Patient Confidentiality and Privacy Violations in Turkish Healthcare

Learn how Turkish law protects patient confidentiality and privacy, what counts as a healthcare privacy violation, which penalties and compensation remedies apply, and how patients can enforce their rights in Turkey.

Patient confidentiality is not a secondary courtesy rule in Turkish healthcare. It is a legal obligation tied to bodily integrity, private life, personal data protection, and the broader trust relationship between patient and provider. In Turkey, privacy in healthcare is protected through several overlapping sources: the Constitution, the Patient Rights Regulation, the Personal Data Protection Law No. 6698, the Turkish Penal Code, and ordinary compensation rules. That layered structure matters because a confidentiality problem in a hospital or clinic can produce more than one consequence at the same time. The same incident may lead to a patient-rights complaint, a data-protection application, administrative fines, civil compensation, and even criminal proceedings if the disclosure is serious enough. (Anayasa Mahkemesi)

At the constitutional level, the protection is strong. The Constitution states that everyone has the right to request the protection of personal data, including the rights to be informed, to access data, to request correction and deletion, and to learn whether data are being used consistently with their stated purposes. It also says personal data may be processed only where the law allows it or where the person has given explicit consent. This is especially important in healthcare because health information is among the most intimate forms of personal information a person can have. The same constitutional structure also protects corporeal and spiritual existence, which is why Turkish law treats confidentiality not merely as an administrative rule, but as part of the protection of the person. (Anayasa Mahkemesi)

The Personal Data Protection Law No. 6698 translates those constitutional protections into operational rules. Its purpose is expressly to protect fundamental rights and freedoms, especially the right to privacy, in the processing of personal data, and it applies to natural and legal persons processing data wholly or partly by automated means or within a filing system. The law also defines “explicit consent” as freely given, specific, and informed consent. In healthcare settings, this matters because hospitals, clinics, laboratories, imaging centers, pharmacies, telemedicine platforms, and even contracted software providers can all become part of the data-processing chain. (KVKK)

Turkish law treats health data as especially sensitive. Article 6 of Law No. 6698 classifies data concerning health, sexual life, criminal convictions and security measures, and biometric and genetic data among the “special categories of personal data.” The same article states that processing such data is prohibited unless one of the listed legal conditions is present. For health data specifically, processing is permitted where it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, or for the planning, management, and financing of healthcare services, provided this is done by persons under a legal duty of confidentiality or by competent public institutions and organizations. This is one of the central legal ideas in Turkish healthcare privacy law: health data may be processed where medical care genuinely requires it, but not as if it were ordinary commercial information. (KVKK)

The Patient Rights Regulation gives this data-protection framework a healthcare-specific form. It states that respect for patient privacy is essential and that every medical intervention must be carried out with respect for privacy. It goes further by explaining what that means in practice: medical evaluations concerning the patient’s condition must be conducted confidentially, examination and treatment must take place in a reasonably private environment, persons not directly related to the treatment should not be present during the intervention, and information about the source of healthcare expenses must be kept confidential. The same regulation also states that death does not eliminate the right to privacy. These provisions are crucial because they show that Turkish healthcare privacy is not limited to computer records. It covers the physical environment of care as well. (inhak.adalet.gov.tr)

The Regulation also sets an explicit confidentiality rule. It states that information obtained due to the provision of healthcare may not be disclosed in any way except in cases allowed by law. It adds that even where the patient’s consent exists, disclosure that results in a total waiver of personality rights, transfer of those rights to others, or excessive limitation of them does not eliminate legal responsibility. It further says that disclosure without a legally and morally valid justification, where such disclosure may harm the patient, can lead to both legal and criminal responsibility for staff and other persons. It even extends this protection to research and educational activities by stating that patient identity information may not be disclosed for those purposes without consent. In Turkish practice, this is one of the strongest regulatory texts for healthcare confidentiality. (inhak.adalet.gov.tr)

This means a confidentiality violation in Turkish healthcare can take many forms. It can be an unauthorized sharing of a report with family members, discussing a diagnosis in a public corridor, letting unnecessary people stay in the examination room, using patient photographs in education or promotion without valid consent, allowing staff without a treatment-related role to access files, sending records through insecure channels, or disclosing insurance and payment-source information beyond what is necessary. The law is not built only for dramatic data leaks. It also addresses everyday failures of confidentiality in how care is delivered. That conclusion follows directly from the Regulation’s privacy, disclosure, and treatment-environment rules. (inhak.adalet.gov.tr)

A current Constitutional Court press release illustrates how seriously Turkish law can treat these problems. In a 2025 case, the Court examined a situation where a report containing sensitive health data relating to an adult patient’s treatment process had been handed to his mother without his knowledge or consent. The Court stated that, although family members may sometimes be informed depending on the circumstances, the disclosure in that case went beyond merely informing the family. It criticized the lower court for failing to examine whether there was any compelling need to hand over the document itself, whether there was a conflict of interest between the applicant and his mother, whether there was any urgent situation requiring the release of a six-year-old treatment document, and whether there were alternatives to handing the report to a third party. The Court concluded that the State had failed to fulfil its positive obligations regarding the protection of personal data. This is a powerful contemporary example of how privacy violations can arise inside ordinary clinical practice. (Anayasa Mahkemesi)

The same incident also shows why “good intentions” do not automatically make a disclosure lawful. The first-instance criminal court had reportedly accepted the idea that the disclosure had been intended to protect the applicant, but the Constitutional Court still found the reasoning insufficient. In other words, Turkish privacy law in healthcare does not ask only why the provider disclosed information. It also asks whether the disclosure was necessary, proportionate, limited, justified, and properly reasoned under Article 20 of the Constitution. That is a high standard, especially when the patient is an adult and the disclosed material includes detailed treatment information. (Anayasa Mahkemesi)

The Personal Data Protection Law adds another layer of protection by setting out the patient’s rights and the healthcare provider’s obligations. Under Article 11, the data subject may learn whether personal data are processed, demand information about that processing, learn the purpose of the processing, know the third parties to whom the data are transferred in Turkey or abroad, request rectification of incomplete or inaccurate data, request erasure or destruction under the legal conditions, request that corrections or deletions be reported to third parties who received the data, object to automated decision-making against them, and claim compensation for damage caused by unlawful processing. In healthcare practice, these are strong remedial rights because they allow patients to move from suspicion to documented legal action. (KVKK)

Article 12 of the same law imposes concrete security duties on the data controller. It requires all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. It also makes the data controller jointly responsible with processors acting on its behalf, requires internal audits, prohibits controllers and processors from disclosing or using data contrary to the law even after their term ends, and obliges the controller to notify both the data subject and the Board as soon as possible if the processed data are obtained unlawfully by others. For hospitals and clinics, this is extremely important because many privacy failures in modern healthcare are not only interpersonal but technical: weak access controls, unsecured email flows, bad archiving, insufficient internal authorization, or poor vendor management. (KVKK)

Turkish law also gives patients a structured enforcement path under data-protection law. Article 13 requires the data subject to apply first to the data controller, and the controller must answer as soon as possible and at the latest within thirty days. Article 14 then allows the data subject to complain to the Personal Data Protection Board within thirty days after learning of the controller’s response, or within sixty days from the request date if no response is given. Article 15 empowers the Board to examine complaints and ex officio violations, to order infringements to be remedied, and, where appropriate, to suspend processing or cross-border transfers if the breach is explicit and risks serious harm. This gives patients in Turkish healthcare a direct regulatory path that exists independently from malpractice litigation. (KVKK)

The law also contemplates sanctions. Article 17 links personal-data crimes to Articles 135 to 140 of the Turkish Penal Code, and Article 18 provides for administrative fines for breaches such as failure to comply with the information duty, failure to meet data-security obligations, failure to comply with Board decisions, and registry-related breaches, while also making clear that disciplinary rules apply to civil servants and other public officers in public institutions after Board notification. In healthcare settings, this means privacy violations may trigger a multi-layered response: criminal exposure for the individual, administrative fines for the controller, and disciplinary measures for public employees. (KVKK)

The Turkish Penal Code supplies the clearest criminal exposure. Article 134 criminalizes violation of private life, including unlawful disclosure of images or sounds related to private life. Article 135 criminalizes unlawful recording of personal data, and specifically mentions information concerning a person’s health status as sensitive data within that context. Article 136 criminalizes unlawfully giving, disseminating, or obtaining personal data. Article 137 increases penalties where these offenses are committed by a public official abusing the authority of office or by taking advantage of the convenience provided by a profession or craft. In healthcare, that aggravating clause is especially significant because doctors, nurses, administrators, and medical secretaries often access data precisely because of their professional role. (Adli Sicil)

For public healthcare institutions, another criminal provision may become relevant. Article 258 of the Penal Code criminalizes the disclosure by a public official of secret documents, decisions, orders, or other information learned due to office where the information should remain confidential. This can matter when the person handling the data is a public servant in a state hospital or other public health unit. As a result, public healthcare privacy breaches in Turkey may carry a slightly different criminal profile from identical conduct in the private sector, even though both remain serious. (Adli Sicil)

Civil compensation is also available. The Personal Data Protection Law expressly preserves the right to seek compensation under general provisions for persons whose personal rights are violated, and Article 11 separately recognizes the data subject’s right to claim compensation for damage arising from unlawful data processing. In healthcare, that means a patient may seek compensation not only where there is quantifiable economic loss, but also where a privacy breach causes reputational harm, emotional distress, stigma, or other forms of injury connected to unlawful processing or disclosure. The Patient Rights Regulation also supports this by expressly allowing claims for pecuniary damages, moral damages, or both against the institution employing the personnel. (KVKK)

The route for compensation depends on whether the provider is private or public. The Patient Rights Regulation states that claims for pecuniary and moral damages may be brought against the institution employing the personnel, but if the defendant institution is public, the claimant must proceed under Articles 12 and 13 of the Administrative Procedure Law. In practical terms, this means a privacy breach in a private hospital or clinic can usually be pursued in the judicial branch against the institution and, where appropriate, the responsible persons, while a breach in a state hospital may need to follow the administrative route against the administration. So even when the wrongful act looks similar, the correct procedural path changes with the institutional setting. (inhak.adalet.gov.tr)

In day-to-day healthcare operations, several recurring risk areas deserve special attention. One is over-sharing with family members. Turkish law does not say family members can never be informed, but the 2025 Constitutional Court press release shows that giving an adult patient’s detailed treatment document to a parent without consent can violate the right to protection of personal data. Another is educational and research use of patient materials. The Patient Rights Regulation explicitly requires consent before patient identity information is disclosed for research or training purposes. A third is internal access. Under the Regulation, persons not directly related to treatment should not be present during interventions, and under the Personal Data Protection Law access to personal data must remain limited, proportionate, and secure. Together, these rules push Turkish healthcare providers toward a need-to-know model rather than an open-access culture. (Anayasa Mahkemesi)

For healthcare providers, compliance in Turkey therefore has to be both legal and operational. It is not enough to obtain a generic consent form or to circulate a privacy policy. Providers need role-based access controls, training on confidentiality, secure archiving and transmission practices, a disciplined response to patient requests under Articles 11 to 14 of Law No. 6698, and careful judgment before disclosing anything to relatives, insurers, researchers, students, or vendors. The Ministry of Health’s own public-facing data-security statement reflects this institutional concern by emphasizing the need to secure electronic health records and protect personal data through technical, administrative, and legal measures. (KVKK)

For patients, the enforcement roadmap in Turkey is comparatively clear. First, obtain the relevant records and identify exactly what was disclosed, accessed, used, or stored unlawfully. Second, apply to the healthcare provider or other data controller under Article 13 of Law No. 6698 and request information, correction, deletion, or another appropriate remedy. Third, if the response is refused, inadequate, or missing, complain to the Personal Data Protection Board within the statutory period under Article 14. Fourth, evaluate whether the conduct also supports a criminal complaint under the Penal Code or a compensation action under the general rules and the Patient Rights Regulation. Because healthcare privacy violations often sit at the boundary between medical law and data law, patients should think in terms of parallel remedies rather than just one complaint channel. (KVKK)

Patient confidentiality and privacy violations in Turkish healthcare are therefore not narrow technical breaches. They are legal wrongs that may implicate constitutional rights, special-category health-data protection, patient-rights rules, criminal law, administrative fines, and compensation. Turkish law protects privacy at the bedside, in the file room, in the database, in the courtroom, and even after treatment has long ended. The 2025 Constitutional Court press release on disclosure of health data to a patient’s mother shows that these protections are not theoretical. Turkish institutions are expected to justify healthcare disclosures carefully, especially where the patient is an adult and the information is sensitive. (Anayasa Mahkemesi)

The practical lesson is simple. In Turkish healthcare, confidentiality is not just about silence. It is about lawful processing, limited access, proportionate disclosure, secure systems, respect for private space, and enforceable patient control over health information. Providers that treat privacy as a formality invite regulatory, civil, and criminal exposure. Patients who understand the Turkish framework have meaningful tools to challenge that conduct and seek redress. (KVKK)
