Kümüş & Yüksel Partners Logo

New Era in Processing Special Categories of Personal Data

IT LAW
20 Jun 2025

The recent amendments to the Personal Data Protection Law (“PDPL”) have initiated a fundamental transformation in the processing of special categories of personal data. This transformation removes the restrictions of the previous period, granting data controllers a wider scope of action while also accelerating the alignment with European standards. Previously, the processing of such data was almost entirely conditional on the explicit consent of the data subject, but with the new regulation, additional legal grounds have been determined. This move is not merely a legal obligation; it's a significant step that enhances the fluidity of operational processes and legal certainty.

1. Definition of Special Categories of Personal Data and Previous Restrictive Practices

The PDPL categorizes personal data into two main types: "special categories" and "general." Special categories of personal data include individuals' most intimate and sensitive information, thus requiring stricter rules for their processing. The Law explicitly lists these as: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Before the amending Law, the primary, and almost sole, condition for processing this sensitive data was obtaining the explicit consent of the data subject. This often put data controllers in challenging situations, especially when obtaining consent was practically impossible or its legal validity questionable. For example, processing a person's health data in an emergency when consent couldn't be obtained fell into a legally ambiguous area. Considering that explicit consent should be a last resort, the previous situation was clearly legally unsound. Furthermore, the distinction made between health or sexual life data and other special categories of personal data caused confusion in practice, leading to a strong expectation that this distinction would be removed.

2. Comprehensive Innovations and New Legal Grounds with the Amendment

To overcome this "bottleneck" in practice and align more closely with international standards like the EU's General Data Protection Regulation (“GDPR”), the Amending Law significantly broadened the conditions for processing special categories of personal data. Consequently, all special categories of personal data (including health data and data related to sexual life) can now be processed without requiring the explicit consent of the data subject when specific additional legal grounds exist. This provides substantial relief and legal assurance, especially for data controllers' operational processes.

Under the new regulation, the legal grounds for processing special categories of personal data are as follows:

  • Explicit consent of the data subject: Although other grounds have been expanded, explicit consent, freely given by the data subject, remains one of the strongest and most fundamental conditions for processing.
  • Explicitly foreseen by laws: In cases where specific laws explicitly mandate the processing of special categories of data, processing is possible without consent. This forms an important basis, particularly for public institutions and data controllers in certain sectors.
  • Necessity for the protection of the life or physical integrity of the data subject or of another person, where the data subject is physically or legally incapable of giving consent: In emergency situations where consent cannot be obtained, or where the data subject's consent is not legally valid, special categories of data may be processed to protect the life and physical integrity of individuals. For instance, processing the health history of an unconscious patient to save their life falls under this category.
  • Relating to personal data made public by the data subject and in accordance with their intention to make it public: Special categories of data that an individual has voluntarily made public can be processed in line with their intention to disclose them. This applies particularly to public figures or individuals who share personal information on social media.
  • Necessity for the establishment, exercise, or protection of a right: If processing special categories of data is necessary for the acquisition, exercise, or protection of a legal right, consent is not required. For example, the presentation of a person's health data as evidence in a legal case might fall into this category.
  • Necessity for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, the planning, management, and financing of health services, by persons under the obligation of secrecy or by authorized institutions and organizations: This provision is of vital importance for institutions and individuals operating in the healthcare sector. Doctors, hospitals, and relevant health organizations can process patients' health data without consent for the purpose of protecting public health and providing medical services.
  • Necessity for fulfilling legal obligations in the fields of employment, labor and social security, or social services: This provision provides significant ease for employers and relevant social security institutions, legally solidifying the processing of employees' special categories of data in areas such as occupational health and safety.
  • By political parties, religious or trade union-based foundations, associations, and other non-profit organizations or formations, provided that they are in compliance with their legislation and objectives, limited to their field of activity, and not disclosed to third parties; for their existing or former members and affiliates, or for individuals with whom these organizations and formations are in regular contact: This provision allows certain civil society organizations or political formations to process special categories of data related to their members or individuals with whom they are in regular contact, in line with their operational objectives.

3. Issues Resolved in Employer-Employee Relationships

In the period preceding the amendment, the processing of employees' special categories of personal data (especially health data) within employer-employee relationships largely depended on the employee's explicit consent. This created significant operational difficulties for employers and led to legal debates regarding whether consent given in a subordinate relationship was freely provided. With the new regulation, these issues have been largely resolved.

Now, employers who obtain and process their employees' health data within the scope of occupational health and safety obligations can rely on the legal ground of "necessity for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance", and will not require explicit consent for this. This is a critical step that enhances the legal security of employers in fulfilling their legal obligations and streamlines their processes.

4. Compliance Process and Strategies for Data Controllers

These comprehensive changes necessitate that data controllers review their existing compliance practices and policies regarding the processing of special categories of personal data. It's especially crucial to update the following areas:

  • Personal Data Processing Policies: Internal data processing policies of organizations should be revised to include the new legal grounds, and clear guidelines should be established on when these grounds will apply.
  • Information Notices: Information notices provided to data subjects must be updated to clearly state the legal basis and purpose for processing special categories of data. This is a requirement of the transparency principle.
  • Explicit Consent Practices: Instead of resorting to explicit consent in every instance, data controllers should prioritize evaluating the new legal grounds. If a processing activity falls under the new grounds, obtaining unnecessary explicit consent should be avoided. This also reduces the risk of "consent abuse."
  • Process-Specific Assessment: Each special category data processing activity must be thoroughly evaluated within the framework of the newly defined legal grounds, and the most appropriate legal basis must be determined. This helps minimize potential legal risks.

This new era presents an opportunity for data controllers to further develop their personal data protection culture, strengthen their risk-based approaches, and take proactive steps to ensure full compliance with the legislation. A legally compliant and transparent data processing practice both ensures legal certainty and earns the trust of data subjects.


© 2024-2025 All rights reserved | KY Partners