Recent Decision of Personal Data Protection Board on the Complaint about Demand for Explicit Consent
The Personal Data Protection Board issued its decision dated 03.09.2020 and no.2020/667 regarding the subject of an insurance company requiring the service to be provided to the relevant person to obtain express consent. The decision was published on the website of the Personal Data Protection Board on 11.02.2021.
In the petition of a complaint submitted to the Authority; the relevant person applied to an insurance company who is a data controller and wanted to renew the health insurance policy arranged for his family. However, it was stated that the data controller wanted to obtain explicit consent from him to renew the policy. It has been requested by the relevant person that necessary actions should be taken against the data controller.
As a result of the evaluation of the application, the Personal Data Protection Board issued the decision with the following evaluations:
Provisions regarding sensitive personal data are included in Article 6 of the Personal Data Protection Law titled "Conditions for the Processing of Sensitive Personal Data". As per paragraph number (1) of the Article, sensitive personal data constitutes as, "race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data”.
As per paragraph number (2) of the Article, it is forbidden to process sensitive personal data without the express consent of the person concerned. As per paragraph number (3) of the Article, personal data other than the health and sexual life listed in the first paragraph may be processed without seeking the explicit consent of the person concerned in cases stipulated by the law. Personal data relating to health and sexual life, on the other hand, can only be collected by persons under the obligations of confidentiality or authorized institutions and organizations and can be processed without seeking the express consent of the person concerned for the purposes of protecting public health, conducting preventative medicine, medical diagnosis, treatment and care services, planning and managing health services and financing.
In this context; the health insurance policy includes health data that constitutes sensitive personal data. Accordingly, health data included in the insurance policy cannot be processed within the scope of paragraph (3) of Article 6 of the Personal Data Protection Law. Data processing can only be carried out by obtaining the explicit consent of the relevant person and therefore the request to obtain explicit consent from the relevant person does not constitute a violation of the Personal Data Protection Law.
In consequence of these evaluations, the Personal Data Protection Board decided that there was no action to be taken under the Personal Data Protection Law regarding the complaint.
Article contact: Bilge Derinbay / E-mail: firstname.lastname@example.org