A. INTRODUCTION
The Regulation on Personal Health Data (the “Regulation”) was substantially revised by the Regulation Amending the Regulation on Personal Health Data, published in the Official Gazette dated December 3, 2025, and numbered 33096 (the “Amending Regulation”).
The main purpose of these amendments is to ensure the continuity of healthcare services, eliminate bureaucratic obstacles encountered in practice, and bring the provisions of the Regulation into full compliance with the Personal Data Protection Law No. 6698 (“KVKK”). Below is a comparative analysis of the previous version of the legislation and the new regulations:
B. COMPARATIVE ANALYSIS OF THE CHANGES
1. Procedure for Lawyers’ Access to Health Data
Under Article 10 of the Regulation, which has been repealed by the new amendment, lawyers were not permitted to access their clients’ health data with a general power of attorney, and the Regulation required a specific provision in the power of attorney indicating explicit consent for the processing and transfer of special category personal data.
With the new amendment, Article 10 of the Regulation has been repealed. With this repeal, lawyers’ access to health data has become subject to the general provisions of the KVKK and, in particular, to the condition set out in Article 6(3) of the KVKK that “data processing is necessary for the establishment, exercise, or protection of a right.” It is now legally possible for lawyers to access health data under a general power of attorney within the scope of performing their duties as lawyers, without the need for a specific declaration of explicit consent in the power of attorney.
2. Health Personnel’s Data Access Authority and Duration
Under Article 6 of the Regulation prior to the amendment, physicians’ access to patient data was restricted by appointment dates or strict 24-hour periods rather than the necessity of healthcare services. It was observed that this time-based restriction was incompatible with the principle of continuity of treatment processes and caused difficulties in practice.
With the Amendment Regulation, Paragraph 2 of Article 6 of the Regulation was reorganized, abolishing the time-based access procedure and establishing a process-based access regime in its place. Under the new regulation, access rights are governed as follows:
- Family Physicians: They have access rights to the health data of their registered patients without any time limit.
- Examination and Treatment Process: The relevant physician’s data access authority shall continue until the medical procedures directly related to the examination, testing, consultation, and treatment are completed.
- Inpatients: All physicians working in the relevant department have access to the patient’s data until the patient is discharged from the healthcare facility.
- Emergency Department: All physicians assigned to the relevant healthcare facility have access to the data until patients admitted to the emergency department are discharged.
3. E-Nabız Privacy Preferences and Access Security
In the repealed regulation, data access rules were subject to a dual distinction based on whether the person had an e-Nabız account. With the new regulation introduced by the Amendment Regulation, Article 6 of the Regulation was amended, removing the e-Nabız account distinction and providing for a uniform privacy regime for all relevant persons:
- If the relevant person restricts access to their past health data, the physician’s access to this data will only be legally possible if the verification code sent to the patient’s registered phone number is shared with the physician and entered into the system.
- For inpatients and patients admitted through the emergency room, considering cases where delay in healthcare services would be detrimental, physicians are permitted access without regard to privacy settings and without the requirement of a verification code.
- In cases where the individual cannot access their phone and therefore the verification code, such as in cases of detention or imprisonment, data access is permitted without any security setting checks, within the limits of Article 6, Paragraph 3 of the KVKK.
4. Access to Children’s Data During and After Divorce
In the pre-amendment version of Paragraph 2 of Article 8 of the Regulation, there was no explicit provision regarding the procedure for accessing the health data of a child by a parent who did not have custody, and the practice was carried out within the framework of the administrative discretion and limits determined by the General Directorate of Health Information Systems.
This normative gap led to legal uncertainties and hesitations in practice, so the new regulation clarifies access rights by amending Article 8 of the Regulation:
- The party granted temporary custody during divorce proceedings or the party awarded custody as a result of the proceedings will have direct access to the child’s health data.
- The parent who does not have custody does not have direct access to the health data of the child. Access requests must be submitted to the General Directorate, and if the request is deemed appropriate by the administration, data relating exclusively to the child’s health status will be shared, with the address, location, and contact information of the custodial parent and the child masked. This regulation aims to establish a legal balance between the safety and privacy of the child and the custodial parent and the other parent’s right to information.
5. Data of Caregivers and Persons with Disabilities
Prior to the amendment, the Regulation’s Article 4, titled “Definitions,” did not include a definition of “caregiver,” and there was a legal loophole regarding access to the health data of persons with disabilities by caregivers other than their legal guardian.
With the new regulation, the definition of “caregiver” has been added to Article 4 of the Regulation; according to this definition, a caregiver is defined as “the child’s guardian or legal representative or natural or legal persons authorized to be responsible for their care and supervision.“ Furthermore, the process has been simplified by stipulating that caregivers who actually provide care to individuals with disability reports can also access their health data.
6. Data Retention Periods and Other Provisions
The period for storing the health data of deceased persons, as stipulated in Article 11 of the Regulation, has been extended from 20 years to 30 years.
7. Other Amendments
In the third paragraph of Article 5 of the Regulation, the phrase “necessary for the provision of health services” in the data processing conditions has been removed and replaced with a direct reference to the provisions of the third paragraph of Article 6 of the KVKK. Thus, the legal basis for data processing is linked to the condition in the KVKK that “medical diagnosis, treatment, and care services are carried out by persons under a duty of confidentiality.”
C. CONCLUSION
The Amendment Regulation published in the Official Gazette dated December 3, 2025, demonstrates a fundamental change in the regime for the processing, protection, and transfer of personal health data, in line with the mandatory provisions of the KVKK and current legal requirements.
These amendments have, on the one hand, expanded the scope of the freedom to seek justice by abolishing formal requirements such as “special authorization/explicit consent” for lawyers’ access to data; on the other hand, they have reinforced the principle of continuity of public service by shifting healthcare professionals’ access rights from a time-limited system to a process-oriented system.
In this context, it is important that all relevant data controllers, particularly healthcare providers, bring their information notices and data retention and destruction policies into compliance with these new regulations.
