Protection of Personal Health Data: A KVKK-GDPR Compliance Guide for Pharmaceutical Companies

1. What Is Health Data and Why Is It Sensitive?

Health data refers to any information related to an individual’s physical or mental health. Examples include:

  • Disease diagnoses,
  • Medications used,
  • Blood tests or genetic information,
  • Medical device usage records.

Why is it sensitive?
Because it directly concerns a person’s private life. If it falls into the hands of malicious parties, it may lead to discrimination or privacy violations. For this reason, both KVKK (Turkey) and GDPR (EU) classify health data as “sensitive personal data” and impose stricter rules for its protection.


2. Where Do Pharmaceutical Companies Use This Data?

Pharmaceutical companies process health data in areas such as:

  • Clinical trials: Monitoring the health status of participants.
  • Patient support programs: Providing services to improve treatment adherence.
  • Marketing activities: Statistical data used in product promotion to physicians.
  • Pharmacovigilance: Reporting and monitoring adverse drug reactions.

3. Rules to Follow Under KVKK

➤ Explicit Consent and Exceptions

As a general rule, explicit consent is required to process health data.
However, consent may not be necessary in cases such as:

  • Processing data for public health protection (e.g., Ministry of Health inspections),
  • Processing necessary under a contract (e.g., clinical trial agreements).

➤ Obligation to Inform (Disclosure)

Individuals must be clearly informed about:

  • What data is collected,
  • Why it is collected,
  • With whom it will be shared,
  • How long it will be stored.

➤ Data Security Measures

The company must implement:

  • Technical measures (e.g., encryption, antivirus),
  • Administrative measures (e.g., confidentiality protocols, staff training).

➤ Registration with VERBIS

Companies with over 50 employees or an annual balance sheet exceeding 25 million TL must register in VERBIS, the Data Controllers’ Registry.


4. Rules to Follow Under GDPR

➤ Principle of Lawfulness

Data must be collected for specific, clear, and legitimate purposes.
For example, collecting doctor data for marketing may be legitimate, but collecting patient data without consent is a GDPR violation.

➤ Data Controller vs. Data Processor

  • Data Controller: Determines the purposes and means of processing (e.g., pharmaceutical company).
  • Data Processor: Processes data only upon instruction (e.g., call center service provider).

➤ Data Protection Officer (DPO)

If a company processes large volumes of sensitive data, it must appoint a DPO, who oversees GDPR compliance within the organization.

➤ Data Breach Notification

If a personal data breach occurs (e.g., a database hack), it must be reported to the competent supervisory authority within 72 hours.


5. Can Health Data Be Transferred Abroad?

Under KVKK:

Data transfers from Turkey to abroad are allowed if:

  • The individual has given explicit consent, or
  • The data is transferred to a country approved as safe by the Authority, or
  • A data transfer agreement approved by the Authority is in place.

Under GDPR:

Transfers outside the EU require:

  • A “safe country” decision by the European Commission, or
  • Appropriate safeguards such as Standard Contractual Clauses (SCCs).

6. Compliance Checklist

  • Prepare a data inventory (What data is collected? For what purpose?).
  • Draft disclosure and explicit consent texts.
  • Apply security measures (encryption, access controls, training).
  • Appoint a DPO (if required under GDPR).
  • Sign data processing agreements with third-party vendors.
  • Create a data breach response plan.

Why Is Compliance Strategy Important?

Both KVKK and GDPR are not only legal obligations but also directly impact patient safety and corporate reputation.

Non-compliance may result in:

  • Up to TRY 2 million in administrative fines under KVKK,
  • Up to 4% of annual global turnover under GDPR.

Secure processing of health data is a key indicator of a pharmaceutical company’s ethical integrity.


Conclusion

Proper and secure processing of personal health data in the pharmaceutical industry is more than a legal requirement. It is a foundation for corporate credibility.
KVKK and GDPR compliance helps avoid penalties and builds trust with patients and healthcare professionals alike.
