The Event subject to the Judgement
An applicant stated in the case involving the Authority that, express consent is requested from patients on the approval form concerning the sharing of their photos and videos with the media organisations with which the hospital has an agreement for the purpose of advertising and promotion; and that the photos and videos of patients involve sensitive personal data in accordance with the Personal Data Protection Law No. 6698 (“PDPL”) and therefore the applicant expected some exceptions that: it is forbidden to process sensitive personal data whether express consent is obtained or not; it is regulated as a legal obligation that stricter measures should be taken about such protection; Article 60 of the Private Hospital Regulations clearly prohibits health institutions from advertising and promoting such matters in the media; and the use of personal data of patients by private hospital for advertisements and promotion which is prohibited by the legislation related to the sector is not lawful and it does not have any legitimate purposes as stated in Article 4 of the PDPL, the fact that the patient has signed the so-called approval forms written contrary to this will not make the express consent lawful, on the contrary, the fact that the private hospital, which is the data controller, imposes this consent on patients further increases the legal liability that arises, and he requests a resolution.
In summary of the data officer’s defence, he expresses that Article 60 of the Private Hospitals Regulation does not completely prohibit promotion. Private hospitals can provide information for health protection purposes. In order to raise public awareness about diseases that are little known to the public, the company shared these images by informing the patients and obtaining their explicit consent. There was no behavior that undermined the patients’ will during the process of signing the consent documents. The data in question is not health data anyway.
Applicable Legislation
Referring to Article 4 of the PDPL, the Authority states that personal data will only be processed in accordance with the procedures and principles stipulated in the legislation. It must comply with the law and good faith. It should be accurate and up-to-date when it is necessary. Personal data must be processed for specified, clear and legitimate purposes, and personal data must be relevant, limited and proportionate to the purpose for which it is processed. These are mandatory requirements for the processing of personal data. Processed personal data must be kept for a necessary and reasonable period. In addition, the Authority recognizes that the data in dispute is personal data of a special nature and has stated that the processing of this data can only be possible with the express consent of the individuals.
When the approval form for the incident was examined, it was determined that the express consent of the patients was requested in the form, and that the photo and video taken in the name of advertising and promotion would be recorded and transferred to social media platforms.
The Authority emphasized that in accordance with Article 4, paragraph 2, subparagraph (a) and (c) of the PDPL, the processing of personal data should be in accordance with the law and good faith rules and should contain significant, clear and legitimate purposes. In addition, the Authority stated that the processing of personal data is unlawful if the processing of personal data leads to a violation within the scope of sector-specific regulation.
Conclusion
The Authority referred to the decision of the Advertising Board dated 20.08.2019 and file number 2019/2602, which was related to a different issue from the concrete case. In the promotion of a private hospital, the health problems of the patients and the successful outcome of their treatment are mentioned. This promotion exceeded the informing and promotion activities permitted by the legislation. This promotion also resembles a commercial and it is demand stimulating. Therefore, it has been evaluated that the data processing activity in question is unlawful and does not have a legitimate purpose.
According to the principle of the limited and proportionate processing of personal data regulated in Article 4, paragraph 2, subparagraph (ç) of the PDPL, although photographs and videos are taken in line with the express consent of the patients, it is not necessary to process personal health data for the purpose in question as it is possible to provide information about diseases without processing personal data and accordingly, it is not necessary to process personal data; therefore, the data processing activity subject to the dispute constitutes a violation of the principle of proportionality and an administrative fine of TL250,000 was imposed in accordance with Article 18, paragraph 1, subparagraph (b) of the PSPL.
Moreover, in accordance with Article 15, paragraph 7 of the PDPL, it was decided to terminate the processing of personal data, to destroy the personal data processed and kept until the day of the incident, to notify third parties about the destruction of this data if such data is transferred to third parties, and to instruct the data controller to fulfil the obligation by third parties and to inform the Authority.