On August 14, 2023, the Personal Data Protection Board ("Board") released two rulings pertaining to the activities of two separate entities in the healthcare sector, within the framework of the Personal Data Protection Law ("Law").
In the first decision, stemming from a complaint regarding the linkage of health service provision by a private healthcare institution to explicit consent, an evaluation led to the imposition of a fine amounting to 300,000 TL on the institution. Furthermore, a decision was made to modify the phrasing that signifies endorsement of the consent form yet creates the perception of aligning with the clarification text. Additionally, a decision has been made to further organize explicit consent texts pertaining to personal data processed within the scope of explicit consent, despite it not being obligatory.
The second decision that was published involved an inquiry that was initiated by a report about a hospital procuring explicit consent from patients for processing personal data, including health data, for advertising and promotional purposes. In consequence, the hospital was imposed a penalty of 250,000 TL. Furthermore, it was decreed that the processing of personal data for the mentioned purposes would cease. The personal data that has been processed thus far will be erased in accordance with relevant legislation. Notifications of the destruction processes will be communicated to third parties, provided that personal data had been conveyed to them.
Both decisions are significant in clarifying the Board's stance toward practices of entities operating within the healthcare sector concerning personal data. Detailed explanations regarding the Board's decisions are provided below.
Demanding explicit consent for advertising activities unrelated to services is contrary to law and good faith.
In the instance of the decision dated May 2, 2023, numbered 2023/692, it was determined that failure to tick the checkbox next to the statement “I consent to the utilization of my personal information for the purpose of receiving information about Health Group services and announcements, as well as for contact purposes.” while completing a form to secure an appointment with a private healthcare institution resulted in an inability to secure the appointment.
In relation to this practice, the Board undertook the following evaluations:
- Legal validity of explicit consent necessitates that it be disclosed with free will.
- Requiring explicit consent for advertising activities that are not directly related to healthcare services, in order to access healthcare services violates the element of freely given consent.
- Furthermore, making the processing of personal data, which doesn't inherently require explicit consent for the appointment application form, conditional upon obtaining explicit consent is deceptive and constitutes an abuse of rights.
- These circumstances violate the principle of adhering to both legality and good faith, as outlined in Article 4 of the Law.
Based on the aforementioned evaluations, the Board concluded that the private healthcare institution, in its capacity as the data controller, breached its obligations pertaining to data security under the Law. Consequently, a fine of 300,000 TL was imposed.
Moreover, though consent for data processing was obtained through the statement "I have read the clarification text regarding the processing of my personal data. I give my consent to the processing of my data in accordance with the Personal Data Protection Law" it was considered misleading as it created the impression of giving consent for the clarification text, even though it was actually providing consent for the processing of personal data. Consequently, a revision was mandated, involving the exclusion of the phrase "I give my consent" from the text, with the inclusion of a checkbox merely indicating the reading of the clarification text. Furthermore, a decision was made that if there were personal data processed based on explicit consent, the explicit consent texts for such data would be organized separately. Subsequently, the hospital would be required to inform the Board.
Even with explicit consent, healthcare institutions are not allowed to advertise or process personal data for promotional purposes.
In the decision dated May 11, 2023, numbered 2023/787, The Board examined content shared via social media accounts belonging to a private hospital. In these records, patients furnished information about their health issues, and treating physicians expounded upon diagnoses and treatment outcomes. The records evidenced that patients had provided explicit consent for capturing images/videos containing personal data through the "Clarified Consent Form for the Protection of Personal Data in Photograph/Video Capture". This consent extended to marketing, advertising, and promotional procedures, encompassing the dissemination of captured content to third parties, press, and social media platforms.
In its evaluation of the case, the Board highlighted a decision dated August 20, 2019, numbered 2019/2602 made by the Advertising Board in similar circumstances. This decision established that similar content on the website of a private hospital was regarded as advertising in nature. Such content was determined to present a commercial appearance, stimulate demand, and involve unfair competition in relation to other healthcare facilities.
Consequently, specific regulations within the industry preclude private hospitals from engaging in promotional activities of an advertising nature. In the present case, it was discerned that the processing of personal health data and other personal data for advertising purposes neither possessed legal validity nor legitimacy.[1] Moreover, it is stated that private hospitals cannot engage in advertising-like promotion aimed at creating demand, according to the Regulation on Private Hospitals ("Regulation").
Furthermore, the decision highlights that private hospitals are permitted to engage in informative and promotional activities that are aimed at protecting and enhancing health. This includes informing the public about their service areas, the services they offer, opening details, and similar matters. This permission is in line with the provisions of the Regulation that allow promotional activities and advertisements for the purpose of informing the community.
It was accentuated that personal health data need not undergo processing for fostering awareness about lesser-known diseases; it was feasible to apprise the public about the attributes and treatment processes of such diseases without processing personal data. It has been concluded that the specific personal data processing activity conducted in this case contradicts the principle of proportionality.[2]
In consequence of these evaluations, the Board inferred that:
- Even when data subjects provided explicit consent, provisions of the Regulation preclude the utilization of explicit consent as a stipulation for data processing in the specific case.
- Consequently, the data processing activity in question falls short of compliance with the conditions governing the processing of sensitive personal data, as delineated by the Law.
- As the data controller, the private hospital failed to ensure an adequate level of security to prevent unlawful data processing.
Accordingly, a fine of 250,000 TL was imposed on the hospital. Moreover, it was mandated that the data processing activity for the aforementioned intents would be discontinued. The personal data processed and retained until that point would be destructed, in accordance with applicable legislation. In instances where personal data had been shared with third parties, these entities would also be apprised of the destruction process. The hospital would also have a responsibility to inform the Board about these measures.
Conclusion
Board decisions offer valuable insights to ensure the compliance of healthcare institutions' data processing activities with relevant legislation. In this context, healthcare institutions should:
- Avoid practices that could lead to an interpretation that the provision of any product and/or service is conditioned on the explicit consent of the data subject.
- Stay clear of activities that could be construed as data processing for advertising purposes.
- Refrain from processing personal data within activities aimed at informing about diseases, even if explicit consent is obtained.
- Ensure that the acknowledgement of reading the clarification text is distinctly and separately arranged from the consent given for data processing activities.
- Arrange explicit consent texts for data requiring such consent separately from those not requiring it.
It is of paramount importance to exercise utmost care in these matters and to seek expert legal assistance in order to avoid any violations in this context.
You can access the summary text of the decision dated 02.05.2023 and numbered 2023/692 from here (Only available in Turkish).
You can access the summary text of the decision dated 11.05.2023 and numbered 2023/787 from here (Only available in Turkish).
With thanks to Onur Akar for his assistance in this article.
[1] Before reaching the conclusion, a reference was made to Opinion 03/2013 of the Article 29 Data Protection Working Party concerning the 'purpose limitation' principle. It was stated that the legitimacy of a purpose, as encompassed by the principle of processing for specific, explicit, and legitimate purposes, implies that purposes, in the broadest sense, must adhere to legal regulations. In this context, it was indicated that if the processing of personal data leads to a breach within a sector-specific regulation, it cannot be considered lawful for the respective processing activity.
[2] In the decision, it has been stated that the principle of proportionality, which is one of the general principles to be adhered to in the processing of personal data, signifies establishing a reasonable balance between data processing and the intended purpose.
-
Kemal Altuğ Özgün
Managing Partner
-
Burak Bayrak
Associate