Guide
Jul 9, 2025
Right to Rectification & Erasure of Health Data (KVKK)
Learn how under KVKK individuals can request correction or deletion of their health data, the process, deadlines and legal remedies explained.

Control Over Personal Health Data: The Process of Rectification, Erasure, and Legal Recourse
Under Law No. 6698 on the Protection of Personal Data (KVKK) in Turkey, the health data of individuals is classified as a special category of personal data. The legal regulations governing the processing, protection, and erasure of this data are applied with paramount sensitivity. This article thoroughly examines the right of individuals to request the rectification or erasure of their health data when it is incomplete, inaccurate, or when the conditions for processing have ceased to exist. It also details the legal basis for these rights, the administrative application process, and the legal remedies available against a negative decision by the administrative authority.
I. Health Data and the Legal Framework
1. What is Personal Health Data and Why is it Special?
Personal data refers to any information relating to an identified or identifiable natural person. An individual’s health data is designated as a special category of personal data by the KVKK and related legislation because unlawful processing carries an inherent risk of prejudice or discrimination. This data includes information regarding an individual's physical and mental health status, health services received, and diagnostic and treatment processes.
The protection of health data is vital for safeguarding an individual's right to privacy and fundamental rights and freedoms. Consequently, the Law imposes additional obligations on data controllers to ensure the security of special categories of personal data.
2. The Legal Basis for the Right to Erasure, Destruction, and Rectification
The right of data subjects (natural persons whose data is processed) to control their own data constitutes the foundation of the KVKK. These rights are clearly stipulated in Article 11 of the Law.
Data subjects may request the rectification or erasure of their health data based on a legitimate reason. The legal basis for these requests is Article 11 of the Law, together with Article 7, which regulates the conditions for the erasure or destruction of data.
Law No. 6698 on the Protection of Personal Data (KVKK) Article 11 (Rights of the Data Subject) (In Summary):
The data subject, by applying to the data controller, has the right to:
(c) Request the rectification of personal data if it is incomplete or inaccurately processed,
(d) Request the erasure or destruction of personal data within the framework of the conditions stipulated in Article 7,
(f) Request notification of the rectification or erasure/destruction to third parties to whom the personal data has been transferred.
Law No. 6698 on the Protection of Personal Data (KVKK) Article 7 (Erasure, Destruction or Anonymisation of Personal Data) (Direct Quote):
(1) Despite being processed in compliance with the provisions of this Law and other relevant laws, if the reasons requiring the processing cease to exist, personal data shall be erased, destroyed or anonymised by the data controller ex officio or upon the request of the data subject.
In this context, if a piece of health data (such as diagnosis, treatment information, appointment record, etc.) is incomplete, erroneous, or no longer up-to-date, or if the legal grounds requiring the processing of that data (e.g., expiry of the statutory retention period) have been eliminated, the data subject may request the rectification or destruction (erasure, destruction, or anonymisation) of this data.
II. The Process for Erasure and Rectification of Health Data
When a data subject requests the rectification or erasure of their data held by a healthcare institution, an administrative process is initiated. This process is determined in accordance with Article 13 of the Law.
1. Application to the Data Controller
The data subject must first submit their requests to the healthcare institution (hospital, provincial health directorate, etc.) which is the data controller, in writing or through other methods determined by the Board (Personal Data Protection Board). This application is made via a formal written petition or request, and the nature of the data, the justification for rectification/erasure, and the scope of the request must be clearly specified.
Law No. 6698 on the Protection of Personal Data (KVKK) Article 13 (Application to the Data Controller by the Data Subject):
(1) The data subject shall submit their requests regarding the implementation of this Law to the data controller in writing or through other methods to be determined by the Board.
The data controller, that is, the healthcare institution to which the application is made, is obliged to take all necessary technical and administrative measures to ensure that the personal data subject to the request for erasure is rendered inaccessible and non-reusable by the relevant users. Erasure means that the data is no longer accessible to the relevant users, while destruction means that the data is rendered irrecoverable and unusable by anyone through any means.
2. Conclusion of the Application and Response Period
The data controller is obliged to conclude the request received from the data subject according to its nature as soon as possible and, in any case, within thirty days.
Law No. 6698 on the Protection of Personal Data (KVKK) Article 13 (Application to the Data Controller by the Data Subject):
(2) The data controller shall conclude the requests included in the application free of charge as soon as possible and, in any case, within thirty days. However, if the transaction requires an extra cost, the fee determined by the Board’s tariff may be charged.
If the data controller deems the request justified, the requested rectification or erasure is performed, and the applicant is notified of this action. If the requested operation is to be carried out in compliance with the Law and relevant Regulation provisions, the data controller selects and applies one of the appropriate methods of erasure, destruction, or anonymisation.
III. Legal Remedies Against an Administrative Refusal
If the healthcare institution refuses the data subject's request, provides an insufficient response, or fails to respond within the legal thirty-day period, the data subject's right to appeal and complain arises. At this stage, the legal avenue to be pursued is filing a complaint with the Personal Data Protection Board (KVKK).
1. Complaint to the Personal Data Protection Board
The data subject may file a complaint with the Board within thirty days from the date they learn of the negative response from the data controller, and in any event, within sixty days from the date of the initial application.
Law No. 6698 on the Protection of Personal Data (KVKK) Article 14 (Complaint to the Board) (In Summary):
(1) In cases where the application is rejected, the given response is found insufficient, or no response is provided within the stipulated period, the data subject may file a complaint with the Board within thirty days from the date they learn of the data controller's response, and in any case, within sixty days from the date of the application.
(2) A complaint cannot be filed with the Board without exhausting the administrative application route pursuant to Article 13.
The Board evaluates the complaint and examines whether the data controller acted in compliance with the provisions of the Law. The Board's decision is binding on the data controller, and the Board may decide in favour of the erasure/rectification of the relevant data if a violation of the Law is identified.
2. Judicial Recourse Against Board Decisions
The process under the KVKK is an administrative application and administrative supervision mechanism. The data subject also retains the right to judicial recourse against the decisions made by the Board. A lawsuit can be filed in the administrative judiciary, specifically the Administrative Court, against the decisions of the Board. This is the highest legal review mechanism, pursued after the completion of administrative processes, under the constitutional guarantee of the right to protection of personal data.
This legal process is critically important, particularly for the rectification or erasure of an inaccurate or obsolete health record that directly affects an individual's professional or social life (e.g., when health records impede eligibility for a licence, a permit, or fitness to practice a profession). By exercising these rights, individuals can re-establish control over their special categories of data.
Conclusion
Personal data is one of the most significant assets of the modern age, and health data, as a special category of personal data, constitutes the most sensitive category. The KVKK grants individuals powerful rights, such as rectification and erasure, over their own health data and ensures the protection of these rights through administrative and judicial avenues. If a piece of health data is incomplete or inaccurate, or if the grounds for processing have ceased to exist, the data subject can initiate the process with an application to the data controller and, even if a negative response is received, pursue their rights through the Board and judicial review. The correct management of these processes ensures the safeguarding of individuals' privacy and their futures.


