Guideline regarding Issues to be Considered while Processing Genetic Data Published by the Personal Data Protection Authority

On 13.10.2023, the Personal Data Protection Authority published a guideline (“Guideline”) regarding issues to be considered while processing genetic data, which is considered among the sensitive personal data in the Law on Protection of Personal Data (“LPPD”). In the Guideline, genetic data is defined by referring to the GDPR and it is reiterated that, due to the very fact that genetic data may contain data of an individual’s relatives as well and cannot be anonymized, the data subject must be informed clearly in a way to understand those risks. Having noted this, the Guideline is also of particular importance as it addresses and clarifies Privacy by Design and Impact Assessment concepts under administrative measures.
 
The following points are particularly emphasized within the scope of the Guideline;
???? The concepts in health legislation and LPPD regarding the obligation to inform and explicit consent refer to different implementations. As such, these should not be confused with each other, and documentation of health legislation and LPPD must be provided to patients separately.
????Rather than anonymization, it is possible to ‘de-identify’ genetic data. Yet, taking technical and administrative measures is crucial since it is possible to re-relate such data with data subjects. 
???? Within the scope of technical measures in this direction;
???? The use of cloud systems should be avoided to the extent possible.
????If cloud systems are used, the record of data that are saved in the systems and their backups should be kept on a hard disk. Further, two-stage authentication must be implemented.
????Data should be encrypted with cryptographic encryption methods, the security of which should be tested and access to cryptographic keys should be limited to the authorized personnel only.
????In case the devices where the data are kept are sent for maintenance/repair, the data storage units should be removed and a letter of undertaking should be obtained from the relevant company that the device has been received without containing any data.
????Measures that provide warning in case of unauthorized access or protection to the data should be implemented. 
???? Within the scope of administrative measures;
????A privacy design approach should be adopted in which the privacy and confidentiality sensitivity regarding the protection of personal data are observed, where all kinds of risks that may harm this sensitivity are taken into account from the very beginning of the production of a product, so that the necessary measures are taken as of that stage.
????While conducting data processing that is considered to be high-risk, data protection impact assessments should be conducted to minimize the violations that individuals may be exposed to and the damages that individuals may suffer accordingly, which may be used as a tool in the privacy design as well.

For the full text: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/703442e0-690c-4618-91c3-83e7583170ca.pdf