numbered 2018/10 (‘Decision’) on ‘Adequate Measures Taken by Data Controllers in Processing The Special Categories of Personal Data’ is discussed below.
First of all, we would like to note that this Board decision contains valuable guidance for data controllers on what must be done when processing special categories of personal data.
Paragraph (4) of Article 6 of the Law on the Protection of Personal Data No. 6698 (‘Law’) provides that ‘Adequate measures determined by the Board shall be also taken while processing the special categories of personal data.’ On this basis, the Board adopted the Decision and set out the rules on this issue.
In this context, the adequate measures to be taken by data controllers who process special categories of personal data, in accordance with sub-paragraphs (ç) and (e) of paragraph (1) of Article 22 of the Law, have been determined by the Board as follows:
1- Establishing a separate, systematic, clearly defined, manageable and sustainable policy and procedure for the security of special categories of personal data,
2- Specific requirements also apply to employees involved in the processing of special categories of personal data. For these employees:
- Providing regular training on the Law and related regulations and on the security of special categories of personal data,
- Concluding confidentiality agreements,
- Clearly defining the users who have access to the data, and the scope and duration of their authorization,
- Performing authorization checks periodically,
- Immediately revoking the authorization of employees who change position or leave their job.
In this context, matters such as the return of the inventory allocated to the employee by the data controller should also be handled.
3- If the environment in which special categories of personal data are processed, stored and/or accessed is an electronic environment:
- Storing the data using cryptographic methods,
- Keeping the cryptographic keys in a secure and separate environment,
- Securely logging the transaction records of all operations performed on the data,
- Continuously monitoring the security updates of the environments where the data is located, regularly conducting or commissioning the necessary security tests, and recording the test results,
- If the data is accessed through software, managing the user authorizations of this software, regularly carrying out security tests of the software, and recording the test results,
- Providing at least a two-stage authentication system if remote access to the data is required,
4- If the environments in which special categories of personal data are processed, stored and/or accessed are physical environments:
- Ensuring that adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken, depending on the nature of the environment in which the special categories of personal data are kept,
- Preventing unauthorized entry and exit by ensuring the physical security of these environments,
5- If special categories of personal data are to be transferred:
- If the data needs to be transferred via e-mail, sending it encrypted from a corporate e-mail address or using a Registered Electronic Mail (REP) account,
- If it needs to be transferred via media such as portable memory, CD or DVD, encrypting it with cryptographic methods and keeping the cryptographic key in a separate environment,
- If the transfer is made between servers in different physical environments, transferring the data between the servers using VPN or sFTP,
- If the data is to be transferred on paper, taking the necessary measures against risks such as theft, loss or viewing by unauthorized persons, and sending the document in the ‘confidentiality grade documents’ format.
Of course, we would like to point out that, besides these measures, the technical and administrative measures for ensuring the appropriate level of security set out in the Personal Data Security Guide published on the website of the Personal Data Protection Authority should also be taken into account.
Otherwise, if violations are detected by the Board, legal and criminal sanctions may be incurred.
In another precedent decision of the Board, dated 05/12/2018 and numbered 2018/143, an assessment was made of a data controller that transferred health data to third parties without relying on any of the processing conditions in Article 6 of the Law.
This decision concerns a complaint submitted to the Authority about the sharing of health data, a special category of personal data, with a third party by the pharmacy that supplied the drugs, without any processing condition being met.
Paragraph (1) of Article 6 of the Law on the Protection of Personal Data No. 6698 (‘Law’), titled ‘Conditions for the processing of special categories of personal data’, states that the health data of individuals are special categories of personal data.
Paragraph (2) of that article prohibits the processing of special categories of personal data without the explicit consent of the data subject; paragraph (3), however, lists the other cases in which special categories of personal data may be processed without explicit consent.
Accordingly, health data may be processed without explicit consent only by persons or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.
On the other hand, paragraph (1) of Article 12 of the Law states that the data controller must take all necessary technical and administrative measures to ensure the appropriate level of security in order to:
- prevent the unlawful processing of personal data,
- prevent unlawful access to personal data,
- ensure the protection of personal data.
Paragraph (4) of the same article states that data controllers and data processors may not disclose the personal data they have learned to anyone in violation of the provisions of the Law, and may not use it for purposes other than the purpose of processing.
In this context, the sharing by the pharmacy that supplied the drugs of the special categories of personal data of a person using medicine under the supervision of a doctor with a third person, without meeting the conditions listed in Article 8 of the Law, is contrary to paragraph (4) of Article 12 of the Law, and an administrative fine was imposed on the data controller pharmacy in accordance with Article 18 of the Law.
We would like to state that, through the precedent decisions above, the points that must be considered in the practical application of the Law on the Protection of Personal Data are emphasized, and the necessary arrangements regarding personal data are being made at workplaces.
The information video covers the following topics:
- What are the adequate measures to be taken by data controllers when processing special categories of personal data?
- Which issues were considered in the precedent Board decision under paragraph (4) of Article 6 of the Personal Data Protection Law No. 6698, which provides that ‘Adequate measures determined by the Board shall be also taken while processing the special categories of personal data.’?