In its decision dated 11.05.2023 and numbered 2023/787, the Turkish Personal Data Protection Board (“Board”) evaluated a notice regarding a private hospital obtaining explicit consent from patients for processing personal data, including health data, within the scope of advertising and promotion activities.
In the notice, the data subject requested that action be taken, stating that the private hospital, as data controller, requests explicit consent from patients through its patient consent forms in order to share their photographs and videos with contracted media organs for advertising and promotion purposes.
The Board made the following evaluations regarding the notice:
In this case, patients’ explicit consent is requested through the “Informed Consent Form for the Protection of Personal Data Specific to Photograph/Video” presented by the data controller. The form states that, for marketing, advertising and promotion purposes, photos/videos will be recorded and may be transferred to third parties, to national, local and international media organs, and to social media platforms from which services are received or with which the data controller cooperates or has contracted.
Pursuant to the Law on the Protection of Personal Data No. 6698 (“DPL”), explicit consent must be given with free will and based on an informed decision; in addition, the processing must comply with the principles regulated in the DPL of lawfulness and fairness and of processing for specific, clear and legitimate purposes. Pursuant to the opinion of the Article 29 Data Protection Working Party dated 03/2013, in the broadest sense, the principle of processing for specific, clear and legitimate purposes means that the purposes must comply with legislation. In other words, if the personal data processing violates a sector-specific regulation, the processing activity cannot be accepted as lawful.
The Private Hospitals Regulation allows promotion and information by private hospitals if the information is about protecting and improving health, but prohibits promotional activities in the nature of advertising that are carried out with the purpose of creating demand. Statements about the successful outcome of a treatment that include the patient's health problem and the doctor's explanations about the patient are beyond the scope of the information and promotion activities that the same legislation allows health institutions to carry out. In this respect, although private hospitals are prohibited from advertising pursuant to the sector-specific regulation, it is clear that health data and other personal data are processed by the data controller for advertising purposes, and that this processing activity is not in compliance with the legislation and does not have a legitimate purpose.
Further, the principle that processing must be related, limited and proportionate means that personal data that is not suitable for, related to or necessary for the purpose should not be processed, and the principle of proportionality means establishing a reasonable balance between the data processing activity and the intended purpose. Therefore, even if personal data is processed for a specific purpose based on the data subject’s explicit consent, the explicit consent does not legitimize excessive collection of data.
Therefore, although the data controller stated that the video recordings were made with the patients’ explicit consent, in order to raise public awareness of diseases that are rarely known in society and to provide information about the characteristics and treatment process of these diseases in a way that protects and improves health, processing health data is not necessary to achieve those purposes. Considering that there are alternative ways to achieve these purposes that do not require personal data processing, and that the personal data processing is therefore not necessary, this personal data processing activity violates the principle of proportionality.
In this regard, the Board adopted the following decision:
Special categories of personal data are processed by the data controller by shooting videos about the data subjects’ diseases and treatment processes and sharing them on its social media accounts. Although this data processing activity is based on the explicit consent of the data subject, private hospitals are prohibited from advertising according to the Private Hospitals Regulation. Therefore, the data subjects’ explicit consent is not valid and the data subjects’ personal data has been processed unlawfully, without any legal basis. For this reason, the Board decided to impose an administrative fine of TRY 250.000 (approx. 8.635 EUR) on the data controller on the grounds that the data controller did not take the necessary technical and administrative measures for processing personal data lawfully.
The Board also decided to instruct the data controller to terminate the processing of personal data for the mentioned purposes; to destroy such personal data in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data; and, if such personal data was transferred to third parties, to inform these third parties about these transactions.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Ebru Gümüş