The Guidelines on Processing of Genetic Data Have Been Published
Introduction
The processing of genetic data has the potential to affect not only the data subjects themselves but also the persons with whom they are genetically connected. “The Guidelines on Issues to be Considered in the Processing of Genetic Data” (“Guidelines”), published by the Personal Data Protection Authority (“Authority”) in October 2023, draw attention to the fact that the processing of genetic data may have strategic consequences, and address the concept of genetic data, the conditions for and principles applicable to processing activities, the obligations of data controllers, and the administrative and technical measures required for data security. The measures taken at the national level are also covered. This Newsletter introduces the prominent assessments and recommendations of the Guidelines.
Definition for Genetic Data
The Personal Data Protection Law numbered 6698 (“PDPL”) defines sensitive personal data as data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. The Guidelines note that the concept of genetic data is not comprehensively addressed by the national legislation and therefore also refer to the definition introduced by the General Data Protection Regulation (“GDPR”). Pursuant to art. 4/13 of the GDPR, genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.[1] Within the scope of the Guidelines, the concept of genetic data is handled in accordance with the definitions introduced by national and international legislation, without going into the technical sub-categories of the term.[2]
Genetic data becomes meaningful once it is analyzed. However, a person can be identified even from genetic material that has not yet been analyzed, since a stored DNA/RNA sample gives access to that person's genetic data as soon as it is studied. The measures required by “The Regulation on Deletion, Destruction or Anonymization of Personal Data” are therefore important for retained samples as well as for retained data. The Guidelines draw attention to the fact that complete anonymization of genetic data is debated, as it is not possible to fully sever the link between genetic data and the data subject: the genetic sequence itself remains identifying, regardless of which labels are attached to it. Accordingly, it is recommended that genetic data be de-identified when stored. In other words, genetic data should not be stored together with labels such as date of birth or location, but with encrypted labels that break the link between the data and the data subject, so that only those who hold the keys are able to identify the data subject.[3] In practice this is pseudonymization rather than anonymization, and the key therefore becomes the secret whose protection the whole scheme depends on.
Data Controllers and Data Subjects
Under the PDPL, the data controller is a natural or legal person who determines the purposes and means of processing and is responsible for the establishment and management of the data recording system. As per art. 18/2 of the Regulation on Genetic Diseases Evaluation Centers, the diagnosis of genetic diseases, the assessment of treatment response in various diseases, the determination of the gene responsible for a disease, and tests for genetic predisposition or susceptibility to a disease may only be performed in genetic diseases evaluation centers, in cases of medical necessity or for scientific research for medical purposes, and provided that appropriate genetic counseling is given. In this context, the Guidelines state that the persons to which such centers are affiliated (such as ministries and universities), being responsible for determining the purposes and means of data processing and for maintaining the data recording system, will be the data controller. Depending on the circumstances of the concrete case, natural and legal persons such as education and rehabilitation centers, municipalities, institutions and organizations providing health services, public institutions and organizations, and insurance companies may also be data controllers.[4]
On the other hand, under the PDPL a data subject is a natural person whose personal data is processed. The Guidelines point out that, in the context of genetic data, processing a data subject's genetic data also amounts to processing genetic data of their relatives, because of the genetic connection between them.
Processing Genetic Data
The Guidelines refer to the general principles governing personal data processing: fundamental rights and freedoms must be protected, and the processing of genetic data must be appropriate for, necessary for, and proportionate to its purpose. In addition, genetic data should be retained only for as long as is necessary to fulfil the purpose; data controllers should regularly review the data they retain and destroy it once it is no longer required.[5]
Under art. 6/2 of the PDPL, sensitive personal data may only be processed with the explicit consent of the data subject. The exception is stipulated in the third paragraph of the same article: health data may be processed without explicit consent only by persons, or authorized institutions and organizations, under an obligation of confidentiality, and only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services. Today, genetic data is processed not only for diagnosis and treatment but also for commercial tests, such as determining nutritional or sporting predispositions. Accordingly, genetic data may be processed without explicit consent for preventive medicine, treatment and diagnosis purposes (by the confidentiality-bound persons listed above), whereas commercial tests such as kinship determination or assessing sporting predispositions require explicit consent. Whether or not explicit consent is required, data subjects must be informed in all cases. The Guidelines also remind us that explicit consent to data processing cannot be made a condition for providing a product or service, and give an example: the provision of nutrition counseling cannot be made conditional on taking a food intolerance test.[6]
Moreover, the Guidelines refer to art. 9 of the PDPL (cross-border transfer of personal data) for the transfer of genetic data abroad. They also draw attention to art. 28 of the PDPL, which regulates the exceptions, and state that the PDPL does not apply where personal data is processed for scientific purposes. Processing for scientific purposes is instead regulated by the Regulation on Personal Health Data. Accordingly, genetic data may be processed for scientific purposes provided that this does not violate the right to privacy or personal rights and does not constitute a crime. In that case, genetic data should be retained in a form that cannot be associated with the data subject. In addition, the processing of genetic data must be necessary for the scientific research, related to its purpose, limited and proportionate, and destruction policies must be complied with.
Obligations of Data Controllers and Recommendations by the Guidelines
The Guidelines generally refer to the obligations of data controllers stipulated by the PDPL, such as the obligation to inform, the obligation to register with the data controllers' registry, and the obligation to adopt the necessary technical and administrative measures. They also provide recommendations on administrative and technical measures specific to the processing of genetic data. A selection of the most notable recommendations follows.
Among the technical measures, it is recommended that genetic data not be retained in cloud systems at all. Where the use of a cloud system is nevertheless necessary, in particular for analysis software, a record should be kept of which genetic data is stored in the cloud, and two-step verification should be required for access to it. In addition, genetic data should be stored using cryptographic methods that meet industry standards and best practices.[7] Accordingly, an encryption and key management policy should be prepared, and only designated employees should have access to the keys. The Guidelines also remind us that storing data on servers located abroad, including cloud regions abroad, constitutes a cross-border transfer subject to art. 9 of the PDPL.[8]
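The de-identification recommended by the Guidelines (storing genetic data under keyed labels rather than date of birth or location, with the key held only by designated employees) and the key-management point above can be made concrete in code. The following is an added illustration, not code from the Guidelines or the Authority: it takes the "encrypted label" to be a keyed hash (HMAC-SHA256) computed over the national identity number, so that samples from the same person remain linkable for analysis while anyone without the custodian key can neither reverse the label nor test guesses against it. The sample records, field names and `DEMO_CUSTODIAN_KEY` are constructed for the example; in a real deployment the key would come from a secret store or HSM that the analysis hosts cannot read.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo records (not real data). Each raw row carries a direct
# identifier and quasi-identifiers right next to the reference to the
# sequence file, which is exactly what the Guidelines advise against.
RAW_SAMPLES = [
    {"national_id": "10000000001", "date_of_birth": "1985-03-02",
     "city": "Ankara", "sequence_ref": "run07/sample-001.vcf"},
    {"national_id": "10000000002", "date_of_birth": "1990-07-14",
     "city": "Izmir", "sequence_ref": "run07/sample-002.vcf"},
    # A second sample from the first subject: it must receive the same label.
    {"national_id": "10000000001", "date_of_birth": "1985-03-02",
     "city": "Ankara", "sequence_ref": "run09/sample-117.vcf"},
]

# Fields that must never sit next to the genetic data in the working store.
IDENTIFYING_FIELDS = ("national_id", "date_of_birth", "city")

# Hypothetical 32-byte custodian key, fixed here so the example is
# reproducible. Real keys live in an HSM or secret store and are readable
# only by the designated key custodians, never by the analysis pipeline.
DEMO_CUSTODIAN_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)


def pseudonym(custodian_key: bytes, national_id: str) -> str:
    """Keyed, deterministic label for one subject.

    HMAC-SHA256 is a pseudorandom function: the same subject always maps to
    the same 64-hex-character label, but without the key the label cannot be
    inverted or checked against a guessed identity.
    """
    return hmac.new(custodian_key, national_id.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def deidentify(custodian_key: bytes, raw_samples: list) -> list:
    """Return copies of the rows with identifiers replaced by the keyed label."""
    records = []
    for row in raw_samples:
        record = {k: v for k, v in row.items() if k not in IDENTIFYING_FIELDS}
        record["label"] = pseudonym(custodian_key, row["national_id"])
        records.append(record)
    return records


def reidentify(custodian_key: bytes, label: str,
               patient_registry: list) -> Optional[str]:
    """Custodian-side linkage, e.g. to return a clinically relevant finding.

    The custodian recomputes labels over the patient registry and compares
    in constant time. Without the key this search is impossible, which is
    the property the Guidelines ask for.
    """
    for national_id in patient_registry:
        if hmac.compare_digest(pseudonym(custodian_key, national_id), label):
            return national_id
    return None


def leaked_identifiers(records: list) -> list:
    """Pre-export check: list every identifying field still present."""
    return [f for r in records for f in IDENTIFYING_FIELDS if f in r]


if __name__ == "__main__":
    working_set = deidentify(DEMO_CUSTODIAN_KEY, RAW_SAMPLES)
    assert not leaked_identifiers(working_set)
    for r in working_set:
        print(r["label"][:16], r["sequence_ref"])
    registry = ["10000000001", "10000000002", "10000000003"]
    print("custodian resolves:",
          reidentify(DEMO_CUSTODIAN_KEY, working_set[1]["label"], registry))
    print("without key:",
          reidentify(bytes(32), working_set[1]["label"], registry))
```

Two caveats follow from the text above. First, this is pseudonymization: the label is unlinkable without the key, but the sequence data it points to is itself identifying, so the label scheme does not remove the need to encrypt the genetic data at rest and to restrict who can read it. Second, the whole separation collapses if the custodian key is readable from the same host or cloud account as the working set, which is why the Guidelines pair encryption with a key management policy that limits key access to specific employees.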
Moreover, data controllers should prefer licensed and up-to-date software. Operations carried out with such software should be closely monitored and logged, and systems holding genetic data should be tested regularly.[9] Tests conducted before a system goes live, or before changes are made to it, should use synthetic data; where this is not possible, the principle of data minimization should be observed.[10]
Among the administrative measures, the Guidelines refer to the “Privacy by Design” principle, laid down in art. 25 of the GDPR as data protection by design and by default. Accordingly, privacy should be built into every stage of a product or service: an organization that intends to process genetic data should, for example, anticipate all foreseeable risks, assess the potential harm, and adopt appropriate measures in advance. It is further recommended that data controllers conduct a Data Protection Impact Assessment (DPIA), in the sense of art. 35 of the GDPR, for processing activities that present a high risk in view of the data processed or the technologies used. Although the DPIA is not a concept regulated under Turkish data protection legislation, the Guidelines recognize it as a method that helps identify appropriate technical and administrative measures against the risks that may arise.[11]
Conclusion
In short, the Guidelines are an important source for understanding the Authority's approach to genetic data processing and offer examples of good practice. They also provide guidance on the conditions for processing genetic data and on the appropriate technical and administrative measures. The references to European Union data protection legislation, especially in respect of administrative measures, underline the importance of genetic data, the processing of which may affect not only the data subjects but also their relatives, the economy, future generations, and countries.
[1] Personal Data Protection Authority, The Guidelines on Issues to be Considered in the Processing of Genetic Data, October 2023, p. 8.
[2] The Guidelines, p. 10.
[3] The Guidelines, p. 12.
[4] The Guidelines, pp. 22-23.
[5] The Guidelines, pp. 25-27.
[6] The Guidelines, p. 31.
[7] The Guidelines, p. 42.
[8] The Guidelines, p. 43.
[9] The Guidelines, p. 44.
[10] The Guidelines, p. 43.
[11] The Guidelines, p. 47.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.