Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



Processing sensitive data under the new regulations

PrintMailRate-it

​​​​​​​​​​​​published on 24 July 2024 | reading time approx. 3 minutes


Turkish Data Protection Law, that came into effect in 2016 describes sensitive data as data on race, ethnic origin, political opinion, ideology, religion, sect or other beliefs, appearance and clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures applied to the real person, as well as biometric and genetic data. 

The Law distinguishes between processing1​​​ sensitive data and processing ordinary / normal personal data as it set stricter rules for processing certain type of sensitive data. Sensitive data regarding health and sexual life, until June 1, 2024, could only be processed with the consent of the data subject among other legal reasons as described in specific laws. However, with the recent legal amendment in Turkish Data Protection Law that came into effect as of June 1, 2024 (please see the note dated 25.03.2024), new conditions for the lawful processing of sensitive data are introduced. This change aims to ensure that data controllers do not process certain sensitive data solely based on consent, but also demonstrate a legally valid reason when processing is necessary. 

Among the processing of sensitive data, the most discussions were raised for processing health data and criminal history. Unfortunately, following the adaption of the amendments, the discussions on processing health data and criminal records are still going strong and has yet to be resolved.

Under Turkish Labor Law, employers are obligated to protect the health and safety of their employees and the workplace. This includes ensuring health and safety; thus, employers typically request a health report and criminal record from employees before initiating the hiring process. With Turkish Data Protection Law, the processing of such data was conducted only with the consent of the data subject, which sometimes put the employers in a difficult position. However, with the amendment, new rules are regulated.

Processing criminal record of the employee is generally prohibited unless required by another law. This exception is cited in laws such as the Banking Law and the Law on Private Security Services. Pursuant to these laws, individuals are obliged to provide a criminal record in certain fields of business due to the associated risks. Unless a special law explicitly requires the criminal record to be submitted for employment, its processing is prohibited to avoid violating the principle of equality.

Processing health data is also minimized as much as possible. If a company doctor is commissioned within the workplace by law, only the company doctor is allowed to process health data of the employee because of their confidentiality obligation. In cases where no company doctor is available, employer shall still request a health report from the employee to determine the employee's ability to work (before hiring or during the employment term for sick leave). In such cases, the employer, who receives the health report, is bound by confidentiality and may not request more data than just confirmation that the employee is able for work, without any remarks on illnesses, diagnoses, etc. on the report. 

With the amendments in Turkish Data Protection Act, it is evident that the Law aims to prevent arbitrary data processing and ensure that the processing of sensitive data is left to authorized persons.


[1] In accordance with Turkish Data Protection Act, Processing Data means: All types of processes performed on personal data, such as collection, storage, retention, modification, transformation, dissemination, transmission, acquisition, provision, classification, or prevention of the use of personal data, whether fully or partially automated or non-automated, provided they are part of a data collection system.​

 DATA PROTECTION BITES

author

Contact Person Picture

Bortecine Gultekin

Avukat

+90 212 3101 434

Invia richiesta

 RÖDL & PARTNER TURKEY

Discover more about our offices in Turkey. 
Deutschland Weltweit Search Menu