|The Regulation on the Protection and Processing of Data Before the Social Security Institution (‘‘Regulation’’) has been published in the Official Gazette dated February 19th, 2022 and entered into force on the same date.
In the Regulation, the procedures and principles to be complied with in the processing of the data obtained by Social Security Institution (‘‘SSI’’) through fully or partially automatic or non-automatic means as a part of a data recording system has been determined within the scope of the duties and authorities specified in the relevant legislation.
Pursuant to the Regulation:
- In order to fulfil its duties, in the processing of personal data, personal health data and trade secret data, SSI must comply with the following principles: (i) being in conformity with the law and good faith, (ii) being accurate and if necessary, up to date, (iii) being processed for specified, explicit, and legitimate purposes, (iv) being relevant, limited and proportionate to the purposes for which data are processed, (v) being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.
- Health service providers who have a contract with the SSI shall be obliged to transfer the personal health data which they processed on behalf of the SSI to the data recording system of SSI.
- Health service providers shall not copy or transfer the personal health data they process on
behalf of SSI under the contract to any medium other than data recording system of SSI.
- Anyone who processes personal data, personal health data and trade secret data on behalf of SSI or accesses these data due to their duty have a confidentiality obligation and must comply with the measures determined by the SSI and the Personal Data Protection Board (‘‘Board’’) in order to ensure data confidentiality.
- The regulations made by the Board must be complied with in the processing of personal data, personal health data and trade secret data. However, in data transfer, the provisions of Article 35 of the Social Security Institution Act numbered 5502 is reserved.
- In order to be granted access to the data recording system of the SSI which contains personal data, personal health data and trade secret data, a user must be identified within the authorization. Activities related to user identification and authorization are recorded and these records are stored. Issues regarding authorization, recording and data protection are determined by the data controller.
- Access to personal data, personal health data and trade secret data of SSI personnel whose user identification and authorization are provided to perform the duties assigned to SSI; shall not be considered as data transfer, provided that it is not given, disclosed to third parties and obligations set by the SSI and that the obligations set by Board regarding data security are complied with.
- Additionally, queries made by data processors in data recording systems as a requirement of the service shall not be considered as data transfer.
- SSI may transfer personal data and personal health data to the following persons or reject data requests by providing a justification:
- To the data subject or other natural or legal persons with the notarized consent of the data subject or with the consent given by confirmation of identity via e-Devlet application,
- To persons authorized by a court order to access the health data of the data subject
- To the lawyer of the data subject provided that it is stated in the special power of attorney by the client that the lawyer is authorized to request personal data and personal health data or may reject such request by providing justification.
- SSI, upon request, may share personal health data with the Ministry of Health for the purposes of protecting public health, performing preventing medicine, medical diagnosis, conducting treatment and care services, monitoring the suitability and appropriateness of the health services, and planning the financing.
- In relation to those acting contrary to the provisions regarding data protection, the misdemeanour shall be reported to the Board for the implementation of the provisions of Article 18 of the Personal Data Protection Law numbered 6698.
- A criminal complaint shall be filed in accordance with the Turkish Penal Code numbered 5237 regarding those who are granted access by SSI, changing or destroying the integrity of the accessed data.
You can access the full Turkish text of the Regulation via the link below.