On 24.08.2022, the Draft Guidance on the Matters to be Considered in the Processing of Genetic Data was published on the website of the Personal Data Protection Authority. We have compiled the highlights of the draft guide for you.
- Considering the European practice, genetic data is defined in paragraph 13 of Article 4 of the GDPR as “personal data relating to the inherited or acquired characteristics of a natural person, which provides unique information regarding the physiology or health of a natural person, and in particular resulting from the analysis of a biological sample taken from that natural person”. In Recital 34, it is emphasized that genetic data should be defined as personal data related to hereditary or acquired genetic characteristics of natural persons.
- Genetic data must be analyzed in order to be meaningful or informative.
- Since there is no clear conclusion about the anonymization of genetic data, the concept of de-identification should be used instead of the concept of anonymization.
- Pursuant to Article 6 of the Law, genetic data should be regarded as personal health data only where it is processed for the purposes of medical diagnosis and treatment.
- It is noted that one of the significant problems in the processing of genetic data is the transfer of data abroad without the explicit consent of the persons concerned, whether out of necessity for medical diagnosis and treatment purposes or, outside of compulsory reasons, at the persons' own choice.
- The second paragraph of Article 34 of the Medical Laboratories Regulation states: “The authority to send samples abroad for examination purposes belongs only to licensed medical laboratories. Within the scope of this Regulation, the entry of human-sourced biological samples into Turkey and their exit from Turkey for examination is done with the approval of the Ministry of Health.” The second paragraph of Article 25 of the Regulation on Genetic Diseases Evaluation Centers states: “The authority to send samples abroad for examination purposes belongs only to the licensed Center.”
- Real or legal persons (Ministry of Health, university, private law legal entity, etc.) who determine the purposes and means of processing personal data at the Genetic Diseases Evaluation Centers operating under a license obtained in accordance with the Regulation on Genetic Diseases Evaluation Centers, and who are responsible for the establishment and management of the data recording system, are data controllers.
- When processing genetic data:
◊ The essence of fundamental rights and freedoms must not be affected,
◊ The genetic data processing activity must be suitable for the purpose to be achieved,
◊ The genetic data processing method must be necessary for the purpose to be achieved,
◊ There must be proportionality between the aim to be achieved by genetic data processing and the means used,
◊ The processed genetic data must be kept for the required period of time, and once the necessity disappears, the data must be handled without delay in accordance with the principles of destruction and the personal data retention and destruction policy.
- Genetic data processed on the basis of the explicit consent of the person concerned for a specific genetic data processing activity should not be used for other purposes.
- Where genetic data is processed with the explicit consent of the persons concerned, the data subject must be informed clearly and in detail about the consequences they may face; the possibility that the processing includes the personal data not only of the persons themselves but also of persons belonging to the same lineage, and the risks of this situation; and, especially in case of transfer abroad, uncertainties such as possible difficulties in tracking the fate of the genetic data, the risks posed by data controllers residing abroad, the possibility that genetic data transferred abroad will be passed on to third parties, and the negative consequences of these situations.
- Due to the importance of genetic data, the nature of this data and the fact that it also contains information about the family of the person to whom it belongs, the scope of the obligation to inform will be expanded. Preliminary counselling, at a level that allows the data subject whose genetic data will be processed to understand the reasons, consequences and possible risks of the genetic data processing activity, must be provided by the data controller or the data processor at the stage where the data is first obtained.
- It is evaluated that those who process genetic data should take the administrative and technical measures foreseen in the Board's decision dated 31.07.2018 and numbered 2018/10, "Adequate Precautions to be Taken by Data Controllers in the Processing of Special Quality Personal Data", in Circular No. 2019/12 on Information and Communication Security Measures, and in the Information and Communication Security Guide prepared within the scope of that Circular under the coordination of the Presidential Digital Transformation Office.
- Data controllers who process genetic data should conduct a Data Protection Impact Assessment regarding the nature of the data and the possible risks that data processing may pose for the data subject.