Healthcare Sector Publishes a Guideline on Data Protection
Introduction
The Turkish Medicines and Medical Devices Agency (“TITCK”) published Guidelines on Protection of Personal Data in Pharmacovigilance Activities (“Guideline”) on 1 August 2019.[1] The Guideline aims to protect personal data that is processed during pharmacovigilance activities and, accordingly, to inform the data processors regarding their incumbencies and the relevant procedures and principles. The Guideline is based on Data Protection Law No. 6698 (“Law”) and the relevant secondary legislation.
Pharmacovigilance
Pharmacovigilance is defined as the activities and scientific studies with regard to exploring the determination, understanding and preventing of adverse reactions and other problems related to medicines. “Adverse reactions” are the dangerous and undesirable responses that are developed to medicines. “Adverse incidents” are the medical cases in which an undesirable result that cannot be related to the prescribed treatment has occurred to the patient, or the clinical study volunteer that the medicine has been applied on.
Pharmacovigilance Actions and Personal Data
The Guideline defines the “company” as the license owner and/or the service institutions that provide services to the license owner (the third-party service providers). Within that scope, the pharmaceutical companies should be defined under the word “company”.
The pharmaceutical companies have legal responsibilities that include the notification of suspicious adverse reactions. Accordingly, in order to provide the patient with safety and obey the laws, they collect this related data on a regular basis.
The patient’s age/age group, sex, weight, height, medical history and current situation should be noted for an efficient analysis of the safety data in the adverse reaction notifications. The initials, or a contact number and/or the date of birth of the patient, is important for providing followup notifications. Moreover, the reporting parties’ names and contact information should be taken in order to collect complete and accurate data. In that sense, the pharmacovigilance data may comprise personal data or sensitive data of the patient, as well as the personal data of the reporting party.
Sensitive Data
The conditions under which to process sensitive personal data have been set forth under Article 6 of the Law. According to Article 6 (1), personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, memberships with associations, foundations or trade-unions, health, sexual orientation, criminal convictions and security measures, and biometric and genetic data are deemed to be sensitive data. Pursuant to Article 6 (2), it is prohibited to process sensitive data without the explicit consent of the data subject.
On the other hand, Article 6 (3) reads as follows:
“Personal data, excluding that which is related to health and sexual orientation, as listed in the first paragraph, may be processed without seeking the explicit consent of the data subject, in the cases provided for by the law. Personal data relating to health and sexual orientation may only be processed without seeking the explicit consent of the data subject, by any person or authorized public institutions and organizations that have confidentiality obligation, for the purposes of the protection of the public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services, as well as their financing.”
For instance, the data retained and processed for the purposes mentioned under Article 6 (3) by the Ministry of Health, healthcare institutions, or the Social Security Institution, is within the scope of the relevant exception.
The Highlight of the Guideline
When an adverse incident has been notified to a pharmaceutical company, in order to comply with the pharmacovigilance requirements regarding “definable patient” and “definable reporter,” personal data shall be collected.
Pursuant to Article 2.1 of the Guideline, for the processing of personal data for the purpose of pharmacovigilance, the explicit consent of the data subject is not necessary. The former rule is independent from the notifying party’s identity: Whether it is the data subject or the reporter of the adverse effect.
The Guideline bases the relevant Article 2.1 to Article 6 (3) of the Law. In that scope, the Guideline accepts the pharmacovigilance data as “sensitive data,” and the pharmaceutical companies as those who are under the “confidentiality obligation”.
In addition, the Guideline explicitly states that even though Article 2.1 does not require explicit consent, this shall not be construed to be a general exemption from the Law. Accordingly, during pharmacovigilance activities, the parties shall abide by all incumbencies, particularly the obligation to inform, and the obligations regarding data safety.
Other Issues in the Guideline
The Guideline explains data safety measures in detail. Furthermore, with regard to international data transfer, the Guideline makes a separation between “safe” and “unsafe” countries. If there is deemed to be sufficient protection in the recipient country, personal data may be transferred without seeking the explicit consent of the data subject. If sufficient protection is not provided in the recipient country, the controllers in Turkey and in the related foreign country shall guarantee sufficient protection, in writing, and the Data Protection Board’s authorization shall be obtained.
Through referring Article 28 of the Regulation on the Safety of Medicines[2], the Guideline determines the retaining period of personal data as the relevant medicines’ license period to be a minimum of 10 years starting from the termination date of the medicine license.
Conclusion
Considering the large amount of sensitive data floating around in the healthcare sector, it is opined that the Guideline is an enlightening regulation. On the other hand, the regulation in the Guideline with regard to the processing of sensitive data without seeking the data subject’s explicit consent should be assessed in light of the principles that have been set forth in the Law. Accordingly, and as explained above, the explicit consent-free processing of personal data relating to health and sexual orientation may only be processed by any person or authorized public institutions and organizations that have the “confidentiality obligation” for the determined purposes in the same Article.
Within that scope, it can be interpreted that the Guideline accepts the pharmaceutical companies as the ones who are under the “confidentiality obligation.” The Law, or the relevant secondary regulation, on the other hand, does not speak about the pharmaceutical companies’ status. Therefore, it is opined that the Data Protection Board’s opinion, or any secondary regulation that sheds light on the issue, would be beneficial.
[1] https://www.titck.gov.tr/mevzuat/farmakovijilans-faaliyetlerinde-kisisel-verilerin-korunmasi-hakkinda-kilavuz-01082019183233 (Access date: 13.09.2019).
[2]http://www.mevzuat.gov.tr/Metin.Aspx?MevzuatKod=7.5.19578&MevzuatIliski=0&sourceXmlSearch=ila%C3%A7lar%C4%B1n%20g%C3%BCven (Access date: 16.09.2019).
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
The first “Artificial Intelligence Act” of all time, which includes rules and regulations that directly affect tools such as ChatGPT, Bard and Midjourney adopted by the European Parliament with a majority of votes. Thus, the European Parliament has officially taken the steps of a regulation that could be a turning point for...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
ChatGPT, a large language model (LLM) developed by OpenAI, is an artificial intelligence (AI) system based on deep learning techniques and neural networks for natural language processing. ChatGPT can process and generate human-like text, chat, analyse and answer follow-up questions, and acknowledge errors...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...
