Personal Health Data Regulation Has Been Published 25 June 2019
According to the Law on Protection of Personal Data (“Law”), The Regulation on Personal Health Data (“Regulation”), concerning activities of private real and legal persons and public legal persons that process personal health data, which is related to the processes and practices carried out by the Ministry of Health (“the Ministry”) has been published in the Official Gazette dated 21 June 2019 and numbered 30808.
We would like to inform you of the Regulation in details here below.
1) What are the norms and principles to be followed during process of Personal Health Data?
During process of personal data, all data processing principles in the Law shall be observed, especially the general principles partaking in Article 4 of the Law. In addition to these principles, according to the Regulation;
- No one shall be compelled to submit or show past health data, except when it is necessary for health service delivery.
- Necessary physical, technical and administrative measures will be taken by health service providers, to prevent unauthorized persons from entering in departments such as counters, pay desks and desks and at the same time to prevent clients from hearing, seeing, learning or seizing each other’s personal data.
- Health service providers will implement the necessary partial de-identification or masking measures on printed material containing personal health data of the patient, such as analysis and examination results; and take other precautions on the material in question to make it difficult to identify who it belongs to, if it’s occupied by an unauthorized person.
2) How and to what extent will medical personnel have access to these data?
Persons, who are in charge of health service delivery; may access to the health data of the person concerned, limited to the requirements of medical services.
- Health data of people owning e-Nabız accounts; may be reached within the framework of their privacy preferences. Related persons are informed in detail about their privacy preferences and its consequences. The Ministry of Health will not be liable for any malfunctions and damages that may occur in medical service delivery, due to the preference of confidentiality and the inability to display past health data.
- Health data of people not owning e-Nabız accounts; may be reached limited to exceptional purposes, which are stated in Article 6 Paragraph 3 of the Law, yet;
- Without any time limit, by the family doctor to whom the person is registered,
- Limited to the day of appointment, by the doctor whom the person has made an appointment for health care, until the end of the procedures directly related to the health service received.
- Limited to 24 hours, by the doctors who are working at the medical service provider, in which the person enters to receive health care.
- By the doctors who are working at the medical service provider, to which the persons admission has been done, until the patient is discharged from the health care provider.
The above-listed access rules may be reassessed by General Directorate according to the requirements of the Ministry for health service provision and within the scope of Article 6/3 of the Law. In such case, what is necessary will be done within the scope of disclosure requirement.
For those who do not want to allow access by anybody to their past health data, the privacy preference will be provided via e-Nabız. Past health data of people, who use this privacy preference, can only be accessed, if the code, which will be sent to the phone number declared by the person, is shared with the doctor and entered by the doctor into the system.
Personal health data, which has a higher level of privacy, and which are at risk of adversely affecting the social life and mental health of the individuals in case of being seen and known by third parties, will be determined by the Ministry and restrictions may be placed on access of medical personnel to such data.
3) How and to what extent will the Ministry units provide access to these data?
Unit Chiefs of the Ministry determine the persons individually, who are authorized to match the health data, which is sent by the health service providers after de-identification to the central health data system with the persons they belong to, through the relational database separately and request the authorization of these persons from the General Directorate.
Users authorized by the General Directorate upon the request of the unit chief, can only exercise this authority in accordance with the principles of Personal Data Protection Legislation in the context of planning, managing, supervising and regulating of health care services and financing tasks.
The limits of the purpose of planning and managing health care services and financing are determined by the duties assigned to the relevant unit in legal and administrative regulations.
4) Who can access to the health data of children?
Parents can access their child's health records via e-Nabız without any need for approval. Children with ability to distinguish, may subject parental access to their health history to permission through e-Nabız.
In case of divorce of the parents, the party that has not been left on custody rights, has access to child’s health data in accordance with the legislation on protection of personal data and within the limits set by the General Directorate, taking into account the benefit of the child and the guardian.
5) How can the relatives access the patient’s health data?
By sharing of personal health data with the relatives of the patients, the third paragraph of Article 18 of the Patient Rights Regulation, which is published in the Official Gazette dated 01/08/1998 and numbered 23420, shall be followed in such a manner that does not contradict the principles of the Law.
6) Do lawyers have access to their clients' health data?
Lawyers are not entitled to request their client's health data by general proxy.The power of attorney issued for the transfer of the client’s health data to its lawyer should include a special provision indicating the express consent of the person concerned for processing and transferring of its special quality personal data.
7) Who can access the health data of a deceased person and for how long?
The legal heirs of the testator are individually authorized to receive the health data of the decedent by submitting their certificate of inheritance.
The health data of a deceased person is stored for at least 20 years.
8) How and by whom will the health data of people, who have been given a confidentiality order, be hidden?
The request for confidentiality of the health data of people, who have been given a confidentiality decision, and the warrant sent by the judicial authorities will be fulfilled by the local health authority.
The action taken by the local health authority will directly be reflected in the Identity Sharing System.
ll necessary technical and administrative measures shall be taken to ensure that confidentiality order are known only by persons who are required to know them by their duties.
9) How can the improperly process data be corrected?
The person concerned shall apply to the local health authority, to which the health care provider is affiliated, in order to correct the wrong health data about himself. If the local health authority reaches the information that the health data is created by mistake, as a result of the research on the relevant health service provider, it shall apply to the General Directorate with an official letter and ask for the correction of the health data, which created by mistake. The operation to be established by the General Directorate is also performed in the database of the health service provider.
The General Directorate determines the date, on which the wrongly created health data by the health service providers can be corrected and updates this date as required. Health data, which is created after this specific date given by the General Directorate, shall be corrected by the relevant health service provider; the health data, which is created before this date, shall be corrected by the General Directorate upon the request of the relevant provincial health directorate.
10) What is the procedure for transferring personal health data to other institutions?
One shall observe the article 8 of the Law for domestic transfer and the article 9 of the Law for international transfer of personal health data. A protocol shall be prepared for transferring personal health data to public institutions and organizations within the scope of these articles. The general principles of personal data protection legislation and the provisions regarding data security and information about data which will be transferred under the protocol, should be included in this Protocol. If the technical infrastructure is suitable, data will be transferred through KamuNET.
Demands for the transfer of personal health data are evaluated by the Ministry department, to which the requested health data is related, in terms of the Law and other relevant legislation. The process is established by the General Directorate according to the evaluation result.
11) Who can handle personal health data for scientific purposes and to what extent?
In the scope of article 28/1b of the Law; “Processing of personal data for purposes such as research, planning and statistics through anonymization with official statistics”, scientific studies can be carried out with health data, which is anonymized by the data officer.
In the scope of article 28/1c of the Law; “Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national crime, national security, public security, public order, economic security, privacy or privacy rights or constitute a crime”
Personal health data may be processed for scientific purposes within the framework of technical and administrative measures to be taken provided that they;
- do not violate the privacy or personal rights of the persons concerned or
- do not constitute a crime.
12) For which purposes and by whom can personal health data be made accessible to everyone?
By taking into account the regulations on data privacy and data security of the data contained in the systems used by the central and provincial organizations of the Ministry and its affiliated and related institutions, by the General Directorate, with some specific purposes such as;
- ensuring transparency and accountability in the health system,
- directing policies and strategies for health care delivery;
- supporting scientific research in the field of health; and
- ensuring the development of health-related products and services;
The Ministry shall determine the principles and procedures for making it accessible to everyone through a dedicated website.
13) How is the security of personal health data and information ensured?
Data security obligations in Article 12 of the Law will be observed. By taking technical and administrative measures, the Personal Data Security Guideline prepared by the Authority will be predicated on.
In the event that the processed personal data is seized by others by unlawful means, the notification to be made to the Council by the data officer shall be based on the provisions of the Law and the regulatory procedures of the Council regarding this matter.
Information security processes performed in the central units of the Ministry and provincial organizations and affiliated and related institutions are determined by the Information Security Policies Directive prepared by the General Directorate.
14) What is the sanction of non-compliance with the Regulation?
For the crimes and misdemeanors related to personal data protected by this Regulation, the procedure shall be carried out in accordance with Article 17-18 of Law.
Public officials who do not fulfill the requirements of this Regulation will be notified to the disciplinary authority to which they are registered and their authority will be cancelled, if they have any. Real persons and private legal entities shall be treated in accordance with the relevant legislation.
The health service providers that do not send data to the central health data system in accordance with the procedures and principles determined by the Ministry shall be warned twice. A penalty which is amounted of 1% of the gross income in the previous month hall be applied to the providers that do not follow the warnings .
15) When will the Regulation enter into force?
The Regulation has entered into force on 21 June 2019.
Other News
-
30.7.2025
Annual Leave, Severance Pay, and Notice Pay in Part - Time Employment Contracts
Part-Time Employment Contract Article 13 of the Labor Law No. 4857 defines a part-time employment contract as "a contract in which the employee's normal weekly working hours are significantly less than those of a full-time employee performing similar work."
-
29.7.2025
Legal Remedies And The Official Appeal Process For Property Tax Values
a. General Overview Following the enactment of Law No. 4751 in 2002, which amended the Tax Procedure Law, the Property Tax Law, and the Fees Law, the declaration-based system for determining the property tax base was abolished, and the tariff and assesment procedure implemented by administrative authorities was adopted.
-
24.7.2025
Labour Law No. 4857 Amended! Electronic Notification Opportunity Introduced With Rem
Article 109 of the Labour Law No. 4857 has been amended, together with its title and content, by the Law Amending the Law on the Protection of the Value of Turkish Currency and Certain Laws and the Decree Law No. 635 published in the Official Gazette dated 24 July 2025. With this important amendment, the procedures regarding the form of notifications to be made between employers and employees have been redefined.
-
15.7.2025
Terminatıon Right Of The Employer Due To Conviction And Detention And Legal Consequences
In labour law practice, which is a dynamic field based on the principle of protecting the balance between the employee and the employer, the employee's failure to fulfill their obligation to perform work-especially when this results from circumstances that restrict individual freedom, such as conviction or detention-has significant legal consequences regarding the termination of the employment contract.
-
13.7.2025
Radical Change In The Labor Law Dated 14.07.2025: Flexible Week Holiday Period Has Started In The Tourism Sector!
With the Law No. 7553 on the "Amendment of Certain Laws and Decree Law No. 375" published in the Official Gazette on July 14, 2025, important innovations have been introduced in the Labor Law and some other laws. In this context; as of 14.07.2025, with the provision added to the article Article 46 of the Labor Law which regulates the week holiday, flexible week holiday specific to the tourism sector have been introduced.
-
8.7.2025
Climate Law Enacted
The Climate Law No. 7552 ("Law"), which includes regulations on the procedures and principles related to the reduction of greenhouse gas emissions in the fight against climate change, climate adaptation activities, planning and implementation tools, revenues, permits and inspections, and the legal and institutional framework surrounding these, was published in the Official Gazette dated July 9, 2025, No. 32951, and entered into force. This Law sets out general principles and objectives from a casuistic perspective, preferring to leave detailed and technical regulations to secondary legislation.
-
6.7.2025
Mediation Practices In The Land Registry
Pursuant to the amendments introduced by Law on Amendments to the Enforcement and Bankruptcy Law and to Certain Other Laws which was published in the Official Gazette dated 05.04.2023, numbered 32154 to the Law on Mediation in Civil Disputes dated 7/6/2012 and numbered 6325 ("Law"), the scope of disputes that may be resolved through procedural- mandatory- and voluntary mediation has been expanded.
-
26.6.2025
Effects Of The Concordatum Period On Pledgees
Pursuant to Article 285 of the Enforcement and Bankruptcy Law (EBL), a debtor who is unable to pay their debts on time or is at risk of default may request a concordatum. During the period granted to the debtor upon such request, no enforcement proceedings may be initiated, and ongoing proceedings are suspended, in accordance with Article 294/1 of the EBL.
-
17.6.2025
M&A Dynamics in Publicly Traded Companies: New Investment Strategies Through Borsa Istanbul
In recent years, IPOs in Turkey have reached record levels. In 2023 and 2024, a large number of companies started trading in Borsa Istanbul as a result of initial public offerings (IPO) transactions. These IPOs, which attracted great interest from small investors, stand out as important strategic moves in which companies gain transparency and visibility, and also play a role as an important financing tool. With IPOs, publicly traded companies / partnerships are now drawing the attention of not only small investors but also domestic/foreign strategic and financial investors.
-
15.6.2025
The Court Of Cassation Abandoned Its Long-Standing Precedent Regarding Construction Conracts In Return For Land Shares, Known As "Advance Deed"
Construction contracts in return for land shares are a common practice in the construction sector in Turkey.
-
10.6.2025
Amendments To The Regulation On Distance Contracts: Return Shipping Fees And Right Of Withdrawal For Electronics
With the Regulation Amending the Regulation on Distance Contracts ("Amending Regulation") published in the Official Gazette dated May 24, 2025 and numbered 32909, important amendments were made regarding distance sales. The key changes introduced by the Amending Regulation are as follows:
-
29.5.2025
Alimony Against Inflation: Adjustmen of Alimony and the Issue of Payment in Foreign Currency
Alimony for supplementary welfare allowance and child support awarded by court judgment as a result of divorce cases is generally fixed at a certain amount and either remains the same over the years or is increased only within limited rates determined by the court. Similarly, the provisional alimony determined during the litigation process can become insufficient over time due to the prolonged duration of the proceedings and high inflation; this significantly hampers the effectiveness of alimony enforcement.
-
22.5.2025
Right To Compassionate Leave: Duration, Implementation And Assessment
Legal Basis and Definition of Compassionate Leave: In situations where an employee is unable to perform their work obligation due to certain personal circumstances in which, pursuant to the principle of good faith, the employer cannot reasonably expect the employee to work, the employee must be deemed to be on justified leave. Compassionate leave was introduced by Law No. 6645 in 2015 and is regulated under Additional Article 2 of the Turkish Labour Law No. 4857.
-
19.5.2025
The Right to Be Forgotten in the Context of Search Engines
IWith the rapid advancement of technology, personal data is increasingly recorded in digital environments and can be stored for long periods of time. This situation causes individuals' past negative experiences or changing opinions over time to remain constantly accessible. In particular, search engines make personal data widely accessible by indexing results that appear when searching individuals by their first and last names. Within this context, the "Right to Be Forgotten" stands out as the right of individuals to request the deletion of their personal data or the restriction of access to it in digital environments.
-
15.5.2025
The Penalty Clause in Turkish Law, Reduction of the Penalty Clause, and Practial Interpretations
One of the fundamental concepts of contract law, "penalty clauses" function as an important security for the creditor in the event that the debtor fails to properly perform their obligation. As an extension of the principle of freedom of contract, the parties may agree in advance to the payment of a specific amount in case the obligation is not performed at all or not performed correctly, thereby encouraging performance and easing the burden of proof for any damages that may arise.
