
Turkey: KVKK publishes guidelines on considerations when processing genetic data

The Turkish Personal Data Protection Authority (KVKK) published its guidance on the processing of genetic data in October 2023 in the Guidelines on Matters to be Considered in the Processing of Genetic Data (Genetic Data Guidelines). In this Insight article, Melis Mert, from BTS & Partners, explores the highlights and key takeaways of these guidelines. 


Within this framework, it would be good practice for those who process genetic data in the capacity of data controller or data processor to ensure compliance with the relevant recommendations in the Genetic Data Guidelines, even though the guidelines are not legally binding per se. Note that the definitions of data controller and data processor in the Data Protection Law parallel those in the GDPR:

  • data controllers are the natural or legal persons who determine the purposes and means of processing personal data, and who set up and manage the data filing system; and
  • data processors are the natural or legal persons who process personal data on behalf of data controllers, with their authorization.

What is genetic data? 

Pursuant to Article 6 of the Law on Protection of Personal Data No. 6698 (the Data Protection Law), genetic data is considered a special category of personal data and is, accordingly, subject to separate regulation. Until now, a definition of genetic data was only found in Article 4(13) of the General Data Protection Regulation (GDPR), which defines it as 'data relating to the inherited or acquired characteristics of a natural person, which provide unique information about the physiology or health of a natural person and which result in particular from the analysis of a biological sample taken from that natural person.' Pursuant to the Genetic Data Guidelines, genetic data also encompasses all or part of the information obtained from the DNA, RNA, and protein sequences encoded in the genome of the living organism, whether from the cell nucleus or the mitochondria.

What are the main compliance items?  

As detailed below, the KVKK has introduced numerous compliance requirements and stressed that such processing should always be assessed with particular care. The KVKK also emphasized that the processing of genetic data may affect not only the individuals concerned, but also their relatives, future generations, national security, and the economy. In the assessments and compliance reviews carried out on genetic data processing activities, it would therefore be useful to evaluate whether there will be a negative impact on these third parties and on the interests and values of the general public.

Pursuant to the Data Protection Law, the principles set out in Article 4, which are also highlighted in the Genetic Data Guidelines, must be complied with for each and every personal data processing activity. All processes should be designed in accordance with these principles before processing genetic data: 

  • protection of fundamental rights and freedoms, paying attention to the personal consequences of genetic data processing activity;  
  • purpose limitation, ensuring that the genetic data processing method is the least intrusive, is necessary for the purpose to be achieved, and that data is no longer stored once the purpose has been achieved; and  
  • proportionality, verifying that the data processing activity is suitable for the purpose to be achieved and that the means of processing are proportionate to that purpose.

In addition to the obligation to inform data subjects via privacy notices pursuant to Article 10 of the Data Protection Law, the KVKK has set forth certain additional requirements, including the need to provide information on:

  • which genetic data is processed;  
  • for what legal reason and for what purpose genetic data is obtained on the basis of genetic data type;  
  • the importance of genetic data; and  
  • the consequences that may arise in the event of a data breach, and therefore the risks of processing genetic data. 

What are the recommended security measures? 

In the Genetic Data Guidelines, various technical and administrative measures are recommended to prevent any unlawful processing of genetic data, similar to those included in the KVKK's Decision Number 2018/10, dated October 31, 2018, on the adequate measures to be implemented when processing special categories of personal data. Some of these measures are as follows:  

  • storing genetic data in cloud systems should be avoided, but if this is necessary, detailed records should be kept, backups should be made, and two-stage authentication controls should be applied;
  • genetic data processing should be carried out on the basis of Privacy by Design, although not explicitly included in the Data Protection Law; 
  • genetic data that is processed and stored should be encrypted to ensure an adequate level of security in accordance with current technology standards; 
  • in the case of devices being delivered to authorized companies for maintenance, repair, etc., or return of rented devices to the relevant companies, the data storage units on the device must be cleared or removed, or all data must be delivered on a hard disk drive, and a written commitment must be obtained from the company that there is no data on the device or server; 
  • data controllers should test the system before installing it and after any changes using synthetic data, if possible, in the test environments; 
  • data controllers should use certified equipment and licensed and up-to-date software, provide patch management, and make necessary updates to the system without delay; 
  • data controllers should be able to monitor and limit user operations on the software that processes genetic data, and transaction records (logs) of all actions performed on the program/system that processes genetic data should be kept in a separate system which should be securely protected; and 
  • hardware and software security tests of the systems that process genetic data should be performed periodically.  

Finally, the Genetic Data Guidelines emphasized national security concerns. Accordingly, it should be kept in mind that persons subject to the Circular on Information and Communication Security Measures No. 2019/12 (Circular) and the Information and Communication Security Guide (Security Guide), prepared under the coordination of the Digital Transformation Office of the Presidency of Turkey within the scope of the Circular, especially public sector bodies and critical infrastructure providers, must comply with the measures specified in these resources when processing genetic data. On the other hand, it may be valuable for persons who are not subject to the Circular and the Security Guide to treat these documents as recommendations during the processing of genetic data, as the language the Genetic Data Guidelines use when referring to them suggests.

Melis Mert Managing Associate – Attorney at Law 
BTS & Partners, Istanbul