It has been necessary to take some legal measures concerning the arrangements on processing and protection of the personal data, in particular health data, in order to eliminate the adverse impacts of coronavirus (COVID – 19) both on the commercial enterprises and individuals in Turkey. In this context, an announcement was made by the Personal Data Protection Authority on March 27, 2020 under the title “Necessary Information During the Struggle Against Covid-19 Within the Scope of the Law on the Protection of Personal Data”.
This article aims to provide information concerning the frequently asked questions related to the conduct of the data processing activities in accordance with the Law on the Protection of Personal Data and the announcement issued by the Personal Data Protection Authority due to the Coronavirus (Covid-19) pandemic.
1) Does the employer have a specific disclosure requirement in the context of the special measures taken with respect to COVID-19?
Pursuant to Article 10 of the Law on the Protection of Personal Data No. 6698 (“KVKK”), each of the data controllers is in charge of providing information about the data processing activities at the time of obtaining the personal data. The scope of this disclosure requirement is determined by the provisions of the above-mentioned article and the responsibility of the employers to illuminate their employees under the Law on the Protection of Personal Data continues if the implementation of the additional measures taken by the employer for the purpose of the prevention of the dissemination of the Coronavirus (COVID-19) pandemic requires the processing of the personal data (including the details of the travels in the past or COVID-19 test results).
2) Is the employer allowed to process the health data of the employees (including fever and general medical examination details)?
If the health data are to be processed by the employers, explicit consent of the employees must be obtained in addition to the disclosure requirement of the data controller due to the fact that health data are defined as special personal data pursuant to Article 6 of KVKK. For that reason, employers are required to obtain the explicit consent of their employees while processing COVID-19 related data belonging to their employees.
3) Does the processing of the health data by the workplace doctor create any difference in respect of explicit consent?
Although processing health data by the employer requires explicit consent, health data can be also processed by those under confidentiality obligation without obtaining any explicit consent of the owner of the health data in accordance with the purposes specified in the relevant legislation including the protection of public health, the conduct of services like preventive medicine, medical diagnosis, treatment and medical care. If practices requiring the processing of health data in that direction are carried out by the employer through the workplace doctor, the employer only needs to consider the respective disclosure issues. In this context, the explicit consent of the employees will not be necessary.
4) Is the employee with COVID-19 symptoms required to inform the workplace doctor of this situation?
Pursuant to Article 19/1 of the Law on Occupational Health and Safety, employees are not allowed to risk the health and safety of themselves and other employees affected by their actions and work performances. In that case, the employer must provide necessary information and warning to the employees that they must immediately apply to the workplace doctor if it is determined that they exhibit any of the symptoms of COVID-19.
5) Is the employer allowed to request from the relevant persons the data about their travels in the past?
The information on the recent travels is considered within the scope of the personal data pursuant to the Law on the Protection of Personal Data No. 6698. Although under normal conditions the processing of personal data requires the explicit consent of its owner, the announcement of the Personal Data Protection Authority has clarified that such information is subject to Article 5 of the Law on the Protection of Personal Data and that the information about the countries to which the relevant persons have recently travelled may not be considered a special personal data based on its ruling that “It goes without saying that, during this process some of the data processed may not be special personal data (for example information on the last country to which the person has traveled). In those cases, the conditions of processing personal data specified by Article 5 must be taken into consideration”. In conclusion, provided that the employer is certain that it has fulfilled the disclosure requirement, it can ask questions to the relevant persons about their travels in the recent past.
6) How can the other employees be informed about a COVID-19 incident that has occurred at the workplace?
The following example is given in the announcement issued by the Personal Data Protection Authority regarding necessary information to the other employees about such an incident:
“… We wanted to inform our other employees about the fact that the COVID-19 test made on our colleague working at the fifth floor of our general directorate building gave a positive result. The persons who contacted him will be identified and informed about this situation based on the respective dates on which that person was at our general directorate building”. In consideration of the statement above, it must be stated that an employer must warn its other employees, provided that one of its employees proves to be Covid-19 positive, and keep his identity undisclosed, must invite them to take the necessary measures and is not allowed to share the details that can be used to identify him. In case it is necessary to disclose the identity of the employee who was contaminated by the virus in order to take the protective measures, the employer as data controller subject to the respective disclosure requirement must provide information to its employees, who were diagnosed to be COVID-19 positive, thereof in advance.
7) Is it allowed to share the health data of the employee with the public authorities?
The employer can share the personal data of employees carrying the contagious diseases subject to mandatory notice with the relevant authorities pursuant to the provisions of Article 8 and the provisions of other relevant laws on the contagious diseases.
8) What are the respective security measures to be taken during the process of working at home?
Institutions and organizations are allowed to carry out their businesses on the basis of teleworking for the purpose of ensuring the work continuity. It has been clarified by the announcement issued by the Personal Data Protection Authority that the institutions and organizations must maintain the administrative and technical measures on the compliance with KVKK throughout this process as well. In this context, the Personal Data Protection Authority has reminded that the data controller has not been released of its obligations regarding ensuring the security of the personal data.
As a result, all kinds of technical and administrative measures must be taken for the purpose of ensuring the security of the personal data during the struggle against COVID-19 pandemic. Besides, additional measures must be taken for the purpose of ensuring the security of the health data in the category of special personal data. When taking these measures, the information to be provided to individuals within the scope of the disclosure requirement must be concise, easily accessible, understandable. A clear and plain language must be used for this purpose. On the other hand, if the activities of the Ministry of Health and the authorized public institutions and organizations aimed at processing the personal data are considered to be within the scope of the preventive, protective and intelligence activities carried out by the institutions and organizations legally authorized for the purpose of ensuring national defense, national security, public security or economic security as stipulated in Article 28, the provisions of this law will not apply.
For further information and inquiries please contact:
Att. Ebru ACAR – [email protected]
en.hansu.av.tr | +90 216 464 12 12
© Hansu Attorney Partnership
Hansu Attorney Partnership provides legal services to local and international clients, particularly in the areas of real estate, corporate, tax, energy and intellectual property law. This article is intended to present recent developments in Turkey and does not constitute legal or professional advice. Readers of this article should contact a lawyer to obtain advice with respect to any particular legal matter.