In Emergency Situations
04 Feb, 2025

In this bulletin, we will examine the Personal Data Protection Authority’s decision dated August 14, 2023, regarding the decision numbered 2023/787, issued on May 11, 2023, considering the impact of explicit consent in the processing of personal data.

SUMMARY OF THE EVENTS SUBJECT TO THE BOARD’S DECISION

A notification was made to the Personal Data Protection Board (“Board”) regarding the unlawful processing of personal data, including health data, as part of the advertising and promotional activities of a hospital, where explicit consent was sought from patients. According to the complaint, a private hospital requested explicit consent from patients to share their images and videos with media partners for advertising and promotional purposes. It was claimed that this explicit consent was not based on the free will of the patients and that the Private Hospitals Regulation explicitly prohibited advertising and promotional activities by health institutions under Article 60. It was stated that using personal data for advertising and promotional activities, which are prohibited by the relevant regulations, could not be considered a legitimate and lawful data processing activity under Article 4 of Law No. 6698.

In this context, the Board requested a defense from the data controller involved in the case. The data controller denied the claims, stating that they were carrying out information activities regarding less-known diseases to raise public awareness and educate patients about health, with the consent of the patients, and shared the photos and informative videos on the hospital’s website and social media accounts.

In this context, the Board examined whether the explicit consent violated the provisions of the Personal Data Protection Law (“KVKK”) and the advertising and promotion restrictions imposed on private hospitals.

WHAT IS EXPLICIT CONSENT? WHEN IS IT REQUIRED?

With the enactment of the Personal Data Protection Law, the concept of “Explicit Consent” gained significant importance in personal data processing. It is defined in the law as “consent that is given for a specific matter, based on information, and expressed freely.” In this framework, explicit consent is the patient’s agreement to the processing of their data by the data controller or processor based on their free will.

Article 3 of the law outlines the necessary components for valid consent: it must be for a specific purpose, based on information, and expressed freely. The consent must clearly specify what data is being processed. Vague consents are not considered valid under the law. The person must be informed about what will happen after giving explicit consent. This information falls under the “obligation to inform.” When these components are met without coercion, threat, mistake, or deceit, a valid “Explicit Consent” has been obtained under the law.

Before starting a data processing activity, it should be evaluated whether explicit consent is needed. If the data is special category data, it should be checked whether the data processing activity is based on any other legal grounds besides explicit consent. If not, explicit consent is required. In this context, explicit consent legitimizes the data processing activity.

BOARD DECISION

The Board decided that the relevant healthcare institution unlawfully processed personal data based on the following reasons.

Referring to a similar decision dated 20/08/2019 (file number 2019/2602), the Board ruled that using images describing the health issues, the treatment, and the doctor’s behavior during the treatment for promotional activities exceeded the scope of legal activities and that such images should be considered advertisements. The Board found that, despite the ban on advertising by private hospitals, the healthcare institution processed sensitive health data for advertising purposes, and the images created a commercial appearance of the institution’s activities, generated demand, and led to unfair competition.

The Board also concluded that, although the healthcare institution collected data related to the purpose, the excessive data collection based on explicit consent could not be justified. The Board stated that processing patients’ personal data in this way was not a compulsory method for achieving the goal of raising awareness about less-known diseases and providing health-promoting and informational content, and that the processing therefore violated the principle of proportionality.

As a result, the Board ruled that, even though the patients provided explicit consent for the processing of personal data for marketing and promotional purposes, due to the ban on advertising in private hospitals under the relevant secondary legislation, such promotional activities were not permitted. Therefore, in this specific case, “explicit consent” could not be used as a legal basis for data processing.

Consequently, the data controller was fined 25,000 TRY under Article 18 of Law No. 6698, and instructed to cease processing personal data for these purposes. Additionally, the personal data that had been processed and stored must be deleted in accordance with Article 7 of the law and the relevant regulations on data deletion, destruction, or anonymization. If the data had been transferred to third parties, the data controller was required to notify the third parties and inform the Board of the actions taken.

LEGAL EVALUATION

This notification and the defense of the hospital can be clarified not only under the Personal Data Protection Law but also in consideration of the relevant regulations. Article 60 of the Private Hospitals Regulation explicitly states that “advertising and promotion that mislead people, create demand, or violate medical ethics are prohibited.” When examining the situation, it is clear that consent was obtained from the patients for promotional and advertising purposes. The consent obtained under the Personal Data Protection Law conflicts with the relevant provision of the Private Hospitals Regulation. Therefore, the hospital is considered to have assumed a commercial nature. Even if the hospital’s aim is to provide health-promoting and informational content as permitted by the regulations, they could still achieve this goal without obtaining explicit consent from patients and using their personal data in this way.

Although the hospital’s initial explanations could be viewed as “health-promoting and informational,” when evaluated alongside the other regulations, it becomes clear that private hospitals are prohibited from conducting promotional activities aimed at generating demand. In this case, the Board’s decision reminds us of the importance of data processing principles, as it determined that even with explicit consent, if the principle of proportionality is exceeded, the data processing activity is not lawful.

For any questions related to this matter, please contact us using the information below.

Esenyel Partners | Decision of the Personal Data Protection Board dated 11/05/2023 and numbered 2023/787 “On the denunciation that it is unlawful for a hospital to obtain explicit consent from patients regarding the processing of personal data, including health data, within the scope of advertising and promotional activities”