Processing of Special Categories of Personal Data: The Current Legal Framework in Türkiye
Amendments were made to the Personal Data Protection Law No. 6698 (“Law”) through Law No. 7499, published in the Official Gazette dated March 12, 2024, and numbered 32487. In February 2025, the Guide on the Processing of Special Categories of Personal Data (“Guide”) was published on the website of the Personal Data Protection Authority (“Authority”).
1. Introduction
Under the Law, special categories of personal data include information on individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, physical appearance and attire, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
Before the amendment, processing special categories of personal data was, as a rule, subject to the explicit consent of the data subject. Regarding processing such data without explicit consent, the Law previously established a distinction between “data related to health and sexual life” and “other special categories of personal data.” According to this distinction:
- Other special categories of personal data: could only be processed without explicit consent if explicitly provided for by law.
- Data related to health and sexual life: could only be processed without explicit consent for purposes such as the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing, but only by persons or institutions under a confidentiality obligation.
Under the previous regulation, health data could almost exclusively be processed by the Social Security Institution, the Ministry of Health, and healthcare institutions. This raised several practical concerns regarding the processing of health data needed in sectors such as insurance, occupational health and safety, and social services. In fact, the regulation had restricted certain activities of public institutions, private sector stakeholders, and non-governmental organizations, preventing them from fulfilling some of their statutory obligations. Therefore, the amendments aimed to address these practical issues and meet current needs.
2. Current Situation
With the recent amendments, the distinction between “data related to health and sexual life” and “other special categories of personal data” has been eliminated. Consequently, data related to health and sexual life is no longer subject to different legal bases for processing than other special categories of personal data. Moreover, processing conditions have been revised to apply uniformly to all special categories of personal data, and additional legal bases have been introduced.
Under the new regulations, special categories of personal data can be processed under the following conditions:
a) Explicit consent of the data subject: If the data subject provides explicit consent, their special categories of personal data may continue to be processed based on such consent. There is no hierarchical difference between explicit consent and the other legal bases listed below. However, it should be noted that explicit consent must continue to comply with the general principles established by the Law.
b) Explicitly provided by law: Special categories of personal data may be processed without the explicit consent of the data subject if explicitly provided for by law. For instance, under Article 5 of Law No. 2559 on the Powers and Duties of Police, fingerprint data may be collected from individuals applying for a driver’s license or passport. The Guide clarifies that regulations such as bylaws, communiqués, and circulars issued under the authority explicitly granted by law for processing special categories of personal data will also fall under this legal basis.
c) Practical Impossibility: If a data subject is unable to provide consent due to a situation of practical impossibility/disability or his/her consent is legally invalid, special categories of personal data may be processed without consent if essential for protecting the life or physical integrity of the data subject or another person. An example of this legal basis is processing information about a person’s blood type and past illnesses in an emergency medical situation where the individual is unconscious.
d) Data publicly disclosed by the data subject: If the data subject has made their special categories of personal data public, such data may be processed without consent, provided that the processing aligns with the data subject’s intent. For instance, if an individual publicly shares their blood type and allergy information for emergency purposes, such data may be used for this purpose. It should be emphasized that the mere fact that the data subject has made their special categories of personal data public is not sufficient on its own; the data controller must act in accordance with the data subject’s intention or purpose of disclosure when processing these data.
e) Establishment, exercise, or protection of legal rights: Special categories of personal data may be processed without consent if essential for the establishment, exercise, or protection of a legal right. For example, an employer may retain a former employee’s health data for potential legal disputes following the termination of an employment agreement.
Similarly, in cases where it is not possible for a lawyer to assert their client’s rights in any other way, the submission of lawfully obtained special categories of personal data to the court as part of the case file may be considered a lawful basis for processing. As another example, in cases where the processing of special categories of personal data, such as disability or health information related to employees’ spouses and children, is required for salary payments, the processing of such data by the employer may also be considered within this scope.
f) Healthcare services and similar necessities: Persons or authorized institutions and organizations under the obligation of confidentiality may continue processing special categories of personal data without obtaining explicit consent if necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, as well as for the planning, management, and financing of healthcare services.
The Ministry of Health, all types of healthcare institutions, and the Social Security Institution are considered within this scope regarding the data they collect for specified purposes. The Guide indicates that the term “authorized institutions and organizations” includes not only public institutions and organizations but also individuals and private legal entities providing healthcare services. The term “persons under the obligation of confidentiality” includes all healthcare professionals, as well as those who, even if not healthcare professionals, are involved in providing healthcare services.
g) Compliance with employment-related legal obligations: Special categories of personal data may be processed without the explicit consent of the data subject if essential to fulfill legal obligations in the areas of employment, occupational health and safety, social security, social services, and social assistance.
Examples of this legal basis include: employers processing health or criminal conviction data to fulfill their obligation to employ disabled or convicted individuals under Labor Law No. 4857 (article 30), processing health data for health examinations required by collective bargaining agreements (Trade Unions and Collective Bargaining Agreements Law No. 6356, article 36(1)), and processing criminal conviction and health data for drivers (Road Transport Regulation, article 34) and security personnel (Law No. 5188 Regarding Private Security Services, article 10).
h) Membership in foundations, associations, and non-profit organizations: Special categories of personal data (of the current or former members and individuals who are in regular contact with these organizations) may be processed without explicit consent by foundations, associations, and non-profit organizations established for political, philosophical, religious, or union purposes, provided that processing is in accordance with their legal framework and objectives, is limited to their activities, and is not disclosed to third parties.
For example, the processing of information related to the current members, as well as former members and individuals who are regularly in contact by making donations, will be considered within this scope. Similarly, a trade union can only process data related to union membership in relation to its scope of activities and objectives. However, personal data related to the health or religion of union members cannot be processed if it is unrelated to the scope of activities and objectives.
Some of the legal bases above contain the terms “necessary” or “essential.” According to the Guide:
- The term “necessary” signifies that data processing activities must be assessed on a case-by-case basis by justifying the use of personal data based on objective evidence. It also implies that there must be a connection between the processed data and the legitimate purpose claimed, in line with the principle of being relevant, limited, and proportionate to the purpose for which they are processed.
- The term “essential” does not rely on a subjective assessment but refers to a situation where public and societal conditions require the processing of special categories of personal data. In such processing activities, there must be no alternative method for processing special categories of personal data, making the processing activity unavoidable within the scope of the specified purpose.
Therefore, before initiating the processing of special categories of personal data based on any of these legal bases, a thorough assessment should be conducted to determine whether these criteria are met.
3. Conclusion
Following the amendments, data controllers processing special categories of personal data must revise processes based on explicit consent and update their personal data processing inventories, information notices, and retention and destruction policies.
The requirement to take “adequate measures” remains unchanged. Special categories of personal data must continue to be processed in compliance with the Personal Data Protection Board’s decision dated January 31, 2018, and numbered 2018/10 regarding adequate measures to be taken by data controllers in the processing of special categories of personal data. If adequate measures have not yet been implemented, organizations must ensure compliance as soon as possible.
Additionally, data controllers processing genetic and/or biometric data must also consider the principles outlined in the Guide on the Processing of Genetic Data and the Guideline on Considerations in the Processing of Biometric Data.