Legal AlertPersonal Data Protection Board Announced Its Decision on the Notice Regarding the Negligent Spoilage and Subsequent Destruction of Scientific Data Samples Recorded for Scientific Purposes.

14 March 2021

The Personal Data Protection Board (“Board”) rendered a decision dated 30.10.2019 and numbered 2019/316 (“Decision”) on the complainant doctor’s (“Complainant”) notice (“Notice”), regarding the data controller Hospital (“Data Controller”) who has recorded the patient records of data subject chronic patients’ (“Data Subjects”) on local computers and hospital data system; stored the blood, serum and tissue samples (“Samples”) taken from the Data Subjects in a proper environment to be used in projects; caused the Samples to spoil as a result of not taking the reasonable care to keep the samples under appropriate conditions; and therefore, the Data Controller did not fulfill its obligations regarding data security in accordance with Article 12 of the Personal Data Protection Law numbered 6698 (“PDP Law”).

The Data Controller stated in its defense submitted to the Board that (i) the Data Subjects whose patient records are kept are regular patients with ongoing treatments, (ii) the refrigerators that the Samples have been kept were not used until they malfunctioned, all records are kept regarding the malfunction, it is investigated whether the Samples were good to use and the Samples were destroyed due to their spoilage, (iii) there are no patient consent forms regarding the Samples and since the Samples were spoiled there was no scientific value of any match with the patients, (iv) any analysis of the Samples would violate the scientific ethic rules due to lack of the patient consent forms, and the Samples were not made subject to analysis because of spoilage and were not used in any other research.

After examining the Notice and the defense of the Data Controller, the Board determined that (i) the Samples gathered from the Data Subjects should be considered as personal data since the Samples are stored in a way that the identity of the patient can be determined, (ii) the classification and recording of the personal data in question according to certain criteria is a personal data processing activity, (iii) pursuant to Article 28, sub-clause 1, section c of the PDP Law, the PDP Law provisions are not applicable in case of personal data processed with scientific purposes provided that national defense, national security, public security, public order, economic security, right to privacy or personal rights are not violated or their processing does not constitute a crime; and that there is no procedure to be established under the PDP Law regarding the Notice.

You may reach the full Turkish version of the Decision via the link below.