DECISION, DATED 07.05.2020 AND NUMBERED 2020/355, OF THE PERSONAL DATA PROTECTION BOARD

The incident, constituting the subject matter of the decision, is as follows: A petitioner applies with the Provincial Directorate of Health, claiming that a pharmacist is uncapable of practicing due to health issues and therefore lacks the knowledge and skills required by the job, and should not be allowed to run and be in charge of a pharmacy for the benefit of public health. Attached to the petition, there are “Medula Pharmacy” documents that disclose some diagnostic and pharmaceutical information belonging to the afore-mentioned pharmacist.

“Medula” is an electronic information system run by the Social Security Institution to collect healthcare data and perform billing based on such data. “Medula Pharmacy” is a system that monitors if the drug prescriptions, received by General Health Insurance right holders from pharmacies contracted with the Social Security Institution, are in accordance with the rules, as set by the Social Security Institution, or not.

Pharmacies contracted with the Social Security Institution are authorized to make use of this system and can log into the system with their ID numbers and access all personal data, and sensitive personal data. Therefore, pharmacists can process data through the Medula System.

Provincial Directorate of Health reports the incident to the Personal Data Protection Board as the petitioner’s spouse is also a pharmacist, and it is highly likely that the Medula Pharmacy documents, attached to the petition, have been obtained from the spouse’s pharmacy.

Personal Data Protection Board adopted a decision, stating that the pharmacy failed to take necessary actions to prevent third parties from accessing to Medula System under the scope of the contract between the pharmacy and the Social Security Institution. The pharmacy, breaching the Section 12 of the Law on Protection of Personal Data, received an administrative fine of TRY 60,000.00 pursuant to the Section 18/1 thereunder.

The Board also denounced to the Public Prosecutor’s Office that the petitioner, who used Medula Pharmacy documents belonging to the respective person, acquired the respective personal data through illegal means, resulting in the breach of the Section 136 of the Turkish Penal Code.