NEWSLETTER-2019-metin

279 PERSONAL DATA PROTECTION operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services, as well as their financing.” For instance, the data retained and processed for the purposes mentioned under Article 6 (3) by the Ministry of Health, healthcare institutions, or the Social Security Institution, is within the scope of the relevant exception. The Highlight of the Guideline When an adverse incident has been notified to a pharmaceutical company, in order to comply with the pharmacovigilance requirements regarding “definable patient” and “definable reporter,” personal data shall be collected. Pursuant to Article 2.1 of the Guideline, for the processing of per- sonal data for the purpose of pharmacovigilance, the explicit consent of the data subject is not necessary. The former rule is independent from the notifying party’s identity: Whether it is the data subject or the reporter of the adverse effect. The Guideline bases the relevant Article 2.1 to Article 6 (3) of the Law. In that scope, the Guideline accepts the pharmacovigilance data as “sensitive data,” and the pharmaceutical companies as those who are under the “confidentiality obligation”. In addition, the Guideline explicitly states that even though Ar- ticle 2.1 does not require explicit consent, this shall not be construed to be a general exemption from the Law. Accordingly, during phar- macovigilance activities, the parties shall abide by all incumbencies, particularly the obligation to inform, and the obligations regarding data safety. Other Issues in the Guideline The Guideline explains data safety measures in detail. Further- more, with regard to international data transfer, the Guideline makes a separation between “safe” and “unsafe” countries. If there is deemed to be sufficient protection in the recipient country, personal data may