The Guidelines on Processing of Genetic Data has been Published
Introduction
The processing of genetic data has the potential to affect not only the data subject but also the persons with whom the data subject is genetically connected. “The Guidelines on Issues to be Considered in the Processing of Genetic Data” (“Guidelines”), published by the Personal Data Protection Authority (“Authority”) in October 2023, draw attention to the fact that the processing of genetic data may have strategic consequences, and address the concept of genetic data, the conditions for and principles applicable to processing activities, the obligations of data controllers, and the administrative and technical measures required for data security. The measures taken at the national level are also covered. This Newsletter introduces the prominent assessments and recommendations of the Guidelines.

Definition for Genetic Data
The Personal Data Protection Law numbered 6698 (“PDPL”) defines sensitive personal data as data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. The Guidelines draw attention to the fact that the concept of genetic data is not comprehensively defined in Turkish legislation and therefore also refer to the definition introduced by the General Data Protection Regulation (“GDPR”). Pursuant to art. 4/13 of the GDPR, genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.[1] Within the scope of the Guidelines, the concept of genetic data is handled in accordance with the definitions introduced by national and international legislation, without going into the technical sub-categories of the term.[2]
Genetic data becomes meaningful once it is analyzed. However, a person can be identified even through genetic material that has not yet been studied, since DNA/RNA samples give access to that person’s genetic data as soon as they are analyzed. For this reason, the measures required by “The Regulation on Deletion, Destruction or Anonymization of Personal Data” are important for any genetic data that is retained. The Guidelines draw attention to the fact that it is debated whether genetic data can ever be completely anonymized, because the link between the genetic data and the data subject cannot be severed. Accordingly, it is recommended that genetic data be de-identified when stored: rather than being stored under direct labels such as date of birth or location, it should be stored under encrypted (pseudonymous) labels that break the link between the data and the data subject, so that only those who hold the keys are able to identify the data subject.[3]
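The de-identified storage arrangement described above (direct identifiers replaced by a keyed label, the label-to-person mapping kept apart from the genetic records, and only key holders able to resolve a subject) is sketched below in Python as an added example; it is not code from the Guidelines or the Authority. The split into an identity vault and an analytic store, the use of an HMAC-SHA256 pseudonym in place of an encrypted label, and every identifier, field name and sample value are assumptions made for illustration. The last function shows a caveat a practitioner should check for: an unkeyed hash of a date of birth is not de-identification, because the handful of plausible dates can be enumerated in well under a second.

```python
"""Keyed pseudonymization of genetic records (added illustration, not the
Guidelines' code).  Direct identifiers are replaced by an HMAC token; the
token -> identity mapping lives in a separate vault held by key custodians;
the analytic store holds tokens and genetic payloads only."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# Labels that must never appear next to genetic data in the analytic store
# (assumed list for the example; a real policy would enumerate its own).
FORBIDDEN_LABELS = ("name", "date_of_birth", "location", "national_id")


def pseudonymize(subject_id: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 of the direct identifier.

    Same subject + same key -> same token, so repeat samples from one person
    still link together in the store.  Without the key the token can neither
    be reversed nor recomputed from a guessed identifier."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class IdentityVault:
    """Held only by key custodians: the key plus token -> direct identifiers."""
    key: bytes
    identities: dict = field(default_factory=dict)


def sample_is_clean(sample: dict) -> bool:
    """True if a genetic payload carries none of the forbidden direct labels."""
    return not any(k in FORBIDDEN_LABELS for k in sample)


@dataclass
class GeneticStore:
    """Analytic store: token -> list of genetic payloads, no direct identifiers."""
    records: dict = field(default_factory=dict)

    def add_sample(self, token: str, sample: dict) -> None:
        if not sample_is_clean(sample):
            leaked = [k for k in sample if k in FORBIDDEN_LABELS]
            raise ValueError(f"direct identifiers not allowed in store: {leaked}")
        self.records.setdefault(token, []).append(sample)


def ingest(vault: IdentityVault, store: GeneticStore, subject_id: str,
           direct_identifiers: dict, sample: dict) -> str:
    """Split one incoming record: identity goes to the vault, genetics to the store."""
    token = pseudonymize(subject_id, vault.key)
    vault.identities[token] = direct_identifiers
    store.add_sample(token, sample)
    return token


def reidentify(vault: IdentityVault, token: str):
    """Resolve a token back to a person; only possible with access to the vault."""
    return vault.identities.get(token)


def store_is_deidentified(store: GeneticStore) -> bool:
    """Audit check: no payload in the store carries a forbidden label."""
    return all(sample_is_clean(s) for samples in store.records.values() for s in samples)


def plain_sha256_hex(text: str) -> str:
    """Unkeyed hash, shown only to demonstrate why it is NOT a safe label."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def recover_dob_from_plain_hash(digest_hex: str, start: date = date(1920, 1, 1),
                                end: date = date(2023, 12, 31)):
    """Brute-force an unkeyed SHA-256 of an ISO date of birth.

    Roughly 38,000 candidate dates fit a human lifetime, so a plain hash of a
    date of birth is reversible by anyone, key or no key."""
    d = start
    while d <= end:
        if plain_sha256_hex(d.isoformat()) == digest_hex:
            return d
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    vault = IdentityVault(key=b"\x01" * 32)   # fixed key only for the demo
    store = GeneticStore()
    person = {"name": "Test Subject", "date_of_birth": "1985-03-14"}
    t1 = ingest(vault, store, "TR-0001", person, {"sample_id": "S1", "variant": "rs1234 A/G"})
    t2 = ingest(vault, store, "TR-0001", person, {"sample_id": "S2", "variant": "rs5678 C/T"})
    print("same token for repeat sample:", t1 == t2)
    print("store de-identified:", store_is_deidentified(store))
    print("re-identified via vault:", reidentify(vault, t1)["name"])
    print("wrong key resolves to:", reidentify(IdentityVault(key=b"\x02" * 32), t1))
    print("plain-hash DOB recovered:", recover_dob_from_plain_hash(plain_sha256_hex("1985-03-14")))
```

The deterministic token is what lets the store link several samples of one subject without holding a name or date of birth; the trade-off is that whoever holds the key can recompute any token, which is why the key, not the store, is the asset the access policy has to guard.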
Data Controllers and Data Subjects
Under the PDPL, the data controller is a natural or legal person who determines the purposes and means of processing and is responsible for the establishment and management of the data recording system. As per art. 18/2 of the Regulation on Genetic Diseases Evaluation Centers, the diagnosis of genetic diseases, assessment of treatment response to various diseases, determination of the gene responsible for a disease, and tests for genetic predisposition or susceptibility to a disease may only be performed in genetic diseases evaluation centers, in cases of medical necessity or for scientific research for medical purposes, and provided that appropriate genetic counseling is given. In this context, the Guidelines state that the persons (such as ministries and universities) to which these centers are affiliated, being responsible for determining the purposes and means of data processing and for keeping the data recording system, will be the data controllers. Depending on the circumstances of the concrete case, natural and legal persons such as education and rehabilitation centers, municipalities, institutions and organizations providing health services, public institutions and organizations, and insurance companies may also be data controllers.[4]
On the other hand, according to the PDPL, a data subject is a natural person whose personal data is processed, and the Guidelines point out that in terms of processing genetic data, not only the data subjects’ but also their relatives’ genetic data can be processed due to genetic connection.
Processing Genetic Data
The Guidelines refer to the general principles governing personal data processing activities, stating that fundamental rights and freedoms must be protected and that the processing of genetic data must be suitable for, necessary for and proportionate to its purpose. In addition, genetic data should be retained only for as long as necessary to fulfill that purpose; data controllers should regularly review the data they retain and destroy it once it is no longer required.[5]
Under art. 6/2 of the PDPL, sensitive personal data may only be processed with the explicit consent of the data subject. The exception is set out in the third paragraph of the same article: health data may be processed without explicit consent only by persons or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services. Today, genetic data is processed not only for diagnosis and treatment but also for commercial tests such as determining nutritional or sporting predispositions. Accordingly, genetic data may be processed without explicit consent for preventive medicine, treatment and diagnosis purposes, whereas explicit consent is required for commercial tests such as kinship determination or assessing sporting predispositions. Whether or not explicit consent is required, data subjects must be informed in all cases. The Guidelines also remind us that explicit consent to data processing cannot be made a condition for the provision of a product or service, and give an example: the provision of nutrition counseling cannot be made conditional on taking a food intolerance test.[6]
Moreover, the Guidelines refer to Art. 9 of the PDPL (cross-border personal data transfer) for the transfer of genetic data abroad. They also draw attention to Art. 28 of the PDPL, which regulates the exceptions, and note that the PDPL does not apply where personal data is processed for scientific purposes. Processing for scientific purposes is instead regulated by the Regulation on Personal Health Data. Accordingly, genetic data may be processed for scientific purposes provided that this does not violate the right to privacy or personal rights and does not constitute a crime. In that case, genetic data should be retained in a form that cannot be associated with the data subject. In addition, the processing of genetic data must be necessary for the scientific research, related to its purpose, limited and proportionate; and destruction policies must be complied with.
Obligations of Data Controllers and Recommendations by the Guidelines
The Guidelines generally refer to the obligations of data controllers stipulated by the PDPL, such as the obligation to inform, the obligation to register with the data controllers’ registry, and the obligation to adopt the necessary technical and administrative measures. The Guidelines also provide recommendations on administrative and technical measures specific to the processing of genetic data. A selection of the most notable recommendations is as follows.
Among the technical measures, it is recommended that genetic data not be retained in cloud systems. If the use of cloud systems is unavoidable, in particular for analysis programs, the genetic data stored in the cloud should be recorded and two-step (two-factor) verification should be required for access. In addition, genetic data should be encrypted using cryptographic methods that meet industry standards and best practices.[7] Accordingly, an encryption and key management policy should be prepared, and only designated employees should have access to the keys. The Guidelines also remind us that storing data on servers located abroad constitutes a cross-border transfer.[8]
Moreover, data controllers should prefer licensed and up-to-date software. Operations carried out with that software should be closely monitored and log records should be kept. Systems holding genetic data should also be tested regularly.[9] Tests conducted before a system goes live, or before changes are made to a system, should be carried out with synthetic data; where this is not possible, the principle of data minimization should be complied with.[10]
In terms of administrative measures, the Guidelines refer to the “Privacy by Design” principle (data protection by design and by default) stipulated by Art. 25 of the GDPR. Accordingly, privacy should be embedded into every stage of a product or service: for example, an organization that intends to process genetic data should anticipate all possible risks, estimate the potential damage and adopt appropriate measures in advance. In addition, it is recommended that data controllers conduct a Data Protection Impact Assessment (DPIA), as provided for under art. 35 of the GDPR, for processing activities that are likely to be high-risk given the nature of the data processed or the technologies used. Although the DPIA is not a concept regulated under Turkish data protection legislation, the Guidelines recognize it as a method that helps identify appropriate technical and administrative measures against the risks that may arise.[11]
Conclusion
In short, the Guidelines are an important source for understanding the Authority’s approach to genetic data processing activities and provide examples of good practice. They also offer guidance on the conditions for processing genetic data and on the appropriate technical and administrative measures. The reference to European Union data protection legislation, especially in terms of administrative measures, underlines the importance of genetic data, since its processing may affect not only the data subjects but also their relatives, the economy, future generations and countries.
- [1] Personal Data Protection Authority, The Guidelines on Issues to be Considered in the Processing of Genetic Data, October 2023, p. 8.
- [2] The Guidelines, p. 10.
- [3] The Guidelines, p. 12.
- [4] The Guidelines, p. 22-23.
- [5] The Guidelines, p. 25-27.
- [6] The Guidelines, p. 31.
- [7] The Guidelines, p. 42.
- [8] The Guidelines, p. 43.
- [9] The Guidelines, p. 44.
- [10] The Guidelines, p. 43.
- [11] The Guidelines, p. 47.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.