GUIDELINE ON THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA HAS BEEN PUBLISHED – REVIEW YOUR COMPLIANCE PROCESSES!

With the Law No. 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws published in the Official Gazette dated 12.03.2024, Article 6 titled "Conditions for Processing Special Categories of Personal Data" in the Personal Data Protection Law No. 6698 ("Law") has been amended and this amendment entered into force on 01.06.2024.  

The Guideline on the Processing of Special Categories of Personal Data ("Guideline") was published by the Personal Data Protection Authority on 26.02.2025.  

The Guideline consists of three sections: first, the special categories of personal data determined by limited enumeration in the Law are detailed with examples; second, the new legal grounds for processing under Article 6 of the Law are explained; and finally, the actions to be taken by data controllers to comply with the new amendments of the Law are discussed.

  1. Special Categories of Personal Data and Their Legal Framework

Within the framework of the relevant regulations of the Law, special categories of personal data are subject to a special protection regime in order to ensure the protection of the fundamental rights and freedoms of the data subjects. The Guideline discusses the special categories of personal data in detail with examples; explanations regarding these categories and their processing procedures are given below.

1.1. Race and Ethnicity Data: The Guideline discusses the concepts of race and ethnic origin, followed by the concept of nationality. Accordingly, the processing of nationality information on the identity card, such as "foreign national", "not a Turkish citizen," or "other," will not be considered special categories of personal data.

1.2. Data on Political Opinion:  According to the examples given in the Guideline, information on a person's political party membership or apolitical nature is considered as political opinion data. It is stated that the special categories of personal data related to political opinion processed by the Supreme Election Board and relevant public institutions, political parties or independent candidates and the conditions for their processing are explained in detail in the "Guideline on the Protection of Personal Data in Election Activities" published by the Personal Data Protection Authority ("Authority").

1.3. Data on Philosophical Beliefs, Religions, Sects, and Other Beliefs: According to the Guideline, information on whether a person has a particular religion or belief qualifies as special categories of personal data. For example, if the employer adds the images of the employee praying to the case file in a lawsuit, special categories of personal data processing activity will have taken place. Again, it has been stated that the concept of philosophical belief, which is considered as special categories of personal data, is included and protected both in the Constitution and in many legal regulations.

1.4. Dress and Attire Data: Data on dress and attire are considered as special categories of personal data under the Law in order to prevent discrimination and protect the fundamental rights of the data subject in Turkey. In the Guideline, in line with a decision of the Council of State, it is stated that the imposition of administrative sanctions on the grounds of "wearing jeans and not shaving his beard" is evaluated within the framework of the prohibition of discrimination and the principle of equality. In this framework, it should be evaluated on a case-by-case basis whether information on the appearance and dress of individuals is special categories of personal data, and the purpose of the regulation in the Law to prevent discrimination and violation of the interests of the data subject should be taken into consideration.

1.5. Association, Foundation and Trade Union Membership Data: The Guideline includes definitions of association, foundation and union membership. The fact that the data subject is a member of a trade union, foundation, or association falls within the scope of special categories of personal data. In the Guideline, the employer's processing of information regarding the employee's union membership is considered as a special categories of personal data processing activity.  

1.6. Data on Health and Sexual Life: According to the Guideline, health data includes not only the data that identifies the current health status of the person, but also the possibility of illness, diagnosis, and treatment processes. Such data may only be processed within the processing conditions set out in Article 6 of the Law.

1.7. Data on Criminal Convictions and Security Measures: The Guideline includes the definitions of conviction, defendant and security measures. Data on criminal convictions and security measures are considered as special categories of personal data. It is also stated that the finalized convictions that constitute the content of the judicial record can be considered as special categories of personal data. For example, when the data controller processes the information regarding the conviction decision or the revocation of the driver's license in the criminal record, special categories of personal data processing activity will be realized.

1.8. Biometric Data: A parallel approach to the GDPR has been adopted for the definition of biometric data. In order for biometric data to be considered as special categories of personal data, physiological, physical, or behavioral characteristics must be revealed as a result of a certain technical process, and this information must be suitable for identifying or verifying the identity of the person. The Guideline also distinguishes between biometrics and biometric data. Accordingly, while biometrics refers to the physical or behavioral characteristics of a person, biometric data is unique and specific to the person.

In the examples given in the Guideline regarding whether photographs are biometric data or not, it is emphasized that the processing of biometric photographs cannot be directly qualified as the processing of special categories of personal data, and that in order for a data to be considered as biometric data, that data should only have the ability to identify or verify that person.  

1.9. Genetic Data: Genetic data is defined in the GDPR as data obtained from biological samples that contain unique information about a person's physiology or health. In the Guideline, it is stated that a biological sample alone does not qualify as special categories of personal data, but if the analysis reveals genetic information unique to the person, it will be considered as special categories of personal data.  

The Guideline also emphasizes that all data controllers collecting biological samples should take the necessary technical and administrative measures to ensure the security of these samples.

  2. Conditions for Processing Special Categories of Personal Data

Pursuant to the Law, the processing of special categories of personal data is prohibited as a rule. However, under certain circumstances and conditions, the processing of special categories of personal data is permitted under the relevant provisions of the Law. In line with the amendments made to Article 6 of the Law, the conditions for processing special categories of personal data have been expanded in order to ensure harmonization with the EU rules in the field of protection of personal data specified in the Guideline, to adapt to the innovations brought by the developing technology and new approaches adopted in international platforms, and these new processing conditions are explained in detail in the Guideline.

In addition, it is explained for the first time in the Guideline that the expressions "mandatory" and "necessary" in the processing conditions are deliberately chosen and what they mean in the context of the GDPR.  

The concept of “mandatory” in terms of the processing of special categories of personal data is defined as "the absence of any alternative method, therefore the processing activity is inevitable for the purpose in question".

The concept of “necessity” is defined as "It means that the data processing activity should be evaluated in each solid case by justifying the use of personal data based on objective evidence and that there should be a connection between the data processed in connection with the principle of "being purpose-related, limited and proportionate to the purpose for which they are processed" and the legitimate purpose put forward."

2.1. Explicit Consent: A similar regulation is envisaged with the explicit consent requirement for the processing of general personal data regulated in Article 5 of the Law. However, if there is another processing condition other than explicit consent, the use of this condition together with explicit consent may be contrary to the principles of lawfulness and fairness. Therefore, it should be kept in mind that explicit consent is a legal basis that can only be used in cases where there is no other processing condition. The Guideline also underlines that even if all the elements of explicit consent are met, explicit consent obtained in violation of the general principles set out in Article 4 of the Law may render data processing unlawful.

2.2. Explicit Provision in Laws: The processing of special categories of personal data is considered lawful if it is explicitly provided for by a provision of law. If the relevant law explicitly authorizes the processing of special categories of personal data to be directly regulated by secondary legislation (regulation, communiqué, circular, etc.), then the relevant secondary legislation regulations may also constitute a legal basis for the processing of special categories of personal data.  

2.3. To be Necessary for the Protection of the Life or Bodily Integrity of the Person Who Cannot Give Consent Due to Actual Impossibility or Whose Consent is Not Given Legal Validity: It is possible to process special categories of personal data in order to protect the vital interests or physical integrity of the data subject or a third person where explicit consent cannot be obtained from the data subject or there is no legally valid explicit consent. Unlike the GDPR, the Law stipulates the concept of "necessity" for this processing condition.

2.4. Relating to the Personal Data Publicized by the Data Subject and Complying with the Will of Publicization: Publicization means that the data subject discloses his/her personal data to the public. The processing of a person's special categories of personal data in any publicly accessible environment cannot be considered within the scope of publicization only because these data are publicly available. The processing of such data must be in accordance with the data subject's will to make them public and the purpose of making them public.  The will to publicize expresses the purpose for which the data subject discloses his/her personal data to the public and the grounds for such disclosure.  

2.5. To be Necessary for the Establishment, Exercise or Protection of a Right: It is regulated by taking into consideration the subparagraph (f) of the second paragraph of Article 9 of the GDPR titled "processing of Special Categories of Personal Data". Pursuant to the Guideline, the important point in terms of this processing requirement is that it can be justified that the processing of special categories of personal data is mandatory for the purpose of establishing, exercising or protecting which right. Another important point is that, unlike the GDPR, the Law stipulates the concept of "necessity" for this processing requirement.

2.6. To be Necessary for the Protection of Public Health, Preventive Medicine, Medical Diagnosis, Treatment and Care Services and Planning, Management and Financing of Health Services by Persons Under the Obligation of Confidentiality or Authorized Institutions and Organizations:  It has been regulated by taking into consideration the subparagraph (h) of the second paragraph of Article 9 of the GDPR titled "processing of Special Categories of Personal Data". The Law restricts the processing of special categories of personal data based on the relevant provision in terms of person, purpose, and situation. The Guideline also states that the term "authorized institutions and organizations" includes not only public institutions and organizations but also natural persons and private legal entities providing health services.  The Guideline also stipulates that the persons under the obligation to keep confidentiality shall include all members of the health professions, persons who are not members of the health professions but who participate responsibly in the provision of health services, and health institutions and organizations.

2.7. To be Necessary for the Fulfillment of Legal Obligations in the Fields of Employment, Occupational Health and Safety, Social Security, Social Services, and Social Assistance: This processing requirement relates to the fulfillment of legal obligations that require the processing of special categories of personal data. According to the Guideline, the relevant legal obligation may arise directly from the provisions of the law or may be based on regulations, directives, communiqués, and contracts. In the Guideline, it is exemplified that employers are obliged to organize personnel files of their employees pursuant to Article 75 of the Labor Law No. 4857 and that the processing of special categories of personal data may also be required within the scope of this process. The concepts of employment, occupational health and safety, social security, social services, and social assistance mentioned in this new processing requirement are also defined in the Guideline.

2.8. For Current or Former Members and Members of Foundations, Associations and Other Non-Profit Organizations or Entities Established for Political, Philosophical, Religious or Trade Union Purposes, or Persons in Regular Contact with These Organizations and Entities, provided that they comply with the Legislation to which they are subject and their Purposes, are limited to their Field of Activity and are not disclosed to Third Parties: With the amendment, the said processing condition has been included in the Law for the first time, taking into account the subparagraph (f) of the second paragraph of Article 9 titled "processing of Special Categories of Personal Data" of the GDPR.  However, this processing activity may be carried out provided that it complies with the legislation to which the organizations are subject and their purposes, is limited to their fields of activity, and is not disclosed to third parties. In the Guideline, the concept of "regular contact" is also addressed separately. Accordingly, the Law permits processing if the personal data is "intended for current or former members and members, or persons who are in regular contact with these organizations and entities". In the Guideline, it is stated that while potential members of an organization, partners who are not officially members of the organization, contributors to this organization or regular beneficiaries of the services of the organization can also be considered within this scope, for example, persons who supply goods or services to these organizations or formations for commercial purposes cannot be considered within this scope. Furthermore, explanations are provided on foundations, associations, and non-profit organizations and formations established for political, philosophical, religious and trade union purposes. 
It is underlined that the Law, through the concept of "other non-profit organizations or entities", does not include all civil society organizations, but only non-profit organizations and entities.

  3. DATA CONTROLLER’S ACTIONS TO COMPLY WITH THE LAW

In line with the amendments made under the Law, the actions to be taken by data controllers for compliance with the Law are set out in the Guideline as follows.

3.1. Updating Personal Data Processing Inventory: Data controllers are required to regularly review their processes regarding personal data processing activities and revise their personal data processing inventories in line with the updated legislation provisions. In particular, data controllers who are obliged to register with the Data Controllers' Registry ("VERBIS") under the Regulation on the Data Controllers' Registry are required to harmonize their VERBIS records with the inventory update process. In the Guideline, it is reminded that any change in the information registered in VERBIS must be notified within seven (7) days from the date of such change.

3.2. Regulation of the Processes for Obtaining Explicit Consent: Prior to the amendments made to Article 6 of the Law, the explicit consent of the data subject was required for the processing of special categories of personal data. However, due to the expansion of the processing conditions other than explicit consent with the amendments, data processing activities based on explicit consent should be reconsidered. In this context, in cases where explicit consent is no longer required, the relevant processes should be brought into compliance with the law, explicit consent texts should be revised, and the data subjects should be informed about the changes that have occurred.

3.3. Amendments to Privacy Notices: Pursuant to Article 10 of the Law, data controllers are obliged to clearly state the legal basis of the personal data processed while fulfilling the obligation to inform the data subjects. Therefore, it is of great importance that the changes in the processing conditions of special categories of personal data are reflected in the privacy notices and announced to the data subjects. In the Guideline, it is stated that the burden of proof in the fulfillment of the obligation to inform belongs to the data controller, and there is no requirement in the Law and secondary legislation regarding the formation of notification, and therefore the most appropriate method can be determined by the data controller, and it is underlined that the most important criterion here is that the data subjects must be informed about these updates in a provable manner.  

3.4. Updating Retention and Disposal Policies: Pursuant to the Regulation on Deletion, Destruction or Anonymization of Personal Data, data controllers who are obliged to register with VERBIS are obliged to prepare a personal data retention and disposal policy in accordance with the personal data processing inventory. In line with the changes in the legal basis for the processing of special categories of personal data, data controllers are also required to update their retention and disposal policies. In accordance with the new processing conditions, it should be ensured that personal data is not retained for longer than necessary and retention periods and disposal processes should be reviewed periodically.  

3.5. Taking Data Security Measures: It is a legal obligation for data controllers and data processors who process special categories of personal data to take adequate administrative and technical measures to ensure the security of personal data. In this context, full compliance with the regulation titled "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data" specified in the Decision of the Personal Data Protection Board dated 31.01.2018 and numbered 2018/10 should be ensured. In addition, the "Personal Data Security Guide (Technical and Administrative Measures)" published by the Authority should be taken into consideration within the scope of technical and administrative measures to be taken to ensure data security in personal data processing processes. Accordingly, the administrative and technical measures to be implemented in data processing activities should be planned and put into practice, taking into account the new rules.