On 26 February 2025, the Turkish Data Protection Authority (“DPA”) published Guidelines on the Processing of Special Categories of Personal Data (the “Guidelines”). The Guidelines shed further light on the new rules for the processing of sensitive data which came into force on 1 June 2024 as a result of amendments to Turkish Law No. 6698 on the Protection of Personal Data (“DPL”).

The amended rules expand the cases in which sensitive data can be processed without obtaining consent from the data subjects. Most importantly for companies, they address a legal gap by enabling employers to process sensitive data, including health data, to fulfil their legal obligations related to employment and maintain workplace health and safety – without requiring employee consent.

The Guidelines provide companies acting as data controllers with detailed guidance on the steps to be taken to implement the new rules:

  1. Update of data inventory. Data controllers must review the applicable legal grounds for their processing of sensitive data in view of the new rules, and ensure that their data inventory is updated accordingly.
  2. Assessment of explicit consents. As indicated in the Guidelines, consent should not be obtained where one of the exceptions to consent under the DPL applies. The DPA considers that obtaining consent when there is another legal basis to process the data is misleading to the data subject, and constitutes a breach of the DPL. Data controllers should thus reassess the cases in which they rely on consent to process sensitive data, and determine whether the data should now be processed on the basis of a legal exception instead.
  3. Update of privacy notices. Any change in the applicable legal ground for processing sensitive data should also be reflected in the privacy notices given by data controllers to comply with the obligation to inform data subjects. In order to ensure transparency, the relevant data subjects should be informed of such changes in new privacy notices.
  4. Update of data retention and disposal policy. It is necessary for data controllers to review their data retention and disposal policy in order to ensure that sensitive data is not retained longer than necessary under the new legal grounds for processing.
  5. Adoption of data security measures. When processing sensitive data, data controllers must take the additional technical and organisational measures listed in DPA Decision No. 2018/10 dated 31 January 2018, so as to prevent unlawful processing or unauthorised access and to ensure the overall protection and security of the sensitive data. These security measures include establishing clear and sustainable policies and procedures for data security, organising employee access authorisations and regular training, and putting confidentiality agreements in place. It is thus essential for data controllers to review the data security measures in place in relation to the sensitive data they process.

Legal Information

This briefing is for information purposes; it is not legal advice. If you have questions, please call us. All rights reserved.