Introduction
Personal data protection in Turkish healthcare and medical services is one of the most sensitive areas of Turkish privacy law. Hospitals, private clinics, doctors, dentists, laboratories, medical tourism companies, pharmacies, insurance providers, telemedicine platforms, rehabilitation centers, aesthetic surgery clinics, and healthcare technology companies process large volumes of highly sensitive personal data every day. These data may include patient identity information, medical history, diagnosis records, laboratory results, prescriptions, radiology images, genetic data, biometric identifiers, disability reports, surgical records, psychiatric evaluations, insurance details, appointment history, and payment information.
Under Turkish law, health data is not treated as ordinary personal data. It is classified as a special category of personal data under Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. Article 6 of KVKK expressly includes “data concerning health” among special categories of personal data and provides stricter processing conditions for such data. Following the 2024 amendments, special categories of personal data may be processed only under specific legal conditions, including explicit consent, express legal provision, protection of life or physical integrity, establishment or protection of a right, public health, preventive medicine, medical diagnosis, treatment and care services, and healthcare planning, management and financing by persons under confidentiality obligations or competent public institutions and organizations. Adequate measures determined by the Turkish Personal Data Protection Board must also be implemented.
For healthcare providers, personal data protection is not merely a formal compliance duty. It is closely connected with patient confidentiality, medical ethics, professional responsibility, hospital administration, malpractice risk, cybersecurity, patient trust, and regulatory supervision. A privacy failure in healthcare may have serious consequences because disclosure of a patient’s diagnosis, treatment, medication, genetic condition, reproductive health record, psychiatric history, or surgical procedure may cause social, professional, emotional, and financial harm.
Legal Framework for Healthcare Data Protection in Turkey
The main legal framework consists of KVKK, secondary regulations issued by the Turkish Personal Data Protection Authority, sector-specific healthcare rules, and the Ministry of Health’s regulations on personal health data. The Ministry of Health announced that the Regulation on Personal Health Data was prepared to determine the procedures and principles to be followed in processes and practices carried out by the Ministry’s central and provincial units, healthcare service providers operating under the Ministry, and related institutions; it entered into force after publication in the Official Gazette dated 21 June 2019 and numbered 30808.
This sector-specific framework is important because healthcare data is processed not only by private hospitals and clinics but also through national health information systems, public health reporting systems, insurance processes, laboratory networks, appointment systems, e-prescription systems, electronic health records, and digital patient portals. Therefore, healthcare privacy compliance requires both general KVKK analysis and healthcare-specific operational analysis.
The Regulation on Personal Health Data was also amended in December 2025. The amendment was published in the Official Gazette dated 3 December 2025 and numbered 33096. It updated several provisions, including the legal basis article and rules concerning access to health data by family physicians, treating physicians, physicians working at the healthcare provider, inpatient physicians, emergency physicians, and access settings through e-Nabız.
What Is Personal Health Data?
Personal health data means any information relating to an identified or identifiable natural person’s physical or mental health. It may include diagnosis, treatment, medications, medical tests, imaging results, surgery notes, pathology reports, vaccination records, chronic disease information, disability records, pregnancy information, psychiatric assessments, genetic information, biometric identifiers used in healthcare, blood type, laboratory findings, hospital admission and discharge records, and health insurance claim data.
In practice, health data may be processed at many points of the patient journey. When a patient books an appointment, the provider collects identity and contact data. During admission, the provider may collect identity, insurance, billing, and medical complaint information. During diagnosis and treatment, doctors and medical staff create examination notes, prescriptions, lab requests, imaging reports, and treatment plans. After discharge, the provider may retain medical records, issue invoices, respond to insurance requests, handle complaints, and defend possible malpractice claims.
Because almost every stage of healthcare service involves personal data, healthcare organizations should not treat data protection as a document-only exercise. It must be integrated into daily medical, administrative, technical, and legal workflows.
Health Data as a Special Category of Personal Data
The classification of health data as a special category has major legal consequences. Under KVKK Article 6, processing special categories of personal data is prohibited as a rule unless one of the legal conditions listed in the law exists. Health data may be processed with explicit consent, but explicit consent is not the only legal ground. Processing may also be lawful where it is explicitly provided by law, necessary for protection of life or physical integrity, necessary for the establishment, exercise or protection of a right, or necessary for public health, preventive medicine, medical diagnosis, treatment and care services, and healthcare planning, management and financing by persons subject to confidentiality obligations or competent public institutions and organizations.
This distinction is crucial for hospitals and clinics. A healthcare provider does not need to obtain explicit consent for every medical act of data processing where the processing is necessary for diagnosis, treatment, medical care, or legally required healthcare operations and is carried out by authorized persons under confidentiality duties. However, explicit consent may be required for processing activities outside the ordinary legal and medical basis, such as using patient photos for advertising, sharing treatment results publicly, using patient data for unrelated marketing, or transferring health data for optional commercial purposes where no statutory ground applies.
Data Controller and Data Processor Roles in Healthcare
In healthcare data protection, it is essential to identify who acts as a data controller and who acts as a data processor. A private hospital usually acts as a data controller for patient records because it determines why and how patient data is collected, stored, accessed, and used. A doctor operating an independent private practice may also act as a data controller. A laboratory may be an independent controller for certain test processes or a processor depending on the contractual and operational structure. A cloud provider storing hospital records on behalf of the hospital will usually be a data processor for that storage activity.
Medical tourism agencies, call centers, appointment platforms, telemedicine software providers, laboratory networks, billing service providers, IT companies, archiving companies, and insurance intermediaries may have different roles depending on the data flow. A company may be a processor in one activity and an independent controller in another. For example, a software provider may be a processor when hosting patient records for a clinic but a controller when processing its own customer contact, billing, and marketing data.
Correctly defining these roles matters because data controllers carry primary obligations under KVKK, including informing data subjects, ensuring lawful processing, implementing security measures, responding to data subject requests, managing transfers, and notifying data breaches.
Core Principles for Processing Healthcare Data
KVKK Article 4 sets out general principles applicable to all personal data processing. Personal data must be processed lawfully and fairly, be accurate and kept up to date where necessary, be processed for specified, explicit and legitimate purposes, be relevant, limited and proportionate to the purposes of processing, and be stored only for the period laid down by law or required for the processing purpose.
In healthcare, these principles are highly practical. A clinic should collect only data necessary for diagnosis, treatment, billing, legal obligations, or patient communication. A hospital should not allow all staff to access all patient records without need. A medical tourism company should not request full medical history before it is necessary. A dental clinic should not keep patient photographs indefinitely if they are no longer required. A hospital should not use treatment images for social media without a separate lawful basis and valid consent.
The principle of proportionality is especially important. Health data is highly sensitive, so every collection, access, transfer, retention, and disclosure should be justified. Healthcare providers must balance medical necessity with patient privacy.
Patient Privacy Notices and the Obligation to Inform
Under KVKK Article 10, data controllers must inform data subjects at the time personal data is obtained. The notice must include the identity of the data controller and representative, if any; the purpose of processing; recipients and transfer purposes; the method and legal basis of collection; and data subject rights under Article 11.
Healthcare providers should prepare privacy notices tailored to their actual operations. A private hospital’s privacy notice should cover patient admission, examination, diagnosis, treatment, laboratory processes, imaging services, prescriptions, surgical operations, inpatient care, billing, insurance, medical reporting, appointment management, patient complaints, legal obligations, malpractice claims, data retention, and transfers to authorized public institutions.
Aesthetic clinics, dental clinics, medical tourism companies, physiotherapy centers, psychology practices, and laboratories should not use generic privacy notices copied from unrelated businesses. Their notices should reflect the specific health data they process and the purposes for which they process it.
The obligation to inform is separate from explicit consent. A patient privacy notice does not automatically mean the patient has consented to optional processing. If explicit consent is required, the consent mechanism must be separate, specific, informed, and freely given.
Explicit Consent in Healthcare Services
Explicit consent under KVKK should be used carefully in healthcare. Many health data processing activities are necessary for diagnosis, treatment, care services, public health, healthcare planning, billing, legal obligations, or protection of rights. In these cases, the correct legal basis may be Article 6 rather than explicit consent.
However, explicit consent may be required where processing goes beyond necessary healthcare purposes. Examples may include using before-and-after photographs for marketing, publishing patient testimonials, sharing patient stories on social media, transferring patient information to third-party commercial partners, using patient data for unrelated research without anonymization or legal basis, or sending promotional messages based on health service history.
Consent must be truly free. A patient should not be forced to consent to unnecessary marketing or promotional use as a condition of receiving medical treatment. Consent should explain exactly which data will be processed, for what purpose, where it will be published or transferred, how long it will be used, and how it can be withdrawn.
Medical Records and Confidentiality
Medical records are the backbone of healthcare service delivery. They document patient complaints, examination findings, diagnosis, treatment plans, consent forms, laboratory results, imaging reports, operation notes, discharge summaries, prescriptions, and follow-up recommendations. These records are necessary for continuity of care, patient safety, legal accountability, insurance processes, and medical defense.
At the same time, medical records contain extremely sensitive data. Access must be limited to authorized healthcare professionals and administrative personnel who need the data for legitimate purposes. Hospital employees, reception staff, billing teams, call center personnel, and technical staff should not have unrestricted access to full medical records unless necessary.
Article 12 of KVKK requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure the protection of personal data. Data controllers and processors must not disclose personal data contrary to the law or use it for purposes other than the processing purpose, and this duty continues after their term of office ends.
Access to Health Data and e-Nabız Settings
Access control is one of the most important issues in Turkish healthcare data protection. The December 2025 amendment to the Regulation on Personal Health Data introduced detailed access rules. According to the amended provision, health data may be accessed, limited to the processing conditions under KVKK Article 6/3, by the person’s family physician without a time limit; by the physician to whom the person applies for healthcare services until procedures directly related to the service are completed; by physicians working at the healthcare provider to which the person applies until directly connected procedures are completed; by physicians at the inpatient healthcare provider until discharge; and by all physicians at the emergency facility, limited to the relevant emergency service, until discharge.
The amendment also regulates access through e-Nabız security settings. Persons who set security preferences through their e-Nabız account may have their health data accessed according to those settings, and relevant persons must be informed in detail about security settings and their consequences.
These rules show that Turkish healthcare data protection is not only about obtaining documents. It is also about operational access governance: who can see which data, for how long, for what medical purpose, and under what patient-controlled settings.
Children’s Health Data and Family Access
Children’s health data requires special care. Parents, guardians, custodians, and caregivers may need access to a child’s health information, but privacy, custody, family law, safety, and medical necessity must be considered together. The December 2025 amendment includes specific rules on access to children’s health data in divorce and custody contexts. It states that during a pending divorce case, the party to whom custody is temporarily granted may access the child’s health data; after divorce, the party granted custody may access the child’s health data. It also allows certain applications by the non-custodial parent, with location, address, or contact information removed where appropriate.
Healthcare providers should be careful when responding to requests from parents, relatives, guardians, or caregivers. Not every family member automatically has unlimited access to a patient’s health data. The legal capacity of the requester, patient consent, custody status, medical necessity, and applicable Ministry rules should be checked.
Data Sharing With Public Authorities and Insurance Systems
Healthcare providers may be legally required to share certain information with public authorities, social security institutions, insurance systems, judicial authorities, or administrative bodies. These transfers may be based on legal obligations, public health requirements, healthcare financing, insurance claims, or legal proceedings.
However, legal obligation does not justify excessive disclosure. Only necessary data should be transferred, and the transfer should be limited to the statutory purpose. For example, billing or reimbursement processes may require certain diagnosis, treatment, invoice, and service codes, but this does not mean unrelated medical history should be shared.
Domestic transfers of personal data are regulated by Article 8 of KVKK. Personal data cannot be transferred without explicit consent unless one of the legal grounds under Article 5/2 or Article 6/3 exists, and sufficient measures must be taken for special categories of data.
Medical Tourism and Foreign Patients
Turkey is a major destination for medical tourism, including hair transplantation, dental treatment, aesthetic surgery, eye surgery, fertility services, orthopedic treatment, and general medical care. Medical tourism companies and clinics often process passport information, foreign contact details, travel information, medical history, photographs, laboratory results, treatment plans, invoices, hotel information, and international payment records.
Medical tourism creates additional compliance risks because data may be transferred between foreign patients, Turkish clinics, interpreters, hotels, agencies, doctors, laboratories, payment providers, insurance companies, and sometimes foreign healthcare providers. Clinics should ensure that foreign patients receive clear privacy notices in a language they can understand. Patient photographs, treatment videos, and testimonials should not be used for marketing without valid explicit consent.
Where health data is transferred abroad, KVKK Article 9 must be assessed. After the 2024 amendments, personal data may be transferred abroad if Article 5 or Article 6 conditions are met and there is an adequacy decision. In the absence of an adequacy decision, appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board may be required; standard contracts must be notified to the Authority within five business days after signature.
Digital Health, Telemedicine, and Healthcare Technology
Digital health services increase the amount and sensitivity of processed data. Telemedicine platforms, remote monitoring devices, health apps, AI-supported diagnosis tools, wearable devices, online appointment systems, digital prescriptions, cloud-based patient records, and laboratory portals all create complex data flows.
A telemedicine platform may process video consultations, patient symptoms, prescriptions, diagnosis notes, identity verification records, IP addresses, device data, appointment data, and payment information. A health app may collect lifestyle data, medication reminders, location data, sleep data, fertility data, or chronic disease tracking information. These data may be highly sensitive even when they do not appear in a traditional hospital file.
Healthcare technology companies should carefully determine whether they are data controllers or processors, which health data they process, whether they transfer data abroad, how they secure video and messaging systems, whether AI tools use patient data for training, and whether patients are properly informed.
Cross-Border Transfers of Health Data
Cross-border transfer of health data is one of the highest-risk areas in healthcare compliance. Examples include foreign cloud hosting of patient records, international laboratory analysis, global hospital group databases, medical tourism coordination with foreign agencies, foreign software support teams accessing patient systems, and international insurance processing.
Article 9 of KVKK was amended in 2024, and the Turkish Personal Data Protection Authority announced English translations of the By-Law on transfer of personal data abroad and standard contract texts on 29 August 2024.
For health data, cross-border transfer analysis must consider both Article 9 and Article 6. Since health data is a special category of personal data, the underlying processing condition must be valid, and additional measures must be taken. Standard contracts and data transfer documentation should specifically address sensitive health data, recipients, purposes, security measures, onward transfers, access limitations, and retention.
Data Security Measures in Healthcare
Healthcare data security must be strong because health data breaches can cause severe harm. Practical technical measures should include encryption, role-based access control, multi-factor authentication, secure medical record systems, audit logs, network segmentation, vulnerability testing, endpoint protection, secure backups, access monitoring, secure deletion tools, and incident detection systems.
Organizational measures should include confidentiality undertakings for personnel, staff training, access authorization procedures, disciplinary rules, vendor due diligence, data processing agreements, physical archive controls, patient file handling policies, breach response procedures, and periodic audits.
Special attention should be paid to hospital information management systems, laboratory systems, radiology archives, appointment platforms, call center recordings, e-mail communications, portable devices, USB drives, shared folders, and remote access tools. Unauthorized access by employees is as serious as external cyberattacks. Hospitals should monitor access logs and investigate unusual access to patient files.
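The access windows summarised above under Access to Health Data and e-Nabız Settings (family physician without time limit; applied-to physician and physicians at the same provider until directly connected procedures are completed; inpatient physicians until discharge; emergency physicians limited to their service until discharge), and the access-log review this paragraph calls for, can be operationalised as one check. The following is an added example, not code from the article or from any Ministry or e-Nabız system: it encodes those windows as a decision function, models the patient's e-Nabız-style security preference as a simple boolean that blocks everyone except the family physician (an assumption made for the model, not a statement of how e-Nabız actually behaves), and replays a constructed access log against the policy so that every access outside a permitted window is surfaced for investigation. All identifiers, dates and episodes are constructed.

```python
"""Replay a hospital access log against physician access windows (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

@dataclass
class Episode:
    """One care relationship between a patient and a provider (constructed model)."""
    patient_id: str
    provider_id: str
    start: datetime
    end: Optional[datetime]                 # procedures completed / discharge; None = still open
    kind: str                               # "outpatient", "inpatient" or "emergency"
    treating_physician: Optional[str] = None   # physician the patient applied to
    emergency_service: Optional[str] = None    # emergency service unit, e.g. "ER-A"

@dataclass
class Patient:
    patient_id: str
    family_physician: str
    sharing_enabled: bool = True            # assumed e-Nabız-style preference (see lead-in)
    episodes: List[Episode] = field(default_factory=list)

@dataclass
class AccessEvent:
    ts: datetime
    physician_id: str
    provider_id: str
    patient_id: str
    service: Optional[str] = None           # emergency service unit the physician works in

def is_permitted(patient: Patient, ev: AccessEvent) -> Tuple[bool, str]:
    """Return (permitted, reason) for one access event under the summarised windows."""
    if ev.physician_id == patient.family_physician:
        return True, "family physician (no time limit)"
    if not patient.sharing_enabled:
        return False, "patient sharing preference blocks access"
    for ep in patient.episodes:
        within = ep.start <= ev.ts and (ep.end is None or ev.ts <= ep.end)
        if not within:
            continue                        # window closed: completion or discharge has passed
        if ep.kind == "emergency":
            if ev.provider_id == ep.provider_id and ev.service == ep.emergency_service:
                return True, "emergency physician, same service, before discharge"
            continue
        if ep.kind == "inpatient" and ev.provider_id == ep.provider_id:
            return True, "physician at inpatient provider, before discharge"
        if ep.kind == "outpatient":
            if ev.physician_id == ep.treating_physician:
                return True, "applied-to physician, procedures ongoing"
            if ev.provider_id == ep.provider_id:
                return True, "physician at applied-to provider, procedures ongoing"
    return False, "no active care relationship covers this access"

def audit(patients: Dict[str, Patient], events: List[AccessEvent]) -> List[Tuple[AccessEvent, str]]:
    """Return every access event that is not permitted, paired with the reason."""
    findings = []
    for ev in events:
        p = patients.get(ev.patient_id)
        if p is None:
            findings.append((ev, "unknown patient id"))
            continue
        ok, reason = is_permitted(p, ev)
        if not ok:
            findings.append((ev, reason))
    return findings

def build_sample() -> Tuple[Dict[str, Patient], List[AccessEvent]]:
    """Constructed patients, care episodes and access log (not real data)."""
    T = datetime
    p1 = Patient("P1", family_physician="DR-F", episodes=[
        Episode("P1", "HOSP-A", T(2025, 1, 10, 9), T(2025, 1, 10, 12), "outpatient", treating_physician="DR-T"),
        Episode("P1", "HOSP-B", T(2025, 2, 1), T(2025, 2, 5), "inpatient"),
        Episode("P1", "HOSP-C", T(2025, 3, 1, 22), T(2025, 3, 2, 3), "emergency", emergency_service="ER-A"),
    ])
    p2 = Patient("P2", family_physician="DR-G", sharing_enabled=False, episodes=[
        Episode("P2", "HOSP-A", T(2025, 4, 1, 9), None, "outpatient", treating_physician="DR-T"),
    ])
    events = [
        AccessEvent(T(2025, 6, 1, 8), "DR-F", "CLINIC-F", "P1"),               # family physician, any time
        AccessEvent(T(2025, 1, 10, 10), "DR-T", "HOSP-A", "P1"),              # treating physician, in window
        AccessEvent(T(2025, 1, 10, 11), "DR-Y", "HOSP-A", "P1"),              # same provider, in window
        AccessEvent(T(2025, 1, 15, 10), "DR-T", "HOSP-A", "P1"),              # after procedures completed
        AccessEvent(T(2025, 2, 3, 10), "DR-X", "HOSP-B", "P1"),               # inpatient, before discharge
        AccessEvent(T(2025, 2, 10, 10), "DR-X", "HOSP-B", "P1"),              # after discharge
        AccessEvent(T(2025, 3, 2, 1), "DR-E", "HOSP-C", "P1", service="ER-A"),   # emergency, right service
        AccessEvent(T(2025, 3, 2, 1), "DR-E2", "HOSP-C", "P1", service="ER-B"),  # emergency, other service
        AccessEvent(T(2025, 4, 2, 9), "DR-T", "HOSP-A", "P2"),                # blocked by patient preference
    ]
    return {"P1": p1, "P2": p2}, events

def run_sample() -> List[Tuple[AccessEvent, str]]:
    patients, events = build_sample()
    return audit(patients, events)

if __name__ == "__main__":
    for ev, reason in run_sample():
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.physician_id} -> {ev.patient_id}: {reason}")
```

Run on the constructed log, the audit flags four events: the treating physician reading the file five days after the outpatient procedures were completed, the ward physician reading it after discharge, an emergency physician from a different service, and an access the patient's preference blocks. In a real hospital information system the episode table would come from admission, discharge and procedure records and the events from the system's audit log; the point of the replay is that a time-limited treatment relationship, not a role alone, is what authorises the access.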
Data Breach Notification in Healthcare
If processed personal data is obtained by others unlawfully, KVKK Article 12 requires the data controller to notify the data subject and the Personal Data Protection Board within the shortest time. The Board may announce the breach on its official website or by other means where necessary.
In healthcare, reportable breaches may include ransomware attacks on hospital systems, unauthorized employee access to patient records, sending test results to the wrong recipient, loss of unencrypted medical files, exposure of patient databases through misconfigured servers, disclosure of psychiatric records, or unauthorized publication of patient images.
Healthcare breach notifications must be handled carefully. Patients should be informed clearly about what happened, what data may be affected, what risks may arise, what measures were taken, and what steps they can take. Breaches involving health data, genetic data, biometric data, children’s data, or psychiatric records may require especially urgent and sensitive communication.
Retention, Deletion, Destruction, and Anonymization
Healthcare providers must retain certain medical records for legal, medical, administrative, and evidentiary reasons. However, health data should not be kept indefinitely without legal basis. KVKK Article 7 provides that personal data must be erased, destroyed, or anonymized when the reasons requiring processing no longer exist, even if the data was originally processed lawfully.
A healthcare retention policy should identify how long patient files, imaging records, laboratory results, consent forms, call center recordings, appointment logs, billing records, insurance documents, complaint files, surveillance camera recordings, and digital access logs will be retained. The policy should also define who is responsible for deletion, destruction, anonymization, and documentation.
Anonymized health data may be useful for scientific research, statistics, public health planning, quality improvement, and medical education. However, anonymization must be real and irreversible in practice. Removing only names may not be enough if the patient can still be identified through rare disease information, date combinations, location, treatment details, or other identifiers.
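The re-identification risk described in this paragraph (names removed, but a rare diagnosis combined with dates and location still singles a patient out) can be measured before any research extract is released. The following is an added example, not code from the article: a k-anonymity check over a constructed, name-stripped extract. It counts how many records share each combination of quasi-identifiers (diagnosis, birth year, admission date, district), generalises birth year to a decade band and admission date to a month, and suppresses the records that remain in a class smaller than k. The records, districts and diagnoses are constructed; the threshold k=3 is an illustrative choice, not a value the article or Turkish law prescribes.

```python
"""k-anonymity check for a name-stripped health extract (added example)."""
from collections import Counter
from typing import Dict, List, Tuple

QUASI_IDS = ("diagnosis", "birth_year", "admission", "district")

# Constructed sample (not real patients); direct identifiers such as names are already gone.
RECORDS: List[Dict] = [
    {"diagnosis": "type 2 diabetes", "birth_year": 1968, "admission": "2025-01-14", "district": "Kadıköy"},
    {"diagnosis": "type 2 diabetes", "birth_year": 1962, "admission": "2025-01-20", "district": "Kadıköy"},
    {"diagnosis": "type 2 diabetes", "birth_year": 1965, "admission": "2025-01-27", "district": "Kadıköy"},
    {"diagnosis": "hypertension", "birth_year": 1971, "admission": "2025-02-03", "district": "Üsküdar"},
    {"diagnosis": "hypertension", "birth_year": 1975, "admission": "2025-02-11", "district": "Üsküdar"},
    {"diagnosis": "hypertension", "birth_year": 1979, "admission": "2025-02-18", "district": "Üsküdar"},
    {"diagnosis": "Huntington disease", "birth_year": 1980, "admission": "2025-02-05", "district": "Üsküdar"},
    {"diagnosis": "type 2 diabetes", "birth_year": 1966, "admission": "2025-01-30", "district": "Kadıköy"},
]

def _key(record: Dict, quasi_ids=QUASI_IDS) -> Tuple:
    return tuple(record[q] for q in quasi_ids)

def equivalence_classes(records: List[Dict], quasi_ids=QUASI_IDS) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_key(r, quasi_ids) for r in records)

def min_class_size(records: List[Dict], quasi_ids=QUASI_IDS) -> int:
    """The k the data set actually achieves; 1 means at least one record is unique."""
    return min(equivalence_classes(records, quasi_ids).values()) if records else 0

def at_risk(records: List[Dict], quasi_ids=QUASI_IDS, k: int = 3) -> List[Dict]:
    """Records whose quasi-identifier combination is shared by fewer than k records."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[_key(r, quasi_ids)] < k]

def generalize(record: Dict) -> Dict:
    """Coarsen birth year to a decade band and admission date to a month."""
    g = dict(record)
    g["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    g["admission"] = record["admission"][:7]
    return g

def suppress_small_classes(records: List[Dict], quasi_ids=QUASI_IDS, k: int = 3) -> List[Dict]:
    """Drop records that still sit in a class smaller than k after generalisation."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[_key(r, quasi_ids)] >= k]

def prepare_release(records: List[Dict], k: int = 3) -> Tuple[List[Dict], int]:
    """Generalise, then suppress; return the releasable records and the k achieved."""
    generalized = [generalize(r) for r in records]
    released = suppress_small_classes(generalized, QUASI_IDS, k)
    return released, min_class_size(released)

if __name__ == "__main__":
    print("raw extract, min class size:", min_class_size(RECORDS))
    print("raw extract, records at risk:", len(at_risk(RECORDS)))
    generalized = [generalize(r) for r in RECORDS]
    print("after generalisation, still at risk:", [r["diagnosis"] for r in at_risk(generalized)])
    released, k = prepare_release(RECORDS)
    print("released:", len(released), "records, k =", k)
```

On the constructed extract every record is unique on the raw quasi-identifiers, so stripping names alone anonymises nothing. Generalising dates collapses the diabetes and hypertension records into classes of four and three, but the single Huntington disease record stays unique because the rare diagnosis itself identifies the patient; it is suppressed, and the remaining seven records are released at k=3. The same check belongs in a retention policy's anonymisation step, run on the actual quasi-identifiers the extract carries rather than on a fixed list.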
Patient Rights Under KVKK
Patients have data subject rights under KVKK Article 11. They may ask whether their personal data is processed, request information about processing, learn the purpose of processing and whether data is used accordingly, know third parties to whom data is transferred domestically or abroad, request correction of incomplete or inaccurate data, request erasure or destruction under legal conditions, request notification of correction or deletion to third-party recipients, object to adverse results arising exclusively through automated analysis, and claim compensation for damage caused by unlawful processing.
Healthcare providers must respond to data subject requests within the legal period. Under Article 13, the controller must conclude requests as soon as possible and at the latest within thirty days.
Patient access requests can be complex because medical records may include doctor notes, third-party information, family history, legal restrictions, or sensitive psychiatric details. Providers should establish a clear internal procedure to verify identity, evaluate the request, protect third-party rights, and respond lawfully.
VERBIS Registration for Healthcare Providers
Healthcare providers may be subject to VERBIS registration depending on their status, size, and data processing activities. KVKK Article 16 requires natural or legal persons processing personal data to register with the Data Controllers’ Registry before starting processing unless an exemption applies. Registry applications include information such as the controller’s identity, processing purposes, data subject groups and categories, recipient groups, personal data envisaged to be transferred abroad, data security measures, and maximum storage periods.
Healthcare providers often process special categories of personal data as part of their main activity. Therefore, clinics, hospitals, laboratories, and similar providers should carefully assess VERBIS obligations and exemptions. Even if an exemption applies, this does not remove other KVKK obligations such as privacy notices, lawful processing, security measures, retention rules, data subject rights, and breach response.
Common Mistakes in Healthcare Data Protection
One common mistake is treating patient consent forms for medical procedures as if they also cover all personal data processing. Medical informed consent and KVKK explicit consent are different legal concepts. A patient’s consent to surgery does not automatically authorize using surgical images for advertising.
Another mistake is giving broad system access to all healthcare personnel. Access should be based on role, department, medical necessity, and time-limited treatment needs.
A third mistake is using patient photographs on websites or social media without valid explicit consent. This is particularly risky in aesthetic surgery, dental treatment, hair transplantation, dermatology, and weight-loss procedures.
A fourth mistake is sending test results, prescriptions, or reports through unsecured messaging applications without appropriate safeguards.
A fifth mistake is transferring health data to foreign software or cloud providers without Article 9 analysis.
A sixth mistake is keeping patient records, call recordings, or camera footage without a defined retention policy.
A seventh mistake is failing to train administrative personnel. Receptionists, call center staff, billing departments, and patient relations teams frequently handle sensitive data and must understand confidentiality rules.
Practical Compliance Checklist for Healthcare Providers
Healthcare providers should prepare a full data inventory covering patient admission, diagnosis, treatment, laboratory, imaging, surgery, inpatient care, billing, insurance, appointment systems, patient complaints, legal claims, and digital platforms.
They should determine the legal basis for each processing activity under KVKK Article 6. They should prepare accurate privacy notices for patients, employees, website visitors, medical tourists, and online platform users. Explicit consent forms should be used only where necessary and should be separate from general privacy notices.
Access control should be strengthened. Only authorized persons should access health records, and access logs should be reviewed. Vendor contracts with laboratories, IT providers, cloud services, call centers, medical tourism agencies, software providers, and archiving companies should include confidentiality, security, breach notification, and deletion obligations.
Cross-border transfers should be mapped and brought into compliance with Article 9. Retention and destruction policies should be prepared. Staff should be trained regularly. Breach response procedures should be tested. Patient rights applications should be managed through a documented process.
Legal Consequences of Non-Compliance
Healthcare data violations may lead to administrative fines under KVKK, Board investigations, data subject complaints, civil compensation claims, disciplinary consequences, professional liability, contractual disputes, reputational harm, and in serious cases criminal law implications. KVKK Article 18 provides administrative fines for failures such as breach of the obligation to inform, breach of data security obligations, failure to comply with Board decisions, breach of Data Controllers’ Registry obligations, and failure to notify standard contracts under Article 9/5.
Because health data is highly sensitive, enforcement risk may be more serious than in ordinary commercial data cases. A breach involving diagnosis records, psychiatric notes, HIV status, pregnancy data, genetic data, addiction treatment, or cosmetic surgery images may cause significant harm and regulatory scrutiny.
Conclusion
Personal data protection in Turkish healthcare and medical services requires a careful balance between healthcare delivery and patient privacy. Hospitals, clinics, laboratories, doctors, dentists, medical tourism companies, telemedicine platforms, and healthcare technology providers must process patient data to provide diagnosis, treatment, care, billing, reporting, and legal services. However, this processing must comply with KVKK, the Regulation on Personal Health Data, patient confidentiality principles, and sector-specific security requirements.
Health data is a special category of personal data under Turkish law. It may be processed only under specific legal conditions and with adequate safeguards. Healthcare providers must inform patients, limit access, secure systems, manage transfers, control vendors, respond to patient requests, retain records lawfully, delete or anonymize data when appropriate, and notify breaches where required.
The 2024 amendments to KVKK Article 6 and Article 9, together with the 2025 amendments to the Regulation on Personal Health Data, show that Turkish healthcare data protection is becoming more structured, detailed, and access-control oriented. In this environment, healthcare providers should not rely on generic KVKK documents. They need sector-specific compliance programs that reflect real medical workflows, digital systems, patient rights, and regulatory expectations.