The Regulation on the Protection and Processing of Data within the scope of the Social Security Institution’s (SSI) Operations (“Regulation”) has been published in the Official Gazette No. 31755, dated 19 February 2022. The Regulation stipulates the procedures and principles of data processing within the scope of the SSI’s duties and authorities. The Regulation came into force as of its publication. The Regulation is available here in Turkish.
What does the Regulation cover?
General principles on processing data
- The Regulation applies to processing activities connected to the SSI’s duties and authorization, which concern the following people: SSI employees, data subjects, natural and legal persons providing system software and hardware services, public institutions and organizations that process personal data within the scope of the SSI’s operations or on behalf of the SSI, as well as the natural and recipient parties of the transferred data.
- The data processed is divided into three categories: (i) personal data; (ii) personal health data; and (iii) data as trade secrets (collectively, “Data”). The individuals who process Data are deemed to be under the confidentiality obligation.
- Data processing is subject to Law No. 5502 and the legislation issued by the Personal Data Protection Board. With respect to transferring personal data, Law No. 5502 is reserved.
- Data controllers and data processors are jointly responsible for the processing and security of the Data. In this context, data controllers are required to perform audits. In the case of unlawful access to Data, data controllers are obliged to notify the Personal Data Protection Board within 72 hours and the data subjects within a reasonable time.
- The contracted health service providers are obliged to keep the personal health data they process on behalf of the SSI in the SSI data recording system and must not copy or transfer this data outside the system.
- SSI employees’ access to personal data is limited to the situations stipulated under the Regulation and the employees must be specified and authorized prior to accessing it. The Regulation also sets forth the approval and authorization mechanism for accessing Data.
- As per the Regulation, the data subjects have rights granted to them under the Personal Data Protection Law No. 6698 (LPPD).
Data requests and transfer of Data
- As per the Regulation, the requests of data subjects, institutions and organizations, the Ministry of Health, contracted health service providers and the judicial and executory authorities are subject to different data transfer mechanisms.
- In general, data transfer requests must be made in writing and where necessary, the legal basis for the request must be specified.
- If the data request is accepted, a protocol must be prepared and signed by the recipient party. Secure ways, such as registered mail, hand delivery and an email address with the “gov.tr” extension, must be used for transferring data.
- The data recipients must use the data solely for the requested purpose. They are obliged to ensure the data’s confidentiality and security, and must not disclose the data to other parties.
- As per the Regulation, the data may also be transferred anonymously for different purposes, such as determining strategies for health and social insurance services, preparing statistics and conducting scientific and academic research.
- Those who violate the Regulation are subject to sanctions under the LPPD and the Turkish Criminal Code.
The Regulation stipulates the processing of Data within the scope of the SSI’s operations and requests from institutions and organizations regarding Data and data transfer mechanisms in detail. Those who are subject to the Regulation should review it and align their practices accordingly.