The first paragraph of Article 6 of the Personal Data Protection Law, which regulates the “conditions for processing special categories of personal data,” defines the special categories of personal data as “data related to race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, data related to security measures, and biometric and genetic data.” In the initial version of the law, data related to health and sexual life were treated separately and subject to their own processing conditions. The amendment of 12.03.2024 removed this distinction. Against this background, the Personal Data Protection Authority prepared the “Guidelines for the Processing of Special Categories of Personal Data” (the Guidelines) to share its view of special categories of personal data and their processing conditions with data controllers and data subjects. The Guidelines consist of three parts:
1) Special Categories of Personal Data:
The data listed in Article 6 of the Law form a closed list: the categories are limited in number and cannot be expanded by analogy. The purpose of singling them out is to protect data whose disclosure could expose the individual to discrimination or other harm. The Guidelines define each special category of personal data, describe its typical sources, give examples of the discrimination or harm that its processing may cause, and cite relevant judicial decisions. They also draw on decisions of the European Court of Human Rights (ECHR) and the Turkish Court of Cassation to illustrate the potential negative impacts and legal consequences of processing such data.
2) Conditions for Processing Special Categories of Personal Data:
As a rule, the processing of special categories of personal data is prohibited; the prohibition may be limited only in a manner that does not violate individuals’ fundamental rights and freedoms. Processing may nevertheless be needed to meet legal obligations or, in some cases, to provide better services and products to customers, to protect individuals’ privacy, to ensure security, or to keep pace with technological change. In the original version of Article 6, personal data related to health and sexual life could be processed only with the explicit consent of the individual or, without consent, by persons or authorized institutions bound by a confidentiality obligation for purposes such as protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services. An amendment intended to align the Law with European Union legislation and with changing global conditions removed this distinction and introduced a single set of processing conditions for all special categories of personal data. Under the amended provision, special categories of personal data may be processed under the following conditions:
Special categories of personal data can be processed:
- With the explicit consent of the individual,
- When explicitly stipulated by law,
- In situations where the individual cannot express their consent due to physical impossibility or the invalidity of their consent, but the processing is necessary for the protection of their life or bodily integrity or that of another person,
- When the individual has made the personal data public and the processing aligns with the intent of publicizing the data,
- When necessary for the establishment, exercise, or defense of legal claims,
- By individuals or authorized institutions or organizations bound by a confidentiality obligation for purposes such as public health protection, preventive medicine, medical diagnosis, treatment, and care services, and health services planning, management, and financing,
- When required to fulfill legal obligations related to employment, occupational health and safety, social security, social services, and social assistance,
- By foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade-union purposes, in compliance with the legislation they are subject to and their purposes, limited to their fields of activity, and provided that the data is not disclosed to third parties, in relation to their current or former members and to persons in regular contact with these organizations.
The Guidelines confirm that there is no hierarchy between explicit consent and the other processing conditions: where one of the other conditions applies, special categories of personal data may be processed without explicit consent. The Guidelines also stress the deliberate use of the words “necessary” and “required” in the provision, which means that processing must be lawful, proportionate and limited to its stated purpose. The broadening of the processing conditions does not permit arbitrary processing of special categories of personal data; it makes the conditions clearer and more predictable for data controllers and data subjects alike.
3) Actions Required by Data Controllers to Comply with the Law:
A) Updating the Personal Data Processing Inventory:
Under the Regulation on the Data Controllers Registry published in the Official Gazette dated 30.12.2017, data controllers who are required to register with the Data Controllers Registry must also prepare a personal data processing inventory. Following the amendment of Article 6, the legal basis on which a data controller processes special categories of personal data may change, while the obligations to remain registered and to keep the inventory current continue to apply. The inventory should identify all personal data processed and categorize them according to their nature. Special attention should be given to identifying special categories of personal data and recording, for each data type, the legal basis under Article 6 on which it is processed. Any change of legal basis must be reflected in the inventory.
B) Regulating Explicit Consent Processes:
With the amendment of Article 6, special categories of personal data may now be processed not only on the basis of explicit consent but also on the other legal grounds listed above. Data that previously could be processed only with explicit consent may therefore now be processed under another lawful condition where one applies. Although there is no hierarchy between explicit consent and the other processing conditions, relying on explicit consent when another lawful ground is available may be inconsistent with legal and ethical principles, since consent can be withdrawn at any time. Withdrawal takes effect for the future only: as soon as the withdrawal statement reaches the data controller, all processing that rested on that consent must cease, and processing may continue only if another valid legal ground applies. Where processing that previously relied on explicit consent is moved to another legal ground, the existing consent texts should be revised accordingly and the change communicated to the individuals concerned.
C) Modifications to the Information and Disclosure Documents:
Data controllers must fulfill their obligation to inform individuals when collecting personal data. This requires giving accurate and up-to-date information on who is processing the data, for what purpose, to whom it will be transferred, and on which legal ground it is processed. Information and disclosure documents must not contain misleading, incomplete or inaccurate statements. Any change in the processing activity, including a change of legal ground following the amendment of Article 6, must be reflected in updated information and disclosure documents and communicated to the individuals concerned. The burden of proving that the information obligation has been fulfilled rests with the data controller.
D) Updating the Data Retention and Destruction Policy:
Data controllers are also required to establish and maintain a personal data retention and destruction policy based on the personal data processing inventory, as set out in the Regulation on the Deletion, Destruction or Anonymization of Personal Data published on 28.10.2017. The policy should set out the purposes for which data is retained and destroyed, the applicable legal and technical requirements, the security measures taken, and the roles and responsibilities of the personnel involved in retention and destruction. In light of the amendment and the broadened processing conditions, retention and destruction policies should be reviewed, and any change to a retention period should remain limited and proportionate to the purpose of processing.
E) Implementing Data Security Measures:
Data controllers are required to take all necessary technical and administrative measures to prevent personal data from being processed unlawfully or accessed without authorization. The risks to personal data and the potential harm to individuals should be assessed with regard to the nature of the data processed. Where special categories of personal data are processed, the additional security measures that the Personal Data Protection Authority has specified for such data must also be implemented.