Corona Outbreak: Crucial Points to be considered for Data Controllers in the wake of Covid-19 Pandemic in Turkey

Turkey’s Personal Data Protection Authority (“Authority”) has published a new statement regarding necessary steps in the process of combatting Covid-19. Accordingly, it is inevitable to process various personal data (such as national identity number, name, address, workplace, travel information and health related data, etc.) by the public institutions, organizations and workplaces while are taking the necessary steps in order to mitigate the effects of the pandemic.

According to the Authority, it should be noted that even at these exceptional times, it is important that the personal data is processed in accordance with the law and that any precautions taken in this regard comply with the general principles of the law, especially with the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”) and the decisions taken in this regard should be within the framework of the guidance and / or instructions of public health institutions, particularly the Ministry of Health. In this context, it is important that besides the basic principles of data processing enumerated in the Law No. 6698, data controllers shall pay attention to following points when processing personal data (especially health data).

The processing conditions of special categories of personal data including health data are determined as per the Article 6 of the Law No. 6698. Accordingly, although it is stated that special categories of personal data cannot be processed without the explicit consent of the data subject; personal data other than health and sexual life can be processes if such processing is prescribed by law; and the data related to health and sexual life can be processed in case it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, financing and management of health services by authorized institutions and organizations without seeking the express consent of the data subject.

On the other hand, according to the Article 28/1-d of the Law No.6698, the provisions of the Law No. 6698 will not apply if the data is processed by the authorized public institutions within the scope of intelligence activities, national defense, public security and order. In this context, since the current situation threatens public security and public order, there is no obstacle for the processing of personal data by the Ministry of Health, authorized public institutions and organizations covered by the mentioned article.

Data processing in terms of working remotely: According to the Authority, Law No.6698 is no obstacle for employees who work remotely and use their own devices or communication equipment during the outbreak.

In order to minimize the risks for data breaches, necessary technical and organizational measures must be put in place in order to ensure the security of personal data; the data traffic between the systems must be carried out with high security communication protocols and anti-virus systems and firewalls must be active. However, it should not be forgotten that the measures to be taken by the employees do not eliminate the responsibility of the data controller to ensure the security of personal data under the Law No.6698.

Employer's obligation to inform regarding the data of diseased cases: The employer has responsibilities to ensure the health and safety of its employees as well as to fulfill its obligation to care. Thus, the employer is obliged to inform other employees about diseased co-workers without giving the names of those individuals or any excessive information that will directly identify who the employee is, such as position or team. In cases where it is necessary to reveal the name of the employee / employees infected with the virus in order to take protective measures, the relevant employees must be informed on such disclosure in advance.

In addition, considering the current circumstances, employers have justified reasons to ask employees to inform themselves on whether they have visited a virus-affected area and / or show signs of the disease caused by the virus. If yes, there is no obstacle as per Law No. 6698 to give certain recommendations or asking for employees/visitors to take appropriate measures in workplace. And within the framework of Article 8 of the Law No. 6698, personal data regarding those who are known to carry the virus or show the symptoms may be shared with the relevant authorities by the employer.

Lastly, regarding the complaints and data breach notifications to be submitted to the Authority within the scope of the protection of personal data; various periods have been determined by the Law No. 6698 and related regulations. The authority stated that it is not possible to extend the legal periods specified. However, considering that different operational practices (working remotely etc.) are made within the scope of the measures taken by the data controllers, each application or data breach notification will be observed by the Authority in their own situation.