The contract between a doctor and her/his patient is formed when the patient consults the doctor for medical purposes and the doctor agrees to perform the medical intervention [1]. Medical intervention may be defined as activities carried out by a doctor, in accordance with medical science, in order to diagnose, treat and, if treatment is not possible, relieve, ease, slow or hinder the illness. Once the contract is formed, the doctor is under the obligation to act carefully, examine, diagnose and treat the patient, and protect the patient’s privacy.

A doctor has to examine the patient and collect her/his medical history before applying the relevant treatment. If the findings are inadequate for a proper diagnosis, the doctor will ask to run medical tests that require various samples to be taken from the patient. In short, any data concerning the patient’s medical status, whether obtained directly from the patient or through tests, constitutes a person’s “health data”, which is a special category of “personal data”.

The Law on Protection of Personal Data nr. 6698 defines personal data as “all the information relating to an identified or identifiable natural person”.

The term “health data” is defined under Regulation (EU) 2016/679 of the European Parliament and of the Council as follows:

“Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.”

II – Legal Basis of A Patient’s Right to Privacy

Article 6 of the European Charter of Patients’ Rights sets out: “Every individual has the right to the confidentiality of personal information, including information regarding his or her state of health and potential diagnostic or therapeutic procedures, as well as the protection of his or her privacy during the performance of diagnostic exams, specialist visits, and medical/surgical treatments in general.”

Adopted by the 34th World Medical Assembly, the Declaration of Lisbon on the Rights of the Patient proclaims that all identifiable information about a patient’s health status is confidential even after the patient’s death, and that it may be disclosed only upon explicit consent.

Article 6 of the Patient Rights Regulation provides that a patient’s private and family life may not be interfered with unless there is either a legal or a medical necessity to do so.

Section 6 of the Law on Protection of Personal Data nr. 6698 deems all health-related data a special category of personal data, and sets out that it may not be processed without explicit consent, except for any purpose of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of non-disclosure, or any authorized institutions and organizations.

As can be seen, all health-related data are considered extremely confidential and are subject to strict protection policies both nationally and internationally.

III – Sources of Criminal Liability of A Doctor Disclosing A Patient’s Personal Data

Section 136 of the Turkish Criminal Code nr. 5237, titled “Illegally obtaining or delivering of data”, reads as follows: “Any person who illegally delivers data to another person, or publishes or acquires the same through illegal means is punished with imprisonment from one year to four years.”

Section 258 of the Turkish Criminal Code nr. 5237, titled “Disclosure of office secrets”, reads as follows: “Any public officer who discloses or publicizes the confidential documents, decisions and orders and other notifications delivered to him by virtue of office, or facilitates access to such information and documents by third parties, is punished with imprisonment from one year to four years.”

These two sections are considered to be possible sources of a doctor’s liability for breaching her/his patients’ privacy. It should first be stated that this distinction applies to doctors who perform a public duty and are therefore public officers, as “disclosure of office secrets” may only be committed by public officers. According to the Court of Cassation, doctors who work at private hospitals and/or private clinics are not considered to be public officers [2].

IV – Criminal Liability of A Doctor Disclosing A Patient’s Personal Data

The old version of the Turkish Criminal Code, nr. 765, included the offence of “disclosure of a professional secret”, which is very similar to “disclosure of office secrets” as set out under the current version of the Turkish Criminal Code nr. 5237. According to the Cambridge Dictionary, a secret is “a piece of information that is only known by one person or a few people and should not be told to others” [3]. For a secret to be deemed professional or office-related, it has to be delivered to the public officer upon trust in her/his title or professional reliability.

As defined in the introduction above, personal data means the following: “Any data relating to a natural person is regarded as personal data.” Compared to the term “secret”, “personal data” clearly has a broader definition [4]. In an effort to keep up with the worldwide legal trend regarding data protection, the current version of the Turkish Criminal Code nr. 5237 has deemed “illegally obtaining or delivering of personal data” a criminal offence for the first time. However, “disclosure of office secrets” was adapted, with minor changes, from the old version of the said code.

Personal data does not have to be a secret. However, a piece of information known to everyone cannot be categorized as personal data. Since a doctor is legally obliged to look out for her/his patient’s interests at all times, it would be best to adopt the criterion “information that has to remain a secret due to the patient’s interests” [5].

It might be argued that “disclosure of office secrets” will be applicable to doctors who work at public hospitals, as it pertains solely to public officers and is hence more specific compared to “illegally obtaining or delivering of personal data”. On the other hand, considering that the legislator made a new rule covering almost the same subject and broadened the aspects of the object and the legally protected value of the crime, it would be right to assume that they wanted to provide a further scope of protection.

It is also important to note that section 137 of the current version of the Turkish Criminal Code nr. 5237 states that the main crime takes an aggravated form if the person who illegally delivers data to another person a) “is a public official misusing her/his power derived from her/his public post” or b) acts “by benefiting from the privileges derived from a profession or trade”. This also indicates that the legislator intends to apply the said section to public officers.

In addition, a patient does not share her/his medical data with the doctor because of the trust generated by the doctor being a public officer. What the patient trusts is that the doctor will use the information provided to her/him only for medical purposes, and will not breach her/his privacy by delivering it to a third party unless legally or medically so required. This fair belief is due to the nature of the relationship between a patient and her/his doctor. In this sense, it is unfair and against the “equality principle” to make a distinction between doctors who are public officers and those who work privately [6].

In consequence, a doctor who illegally disseminates or delivers her/his patient’s personal data to a third party, whether working privately or in a public hospital, will be punished pursuant to section 136 of the Turkish Criminal Code. The penalty will be increased pursuant to section 137 because the doctor acquired the illegally delivered information through her/his profession.

Att. Ezgi Ozdemir



1. Hakan Hakeri, “Tıp Hukuku”, 4th Edition, Ankara, 2012, p. 43

2. The Decision, dated 30.05.2018, numbered 2018/6166 and bearing the File Number 2016/9578, of the 12th Penal Chamber of the Court of Cassation

3. https://dictionary.cambridge.org/dictionary/english/secret

4. Sabire Senem Yılmaz, “Tıp Hukukunda Kişisel Verilerin Açıklanması Suçu”, Ankara, 2014, p. 85

5. Handan Yokuş Sevük, “Tıp Ceza Hukukunda Kişisel Verilerin Açıklanması”, Tıp Ceza Hukukunun Güncel Sorunları, Türkiye Barolar Birliği Yayını, Ankara, 2008, p. 796

6. Hakeri, ibid., p. 750