Covid-19 and personal data protection in Turkey – Frequently asked questions
1. Can processing personal data for the purpose of protecting public health within the scope of the struggle and measures taken to prevent the Covid-19 epidemic and its risk be considered as an exception under the Personal Data Protection Law in Turkey? What are the legal reasons for data processing within this scope?
Article 28 of the Law on the Protection of Personal Data No. 6698 ("Law No. 6698") lists the cases that may be exempted from the application of the law. However, unfortunately, the processing of personal data for the purpose of protecting public health and preventing pandemic risks or protecting the public from threats to health is not included among these cases. On the other hand, there is no similar legal basis for processing of personal data or sensitive personal data (such as health data). Since the exceptional rule for the processing of health data (without the need for consent) is regulated in a very restricted scope under Article 6/3 of Law No. 6698, its application in practice is rather limited.
For this reason, under the Law No. 6698, it will be necessary to obtain the explicit consent of data subjects as regulated in Article 6/2 of the Law No. 6698 in terms of processing of health data. Besides, for personal data that is not considered as health data, data processing conditions within the scope of Article 5/2 of Law No. 6698 (except for explicit consent) may also find application depending on the situation.
2. Can employers process travel history data of their employees or visitors?
Therefore, employers need to take some precautions to prevent the Covid-19 outbreak from spreading in the workplace and to protect the health of their employees as well as the public.
In this context, many workplaces ask their employees to share information about their recent travels (especially in the last 14 days). Similarly, this information is also requested from visitors to the workplace.
Travel information of employees or visitors is considered to be personal data under Law No. 6698. For this reason, employers will be considered as data controllers in terms of their data collection and processing activities. Therefore, employers who are data controllers must act in accordance with the relevant articles of the Law No. 6698 when processing the travel history information of the employees or visitors.
Data controllers may process the travel history data of employees without seeking explicit consent as “it is necessary for the data controller in order to fulfill a legal obligation” as stated in Article 5/2(ç) of Law No. 6698. Thereafter, they can take required measures to prevent any risk.
On the other hand, it is important to note that employers must comply with the general principles set out in Article 4 of Law No. 6698 when processing personal data. In this context, employers must process personal data lawfully, fairly and in a transparent manner, must collect and process data for specified, explicit and legitimate purposes, and must ensure that personal data is accurate, adequate and limited to what is necessary in relation to the purpose of collection. Therefore, data controller employers must collect and process the travel data of the employees or visitors only to the extent sufficient and necessary to combat the Covid-19 outbreak and take necessary measures in the workplace, and they must not process any personal data more than what is necessary. In this context, it may be considered reasonable to ask for information about which countries the employees and visitors travel to, whereas the request for the specific address in that country exceeds the limit of proportionality.
3. Can employers ask their employees or visitors to the workplace to report whether they show any signs of illness as part of combating the Covid-19 outbreak? Can they request information about the health status of family members or relatives of employees or visitors? In this context, can they measure the body temperature of employees or visitors at the entrance of the workplace or collect information about these people by using thermal cameras?
Within the scope of the Covid-19 outbreak, data about whether employees or visitors show any signs of illness and whether they have a fever are health data and are accepted as sensitive personal data under Article 6 of Law No. 6698.
In accordance with Article 6/2 of Law No. 6698, sensitive personal data cannot be processed without the explicit consent of the data subject. On the other hand, in accordance with paragraph 3 of the same article, health data can only be processed by persons, authorized institutions and organizations under the obligation to keep secrets, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning, financing and management of health services, without the need to obtain the explicit consent of the data subject.
Although it is accepted that the processing of health data within the scope of combating the Covid-19 epidemic is conducted for the purpose of “protection of public health”, in order to process health data without the need for explicit consent, the data processing must be carried out only by “persons or authorized institutions and organizations under the obligation to keep secrets”. Since employers cannot be considered as individuals or authorized institutions and organizations that have an obligation to keep secrets, it may be a solution for the employers to include the workplace doctor in the process of processing the health data of their visitors or employees. It is necessary to pay attention to the fact that the health data in question is processed only by the workplace doctor without sharing it with the employers. Otherwise, we think that obtaining explicit consent from visitors and employees is the plausible option considering the legal framework of the Law No. 6698.
4. Do employers need to inform visitors or employees about their personal data processing activities?
One of the most important obligations envisaged by the Law No. 6698 for data controllers is the obligation to inform data subjects about data processing that has been regulated in Article 10.
Data controllers are obliged to provide information to the data subject about their data processing activity, regardless of what processing basis they rely on in terms of processing personal data (in other words, whether they obtain explicit consent from the data subject or other processing conditions that do not require explicit consent). In this context, employers are obliged to inform their employees and visitors as data controllers before performing data processing activities or at the time when personal data are obtained.
5. If employers want to obtain explicit consent from their employees or visitors, but if the employee does not give explicit consent or explicit consent cannot be obtained, can the prevention of entry into the workplace be considered as a situation affecting the validity of explicit consent?
We know that the most important element of explicit consent is “free will – freely given”. In this context, there is a rule that explicit consent cannot be a prerequisite for the provision of a service or cannot be subject to a sanction if not given, as they will affect the validity of explicit consent. Unfortunately, the situations that do not require explicit consent for the processing of health data in Law No. 6698, even in this type of an epidemic, are quite limited. In practice, to overcome such problems, it is important to inform the relevant people in the most appropriate and correct way and to give information about the sensitivity of the issue. Alternative solutions, such as video interviews, can be offered to prevent entry to the workplace if people do not grant explicit consent. In terms of employees, the employer's obligation to protect workplace health and safety can be explained to the employee again.
On the other hand, collecting data in a way that does not fall within the definition of personal data processing within the scope of Law No. 6698 may also facilitate the implementation of measures in practice, and data minimization must be considered at all times.
6. Can public institutions and organizations process health data and other types of personal data?
In accordance with Article 21/1(ç) of Law No. 6698, the Law will not be applied to processing activities if personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to provide public security.
Given the purpose of Law No. 6698 and the nature of the situation, it is considered that the COVID-19 outbreak can be regarded as a “public safety” issue and the measures taken by public institutions and organizations to protect public health within the scope of the COVID-19 outbreak can benefit from the “public safety” exception. Therefore, the authorized public institutions and organizations will be out of the scope of the Law No. 6698 in terms of the processing activities to be carried out for the purpose of public safety.
7. Can employers share personal data of their employees with authorized public institutions and organizations?
As stated above, the data processing activities of authorized public institutions and organizations within the scope of preventive, protective and intelligence activities aimed at ensuring public security are exempted from the Law No. 6698. Therefore, employers may need to share personal data of their employees if authorized public institutions and organizations request data from employers to be shared within the framework of these activities.
In cases where the requested personal data are not sensitive personal data such as health data, employers will be able to transmit such personal data to the relevant institutions and organizations within the scope of the data processing basis stated in Article 5/Ç of the Law No. 6698: “It is necessary for the data controller in order to fulfill a legal obligation”. On the other hand, if the requested data are sensitive personal data such as health data, such data can only be shared with persons, authorized institutions and organizations who are under the obligation to keep secrets pursuant to Article 6/3 of Law No. 6698.
8. Must workplaces that start working from home as part of the measures taken to combat the Covid-19 outbreak take additional security measures to protect personal data?
In accordance with Article 12 of Law No. 6698, data controllers must take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the illegal processing of personal data, to prevent illegal access to personal data and to ensure the protection of personal data.
There is no change in terms of the obligation in question, not even after the Covid-19 outbreak. Therefore, employers must always take the necessary precautions to comply with this obligation stipulated in the law in order not to encounter any data security violations, even when starting to work from home. On the other hand, if necessary, additional technical and administrative measures can be taken to continue at home the technical and administrative measures applied in the workplace; employees who start working from home can be informed or educated in this context.
9. Can employers process location data of their employees within the scope of security measures?
Processing of location data must be evaluated depending on the situation. However, for employers, the processing of this type of personal data will not be compatible with the criteria of proportionality in many cases. Especially for the prevention of epidemic risks, it is considered that the processing of this type of data can be held excessive and not compliant with general data processing principles.
10. Is there a change in the legal periods that continue to run under the Personal Data Protection Law?
The Personal Data Protection Authority (DPA) has not made any explanation regarding how the Law No. 6698 and secondary legislation must be implemented or interpreted within the framework of the extraordinary processes experienced in Turkey due to Covid-19 outbreak.
On the other hand, the DPA announced on March 23, 2020 that it was aware that different operational practices (remote work, rotating work etc.) had started to be applied within the scope of the measures taken by data controllers in this extraordinary process. It therefore stated that, regarding the complaints, notices and data breach notifications submitted within the scope of Law No. 6698, the extraordinary conditions that are currently being faced will be taken into consideration in terms of evaluating the compliance of the data controllers with the legal periods specified in the Law No. 6698. However, there is no official decision on suspending time limits etc., so data controllers must always be diligent.
Article provided by: Begüm Yavuzdoğan Okumuş (Gün + Partners, Turkey)
Dr. Tobias Höllwarth (Managing Director INPLP)